frequently asked questions troubleshooting guide

IMbrella FAQ & Troubleshooting Guide

1

Frequently Asked Questions &

Troubleshooting Guide

Deerfield.com 4241 Old 27 South Gaylord, MI 49735

800.599.8856 [email protected]

http://www.deerfield.com

Additional IMbrella support material is available at: http://www.deerfield.com/support


2

Frequently Asked Questions .................................................................................... 4

Server System Requirements ...................................................................................... 4 How do I configure IMbrella to block or restrict Instant Messaging?........................ 4 What does the user see when his Instant Messaging is blocked? ............................... 4 How do I restrict by time of day or day of week?....................................................... 5 How do I restrict by user? ........................................................................................... 5 Are there any issues when installing IMbrella on a system running under Microsoft Terminal Server?......................................................................................................... 5 Does IMbrella run under Microsoft Terminal Server or Remote Desktop Connectivity? .............................................................................................................. 5 I purchased the product and received an activation code via email. How do I enter this Activation Code?.................................................................................................. 6 What is Network Scanner?.......................................................................................... 6 How do I invoke IMbrella Network Scanner? ............................................................ 6 How do I pick different PCs to monitor? .................................................................... 7 How does IMbrella IPFinder work? ........................................................................... 7 How can I skip Scan for f Instant Message Activity?................................................. 7 How does IMbrella work with a SWITCH to process instant messages? .................. 7 Does IMbrella work with DHCP networks? ............................................................... 8 What is the IMbrella service? ..................................................................................... 8 How do I start and stop IMbrella service? .................................................................. 8 How do I startup IMbrella service from the Service Control Manager? .................... 8 How do I prevent the IMbrella icon from appearing with other logins? .................... 9 Where are IMbrella errors recorded? .......................................................................... 9 How do I know if my users are using multiple Instant Messaging addresses?........... 9 I received an email report indicating that some users are spending excessive time in Instant Messaging. How do I change that? ................................................................. 9 How do I create and use a Group (of users)? ............................................................ 10 I see a mixture of usernames and IP addresses - why? ............................................. 10 What are the columns that I see when I look at Users / Inhouse Users? .................. 10 How do I reset the counts and other data in the Users / Inhouse Users list? ............ 12 What kind of computers can I monitor?.................................................................... 12 Do I need to change the settings of the desktops in use at my company? ................ 12 What is the impact of IMbrella on my network? ...................................................... 12 Will IMbrella catch viruses in files sent via Instant Messaging? ............................. 12 Can I see summary usage (so I don't violate my company's privacy policy?).......... 12 How are the Instant Messages stored? ...................................................................... 13 After using the product for a while, how do I replay a conversation? ...................... 13 What is a 'licensed user'?........................................................................................... 13 What is the difference between the Live Trial and the licensed product? ................ 13 What is the Archive to CD feature of IMbrella?....................................................... 13 How do I create an archive?...................................................................................... 14 How do I import a previously created Archive (Access) database? ......................... 14 How do I look at conversations that were written to a CD? ..................................... 15 Can I look at an archive without altering IMbrella's logging? .................................. 15


3

Does IMbrella send email? ....................................................................................... 16 How do I allow IMbrella to modify its own registry? .............................................. 16

Troubleshooting.......................................................................................................... 17

IMbrella Service reported License Expired or Invalid License ................................ 17 I'm seeing IP addresses as the user's name, instead of their Instant Message name. Why? ......................................................................................................................... 17 I received the error "Your registry has been reset"................................................... 17 Service is NOT set as Automatic Startup on system startup .................................... 17 None of the NIC (network) adapters are enabled ..................................................... 18 Network Scanner, or the IMbrella Service, will not start ......................................... 18 Problem Starting IMbrella Service: Not Started ....................................................... 19 IMbrella Service crashes as soon as it starts, or will not start, sometimes with error 2186........................................................................................................................... 19 The icon for IMbrella keeps re-appearing every few seconds with a message ......... 19 Step-by-step guide to solving why IMbrella isn't capturing instant messages ......... 20


4

Frequently Asked Questions

Server System Requirements IMbrella installs under Windows XP, Windows 2000 Pro, Window 2000 Server and Windows 2003 Server. It will not operate on Windows ME, Windows 95 or Windows 98. We have not tested it on Windows NT. By default IMbrella uses a Microsoft Access (Jet Engine) database. You do not need Microsoft Access installed on your server. From our tests, for small to medium size offices, a 1 GHz Pentium-class system should be sufficient. For large offices (watching hundreds of PCs), then you probably want to have a 2 GHz Pentium-class system. On the Stats / Network Status page, you can view the efficiency of your server. IMbrella computes the average throughput and determines how much extra processing power it has, or if it is missing any network data. If this number drops below 50%, it means that IMbrella can barely keep up with the traffic. If this number drops to 0%, you definitely need a more powerful CPU.

How do I configure IMbrella to block or restrict Instant Messaging? Product Menu Selection Blocker Block / Block Instant Messaging Blocker Plus Block / Block Instant Messaging GateKeeper GateKeeper / Configure Secure Enterprise GateKeeper / Configure Secure Enterprise Pro GateKeeper / Configure Compliance Enterprise GateKeeper / Configure

What does the user see when his Instant Messaging is blocked? Each Instant Messaging system acts differently when blocked by IMbrella. In all cases, if you re-ALLOW a user who was BLOCKED, the user should logout and exit from the Instant Message client (AOL, MSN, Yahoo!, ICQ, Trillian, etc.) and start it up again. MSN - MSN client does not shutdown, but responds with Message Not Delivered. Yahoo! - Yahoo client disconnects. AOL, ICQ - AOL, ICQ client disconnects.


5

How do I restrict by time of day or day of week? In all of the products except Blocker, you can specify the days of the week, and times within each day to allow instant messaging. Select menu Block / Schedule IM Usage, or GateKeeper / Schedule IM Usage. Click on each day to allow instant message usage, and specify the times of the day, then click Save. For example, to allow the entire day, specify 00:00-23:59.

How do I restrict by user? In GateKeeper, Secure Enterprise, Secure Enterprise Pro and Compliance Enterprise, you can ALLOW some users to instant message, and BLOCK others. Select menu GateKeeper / Configure. For each user, set the user to ALLOW or BLOCK, then click Save.

Are there any issues when installing IMbrella on a system running under Microsoft Terminal Server? If you are running Microsoft Terminal Services on your server, you will not be able to watch IMbrella Network Scanner.

Does IMbrella run under Microsoft Terminal Server or Remote Desktop Connectivity? If you are running Microsoft Terminal Services on your server as a way to manage it remotely (using Remote Desktop Connectivity), you will not be able to watch the IMbrella Network Scanner. However, if the IMbrella Service is running, it will operate properly. You can monitor the throughput of the IMbrella Service by using the IMbrella Console. Click on the Network Status icon. The Network Status screen is refreshed automatically and will show you the status of all IMbrella servers connected to a common IMbrella database. Note that when using Windows 2003, we've received a couple of reports that IMbrella crashes when operating in this mode. It is caused by IMbrella attempting to access the desktop to display the Network Scanner window. Since you cannot watch IMbrella Network Scanner under Terminal Services, you should modify the following registry keys to fully disable the IMbrella Service's attempt to display its status on the desktop:


6

HKEY_LOCAL_MACHINE/software/p2plog/p2plog/1.0/control/noConsole 1 HKEY_LOCAL_MACHINE/software/p2plog/p2plog/1.0/control/noIcon 1

I purchased the product and received an activation code via email. How do I enter this Activation Code? Click My Imbrella / Activate License. You can erase the existing "trial" activation code and enter your new activation code, in the format: AAAA-BBBB-CCCC-DDDD You must include the dashes ("-") in the license, just like you received in your email.

What is Network Scanner? IMbrella Network Scanner is an interactive window associated with the IMbrella Service. Network Scanner shows what the IMbrella Service is currently performing; the IMbrella Console shows what has already occurred (up to the last second). Network Scanner is primarily used for diagnosing IMbrella issues, such as: * Verifying that IMbrella can sniff traffic of all PCs on your network. * Seeing how much TCP/IP traffic is being processed by IMbrella. * Recording raw data for our engineers to resolve a problem.

How do I invoke IMbrella Network Scanner? Once the IMbrella Service is running, you can watch the Network Scanner either by: * Using the IMbrella Console, click Settings / Network Scanner / Watch Network Scanner * From the Windows desktop, click Start / Program / IMbrella / Watch Network Scanner In some cases, the IMbrella Service is unable to interact with your desktop windows and you will not be able to watch the Network Scanner. If you are running Microsoft Terminal Services on your server, or running Windows 2003 Server, you will not be able to watch Network Scanner. You DO NOT need to run IMbrella Network Scanner to use IMbrella; if the


7

IMbrella Service is running, IMbrella will operate properly. In this case, you need to: * First stop the IMbrella Service. * From the Windows desktop, click Start / Program / IMbrella / Run Non-Service Network Scanner

How do I pick different PCs to monitor? If the IMbrella computer is connected to a SWITCH (the typical TRIAL scenario), select Settings /Setup: PC List. If the IMbrella computer is connected to a hub, port monitor on a managed switch or on a proxy server, IMbrella will monitor and manage all of the PCs that it can "listen to".

How does IMbrella IPFinder work? IPFinder sends a broadcast to all of the computers in the Class C range of the computer's IP address (i.e. 192.168.1 to 192.168.1.255), and waits for the answer. IPFinder is invoked by the Wizard for Select PCs to Manage. IPFinder finds the PCs, and then lets you select which PCs you want to manage. You can change which PCs to manage by clicking on Settings / Modify Settings / Network Setup, and then click Re-run Network Setup Wizard.

How can I skip Scan for f Instant Message Activity? In the screen Scan for Instant Message Activity, click on radio button Skip scanning for Instant Message activity - I know which PCs use Instant Messaging. You must select the PCs that you want IMbrella to manage (the list shows the each PC's IP address and computer name).

How does IMbrella work with a SWITCH to process instant messages? IMbrella instructs the PCs that you select to use the computer Imbrella is installed on as a proxy for Internet traffic. This occurs automatically (when the IMbrella service is running). However, when you stop the IMbrella service, or shutdown the computer, the PCs will no longer use the IMbrella computer as a proxy for Internet traffic.


8

To re-establish the IMbrella proxy, simply restart the IMbrella service. The IMbrella service automatically starts when the computer is rebooted.

Does IMbrella work with DHCP networks? Yes, when you selected the PCs, IMbrella watches those PCs, regardless of the change in IP address. IMbrella continuously monitors changes in your network and tracks instant message activity on the PCs based on MAC address (of the PCs that were originally selected).

What is the IMbrella service? The IMbrella service is the engine that actually captures and controls the InstantMessaging conversations and writes it into the database, and processes restrictions and transgressions. It is implemented as a Windows service. The name of the IMbrella service is "p2pLogService" and it also runs a program "p2pLog.exe" When running, it shows a small red IMbrella icon on the lower right corner of your screen.

How do I start and stop IMbrella service? From the IMbrella Console, Settings / Start and Stop IMbrella Service. If IMbrella service is not running, click Start. It may take a few seconds for IMbrella service to start - if that happens, the IMbrella will display Start Pending. Click Refresh until IMbrella displays Running. As long as the IMbrella service is running, it will record instant message conversations. You do not need to be running the IMbrella Console for IMbrella to record instant messages. If IMbrella service was already running, you will see a small red IMbrella icon in the lower right corner of your screen. Click Stop to the IMbrella service. When you restart the computer on which IMbrella is installed, the IMbrella service will automatically start.

How do I startup IMbrella service from the Service Control Manager? First right click on My Computer and select Manage. Double click on Services and Applications and then click on Services in the left panel. Look for the p2pLogService in the right panel, and click on the Start button, or right click on p2pLogService and select Start. The service should start and remain running.


9

How do I prevent the IMbrella icon from appearing with other logins? The startup for the IMbrella icon (called TaskBar Icon) is stored in the directory: C:\Documents and Settings\All Users\Start Menu\Programs\Startup You can either delete this file, or move it to the directory associated with the login(s) where you want to see the icon. If you delete this file, you can still invoke Network Scanner from the IMbrella Console by clicking Settings / Modify Settings / Network Scanner / Watch Network Scanner.

Where are IMbrella errors recorded? IMbrella Service records its status and errors in the Windows Application Event Log. If the IMbrella Service (p2pLog.exe) terminates abnormally, it creates a log file (details), and is automatically restarted by the IMbrella Service. IMbrella Console records its progress and errors in the Windows Application Event Log. It records the step-by-step progress of certain tasks, such as importing, exporting or merging data. IMbrella Console and the all automated or scheduled (Scheduled Tasks) records their progress in the Task Log table. You can view the task log table by clicking Settings / Task Log. You can view the Windows Application Event Log from Windows (click Manage when you right click on My Computer), or you can view it from IMbrella Console. Click Settings / Modify Settings / Errors, and click Show.

How do I know if my users are using multiple Instant Messaging addresses? Click Users / Aliases. If your users are using Microsoft Terminal Server, all of the users will have the same IP address, so you cannot use this information on the screen reliably.

I received an email report indicating that some users are spending excessive time in Instant Messaging. How do I change that? This is controlled by the Alert by Excessive Time alert. Click Violations / Usage Computation to change the defaults. There is a calculator to help you determine the correct read and write speed for your organization.


10

How do I create and use a Group (of users)? Groups provide several purposes in IMbrella: You can turn monitoring ON or OFF for everyone in a group. Using Manager Privileges, you can restrict who can see the conversations for people in each group. For example, you can set a sales manager to view conversations only for his group, and a support manager to view conversations on for her group. Select Users / Groups to see the list of groups, and click Add Group. Enter the group name and description, then click Save. Double click on a group to open up that group, and select the users, then click Save. After you create a group, you can set all of the users to have their conversations be logged, or not logged. You can use Manager Privileges to control who can see the conversations from the members of the group.

I see a mixture of usernames and IP addresses - why? If IMbrella does not see the user's login, or other identifying message at the beginning of a conversation, it can only identify one party of the conversation, and uses the IP address to identify the other party. Eventually, IMbrella learns the other party's name, and begins to use it. IMbrella can go back into the database, and using the information it learned, fix up the older messages - it replaces the IP address with the proper user name. This occurs each time you start up the IMbrella Console, or with the SQL database, at midnight. To modify that setting, or perform a conversion immediately, click Settings / Database Maintenance / General.

What are the columns that I see when I look at Users / Inhouse Users? The primary columns are: User Display Name - Display name of the user. This is the name that the user will be known as in all reports, charts and tables. The display name defaults to the Instant Message address, but you can change


11

this manually, or have IMbrella use another method to determine the screen name. Click for more info on changing the display name. You must click Save if you make any changes. IM address - Instant Message address. In AOL lingo, that's a screen name. In MSN lingo, that's your email address. IM - Instant Message system (AIM - AOL, MSN, YIM - Yahoo, ICQ) Monitor? - Determines if this user is monitored by IMbrella. If Yes, then the user's messages are archived and his messages are analyzed for blacklisted words, and his instant message privileges can be suspended, and are subject to blocking. You can also put this user into a group, and toggle the entire group ON and OFF. Block? - Determines if this user is blocked from instant messaging. If BLOCK, then the user is not allowed to send or receive instant messages. When you click Show Stats, you will see recent statistics. You can clear these stats by clicking Reset Stats. Last Msg - Time and date of last message sent to or received by this user. Last Contact - Instant Message address of last person communicating with this user. # Msgs - Number of messages sent to or received by this user, since user was first monitored, or since last reset. When you click Expanded Info, you will see additional name information: IP - Last IP address where this user was seen. Email - Email address. Computer name - Name of computer based on IP address. Other buttons: Hourly Usage - Shows the hour -by-hour usage for this user. Contacts - Shows the contacts this user sends Instant Messages to.


12

How do I reset the counts and other data in the Users / Inhouse Users list? Click the Reset button. This will reset Last Msg time, Last Contact name, # Msgs, and IP address.

What kind of computers can I monitor? IMbrella can monitor instant messages sent to and from Windows PCs, Macintosh or Linux computers. IMbrella monitors every computer that uses an instant message client, such as AOL's AIM instant messenger, Microsoft's MSN instant messenger, Yahoo!'s instant messenger, ICQ instant messenger, Trillian's instant messenger, or many of the 3rd party instant messenger clients that use these protocols.

Do I need to change the settings of the desktops in use at my company? No, there are no changes required to the desktops. Instead, IMbrella installs on any admin PC with access to your network (see below) and analyzes ALL web traffic (via proprietary MessageStorm technology) to detect, manage and archive instant messages. IMbrella is invisible to your employees and requires no extra hardware, client applications or desktop maintenance.

What is the impact of IMbrella on my network? As a passive listener, there is no impact on the network, or on the time to deliver the messages to the recipient.

Will IMbrella catch viruses in files sent via Instant Messaging? IMbrella can be set to block file transfers via IM, the main channel for virus transmission.

Can I see summary usage (so I don't violate my company's privacy policy?) Yes. You can turn off archiving of messages and only record totals, or use our Detector product to watch for excessive usage. In any case, most companies have an Acceptable Use Policy that informs their constituency of the proper use of Instant Messaging.


13

How are the Instant Messages stored? All conversations are stored in a Microsoft Access (included) or SQL database. You can analyze the data based on the participants, time or date, or you can scan the conversations for keywords.

After using the product for a while, how do I replay a conversation? Using the tools provided with IMbrella, you can search for a specific participant, and see any (or all) of that user's conversations. Or you can see all activity for today. You can search through the archive for keywords, and view subsets of several conversations.

What is a 'licensed user'? Each employee (or desktop PC) managed by an IMbrella product counts as a user. An employee can have unlimited instant message "screen names." IMbrella lets you assign screen names to individual users.

What is the difference between the Live Trial and the licensed product? The live trial is limited to usage on 10 PCs and erases message contents after one hour. Licensed/purchased versions can manage an unlimited number of users at your firm.

What is the Archive to CD feature of IMbrella? IMbrella provides a compliance feature called 'Archive to CD' that creates a Microsoft Access database that can be copied for offsite storage. You must specify the directory where the file will be created. You can set IMbrella to perform this action every night (or less often). If you are using the default database, the following steps occur: 1. The entire live database is copied to a unique filename ("ARCHIVE-date.MDB") in the specified directory. If the file already exists, no action is performed. Hence, this can only be performed once a day. 2. The success (or failure) of the processing is noted in the Nightly Tasks table. If you are using an MSDE / SQL database, it will extract all messages and user information into the Microsoft Access database. Each time an archive from an MSDE /SQL database is created, the following steps occur: 1. An empty Microsoft Access database ("ARCHIVE-date.MDB") in the specified


14

directory is created. If the file already exists, no action is performed. Hence, this can only be performed once a day. 2. Either all messages (Archive All), or only those messages that have not been previously archived (Archive New) are inserted into this file. 3. The success (or failure) of the processing is noted in the Nightly Tasks table. You can create a CD of files in this directory for offsite storage, or you can email the file to a 3rd party compliance partner. Use an automated CD creation program, such as: Handybackup or NTI Backup Now to perform nightly automatic creation of a CD. (There are many such programs that can do scheduled backup to CD).

How do I create an archive? To create an archive of the entire database, click Archive All. To create an archive from the IMbrella Console, click Archive to CD, and then click Archive New (MSDE/SQL only). Normally the conversations are copied to the resultant archive Access database. In some Instant Messaging systems, (such as AOL), the conversations include formatting information or HTML tags. If you are using MSDE / SQL database, you can remove these tags so that the data is more readable in Access, by clicking on the Text only box. To create an archive automatically each night of only new conversations (MSDE/SQL only), use the following command as a Scheduled Task: \Program Files\IMbrella\Console\IMbrella.exe ARCHIVE-NEW To create an archive automatically each night of the entire database, use the following command as a Scheduled Task: \Program Files\IMbrella\Console\IMbrella.exe ARCHIVE-ALL

How do I import a previously created Archive (Access) database? This feature is often used to copy data from a secondary IMbrella server to a primary IMbrella server SQL database: 1. If the secondary server is using the default database, no additional conversation is required. If the secondary server is using SQL for its database, create an archive using the Archive to Microsoft Access feature on the secondary IMbrella server as described above. 2. Copy resultant Access database (the ".mdb" data file) from the secondary server to the primary IMbrella server.


15

3. Using the IMbrella Console, click Settings / Database Maintenance / Import Archive, specify the Access database file and click Perform Import. The import is done in two phases: 1. The user table (Users) is merged into the SQL database. If the Instant Message address exists on the SQL server, no additions or changes are made to the user table. If the Instant Message address does not exist, the user record is added to the SQL database. 2. The messages table (Archive) is added to the SQL database, with appropriate changes made to the user index fields (MyUserId and HisUserId). To automate this process, use the following command as a Scheduled Task: \Program Files\IMbrella\Console\IMbrella.exe IMPORT-ARCHIVE="filename" for example: \Program Files\IMbrella\Console\IMbrella.exe IMPORT-ARCHIVE="c:\temp\archiveJanuary.mdb"

How do I look at conversations that were written to a CD? The archive file was created by: * Archive to CD * Purge * A copy of the IMbrella database when using the default Microsoft Access database. On the server where IMbrella is installed, click Settings / Database Maintenance / Open Archive, and specify the Microsoft Access data file. If you want to access the conversations from another PC, install the IMbrella Remote Client first, and then click Settings / Database Maintenance / Open Archive, and specify the Microsoft Access data file.

Can I look at an archive without altering IMbrella's logging? To read an archive from the IMbrella Console, click Settings / Database Maintenance / Open Archive, and specify the Microsoft (Access) data file. To read an archive from the Remote Console, click Settings / Database Maintenance / Open Archive, and specify the Microsoft (Access) data file.


16

The IMbrella Console (or IMbrella Remote Console) will use this setting and the IMbrella Service will not be affected - it will continue to log messages to the default database. When you exit and restart the IMbrella Console, it will revert back to the same database as used by the IMbrella Service (stored in the registry).

Does IMbrella send email? With the IMbrella Console, you can send an email from most screens (in addition to exporting the information to Excel or Word). The email addresses) you supplied when you during the wizard used as the default email recipients. You can set IMbrella to automatically send an alert to you under the following conditions: * A blacklisted word is sent by an in-house user. * At the end of the day, if any blacklisted words were sent by an in-house user. * At the end of the day, if any in-house users spent an excessive amount of time sending and receiving Instant Messages. Automatic alerts use the IMbrella Internet-based alert service: your IMbrella sends a “blind ping” to an automated server, which activates an email alert to you. The content or participants of the IM conversations is NOT transmitted nor is any content or participant names stored on the IMbrella unattended servers.

How do I allow IMbrella to modify its own registry? If you have installed anti-spyware, it may prevent the IMbrella post-installation steps from updating the registry. We've seen that with several spybot programs. You have two choices - uninstall (or disable) the spyware, install IMbrella and then re-install (or re-enable) the spyware, or open up the privileges on the IMbrella registry tree. To open up privileges on the IMbrella registry tree: 1. Run the program REGEDT32 2. Open HKEY_LOCAL_MACHINE on Local Machine. 3. Open SOFTWARE and select p2pLog. 4. Click Security, then Permissions. 5. Select the name Administrators and click on the box Full Control. Then click OK and exit from REGEDT32. 6. Try running the IMbrella Post-Installation steps again. To do this: click Start / Programs / IMbrella / Post Insta llation Steps. 7. If you the install script still cannot update the registry, then select the name Users and click on the box Full Control.


17

Troubleshooting

IMbrella Service reported License Expired or Invalid License Your demo license has expired. Please contact [email protected] if you need to continue evaluating IMbrella. The demo license or activation code you entered is not valid. You can re-enter the demo license or activation code by clicking SETUP and selecting Activate License.

I'm seeing IP addresses as the user's name, instead of their Instant Message name. Why? IMbrella "learns" everyone's name AFTER it sees that person login (to AOL, MSN, etc.). When you first startup IMbrella, it records the conversation under their IP address until it learns their Instant Message name. After it learns their name, at midnight (or when you restart IMbrella Console, it will adjust the conversations so that the names are correct.

I received the error "Your registry has been reset" There is a program, such as spyware or Norton Systemworks that has reset your registry since the product was installed. During the post-installation steps, IMbrella creates the registry key: HKEY_LOCAL_MACHINE/Software/p2pLog/p2pLog/PostInstall and fills it in with the time and date (of when you ran the post-installation steps). IMbrella has detected that this registry key has been cleared. You need to determine which program on your server is resetting IMbrella's registry keys and resolve the problem.

Service is NOT set as Automatic Startup on system startup The IMbrella service is set as either Manual Start, or Disabled. This means that it will NOT startup when the system is started or rebooted.


18

To resolve this, click on My Computer and select Manage. Double click on Services and Applications and then click on Services in the left panel. Look for the p2pLogService (the IMbrella Service) in the right panel, and right click and select Properties. Change the Startup type to Automatic.

None of the NIC (network) adapters are enabled For some reason, none of the NIC (network) cards are set to be monitored. This can be caused by IMbrella never recognizing any NIC cards when first installed, or by changing a NIC card, or by disabling one or more NIC cards using the Settings / Modify Settings / Network Settings screen, or by a modification to the Windows Registry in the "p2pLog" section. If you cannot resolve this by enabling the NIC card in Settings / Modify Settings / Network Settings, submit a Trouble Ticket to our IMbrella support team.

Network Scanner, or the IMbrella Service, will not start If you cannot get either the IMbrella Service to start, or Network Scanner (from Start / Program / IMbrella / Network Scanner) to run, the reason is probably shown in the Windows Event Log under Application. Here are the most common reasons: * A connection to the Microsoft Access database cannot be made because: * IMbrella database is absent. Microsoft Access is NOT required on your server. * The access information for the database in the registry is wrong. * A connection to the SQL database cannot be made because: - MSDE/SQL Server is absent. - MSDE/SQL Server is not running. - The IMbrella database did not get installed into MSDE/SQL Server - The default username/password for the p2pLog database did not get created within MSDE/SQL Server. Network Scanner and IMbrella Service will exit if it cannot login to the database. Refer to the installation database and database support pages. Other reasons include: * The license has expired or is not valid. * Network Scanner runs, but IMbrella Service does not. The service did not install properly. Check the installation log file (Program Files/IMbrella/Logs/IMbrella_Install.log), or contact our support group.


19

Problem Starting IMbrella Service: Not Started For some reason, the IMbrella service will not start. Here are the most common reasons: * The IMbrella services is crashing as soon as it starts. * IMbrella was uninstalled from this computer, and then re-installed. In this case, the service is marked as DISABLED. Reboot the computer and try again. * Error code 1060: Service not installed. * You are running under Windows 2003 and using Microsoft Terminal Server. You need to change a registry setting for IMbrella.

IMbrella Service crashes as soon as it starts, or will not start, sometimes with error 2186 One common reason is that your hardware is new, and you need a newer version of the WinPCap driver. You can verify this by running the program IMbrella non-service Live View. Issue: Start / Programs / IMbrella / non-service Network Scanner. If non-service Network Scanner does not crash (and shows that its capturing traffic), then you can help us. We are actively trying to solve the error relating to the service starting on some computers - we cannot reproduce it at our site. Please contact us ASAP if you encounter it. If you are using Terminal Services under Windows 2003, you may encounter this problem.

The icon for IMbrella keeps re-appearing every few seconds with a message

Something is causing IMbrella program to terminate. The IMbrella Service is watches the program "p2pLog.exe". If IMbrella Service detects that p2pLog.exe has terminated, it will automatically restart it. The message that pops up is IMbrella status: Network traffic monitoring is being initialized, followed by Network traffic monitoring is active. This is usually due to either an invalid license, or corrupted information in the Windows registry.


20

Step-by-step guide to solving why IMbrella isn't capturing instant messages Assuming that the IMbrella server is plugged into a hub (such as a Netgear DS104), and the Netgear is plugged into your router, and the rest of your network is plugged into the Netgear, then the problem may be with the NIC card in your PC. From the Start menu on Windows desktop, click Start / Program / IMbrella / Watch Network Scanner

That will bring up Network Scanner Control Page.

On the Control Page, you'll see lots of numbers.

• Watch the Total Bytes number. • Surf the web a little, or send some instant messages from this PC. • Then do nothing from this PC, and surf from another PC (connected to the

hub).

One of two things will happen:

• If it moves up in proportion to the activity on your PC and rises very slowly when you do nothing, that means that only traffic from your PC is being watched.

• If it moves up quickly even when you are doing nothing, that means all traffic on the LAN is being watched, but IMbrella is rejecting or not processing the traffic from other PCs.


21

Only the traffic from your PC is being watched: Assuming that the IMbrella server is plugged into a hub (such as a Netgear DS104), and the Netgear is plugged into your router, and the rest of your network is plugged into the Netgear, then the problem may be with the NIC card in your PC. IMbrella works with WinPCap, a low-level driver that puts the NIC into "promiscuous mode" to listen to all TCP/IP passing by the NIC. Almost all cards can be put into promiscuous mode, but of course, there are always exceptions. To test if your card can be put into promiscuous mode, download the following software WinDump.zip. Unzip the file WinDump.exe and run it. It will open up a window and show you all packets coming and going on the network. Test it out by surfing the web or sending Instant Messages from your PC. Then go to another PC and surf the web or sending an Instant Message. If WinDump displays traffic when you surf from another PC, please contact [email protected] and we'll try to figure out what we're doing wrong. If WinDump does not display traffic, then the NIC card cannot be put into promiscuous mode. There's a new version of WinPCap available that may work better - contact us and we can set you up to try that new version. IMbrella is rejecting or not processing the traffic from other PCs: To determine which condition is occurring, do the following test: On the Control page, click the SUSPEND button. This will prevent IMbrella from collecting any more data. Remember to click the RESUME button later to capture new data. Next, click to the Network Access page in Network Scanner, and click on the IP column (the leftmost column), to show the IP addresses that IMbrella has seen so far. Verify that there the IP address of the PC you are testing with is in the list. If it's not, then TCP/IP packets from this PC are physically not in the data stream analyzed by IMbrella. Once you resolve that problem, IMbrella should be work properly. For example, in the following page, a customer knew there was instant messaging on PC 10.40.12.3. As you can see in this example, that IP address is absent from the list of IPs, so that PC's data is not in the TCP/IP stream analyzed by IMbrella.


22

In this case, the IT manager found the problem (the switch where the PC was connected) was not being watched. Once it was resolved, the IP address showed up in this last. Remember to click the RESUME button after this test is finished. IMbrella is rejecting the traffic from other PCs - Something Else If you see the IP address of the PC you are testing with in the IP list, and you have set IMbrella's setting for IP Address (in Setup / Modify Settings / IP Addresses), then check to see if packets are being Rejected. Looking again at the Network Access page:

Now scroll to the right:


23

Watch the numbers when you send messages from your PC, versus another PC on the hub. If the AIM, MSN, YIM counts go up from the other PC, then things should be working. If the Rej (Rejected) count goes up from the other PC, then IMbrella is not properly parsing the instant messages. Please contact us. If the Rej.IP (Rejected IP) count goes up from the other PC, then IMbrella is rejecting these packets because they have a different IP address than IMbrella is set to watch. Contact us if you are convinced that the IP address ranges should match up.