vpx file disappeared from online mirrors, 500 clients cannot update anymore

m.vwyk · 2016-12-14T13:07:03.000Z

I’ve logged request as well, no response the entire day, yesterday sometime vps_32-1492.vpx was released, and it disappeared later, but spooled to clients. Now updates are failing enterprise wide

14:58:41 nrm/gen SelectCurrent: selected server ‘Download y0068596 AVAST5 Server’ from ‘main’
14:58:41 nrm/int SYNCER: Type: no proxy
14:58:41 nrm/int SYNCER: Auth: NTLM
14:58:41 dbg/int while trying to get file ‘vps_32-1493-1492.vpx’, error 0x20000004 has occured, try 10
14:58:43 min/int tried 10 servers to get file ‘vps_32-1493-1492.vpx’, but failed (0x20000004)
14:58:43 nrm/pkg DldPackage: C:\Program Files\AVAST Software\Avast Business\Setup\vps_32-1493-1492.vpx, returned 0x20000004

current mirrors indicate that the vps_32-1492.vpx file is gone. Internal mirror reports error 0x2000000b

14:58:25 nrm/int HttpGetWinsock(http://aerss01.aerosud.co.za:16135/vps_32-1493-1492.vpx)
14:58:25 nrm/int Used server: http://aerss01.aerosud.co.za:16135
14:58:25 min/fil GetFileWithRetry:DSA_FileVerify(C:\Program Files\AVAST Software\Avast Business\Setup\vps_32-1493-1492.vpx), error: 0x2000000B

i took one client and tested by just deleting the 1492 file after turning off avast self protection and it immediately fixed the problem.

How do i do this remotely? Is there a cmd way of turning of protection with the known password, delete the file and turn it back on?, is there a way with psexec? can i send a delete command from the console that processes first before the updates run? How can avast created errors like these be resolved enterprise wide?

I’ve tried various anti-rootkit tools to try and delete this file with psexec and it is just stuck. There HAS to be a way to fix problems when the problem is caused by self defense!

Mac · 2016-12-15T00:14:35.000Z

Can you trigger a enterprise wide VPS update from the Enterprise Admin Console? This should force all clients to sync with the mirror, and may resolve the issue.

Also you can download the full VPS offline installer here:
https://www.avast.com/download-update

Possibly try to run this on an affected machine and see if it resolves, and then deploy the file across the network (using the console VPS update function would be easier)

m.vwyk · 2016-12-15T09:52:14.000Z

Thank you for responding, still no response to the request ticket!

The VPS update from console didn’t work because it was still trying to process the existing 1492 file and failing signature check, forcing update from AEA just forced the error to happen.

Here is the solution i implemented to resolve for all users remotely.

Disable self protection on AEA console, then wait about 5 minutes just to be safe
psexec cmd script below on every machine in the company, or you can use a scheduled task injected with GPO that runs with an admin user
sc stop “avast! Enterprise Client Service”
sc start “avast! Enterprise Client Service”
ping 127.0.0.1 -n 10 > nul
del /Q “C:\Program Files\AVAST Software\Avast Business\Setup\vps_32-1492.vpx”
del /Q “C:\Program Files\AVAST Software\Avast Business\Setup\vps_32-1491.vpx”

after that, the auto update will continue as normal at specified intervals.

wait 24 hours to catch all clients, and then turn on self protection from the console again.

what above does is force a refresh of client settings by killing the avast agent, the client then turns off self protection within 5 seconds of contacting the AEA server, we wait 10 seconds to be safe, and then we delete the corrupt/broken/unverified vpx files.

i ran the above on our administrative scheduled tasks, which runs every hour, so even if the agent couldn’t disable the self protection within 10 seconds, it would automatically disable at the agent intervals and the script would delete the file the next hour.

PS. i found a tool that can bypass self protection! But i couldn’t find a CLI version of it, GUI only, but it can delete files with self protection enabled. If i find a CLI version of that i would have used it to delete the file and not bothered with the AEA console rigmarole.

Regards

Announcements