Jump to content

SCAN - FAILED


Venjill
 Share

Recommended Posts

This can be caused by a connectivity issue. Make sure that Immunet's two main processes (sfc.exe & iptray.exe) have unrestricted internet access. Make sure your firewall of choice or some other security product (another AV, a behavior blocker or sandboxing app) you may have installed is not blocking or interfering with these processes. Something you can check into.

Link to comment
Share on other sites

  • 2 years later...

I was hoping a Dev or Admin would get involved with your issue ebloch but that's only wishful thinking these days!

If Immunet seemed to be performing normally before this happened is it possible that your internet connection was interrupted during the scan? Or maybe you have some other app(s) that were hogging up too much of your bandwidth at the time. It is recommended that you close any unnecessary apps before doing a scan.

That would be a few reasons I can think of for the scan to not complete.

Also, since a threat was detected during the scan it could be possible that Immunet was already corrupted by the malware. Have you tried to do an uninstall & reinstall? I know doing a reinstall is not a fix-all for everything but it might be worth the effort.

If you decide to give that a try I would recommend you do a 'clean' uninstall. When asked by the uninstaller if you plan on reinstalling Immunet choose the "NO" option. Once reinstalled you will have to reconfigure the settings, add any custom exclusions you were using and add any scheduled scans you had after doing a clean uninstall.

Link to comment
Share on other sites

Problem has been for a while and I was watching this thread hoping for further info. Thanks for trying but but have already tried uninstall and "clean" install.

Also looked at firewall and even tried bypassing it but same problem. Previous versions, but I do not remember how far back, worked with proper "non-error" completion.

As you can see in attached Windows Event log it appears to be an SFC "dll" problem. Looking at suggestions in <https://www.minitool.com/news/0xc0000409.html>

I am going to uninstall Immunet and do a Registry search for left overs and then reinstall. Will add results here.

 

Link to comment
Share on other sites

I found something interesting which I will try BEFORE uninstall.

Looking in "C:\Program Files\Immunet\" I find many folders from old versions with ".exe" flies which have been converted to documents (.txt). but are still showing as ".exe" AND with the same name as true ".exe" applications in the current version folder. All of these older version items show a "Date Recent;y Accessed" with current dates which I think may be a problem because it means Windows has attempted to run them by extension and found them not to be applications to run. I will delete all of these old version folders and see if that fixes the problem. Also note that the latest Immunet version 7.4.4.20633 has changed from previous n.n.n version number system.

Link to comment
Share on other sites

Those C:\Program Files\Immunet folders for older builds you have used would normally only be accessed if you run the Support Diagnostic Tool to create a SDT report.

Those older folders are left behind for diagnostic/troubleshooting purposes only so that is a bit troubling if some other program or Windows itself is attempting to access them.

It wouldn't be detrimental a bit if you delete all of them before doing a reinstall. If you're comfortable enough to use the command-line regedit Tool it also would be a good idea if you can find any left over/orphaned Immunet registry keys & delete them first too.

Not sure what you mean by the version number changing. That should only happen if you update to a new build.

Link to comment
Share on other sites

I do not know how one can find out what attempted to access the old folder contents just that the Windows last access date was current,

The version comment was just that Immunet has changed the format of version numbers used in "C:\Program Files\Immunet\". That required a change to a batch I made to place the current version number of Immunet into a variable for later processing.

I run an unattended overnight batch which, after some maintenance and data backup, initiates a scan by Ad-Aware, Malwarebytes, Immunet, or MS Security Essentials. Immunet every Wednesday early AM so will see what happens soon. If still a problem will go thru uninstall, clear all Immunet references I can find, reboot, and reinstall from a fresh download.

Do you know the location of Immunet's Exclusion data? I would like to include it in my backups but now can only use a manual screen copy since I do not know the file name.

Link to comment
Share on other sites

Wow, you used a really small font on your last thread!

The default and your custom Exclusion rules would be in one of the four history files which uses the .db file format.

The file paths would be:

C:\Program Files\Immunet\history 
C:\Program Files\Immunet\historyex
C:\Program Files\Immunet\historyex.db-shm
C:\Program Files\Immunet\historyex.db-wal

To be honest I'm not sure which of the four files contain that exact data.

Link to comment
Share on other sites

Small font not intentional. In fact I thought I was using larger than the default.

I think I found the Exclusion list in "C:\Program Files\Immunet\local.xml"

Examining in Notepad++ the file includes Exclusions in lines starting with <item>256|2|0|0| and <item>256|2|1|0| so added the file to my backup

Link to comment
Share on other sites

I was told by a Dev that the custom settings for users are located in those history files.

I also looked at that .xml file and am not convinced that's where the actual settings are located. 

Of course I was never involved in how the code was written for this software but that makes sense to me.

An .xml file can be easily altered or deleted where those .db files can not be accessed, altered or deleted while Immunet is running.

The .xml file most likely is included when an SDT report is created.

Link to comment
Share on other sites

I agree, probably a synced file but helpful since info is there.

Today's scan exited with an error about half way thru or three hours short similar to previous weeks. I just scanned "Event Viewer - Windows Logs - Application" and last complete run appears to be 09/08/21. SFC error on all runs since then.

I will uninstall, cleanup, reboot, and reinstall with fingers crossed.

Link to comment
Share on other sites

Thanks for the update ebloch.

let me know how the reinstall went. Don't forget to clean the registry of any left-over keys associated with Immunet before the install.

I do have a question though, do you normally use the ClamAV module enabled?

If so, one experiment you could try is to turn off ClamAV before a scan to see if it completes and another one with ClamAV enabled. I'm curious if the ClamAV module is causing this bug. I don't use it (only the cloud engines) since I've got Immunet paired with a different paid AV solution and am not seeing this error.

Best wishes, Ritchie...

Link to comment
Share on other sites

Everything enabled except "Blocking Mode", " Allow Definition Updates", and "Scan Archive Files".

I run a daily early evening batch to update definitions for Ad-Aware, Immunet, and MS Windows Defender..Malwarebytes updates before each scan and not by command. Defender with Malwarebytes are my basic defenses and are deactivated during the once a week scans with the others.

An Immunet "Full Scan", when it completes, takes 5 to 6 hours so I do not want to run one except by unattended overnight batch. My experience with "Flash Scan" is that they only take minutes AND DO NOT have the error like "Full Scan". This leads me to a question:

My Immunet "Exclusions" only list "C:\Program Files\Immunet" and "C:\Program Files\Cisco\Immunet\UC" that I think are Immunet related. BUT I do not have "C:\Program Files\Cisco\Immunet\UC" on my system: DO YOU? My system does have "C:\ProgramData\Cisco" which only contains a "UC uninstall" text file.

Link to comment
Share on other sites

Mmm. With the settings that you're not using what's the point of keeping ClamAV enabled if it's not getting new updates. You do have Allow Definition Updates turned off.

Ya know, the heck with that experiment. It has always been recommended that the ClamAV module be disabled when using another AV so my advise would be to disable it anyway. You already got some good security products installed so that would be redundant!

Personally speaking I run a daily scheduled Flash scan and only run a full scan if I observe suspicious activity. The Flash scan does look in the most common places malware likes to hide.

I would also recommend you use the Scan Archive Files & Scan Packed Files settings enabled as most forms of malware come compressed. That will, however, increase scan times if you have many compressed folders or files with your system such as .rar, .zip, 7zip, etc...

I don't have any Program Files\Cisco folders that I can find. I know when Immunet is being installed and it recognizes a possible security deficiency some folks will get additional code installed to minimize that possible risk.

Link to comment
Share on other sites

Did the following:

Uninstall Immunet. Deleted one remaining Immunet folder and contents. RegEdit -search for all Immunet items and deleted them (Some from old versions). Rebooted. Installed fresh Immunet download. Added Exclusions for Ad-Aware, Malwarebytes, and Defender Quarantine folders.

Overnight batch ran Immunet but still had following error report:

Faulting application name: sfc.exe, version: 7.4.4.20633, time stamp: 0x60f78ab4
Faulting module name: ntdll.dll, version: 10.0.19041.844, time stamp: 0x60a6ca36
Exception code: 0xc0000028
Fault offset: 0x0000000000102136
Faulting process id: 0x3bb0
Faulting application start time: 0x01d7d06806b08190
Faulting application path: C:\Program Files\Immunet\7.4.4.20633\sfc.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll      << last error was ucrtbase.dll
Report Id: 5933cd0d-e5a7-4292-8678-3a784e5f691d

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...