And FYI, disabling the antivirus doesn't fix the problem
These two processes are still blocked:
[SOLVED] Waptagent deployment issue
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
Renaud Villet
- Messages: 30
- Registration: January 23, 2020 - 2:12 PM
Actually, my colleague created a support ticket for this issue (https://espaceclient.tranquil.it/support/2601197)!
For the time being, we've worked around the problem by reverting to the old agent (version 2.6.1.17472), and it's working.
Hello everyone,
I'm having the same problem here; deploying the new agent via GPO isn't working.
We've tried using the --force option and removing the minimum version check from the script, but nothing helps.
It's not the antivirus; the exceptions are correctly added.
When we launch the agent manually on the desktop, it works.
Version 2.6.17765, and my colleagues tell me there was already a problem with the previous version.
We're waiting for a fix; I'm receiving 50 machines this week.
Best regards.
I am unable to reproduce the problem at the moment.
There have been quite a few changes, related to security, since version 2.6.1.17472.
As a workaround, it is possible to use waptdeploy.exe version 2.6.1.17472 with the latest version of waptagent.exe
if the problem lies in waptdeploy.
Ideally, we should have a log of whether or not the GPO that launches waptdeploy was executed, along with the contents of the standard output.
Would it be possible to modify the GPO like this:
- Add a redirection of the standard output of waptdeploy to a log
-> GPO script: cmd.exe
-> GPO argument: /C "..." >> c:\windows\temp\waptdeploy.log
- Add a log for the agent installation with the argument --setupargs="/LOG=c:\windows\temp\waptagent.log"
It must look like:
Code:
Script: c:\windows\system32\cmd.exe
Arg : /C ""\\mondomaine.lan\SysVol\asfrance.lan\Policies\{DE7ED1A0-C08D-4B2E-943E-610900D31082}\Machine\Scripts\Startup\waptdeploy.exe" --hash=2158caca675e986041ebf924d2ac09b1b5731dc3bba6c78be990097717596465 --minversion=2.7.0.18651 --wait=15 --waptsetupurl=http://wapt.mondomaine.lan/api/v3/get_waptagent_exe/{{ip}}/waptagent.exe --setupargs="/LOG=c:\windows\temp\waptagent.log"" >> c:\windows\temp\waptdeploy.log
After forcing the GPO (gpupdate /force) and restarting the machine, what is the content of the two files?
c:\windows\temp\waptdeploy.log
And
c:\windows\temp\waptagent.log
FYI: changes to waptdeploy
* Explicit paths in the manifest for DLLs potentially used by waptdeploy (to avoid DLL Hijacking)
Code:
<file name="version.dll" loadFrom="%SystemRoot%\system32\version.dll" />
<file name="secur32.dll" loadFrom="%SystemRoot%\system32\secur32.dll" />
<file name="cryptsp.dll" loadFrom="%SystemRoot%\system32\cryptsp.dll" />
<file name="credssp.dll" loadFrom="%SystemRoot%\system32\credssp.dll" />
<file name="ncrypt.dll" loadFrom="%SystemRoot%\system32\ncrypt.dll" />
<file name="dnsapi.dll" loadFrom="%SystemRoot%\system32\dnsapi.dll" />
<file name="iphlpapi.dll" loadFrom="%SystemRoot%\system32\iphlpapi.dll" />
<file name="winnsi.dll" loadFrom="%SystemRoot%\system32\winnsi.dll" />
<file name="rasadhlp.dll" loadFrom="%SystemRoot%\system32\rasadhlp.dll" />
<file name="swdrm.dll" loadFrom="%SystemRoot%\system32\swdrm.dll" />
<file name="advapi32.dll" loadFrom="%SystemRoot%\system32\advapi32.dll" />
<file name="crypt32.dll" loadFrom="%SystemRoot%\system32\crypt32.dll" />
<file name="kernel32.dll" loadFrom="%SystemRoot%\system32\kernel32.dll" />
<file name="wldap32.dll" loadFrom="%SystemRoot%\system32\wldap32.dll" />
<file name="ws2_32.dll" loadFrom="%SystemRoot%\system32\ws2_32.dll" />
* Use of the directory <wapt>\private\tmp if it exists for downloading "waptagent.exe"
* Wait for a maximum of "--wait minutes" for the processes 'waptagent.exe', 'waptsetup.exe', 'waptagent.tmp', and 'waptsetup.tmp' to stop before launching the installation of waptagent.exe. If they have not stopped after this time, they are forcibly stopped.
* We wait for the ongoing tasks of the wapt service to finish for a maximum of 10 minutes before stopping it
Tranquil IT
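The manifest pinning listed in the post above can be audited offline. This Python sketch is an added example, not Tranquil IT's code: it parses `<file name=... loadFrom=...>` entries, checks that each one resolves to the same file name directly under system32, and reports files in the script directory that carry a pinned DLL name. The `C:\Windows` system root and the directory listing are assumptions constructed for the illustration.

```python
import ntpath
import re

# Subset of the manifest entries quoted in the post above.
MANIFEST = r'''
<file name="version.dll" loadFrom="%SystemRoot%\system32\version.dll" />
<file name="secur32.dll" loadFrom="%SystemRoot%\system32\secur32.dll" />
<file name="cryptsp.dll" loadFrom="%SystemRoot%\system32\cryptsp.dll" />
<file name="ws2_32.dll" loadFrom="%SystemRoot%\system32\ws2_32.dll" />
'''

FILE_RE = re.compile(r'<file\s+name="([^"]+)"\s+loadFrom="([^"]+)"\s*/>', re.I)


def pinned_dlls(manifest, system_root=r"C:\Windows"):
    """Map each lower-cased DLL name to its normalised, expanded loadFrom path."""
    pins = {}
    for name, load_from in FILE_RE.findall(manifest):
        # A function is used as replacement so backslashes are taken literally.
        expanded = re.sub("%SystemRoot%", lambda m: system_root, load_from, flags=re.I)
        pins[name.lower()] = ntpath.normpath(expanded).lower()
    return pins


def audit(manifest, app_dir_listing, system_root=r"C:\Windows"):
    """Return (bad_pins, shadowing).

    bad_pins: DLL names whose loadFrom does not resolve to the same file name
    directly under the system32 directory (for example after '..' segments).
    shadowing: files in the application directory that carry a pinned DLL name.
    """
    sys32 = ntpath.normpath(ntpath.join(system_root, "system32")).lower()
    pins = pinned_dlls(manifest, system_root)
    bad = sorted(n for n, p in pins.items()
                 if ntpath.dirname(p) != sys32 or ntpath.basename(p) != n)
    shadowing = sorted(f for f in app_dir_listing if f.lower() in pins)
    return bad, shadowing


if __name__ == "__main__":
    # Constructed listing of the GPO Startup script directory.
    listing = ["waptdeploy.exe", "VERSION.dll"]
    print(audit(MANIFEST, listing))
```

A non-empty second list means a same-named DLL sits beside waptdeploy.exe and deserves a closer look, whether or not the pin is in place.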
Hello,
you can install the agent with the parameters "/VERYSILENT /MERGETASKS=useWaptServer" via a GPO script in the meantime.
Normally, the message should only appear once on the first boot if the "Install the waptupgrade package as soon as the agent sees it" option is checked, or at worst, it should only install when the machine is shut down.
The only computers that give me trouble are those without the waptupgrade package, missing from my console, or with a non-functional agent.
Despite this bug, 100% of the clients in the console have the agent up to date.
The initial deployment via GPO works by launching waptdeploy via "cmd.exe /C " ..."
The reason for the decline in behavior in some fleets is not yet known...
Code:
Script : c:\windows\system32\cmd.exe
Arguments : /C ""<chemin>\waptdeploy.exe" --hash=0731eee77445637c17c97f88cd5a53f0d39fac54549b9c3276b91b9195f57c16 --minversion=2.6.1.17765 --wait=15 --waptsetupurl=https://wapt.testdeploy.lan//api/v3/get_waptagent_exe/{{ip}}/waptagent.exe "
Example of the argument (to adapt):
/C ""\\testdeploy.lan\sysvol\testdeploy.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup\waptdeploy.exe" --hash=0731eee77445637c17c97f88cd5a53f0d39fac54549b9c3276b91b9195f57c16 --minversion=2.6.1.17765 --wait=15 --waptsetupurl=https://wapt.testdeploy.lan//api/v3/get_waptagent_exe/{{ip}}/waptagent.exe "
Tranquil IT
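A review of the GPO argument quoted in the post above, as an added example that is not part of the original post or of WAPT. It extracts the options, checks the pin format, the download scheme and the log redirection, and compares a payload with the pin in constant time. It assumes that `--hash` carries the SHA-256 of the downloaded waptagent.exe; the payload bytes are supplied by the caller.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Argument from the post above; "<chemin>" is the page's own path placeholder.
GPO_ARG = (
    '/C ""<chemin>\\waptdeploy.exe" '
    "--hash=0731eee77445637c17c97f88cd5a53f0d39fac54549b9c3276b91b9195f57c16 "
    "--minversion=2.6.1.17765 --wait=15 "
    "--waptsetupurl=https://wapt.testdeploy.lan//api/v3/get_waptagent_exe/{{ip}}/waptagent.exe \""
)

OPT_RE = re.compile(r'--([a-z]+)=("[^"]*"|\S+)')


def parse_options(arg):
    """Extract --name=value pairs; quoted values lose their quotes."""
    return {name: value.strip('"') for name, value in OPT_RE.findall(arg)}


def review(arg):
    """Return a list of findings for one waptdeploy GPO argument."""
    opts = parse_options(arg)
    findings = []
    if not re.fullmatch(r"[0-9a-fA-F]{64}", opts.get("hash", "")):
        findings.append("--hash is missing or is not a SHA-256 hex digest")
    if urlsplit(opts.get("waptsetupurl", "")).scheme != "https":
        findings.append("--waptsetupurl is not https: integrity rests on --hash alone")
    if ">>" not in arg:
        findings.append("standard output is not redirected to a log file")
    return findings


def sha256_hex(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def matches_pin(data, pin):
    """Constant-time comparison of the payload digest with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pin.strip().lower())


if __name__ == "__main__":
    print(review(GPO_ARG))
```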
The latest version of waptagent.exe (2.6.1.17765) is incorrectly flagged as a Trojan by an antivirus program: WithSecure (Trojan.TR/Crypt.XPACK.Gen3). However, this is a separate issue from waptdeploy, but not from waptsetup.exe (https://www.virustotal.com/gui/file/592 ... 37e083b088).
Tranquil IT
Hello,
I'm following up on the incorrect flagging of waptagent.exe.
I assume it's normal that waptexit.exe, which originates from waptagent.exe 2.6.1.17787, also has its signature tagged as a threat, and that it can be safely whitelisted?
VirusTotal checks for waptexit.exe:
- Avast: FileRepMalware [Misc]
- AVG: FileRepMalware [Misc]
- Avira (no cloud): TR/Crypt.XPACK.Gen3
- DeepInstinct: MALICIOUS
- Google: Detected
- Ikarus: Trojan.Crypt
- Sophos: Mal/Generic-S
- Symantec: Trojan.Gen.MBT
- Trellix ENS: Artemis!691222F8E96B
- WithSecure: Trojan.TR/Crypt.XPACK.Gen3
Thank you
- dcardon
- WAPT Expert
- Messages: 1929
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
- Contact :
Hi Kevin,
unfortunately, antivirus programs aren't always very intelligent... We're currently making some small modifications to avoid triggering false positives. For example, the latest change we tested is not compressing the Unicode character set. Indeed, when there's code with high entropy (which is the case with compressed code), some antivirus programs interpret it as encrypted/obfuscated code that could be hiding malicious code...
The strange thing is that the same 64-bit waptexit binary [1] is detected by VirusTotal [2]... Even though it's exactly the same code, just the compilation target is different... (historically, the wapt Windows agent is 32-bit, but we plan to switch it to 64-bit by default soon, so we compile everything on both targets by default, even though waptsetup.exe is still 32-bit only for now).
Life is tough...
Just so you know: our binaries are signed in the build chain using a hardware HSM (with a private key generated locally on the hardware HSM and not exportable), so if it's properly signed, it comes out of our build chain.
As a side note, a few years ago we had to change the default icon of the FPC/Lazarus application (a little cat paw) because it was flagged as suspicious, since someone once wrote a virus using that language...
The best thing to do is to submit a new version to your antivirus vendor to request a re-evaluation.
Denis
[1] https://wapt.tranquil.it/releases/wapt- ... ptexit.exe
[2] https://www.virustotal.com/gui/file/7eb ... d02d421503
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
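The entropy effect described in the post above, measured on constructed data (an added example, not Tranquil IT's code). It compares a plain-text Unicode character table with its zlib-compressed form, both overall and per window, which is how a packed-code heuristic would see them. The table built from Python's `unicodedata`, the 4096-byte window and the 7.2 bits/byte threshold are illustrative assumptions, not values taken from WAPT or from any antivirus product.

```python
import math
import unicodedata
import zlib
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(data, window=4096, threshold=7.2):
    """Fraction of full windows whose entropy exceeds the threshold."""
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    if not windows:
        return 0.0
    return sum(shannon_entropy(w) > threshold for w in windows) / len(windows)


def unicode_table():
    """Constructed stand-in for a Unicode character table embedded in a binary."""
    rows = []
    for cp in range(0x20, 0x3000):
        ch = chr(cp)
        rows.append("%04X;%s;%s\n" % (cp, unicodedata.name(ch, ""), unicodedata.category(ch)))
    return "".join(rows).encode("ascii")


def compare():
    """Return (size, entropy, high-entropy window ratio) for both forms."""
    raw = unicode_table()
    packed = zlib.compress(raw, 9)
    return {
        "raw": (len(raw), round(shannon_entropy(raw), 2), high_entropy_ratio(raw)),
        "compressed": (len(packed), round(shannon_entropy(packed), 2),
                       high_entropy_ratio(packed)),
    }


if __name__ == "__main__":
    for label, (size, h, ratio) in compare().items():
        print(f"{label:10s} size={size:7d} entropy={h:.2f} bits/byte "
              f"high-entropy windows={ratio:.0%}")
```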
