The immunet Service is not running

[XcamaroX]

Hey guys, first post so bear with me.

 

I have a Remote Desktop Server running about 15 users at once. The Immunet application was running fine for like couple days, and all of a sudden it started giving me this message and agent.exe is not running anymore.

The firewall is off, so I don't know what else to look for. After a restart it works for a while and then stops.

Could it stop because is not meant to work on a multi user environment? What can I do to see why it's stopping?

 

Thanks in advance.

[ritchie58]

First of all, it's my duty to inform you that Immunet is not licensed for the use of any "for-profit" business, organization, service or product. This information is included in the End User License Agreement (EULA) when you first installed Immunet. No Support will be forthcoming if Immunet is used in this manner.

Unlimited Support will be provided if you can provide information that we can verify that you are not using Immunet in such a for-profit manner. If the server is for a non-profit charitable or educational organization or your own personal home based intranet set-up that is perfectly acceptable. A URL to your non-profit site would be the easiest way. If you don't wish to disclose the URL publicly on this forum you can send that to Wookiee or myself via Personal Messenger for verification. 

If you are running a for-profit operation (or not) might I suggest you try "Immunet's enterprise version" called "AMP for Endpoints" instead (AMP stands for Advanced Malware Protection).

Although not freeware this software is designed to be used in a multiple endpoint environment, will provide much greater malware/intrusion protection, is easily deployed and the price is even negotiable depending on the length of your license & how many endpoints are to be covered.

Some degree of advanced computer knowledge will help to get the most out of AMP for Endpoints but you don't need a PhD in computer science to get it up and running & configured for your needs either. That's speaking from experience.

I used AMP myself for a year on my home desktop a while ago just to check it out (yes, AMP for Endpoints can be configured for individual home use too).  https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html

Regards, Ritchie...

[Guest Wookiee]

1) a screenshot of the message.   Immunet hasn't been  called agent.exe for many  years so I'm curious where/ under what conditions he’s seeing  a agent.exe message.

2) s what version of immunet they have installed 

3) What operating system are they  running? 

4) if they you are logged on as the administrator or not.

[ritchie58]

Hi Wookiee, the main process hasn't been called agent.exe since version 5 so I just assumed they're still using an old build.

There were problems reported in the past with version 5 and using it in a remote desktop server platform configuration. If too many simultaneous look-ups occurred that could cause agent.exe to crash.

[Rob.T]

I think what's your probably seeing is the Immunet  *UI* only supports 1 user at a time.  The real time virus protection component does protect all simultaneously connected users, but only the first user to launch the  UI ( system tray icon / application with the scan now & settings)  will appear to be connected.  All other users will have Immunet UI's that appear disconnected.   

Further if the user who has the connected UI logs off or manually closes the Immunet tray icon, the UI connection will be go to the next user who has had the Immunet UI running the longest;  and their disconnected UI will switch to connected.  

Note  when a rdp user disconnects their programs are all left in a running state. Including leaving the the immunet UI running,  potentially holding the Immunet UI connection.

Given the above limitations, what we usually see when the UI appears disconnected in in multi-user environment is that the one Immunet UI connection has passed to an unknown user who disconnected when they were done without actually logging off.

If you think this has happened to you The least disruptive way to reclaim the Immunet UI connection is to:
1)  login as an admin user
2)start -> run -> "Services" -> stop the Immunet Service
3) open task manger & enable show processes from all users. Then task kill all the sfc.exe processes ( sfc.exe is Immunet's  UI process).  Note if you get a message from task manager saying sfc.exe could not be terminated it's probably because the Immunet service hasn't been fully stopped yet.  
4) Once all the Immunet UI's are closed restart the Immunet Service and then UI and it should appear connected within 30 seconds after both are started.

 

Another  approach is to use the task manager to force log off other users who have the Immunet UI / sfc.exe open and then restart the UI on your own session.  This approach doesn't require stopping the immunet service.   Note though if you log off someone who is actively using he system you can expect them to immediately re-logon and potentially take the Immunet UI connection token again.

The last and easiest approach is to restart the machine and be the first to login - note if the machine is set to auto logon at startup then the auto-login user will be the first to login and get the working Immunet UI session.

[chaozz]

The only way to get Immunet working on a Terminal Server is by disabling the auto statup of iptray.exe. Simply run MSCONFIG on your terminal server and disable the auto startup. 

If you need the GUI for some reason as an admin, you just simply start it up from the start menu, then right click the icon in the system tray to open it.

The service that protects your server will be running in the background for all your Terminal Server users, despite iptray.exe not running. As an added bonus, no end-user gets to poke around in the settings (optionally you can even remove the start menu entry, and just add a shortcut to the admin desktop).