To debug CAVA directly:
- Download DebugView from Sysinternals.
- CAVA only emits debug messages when it is configured to do so, which is controlled by two registry values. Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration. Set the Debug and Verbose values under that key to 0x3F (add them if they are not present).
Figure 25. Enable debug and verbose log for the CAVA service
- Use services.msc to restart both the CAVA service and the CEE Monitor service so that the new settings take effect.
- DebugView lets you view the debug messages coming from CAVA itself. It does not need to be installed; it runs as a standalone executable, but it must be run with Administrator rights.
- Run the executable for DebugView that matches your OS. For most cases, you will want to use dbgview64.exe.
- Under the Capture menu item, make sure that the following items are checked:
- Capture Win32
- Capture Global Win32
- Capture Events
Figure 26. DebugView
- You should now see the events showing up in the capture window.
Figure 27. Captures in DebugView
A detailed explanation of how to read CEE debug logs is out of scope for this document. However, simply retrying the failing operation, such as a scan request, and looking through the messages for obvious errors can be very helpful in pinpointing where the AV scan process is failing.
Here are some tips for looking through the CAVA logs.
- Save the log to a text file (File -> Save As) so that you can read the full log messages.
- You should see CheckHeartBeat return NORMAL results.
- Actual scan requests have a tag that starts with <Args action= "7"
- The name fields in the CheckFileRequest message are Base64-encoded UTF-16LE strings. Copy the string into a Base64 decoder (for example https://www.base64decode.org/) and interpret the output as UTF-16LE; decoded as plain ASCII the text appears with a NUL byte between each character. Keep in mind that pasting into a web decoder sends your internal server names and file paths to a third party, so use a local decoder for anything sensitive. For example:
XABcAGMAYQB2AGEALgBwAHMAMQAuAGQAZQBtAG8ALgBsAG8AYwBhAGwAXABDAEgARQBDAEsAJABcAFQAaABpAHMASQBzAEEAUwBhAG0AcABsAGUARgBpAGwAZQAuAGUAeABlAA==
Decodes to:
\\cava.ps1.demo.local\CHECK$\ThisIsASampleFile.exe
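The following PowerShell is an added example for working through a saved DebugView log; it is not part of the CAVA/CEE documentation. It decodes the Base64/UTF-16LE name fields locally, checks that every CheckHeartBeat message reports NORMAL, and lists the paths in action="7" scan requests. The log format (one message per line, as DebugView writes it on Save As), the exact wording of the heartbeat lines, and the attribute layout of the CheckFileRequest message are assumptions; adjust the patterns to what your log actually shows. The sample log at the bottom is constructed, apart from the Base64 string, which is the one shown above.

```powershell
# Added example, not from the CAVA/CEE documentation. Assumptions (not stated by
# the guide): one DebugView message per line, heartbeat lines contain
# "CheckHeartBeat" and "NORMAL", and scan requests carry their Base64 name
# fields on the same line as <Args action= "7".

function ConvertFrom-CavaName {
    param([Parameter(Mandatory)][string]$Base64)
    # CAVA Base64-encodes the UTF-16LE bytes of the path, so decode in two steps.
    # [Text.Encoding]::Unicode is UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Test-CavaHeartBeat {
    param([Parameter(Mandatory)][string]$LogPath)
    # Every heartbeat should report NORMAL; anything else deserves a closer look.
    $hb = @(Get-Content -LiteralPath $LogPath | Where-Object { $_ -match 'CheckHeartBeat' })
    [pscustomobject]@{
        Total    = $hb.Count
        Normal   = @($hb | Where-Object { $_ -match '\bNORMAL\b' }).Count
        Abnormal = @($hb | Where-Object { $_ -notmatch '\bNORMAL\b' })
    }
}

function Get-CavaScanRequests {
    param([Parameter(Mandatory)][string]$LogPath)
    # Only action="7" messages are real scan requests. Heuristic (assumption):
    # any Base64-looking run of 32+ characters on such a line is decoded and
    # kept if it decodes to something containing a backslash, i.e. a path.
    Get-Content -LiteralPath $LogPath |
        Where-Object { $_ -match '<Args action=\s*"7"' } |
        ForEach-Object {
            $line = $_
            foreach ($m in [regex]::Matches($line, '[A-Za-z0-9+/]{32,}={0,2}')) {
                try { $path = ConvertFrom-CavaName $m.Value } catch { continue }
                if ($path -notmatch '\\' -or $path -match '[\x00-\x1F]') { continue }
                [pscustomobject]@{ Path = $path; Encoded = $m.Value; Line = $line }
            }
        }
}

# Constructed sample log (not a real capture). DebugView's Save As output is
# roughly "<index>`t<time>`t[<pid>] <message>"; the message bodies are made up,
# only the Base64 string is the one from this guide.
$sample = @"
00000001`t0.00000000`t[4212] CheckHeartBeat: NORMAL
00000002`t0.00135200`t[4212] CheckFileRequest <Args action= "7" name="XABcAGMAYQB2AGEALgBwAHMAMQAuAGQAZQBtAG8ALgBsAG8AYwBhAGwAXABDAEgARQBDAEsAJABcAFQAaABpAHMASQBzAEEAUwBhAG0AcABsAGUARgBpAGwAZQAuAGUAeABlAA==" />
00000003`t0.00221000`t[4212] CheckHeartBeat: NORMAL
"@
$log = Join-Path $env:TEMP 'cava-sample.log'
Set-Content -LiteralPath $log -Value $sample

Test-CavaHeartBeat -LogPath $log
Get-CavaScanRequests -LogPath $log | Format-List Path, Encoded
```

Run against the constructed sample, the heartbeat check reports two NORMAL heartbeats and no abnormal ones, and the scan-request listing decodes the Base64 string to the \\cava.ps1.demo.local\CHECK$\ThisIsASampleFile.exe path shown above. Point both functions at the file you saved from DebugView to do the same on a real capture.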
To turn debug off again, set the Debug and Verbose registry values back to 0 and restart both services.
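The registry and service steps above (enabling debug at the start, turning it off again here) can be done from an elevated PowerShell prompt instead of regedit and services.msc. The function below is an added example and not part of the CAVA/CEE documentation. The registry key, the Debug and Verbose value names, and the 0x3F and 0 levels are the ones given in this guide; the assumption is that the two services can be found by display names containing "CAVA" and "CEE Monitor", so confirm with Get-Service before relying on it.

```powershell
# Added example, not from the CAVA/CEE documentation: toggle CAVA debug output
# and restart the services so the change takes effect. Assumption: the service
# display names contain "CAVA" and "CEE Monitor".

function Set-CavaDebug {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    # DebugView and the registry edit both need an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    $key   = 'HKLM:\SOFTWARE\EMC\CEE\Configuration'
    $level = if ($Enabled) { 0x3F } else { 0 }
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key not found: $key (is CEE installed on this host?)"
    }

    foreach ($name in 'Debug', 'Verbose') {
        if ($PSCmdlet.ShouldProcess("$key\$name", "set to 0x$('{0:X}' -f $level)")) {
            # REG_DWORD; -Type also creates the value if it does not exist yet.
            Set-ItemProperty -LiteralPath $key -Name $name -Value $level -Type DWord
            # Read it back rather than trusting the write.
            $readBack = (Get-ItemProperty -LiteralPath $key -Name $name).$name
            if ($readBack -ne $level) { throw "$name reads back as $readBack, expected $level" }
        }
    }

    # Restart CAVA and the CEE Monitor so they pick up the new setting.
    $services = @(Get-Service | Where-Object { $_.DisplayName -match 'CAVA|CEE Monitor' })
    if ($services.Count -eq 0) { throw 'Could not find the CAVA / CEE Monitor services by display name.' }
    foreach ($svc in $services) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Restart-Service')) {
            Restart-Service -Name $svc.Name -Force
            (Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        }
    }
    Get-Service -Name $services.Name | Select-Object Name, DisplayName, Status
}

# Set-CavaDebug -Enabled $true -WhatIf   # preview what would change
# Set-CavaDebug -Enabled $true           # enable before reproducing the failure
# Set-CavaDebug -Enabled $false          # turn it back off when you are done
```

Use -WhatIf first to see which registry values and services it would touch. Leaving Debug and Verbose at 0x3F produces a lot of output, so run it with -Enabled $false once the capture you need has been saved.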