4 Replies Latest reply on Mar 21, 2017 7:52 AM by pingu

    Error activating vm image

    pingu

      Hi,

       

      I have a vATD 3.10 in a testing lab and try to activate a Windows x64 SP1 image I made with VMware Workstation 12 Player. I always get the vncviewer.php page with a "Server disconnected (code: 1006)" error.

       

      I already tried to apply solutions suggested by:

      McAfee Corporate KB - Failed to connect to server (Code:1006) (after activating a VM profile in Advanced Threat Defense …

      McAfee Corporate KB - Server disconnected (code: 1006) (when you activate VM Profile or use XMode) KB85978

       

      • I don't use a custom web certificate
      • I don't have any errors in the syslog
      • vATD and the host (Windows Server 2008) I access the web interface from are on the same ESXi in the same network (192.168.178.x)
      • the firewall of the host is completely deactivated, to eliminate errors
      • the image is built according to a POC guide from McAfee

       

      • I already tried:
        • different images
        • different browsers
        • different networks (other than 192.168.178.x)
        • I reinstalled the vATD multiple times

       

      (don't get confused by the timestamps, I tested everything multiple times and made an extra test for this post)

       

      If I try to activate the VM, the following system log is produced:

      Tue Mar 14 16:10:23 CET 2017::Previous user-test shutting

      Tue Mar 14 16:10:33 CET 2017::edit Ok: win7sp1x64_130317b mem: cpu:1

      Tue Mar 14 16:10:34 CET 2017::VM created successfully -- win7sp1x64_130317b

       

       

      - I tried to validate and save the VM, which worked and produced the following system log:

      2017-03-14-03:52:23: starting vmcreator -S -l

      2017-03-14-03:52:23: lvclean was successful.

      2017-03-14-03:52:23: Copying image base to work folder: win7sp1x64_130317b.img

      2017-03-14-03:57:50: Copied 13.96G in 327 seconds

      2017-03-14-03:57:50:     43.73Mbytes/second

      2017-03-14-03:57:50: Booting VM: win7sp1x64_130317b_sn01

      2017-03-14-03:57:55: Waiting for VM to come up: win7sp1x64_130317b

      2017-03-14-03:59:01: Starting image install.

      2017-03-14-03:59:01: Loading software: win7sp1x64_130317b

      2017-03-14-03:59:03: Ftp login OK.

      2017-03-14-03:59:04: Upload installation image OK.

      2017-03-14-03:59:08: Telnet login successful.

      2017-03-14-03:59:09: ------ Running the OS validation tool ------

      2017-03-14-03:59:29: Systemfehler 1376 aufgetreten.

      2017-03-14-03:59:29:

      2017-03-14-03:59:29: Die angegebene lokale Gruppe ist nicht vorhanden.

      2017-03-14-03:59:29:

      2017-03-14-03:59:29: OS Windows 7 6.1

      2017-03-14-03:59:29: FTP OK

      2017-03-14-03:59:29: TELNET OK

      2017-03-14-03:59:29: AUTOLOGON OK

      2017-03-14-03:59:29: ADMINISTRATOR FAIL

      2017-03-14-03:59:29: FIREWALL OK

      2017-03-14-03:59:29: FreeSpace OK

      2017-03-14-03:59:29: Microsoft Office 2010 OK

      2017-03-14-03:59:29: Adobe Reader 11.0 OK

      2017-03-14-03:59:29: java version "1.8.0_121" OK

      2017-03-14-03:59:29: flash not exist OK

      2017-03-14-03:59:29: Activation OK

      2017-03-14-03:59:29: Scan Complete!

      2017-03-14-03:59:29:

      2017-03-14-03:59:29: ---------------------------------

       

       

      2017-03-14-03:59:30: Found installation image.

      2017-03-14-03:59:30: Installing application

      2017-03-14-03:59:53: Finishing up installation.

      2017-03-14-04:00:42: Completed software installation.

      2017-03-14-04:00:42: -------------------------------------------

      2017-03-14-04:00:43: Finished install for OS: win7sp1x64_130317b

      2017-03-14-04:01:05: Completed image prep...

      2017-03-14-04:01:05: ----------------------------------------------------------------

      2017-03-14-04:01:05: total number of VMs configured: 1

      2017-03-14-04:01:05: ----------------------------------------------------------------

      2017-03-14-04:01:05: creating VM: win7sp1x64_130317b_sn01

      2017-03-14-04:02:09: Booting VM: win7sp1x64_130317b_sn01

      2017-03-14-04:03:05: Creating snapshot for: win7sp1x64_130317b_sn01

      2017-03-14-04:03:23: time taken: 138.407514

      2017-03-14-04:03:23: -----------------------------------------------------------------------------

      2017-03-14-04:03:23: Updating VM database

      2017-03-14-04:03:23: Vmcreator success.

       

      (The error "2017-03-14-03:59:29: ADMINISTRATOR FAIL" is described here and can, at least in my opinion, be ignored:

      McAfee Corporate KB - ADMINISTRATOR FAIL (Windows VM validation fails at ADMINISTRATOR stage) KB87154

      I am using a German OS)

       

      However, if I try to use this image with a manual sample upload, using an analyzer profile where "Sandbox" is the only Analyze option activated, I get the following error message: "System is down".

       

       

      Help, I've been stuck for days now

       

      Thanks
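An added example, not part of the original thread: a small parser for the validation section of a vmcreator log like the one posted above. It separates the per-check OK/FAIL results from the free-text tool messages (here the localized Windows error text), so a failing check can be picked out without reading the whole log. The function names are hypothetical, and the sample is an excerpt of the log from the post.

```python
import re

# Excerpt of the validation section from the log posted above.
SAMPLE_LOG = """\
2017-03-14-03:59:09: ------ Running the OS validation tool ------
2017-03-14-03:59:29: Systemfehler 1376 aufgetreten.
2017-03-14-03:59:29:
2017-03-14-03:59:29: Die angegebene lokale Gruppe ist nicht vorhanden.
2017-03-14-03:59:29: OS Windows 7 6.1
2017-03-14-03:59:29: FTP OK
2017-03-14-03:59:29: AUTOLOGON OK
2017-03-14-03:59:29: ADMINISTRATOR FAIL
2017-03-14-03:59:29: java version "1.8.0_121" OK
2017-03-14-03:59:29: Activation OK
2017-03-14-03:59:29: Scan Complete!
2017-03-14-03:59:30: Found installation image.
"""

# "<timestamp>: <message>"; the message may be empty.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}):\s*(.*)$")
# A check result is a message that ends in OK or FAIL.
CHECK = re.compile(r"^(.*\S)\s+(OK|FAIL)$")

def parse_validation(log_text):
    """Return (checks, notes) for the validation-tool section of the log."""
    checks, notes, in_section = {}, [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2).strip()
        if "Running the OS validation tool" in msg:
            in_section = True
        elif in_section and msg.startswith("Scan Complete"):
            break  # everything after this belongs to the install phase
        elif in_section and msg:
            c = CHECK.match(msg)
            if c:
                checks[c.group(1)] = c.group(2)
            else:
                notes.append(msg)  # e.g. localized OS error text
    return checks, notes

def failed_checks(log_text):
    """Names of the checks the validation tool reported as FAIL."""
    return [n for n, s in parse_validation(log_text)[0].items() if s == "FAIL"]

if __name__ == "__main__":
    print("failed:", failed_checks(SAMPLE_LOG))
    print("tool messages:", parse_validation(SAMPLE_LOG)[1])
```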

        • 1. Re: Error activating vm image
          Troja

          Hello,

          first of all I would upgrade to vATD 3.10.2. There are many things fixed.

           

          Just a question, other analyzer VMs are working without any trouble?

           

          Cheers

          • 2. Re: Error activating vm image
            pingu

            Hi,

            thanks for the fast response.

             

            I just upgraded to the mentioned version and everything worked fine, thanks for pointing to the new version. However, the problem is still present.

            So far I have no other VMs prepared, due to missing licences, ISOs, etc.

            • 3. Re: Error activating vm image
              Troja

              Hm,

              this is not so easy, because it does not look like a common error. So, in such a case I would do the following steps.

               

              . So, you reinstalled the vATD, so any image was removed.

              . There are some special settings needed at the ESX host to get vATD working properly. I just do not know the KB at the moment.

              . After converting the image I browse to https://vATD_IP:8080 to install the certificate from ATD. This is necessary for Firefox browsers.

              . I run the VMDK Preparation tool before copying the image to ATD.

              . I remove the VM from VMware Workstation to remove some, I think but not sure, removing the lck files?!?

              . I'm converting the VMDK file on ATD.

              . I activate the VM on ATD to check anything. Starting the VM, checking if Windows and Office are activated. Starting any software on the analyzer VM just for checking.

              . Shut down the VM and wait some time. I always do this to ensure the VM is shut down properly.

              . Click the validate button to check the VM. If anything is fine, again, wait some time.

              . Save the VM.

               

              If you do all of these steps and the VM is not working, I would suggest opening a support case.

               

              Cheers

              • 4. Re: Error activating vm image
                pingu

                Hi,

                 

                thanks again for your response

                 

                I started from scratch, according to the steps in your last post.

                 

                . So, you reinstalled the vATD, so any image was removed.

                • completely removed vATD from ESXi host
                • fresh install of vATD according to the installation steps in "McAfee Virtual Advanced Threat Defense 3.10.0 Addendum" page 10

                . There are some special settings needed at the ESX host to get vATD working properly. I just do not know the KB at the moment.

                • According to the mentioned document, you have to change an ESXi config file:

                                         | Before you begin

                                         | Enable the nested virtualization on the VMware ESXi server.

                                         | In an SSH session of ESXi server, add this property to the

                                         | configuration file at /etc/vmware/config.

                                         | vhv.enable = "TRUE"

                . After converting the image I browse to https://vATD_IP:8080 to install the certificate from ATD. This is necessary for Firefox browsers.

                • Adding an exception to Chrome
                • After installation and setup of vATD, I installed the upgrade 3.10.2

                . I run the VMDK Preparation tool before copying the image to ATD.

                • Built the analysis image and, thanks to version 3.10.2, used the new Prep Tool compatible with non-English OS

                . I remove the VM from VMware Workstation to remove some, I think but not sure, removing the lck files?!?

                • Thanks for pointing that out, didn't know that. And yes, some ".lck" files are deleted.
                • converting of the vmdk file on ATD went fine, log showed no errors
                • activating the VM worked exactly once. After that, the activation fails with the previous error and overall system health shows "Bad" with "Core" and "Batch" Service not running. Restarting the ATD has no impact.

                 

                I'll try to open a support case.

                 

                Thanks for your time and help!