Channel: Ivanti User Community : Document List - Antivirus and Antispyware

How to troubleshoot Ivanti Antivirus license issues

Troubleshooting Ivanti Antivirus licensing issues

 

This article describes the technical process that the administrator and Ivanti Antivirus must follow in order to successfully install and activate an Ivanti Antivirus key on a client.

 

Note: The Ivanti Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features as these features are covered by Ivanti EPS Device Manager and Patch and Compliance Manager.

 

 

 

How to obtain an Ivanti Antivirus license key

The license file is a file of the following type xxxxxxxx.key.  It contains service information required for the correct functioning of Ivanti Antivirus (Based on Kaspersky Endpoint Security 10) as well as the following data:

 

  • Information about the vendor of this version (company name and contact information)
  • Technical support information (who provides technical support and how to get it)
  • License key release date
  • License title and number
  • Information about functionality of the components
  • License expiration date

 

Log in to the Support Portal, then click "Other License keys" and enter the credentials used to activate the Core Server. Download the zip file which contains the new AV key file.

 

 

Import License to Core

 

The first step that needs to occur is to import an Ivanti Antivirus license into the core server.  You should have received a .ZIP file containing your .KEY file and a .PDF file that details the license information.

 

The following should be done from an Ivanti Endpoint Manager Console:

 

  1. Extract the .ZIP file received from LANDESK Licensing or from your Sales Representative to a location you will remember.
  2. On the Core Server open the following tool: Security and Compliance -> Agent Settings -> Gear (Settings) drop-down -> Ivanti Antivirus License information
    LicenseInformationWindow.jpg
  3. The following window will open:
    ImportedLicenseInformation.jpg
  4. Browse to the .KEY file unzipped in Step 1.

    Now this window will contain the date the license was created, the license number, and the license information number.

    License Expiration Information can be viewed in several places:

    a. Security Activity tool under Ivanti Antivirus -> Licenses
    LicenseSecurityActivity.jpg
    b. On the client in the Ivanti Antivirus program window under the "License" link at the bottom of the Window.
    ClientLicenseInformation.jpg
  5. After the new license key is imported the file is renamed to LDAV.KEY and gets copied to the LDLOGON\AVCLIENT\INSTALL\KEY folder on the Core Server.

 

What could go wrong?

  • Failure to write the LDAV.KEY to the LDLOGON\AVClient\Install\Key folder on the core server.  (Check rights, Console.exe.log, etc)

 

Update of licenses on Managed Clients

 

  1. When the next Security and Compliance (vulscan) scan is run on the client, the vulscan self update feature downloads LDAV.KEY and places it into the LDCLIENT directory.
  2. Vulscan.exe copies LDAV.KEY to the LDCLIENT\Antivirus\Install\Key folder on the client.
  3. Every 5 minutes the Ivanti Antivirus Service compares the hash between the LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY.  (Note: To have this update instantly you can restart the Ivanti Antivirus service)
    (LDAV.KEY in the LDCLIENT\Antivirus folder is the active key that the product uses)
  4. If a difference is found between LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY the license activation process will occur.  This involves invoking the Kaspersky licensing process that imports the key information into the product.
  5. The license information is stored in one of the following registry keys on the client depending on whether the OS is 32-bit or 64-bit

    HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License

                   

 

Manually updating the license

 

It is possible to manually update the Ivanti Antivirus license.  This can be useful for remote users who can't connect via VPN or CSA to pull down the new key from the core server automatically.

  1. On the core server, locate the current ldav.key file in C:\Program Files\LANDesk\ManagementSuite\ldlogon\AVClient\Install\key
  2. Copy this key to the client (or send it to your remote user by secure email, FTP etc.) and place it in C:\Program Files (x86)\LANDesk\LDClient\Antivirus\install\key
  3. Wait 5 minutes for the Ivanti Antivirus Service to compare the keys, or simply restart the service.

 

What could go wrong?

  • Failure to download the LDAV.KEY from the core server.  (This should be noted in the Vulscan.log file on the client).
  • Failure to copy the LDAV.KEY file from the LDCLIENT directory to the LDCLIENT\Antivirus\Install\Key folder on the client (This should be noted in the Vulscan.log file on the client)
    This could be caused by the LDAV.KEY file being read-only.
  • Failure for the Ivanti Antivirus service to copy the LDAV.KEY from LDCLIENT\Antivirus\Install\Key folder to the LDCLIENT\Antivirus folder on the client (This would show in the \ProgramData\LANDESK\Log\LDAV.log file)
  • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
  • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
  • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
    (Does that computer exist in the database?)
    Run a full inventory scan if it cannot be found.
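
The client-side key flow and its failure points can be checked in one pass. The following PowerShell is an added example, not Ivanti's own tooling: it assumes the default client path used in this article, the function name is hypothetical, and SHA-256 is used only to detect a difference between the files (the article does not say which hash the service computes).

```powershell
# Added example (not Ivanti code): inspect the three LDAV.KEY locations on a
# client and the License registry keys named in this article.
# Assumption: default agent path; pass -LdClient if the agent lives elsewhere.
function Get-LdavKeyState {
    param(
        [string]$LdClient = 'C:\Program Files (x86)\LANDesk\LDClient'
    )

    # Role -> relative path, in the order the key moves through the client.
    $locations = [ordered]@{
        Downloaded = 'LDAV.KEY'                        # placed by vulscan self update
        Staged     = 'Antivirus\Install\Key\LDAV.KEY'  # copied here by Vulscan.exe
        Active     = 'Antivirus\LDAV.KEY'              # key the product actually uses
    }

    $files = foreach ($role in $locations.Keys) {
        $path = Join-Path $LdClient $locations[$role]
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role     = $role
            Path     = $path
            Exists   = [bool]$item
            ReadOnly = if ($item) { $item.IsReadOnly } else { $null }
            Modified = if ($item) { $item.LastWriteTime } else { $null }
            # SHA-256 is an assumption; it is only used to spot a difference.
            Sha256   = if ($item) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        }
    }

    $by = @{}
    foreach ($f in $files) { $by[$f.Role] = $f }

    $findings = @()
    foreach ($f in $files) {
        if ($f.Exists -and $f.ReadOnly) {
            $findings += "$($f.Role) key is read-only, which can block the copy: $($f.Path)"
        }
    }
    if (-not $by.Staged.Exists) {
        $findings += 'Staged key missing: LDAV.KEY was not downloaded or copied (check Vulscan.log).'
    }
    elseif (-not $by.Active.Exists) {
        $findings += 'Active key missing: the service has not copied the staged key (check LDAV.log).'
    }
    elseif ($by.Staged.Sha256 -ne $by.Active.Sha256) {
        $findings += 'Staged and active keys differ: activation is pending (5 minute check) or failed (check LDAV.log).'
    }

    # The license information lives under one of these two keys.
    $regPaths = @(
        'HKLM:\Software\LANDesk\managementsuite\WinClient\Antivirus\License',
        'HKLM:\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License'
    )
    $licenseKey = $regPaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $licenseKey) {
        $findings += 'License registry key not found in either location.'
    }

    [pscustomobject]@{
        Files      = $files
        LicenseKey = $licenseKey
        Findings   = $findings
    }
}

$state = Get-LdavKeyState
$state.Files | Format-Table Role, Exists, ReadOnly, Modified, Sha256 -AutoSize
$state.Findings
```

Run it from an elevated prompt on the affected client; an empty Findings list means the staged and active keys match and the registry key is present.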

 

 

Reporting of Ivanti Antivirus information to the core server

 

  1. Antivirus information is sent to the core server using the PutLDAVTableData method using the WSVulnerabilityCore web service when Vulscan runs or every 5 minutes by the Ivanti Antivirus Service. 

    The following information is sent and appears in Vulscan.log as follows:

    Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
    Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
    Thu, 17 Sep 2015 10:52:00 AutoProtect: On
    Thu, 17 Sep 2015 10:52:00 ProductVersion: 10.2.1.23
    Thu, 17 Sep 2015 10:52:00 EngineVersion: 6.8.0.27
    Thu, 17 Sep 2015 10:52:00 DefVersion: 
    Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660)
    Thu, 17 Sep 2015 10:52:00 DefInstDate: 2015-09-17 09:28:50 (1442503730)
    Thu, 17 Sep 2015 10:52:00 Empty CTime: 1969-12-31 17:00:00 (0)
    Thu, 17 Sep 2015 10:52:00 LastVirusScan: 2015-09-17 09:29:15 (1442503755)
    Thu, 17 Sep 2015 10:52:00 LastFullVirusScan: 2015-09-15 12:50:21 (1442343021)
    Thu, 17 Sep 2015 10:52:00 LastQuickVirusScan: 2015-09-17 09:29:15 (1442503755)
    Thu, 17 Sep 2015 10:52:00 StartFullVirusScan: 2015-09-15 12:47:44 (1442342864)
    Thu, 17 Sep 2015 10:52:00 StartQuickVirusScan: 2015-09-17 09:28:59 (1442503739)
    Thu, 17 Sep 2015 10:52:00 FullVirusScanCancelled: 0
    Thu, 17 Sep 2015 10:52:00 QuickVirusScanCancelled: 0
    Thu, 17 Sep 2015 10:52:00 AgentRunning: True
    Thu, 17 Sep 2015 10:52:00 PatternServer: YourCoreServerName
    Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
    Thu, 17 Sep 2015 10:52:00 LicensePeriod: 362
    Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
    Thu, 17 Sep 2015 10:52:00 LicenseProductName:
    Thu, 17 Sep 2015 10:52:00 LicenseMaxCount: 2000
    Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
    Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData"
    Thu, 17 Sep 2015 10:52:00 SendRequest: SOAPAction: "http://tempuri.org/PutLdavTableData"
  2. This will appear in the WSVulnerabilityCore.dll log on the core as follows:
    09/17/2015 09:52:00 INFO 13484:3     RollingLog : LdavTableData.Update:  Updated a record for Antivirus_Idn = 1
  3. This information is placed into the Antivirus table in the Ivanti IEM database.
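
The "Antivirus table data" block shown above is regular enough to parse and check automatically. The following PowerShell is an added example, not Ivanti code: the function names are hypothetical, the sample lines are constructed from the excerpt above, and the 7-day and 3-day values reuse the Action Center default warning thresholds mentioned on this page.

```powershell
# Added example (not Ivanti code). The sample lines are constructed from the
# Vulscan.log excerpt in this article and trimmed to the fields checked below.
$sampleLog = @'
Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
Thu, 17 Sep 2015 10:52:00 AutoProtect: On
Thu, 17 Sep 2015 10:52:00 DefVersion: 
Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660)
Thu, 17 Sep 2015 10:52:00 AgentRunning: True
Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData"
'@ -split "`r?`n"

# Turn each "Antivirus table data" block into one object (field name -> value).
function Get-AvTableRecord {
    param([string[]]$Lines)

    $prefix  = '^\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} (?<rest>.*)$'
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $prefix) { $rest = $Matches['rest'] } else { continue }

        if ($rest -like '--- Antivirus table data*') {
            $current = [ordered]@{}        # start of a new block
        }
        elseif ($null -eq $current) {
            continue                       # line is outside a block
        }
        elseif ($rest -match '^-{10,}\s*$') {
            [pscustomobject]$current       # end of block: emit the record
            $current = $null
        }
        elseif ($rest -match '^(?<name>[^:]+):\s*(?<value>.*)$') {
            $current[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
}

# Date values look like "2016-09-13 23:59:59 (1473832799)"; parse the readable part.
function ConvertFrom-AvLogDate {
    param([string]$Value)
    if ($Value -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss',
            [Globalization.CultureInfo]::InvariantCulture)
    }
}

# Return a list of problems for one record; an empty result means healthy.
function Test-AvTableRecord {
    param(
        [Parameter(Mandatory)] $Record,
        [datetime]$Now = (Get-Date),
        [int]$LicenseWarnDays = 7,       # Action Center default for license expiration
        [int]$DefinitionWarnDays = 3     # Action Center default for definition age
    )
    $findings = @()
    if ($Record.AutoProtect -ne 'On')    { $findings += "AutoProtect is '$($Record.AutoProtect)'" }
    if ($Record.AgentRunning -ne 'True') { $findings += "AgentRunning is '$($Record.AgentRunning)'" }

    $expires = ConvertFrom-AvLogDate $Record.LicenseExpirationDate
    if (-not $expires) {
        $findings += 'No license expiration date reported'
    }
    elseif ($expires -le $Now) {
        $findings += "License expired on $($expires.ToString('yyyy-MM-dd'))"
    }
    elseif (($expires - $Now).TotalDays -le $LicenseWarnDays) {
        $findings += "License expires in $([math]::Floor(($expires - $Now).TotalDays)) day(s)"
    }

    $published = ConvertFrom-AvLogDate $Record.PubDate
    if (-not $published) {
        $findings += 'No definition publish date reported'
    }
    elseif (($Now - $published).TotalDays -gt $DefinitionWarnDays) {
        $findings += "Definitions were published $([math]::Floor(($Now - $published).TotalDays)) day(s) ago"
    }
    $findings
}

$record = Get-AvTableRecord -Lines $sampleLog | Select-Object -First 1
# Evaluated at the time the block was logged.
Test-AvTableRecord -Record $record -Now ([datetime]'2015-09-17 10:52:00')
# Same record evaluated a few days before the reported expiration date.
Test-AvTableRecord -Record $record -Now ([datetime]'2016-09-10 08:00:00')
```

To use it on a real client, pass the output of Get-Content on that client's Vulscan.log as -Lines and drop the -Now argument.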

 

What could go wrong?

  • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
  • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
  • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
    (Does that computer exist in the database?)
    Run a full inventory scan if it cannot be found.

 

When does Ivanti Antivirus check to see if the license key is valid?

 

  • During Ivanti Antivirus installation
  • When the Ivanti Antivirus service is started
  • Every 5 minutes after Ivanti Antivirus service is started
  • After pattern file update is performed

 

When troubleshooting client activation issues, the following log files should be consulted:

 

  • LDAV.LOG - Shows activation activity from the Ivanti Antivirus service start or the 5 minute interval check
  • LDAV_UPDATE.LOG - Shows activation activity if Ivanti Antivirus is activated during pattern file update
  • LDAV_INSTALL.LOG - Shows activation activity if Ivanti Antivirus is activated during the installation
  • Vulscan.log - Shows download and copy of key file
  • WSVulnerabilityCore.dll log - Shows reporting of Ivanti Antivirus information as received from Vulscan or the Ivanti Antivirus service

 

Error: "Black list of keys is corrupted" is displayed in the Licensing window

 

What is a "black" list of keys

 

The black list of keys is a database that contains information about key files that can no longer be used for activation of Ivanti Antivirus. Keys are blocked for the following reasons:

  • Malfunctioning.
  • The key was activated on a computer with incorrect system time or date.
  • The key was stolen.
  • The key was available on pirate servers for free download.

 

The database of such keys is located in a file named black.lst, which is downloaded and saved with the regular updates. The file is required for correct functioning of Ivanti Antivirus products.

 

The 'black list' of key files is a file named black.lst. This file is downloaded and saved along with databases (anti-virus, anti-spam, network attacks). Ivanti Antivirus cannot function without a 'black list' file.

 

Kaspersky Lab software stops functioning and notifies you of this:

  • if there is no black.lst file on your PC;
  • if the file black.lst is damaged;
  • if the Kaspersky Anti-Virus you have installed is using a key file from the 'black list';

If there is no black.lst file on your PC or it is damaged, start an update task to download it again. Otherwise Ivanti Antivirus protection will not function.

 

Resolution

 

  1. Create a new Ivanti Antivirus setting that allows the user to change the settings.

    AllowChangeSettings.png
  2. Push a Change Settings task that applies these updated settings to the affected client(s).
    (You can change the existing setting instead, but then every client computer using that setting will allow the user to change settings while you are repairing this issue.)
  3. Go to Advanced Settings within the Ivanti Client UI and uncheck "Enable Self Defense".

    TurnOffAVSelfDefense.jpg
  4. Delete the blst*.xml file(s) from C:\Program Files (x86)\LANDESK\LDClient\Antivirus\temp_bases8\landesk\updates on the client.
  5. Update the Antivirus pattern files on the core server.
  6. Update the pattern files on the client.
  7. Change the AV settings back to the original so that the user is no longer allowed to change settings.

 

If this resolution does not help, it may be necessary to reinstall Ivanti Antivirus on the client computer.   This can be done through an "Install/Update Security Settings" task from within the Agent Settings tool.


How to get started using Ivanti Antivirus

This document serves as a best practices step by step document for setting up, configuring and maintaining Ivanti Antivirus.  This is meant as a quick-start guide and does not go into advanced options.

 

 

 

After installation of the Core Server and/or purchase of the Ivanti Antivirus product the following steps must be performed prior to deploying Ivanti Antivirus to LDMS clients.

 

The following Ivanti Antivirus Action Center dialog helps guide the Administrator to install and configure Ivanti Antivirus appropriately:

AVActionCenter.jpg

This dialog appears after selecting the Ivanti Antivirus component the first time as part of an Agent Configuration.  It also can be accessed by using the Settings drop-down menu in the Security Activity tool.

 

Step 1 - Acknowledge removal of other antivirus software

 

The Ivanti Antivirus installation process will attempt to remove other security software on the computer that is known to conflict with the Ivanti Antivirus product.  Often having more than one security solution installed will result in one or both products malfunctioning, thus reducing the overall security of the system.  This check is to ensure that the administrator is aware that this software will be removed before they can proceed.

 

Action: Check the box under "Acknowledge that other antivirus software will be removed".

 

Step 2 - Import Ivanti Antivirus License

 

An Ivanti Antivirus subscription must be purchased in order to use the product and receive updates (pattern files and product updates).  See: Antivirus & Malware Detection Software | Ivanti

 

If you have purchased Ivanti Antivirus and have misplaced your license information:

Either log a case via support.landesk.com or contact Ivanti Support by phone.

 

If contacting by phone do the following:

 

  1. Select Option 1 for Product Activation/Licensing.
  2. Select option 1 again for LDMS/LDSS Licensing support.
  3. Give the Support Engineer your company account name and your contact information.
  4. The Support Engineer will provide an Ivanti Antivirus license key via e-mail.  This .key file will be within a .zip file and will include a .PDF file with the license details.

 

Actions:

  1. In the Ivanti Antivirus Action Center dialog under "Ivanti Antivirus license key required" click on "Import new license"
  2. Unzip the file provided that contains your license.
  3. Browse to the .KEY file, select it, and then click "Import"
  4. Click "Close"

 

The current license information should appear in the two lower sections of the Ivanti Antivirus Action Center window.  This information includes the creation date, license number, license information number, activated nodes, maximum count, and the earliest expiration found in your environment (as reported in Ivanti inventory).

 

Step 3 - Check whether any clients are nearing license expiration

 

This check ensures that you do not deploy agents using a license key that is near expiration and also warns of existing clients in the environment that have a license that is nearing expiration.  This warning threshold can be set.  The default is 7 days.

 

Further client license information can be viewed in the Security Activity tool in the Licenses section.

 

Step 4 - Download Antivirus Definitions (Pattern Files) and schedule regular pattern file downloads

 

This check ensures that pattern files have been recently updated.  This will tell you how long ago definitions were downloaded.  In addition, this warning threshold can be changed.  The default for the threshold is 3 days.

 

Download Latest Updates

  1. In the Ivanti Antivirus Action Center click "Go to download updates"
    This will open the Ivanti Antivirus tab of the Download Updates tool.  This tool can be opened again by clicking the first icon (Download updates) in the Security Activity tool.
  2. Click "Get latest definitions".  This process may take a while especially if it is the first time updating to the latest definitions (pattern files).
    ScheduleAVUpdates.jpg

  3. Ensure the number of pattern file backups is set to what you desire.   By default, this is 5.

 

Turn off notification in the Action Center for Antivirus versions you do not have

 

  1. Go to the tab for each Antivirus pattern version that you do not have in your environment and uncheck the box that says "Notify using Ivanti Antivirus action center".

    Note: In order for the green check box to appear in the Ivanti Antivirus action center for the "Antivirus definitions are up to date" section, you must have either downloaded the definitions for that version or unchecked the "Notify using Ivanti Antivirus action center" box.

 

Schedule Regular pattern files downloads to the core server

 

  1. Click on the "Updates" tab of the "Download Updates" tool.
  2. Ensure that only Windows / Security / Antivirus / Ivanti Antivirus Updates is selected.
  3. Click "Schedule Download"
  4. Rename the task name to "Download Antivirus Definitions" or "Download Antivirus Pattern files"

 

This will open the Scheduled Tasks tool and this can be configured to run daily.  (If you want to schedule it to run twice a day or more, multiple scheduled tasks can be created to start at different times)
ScheduleAVUpdatesScheduledTask.jpg

 

Clients are configured to download their pattern files from the Core server and fall back to the Internet (direct download from Kaspersky) by default.  This can be configured within the Ivanti Antivirus settings (within the Agent Settings tool, under Security) with the following 4 options:

 

  • Core only
  • Core first.  Fall back to Internet if core is not available.
  • Internet only.
  • Internet first.  Fall back to core if Internet is not available.

AVDownloadSources.jpg

 

Note:

 

Step 5 - Add and Configure Ivanti Antivirus within the Agent Configuration

 

  1. Open the Agent Configuration tool within the Configuration tool group.
  2. Under the Start section select the Ivanti Antivirus agent component check box.
  3. Under the Distribution and Patch subgroup open the Security and Compliance subgroup and then select Ivanti Antivirus.
  4. Select Configure next to Ivanti Antivirus Settings.
  5. Either create a New configuration or Edit an existing configuration
    AVComponentAgentConfig.jpg
    Within this document, we will only focus on scheduling regular pattern file updates and virus scans.  Other configuration options will be left as default.  These should be reviewed prior to saving the configuration.  It is assumed that Real-time Protection will be turned on.  Further details about these settings can be found here:
    KL 102.10: Kaspersky Endpoint Security and Management

  6. Click on the Scheduled Tasks section.
  7. It is recommended to do the following:

 

  • Configure Updates to run daily.
  • Configure Full Scan to run weekly.
  • Configure Critical Areas Scan to run daily.

ClientScheduledTasksAV.jpg


It is advised to have the scheduled updates run prior to the scan tasks so that the latest definitions possible are used.

 

Step 6 - Monitor Antivirus Activity

 

The Security Activity in the Security and Compliance tool group can be used to monitor client Antivirus activity as shown here:

AVSecurityActivity.jpg

Step 7 - Adding Antivirus information to column sets

 

In order to ensure that real-time protection is running, the product is up to date, and that the latest virus definitions are being used it is recommended to add Antivirus information to your column set.

 

Follow these instructions to create the correct column set:

 

  1. Under the "Administration" tool group open the "Column set configuration" tool.
  2. Right-click "My Column Sets" or "Public Column Sets" and select "New Column Set"
  3. In the top pane scroll down to and expand "Security" and then "Antivirus Software" and then "Antivirus"
  4. Double click the following in order:
    • Product Name
    • Product Version
    • Definition Publish Date
    • Auto Protect
  5. In the top pane go to the top of the tree and then look downward for the "Ivanti Management" node.
  6. Expand the "Agent Settings" sub-node and double-click "Unique ID"
  7. Go upward in the tree and find top-level node "Common Base Agent 8" and expand it.
  8. Double-click on "Version".

 

At this point, your columns should look like this:

AVColumns.jpg

To make reading this window easier it should be dragged to a larger size and the Column headers double clicked to make them auto-fit.

 

There are a few more steps to complete to make the data more presentable:

 

 

Changing Alias Names

First, change the alias names.  This is done by double-clicking the existing names under "Alias"

 

Here are the suggestions:

 

Original Name | Replacement Name
--- | ---
Product Name | Antivirus Product
Definition Publish Date | Pattern File Date
Product Version | Antivirus Version
Auto-Protect | Realtime Scanner
Unique ID | AV Settings ID
Version | LDMS Version

 

A few more changes will be necessary to show the correct data.  Several columns can apply to different items, so we need to qualify which entry we are looking for.  As an example, Unique ID can apply to any number of settings, so we will need to qualify that we want the Antivirus Setting.

 

Qualifying the data

 

When a selected field has more than one sub-field, you must use the Qualify option.

 

Steps to qualify the data we are looking for:

 

  1. Click on the "Qualifier" field next to "Computer"."Ivanti Management"."Agent Settings"."Unique ID"
  2. Click the "Qualify" button and select "Ivanti Antivirus"

 

Resulting Column Set

 

FinalAVColumns.jpg

There may be times that a computer is listed 2 or more times.   This can occur if more than one antivirus solution is detected as installed.  If you look in the inventory at this information you will find Security -> Antivirus -> 0 and Antivirus -> 1 (two separate subnodes) with Antivirus information. This is demonstrated by the computers highlighted in red above.

 

Additional Documents

 

How to troubleshoot Ivanti Antivirus license issues

 

How to troubleshoot Ivanti Antivirus

 

How to report undetected malware to Ivanti

 

Ivanti Antivirus false positive virus detection submission process

 

Further articles can be found at the Ivanti Antivirus landing page.

How to Install Ivanti Antivirus 2017 (Bitdefender) Manually on a Client

This document assumes you know how to copy files from the core's LDLOGON share via UNC to the client, rename files, and run command lines.

This method of installing Antivirus 2017 is not recommended and should only be used in certain cases where standard install methods cannot be used.  Failure of the Installation will likely result in the need to reload the OS on the device.

  1. On the client, create two folders: "C:\Program Files (x86)\LANDesk\LDClient\temp_av" and "C:\Program Files (x86)\LANDesk\LDClient\antivirus"
  2. On the client, navigate to the core's LDLOGON share via UNC and copy the contents of the avclientbd folder to the temp_av and antivirus folders you made in step 1.
  3. If you are installing on a 64-bit OS, go to the antivirus folder and delete the LDAV.exe and LDAVBD.dll files.  Rename LDAV64.exe to LDAV.exe and LDAVBD64.dll to LDAVBD.dll.
  4. As administrator, run the following command:  "C:\Program Files (x86)\LANDesk\LDClient\Antivirus\LDAV.exe" /install
  5. Wait 15 minutes for the install to complete.  The Ivanti Antivirus 2017 icon should appear in the system tray.
  6. Reboot the device.  After reboot, you can delete the temp_av folder but leave the antivirus folder on the client.

Mac Antivirus Basic Setup, Configuration and Installation

 

Core Definition Download

The core downloads definition updates for Macs just like it does for Windows PC Antivirus.  These in turn get downloaded to the Mac clients based on the agent settings you define for your clients.  To start downloading Mac Antivirus Updates Definitions on the core, select Tools > Security and Compliance > Patch and Compliance and double-click on the Download Updates icon located on the menu bar.

This will open the Download Updates interface, ensure the Updates tab is selected.

Mac Antivirus Definitions are located under Mac > Security > Antivirus. You will see the Ivanti Antivirus Updates checkboxes.  Check the definition version(s) you need and click Apply at the bottom of the dialog to make the selection applicable.

You can also download the definitions manually on the Landesk Antivirus tab by clicking the Get Latest Definitions button, making the selections and clicking Ok.

 

Installation and Removal

Installation and removal of the Mac Antivirus agent can be configured on the core.  Mac Antivirus can be installed when the agent gets installed by selecting the Landesk Antivirus option in the agent configuration.  This security feature will only be available if you are licensed for it.

 

Mac Antivirus can also be installed or removed through a security change task in the Security Activity tool. The Security Activity tool can be found by selecting Tools > Security and Compliance > Security Activity.

These items create a scheduled task that you can add devices to individually or by scope or query.

 

Agent Settings

Mac Antivirus settings are configured in Agent Settings > Security > Landesk Antivirus – Mac. Here, you can open an existing antivirus agent setting or create a new one. 

 

The following section will outline the properties of the Mac Antivirus agent settings.  To view the settings, right-click on an agent setting and select Properties.

The General area just allows you to name your setting.  The Protection area allows you to specify what protection runs on the end clients and options on how they run.  Protection Scope here allows you to set what gets monitored through the drivers detected. By checking a box in this dialog, it enables monitoring on devices that use those drivers on the Mac.

You can also add exclusions to the Network Attack Blocker.  This is done by clicking the Exclusion button and entering the IP addresses that you want to exclude from being monitored.

The Virus Scan area allows you to setup and configure Full Scans and Critical Area Scans, how they behave on the devices and schedule when they run.  The Help button can be accessed here for more detailed information on each item in the window to help you determine what options you want enabled or disabled on the clients.

The Threats area gives you options as to what malware is detected. Again, the Help button gives greater detail as to each of the options available.

 

The Update area lets you define how and where you get definition updates, either from the Core, Preferred Server or Internet directly. Checking the Update box and clicking Change Schedule allows you to define when and how often the clients update definitions.

Important:  Due to the way the local daemon runs on the Mac OS as designed by Apple, Mac Antivirus will only update if a user is logged in.  The device can be locked, but a user must be logged in, for Mac Antivirus to download updates.

 

The Reports area allows you to configure how many days items are kept in the reporting section on the clients.  The Appearance area allows configuration of notifications and whether an icon is displayed on the menu bar on the Mac clients.

Important:  Some settings you configure with agent settings will not be displayed in the Kaspersky GUI on the Mac client.  The most notable is the message that Automatic Updates are disabled.  Updates on the Mac are handled through a mechanism other than the Kaspersky GUI so that our agent settings can get them from a core instead of the Internet; as such, automatic updates are disabled directly in the GUI itself.

Ivanti Antivirus: Database Tables, Inventory Information, and Security Activity

This document lists the tables in the Ivanti EPM Database that are related to the Ivanti Antivirus product:

 

The following are the tables used for Ivanti Antivirus:

 

 

Antivirus table

 

The information from this table shows up in the Antivirus Licensing information in the Ivanti Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool.  This table records the inventory information for not only the Ivanti Antivirus product but also for other 3rd party Antivirus products.  This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the Ivanti Antivirus Service.  This information is sent under the following conditions:

 

  • After AV installation
  • After activating with a new license
  • After a scanning task is done
  • After pattern files are updated

 

In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.

 

When this information is sent to the core, it is logged in LDAV.LOG as "Submitting all Antivirus table information..."

 

For an Inventory Scan this information is gathered through LDAVHLPR.DLL.  Periodic updates of this .DLL are provided within Ivanti Patch Content to support gathering information on newer versions of Antivirus Software.  The information gathered from each 3rd party vendor can vary.  Some information may not be applicable or available to gather through the Ivanti Inventory or Patch and Compliance scan processes.

 

AntivirusTableLeft.jpg

                    AntivirusTableRight.jpg

This information shows up in the Inventory of a client in this manner:

 

Inventory-Info.jpg

 

 

This table consists of the following columns:

Column Name | Description
--- | ---
Computer_IDN | Unique database identifier for the computer associated to the Antivirus information in the next columns
Antivirus_IDN | Unique database identifier for the Antivirus entry
ProductName | Name of the Antivirus product
AutoProtect | Whether the realtime scanner (AutoProtect) is enabled or not
ProductVersion | Version of the Antivirus product
EngineVersion | Version of the Antivirus engine
DefVersion | Version of the currently active definitions at the time of the last Inventory Scan or Security and Compliance Scan
PubDate | Publication date of the antivirus definitions (pattern files) on the client
DefInstallDate | Time and date that the current definition files (pattern files) were updated on the client
LastVirusScan | Last time and date a regular virus scan was executed on the client
LastFullVirusScan | Last time and date a full virus scan was executed on the client
LastQuickVirusScan | Last time and date a quick virus scan was executed on the client.
AgentRunning | Source of the server for the Pattern Files.  Typically this will only apply to Ivanti Antivirus
PatternServer | Source of the server for the Pattern Files.  Typically this will only apply to Ivanti Antivirus
LicenseExpirationDate | Date and time that the current antivirus product license expires
LicensePeriod | Length of time in days remaining
License Number | Product license number that the client is currently using
LicenseProductName | Name of the licensed product
LicenseMaxCount | Total number of nodes that the license reported by the client is good for
StartFullVirusScan | Time and date that the last full virus scan was started
StartQuickVirusScan | Time and date that the last quick virus scan was started
FullVirusScanCancelled | Time and date the last full virus scan was canceled
QuickVirusScanCancelled | Time and date the last quick virus scan was canceled

 

AntivirusPatches table

 

This table lists the patches for the Antivirus product that are installed on the client.

 

This information is sent to the Core when an Inventory Scan runs.

 

AntiVirusPatches.jpg

 

| Column Name | Description |
| --- | --- |
| Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
| AntivirusPatches_Idn | Unique database identifier for the AntivirusPatches entry |
| DisplayName | How the patch appears in the client interface (under the support link at the bottom of the LDAV UI) |
| InstalledDate | Date and time that the patch was installed |
| MoreInfoURL | If applicable, the link to go to for more information about the patch |
| PatchName | Name of the patch |

 

This shows up in the Client Inventory in this location:

 

LANDESKPatchesClient.jpg

The LANDESK Antivirus service logs patch information every time it starts, during the initialization period, to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches, and it is then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches

 

 

InfectedFiles table

 

This information shows up in the Security Activity tool under Ivanti Antivirus - Infections by Computer, and Ivanti Antivirus - Infections by Virus

 

InfectedFiles.jpg

 

This table consists of the following columns:

| Column Name | Description |
| --- | --- |
| Computer_Idn | Unique database identifier for the computer that was infected |
| InfectedFiles_Idn | Unique database identifier for the file that was found that contained a virus |
| Path | Path on the client computer where the infected file was found |
| Virus | Particular virus found within the infected file |
| Failure | Description of the failure |

 

 

QuarantinedFiles table

 

This information shows up in the Security Activity tool under Ivanti Antivirus - Quarantined Infections by computer and Ivanti Antivirus - Infections by virus

 

This table stores information about both files that have been quarantined and files that have been moved into the Backup folder.

 

QuarantinedFiles.jpg


This table consists of the following columns:

 

| Column Name | Description |
| --- | --- |
| Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
| QuarantinedFiles_Idn | Unique database identifier for the files that were quarantined |
| Filename | Name of the quarantined file |
| Status | 0 = Riskware, 1 = Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured |
| Virus | Virus that was found in the quarantined file |
| OriginalLocation | Path where the file was found on the client computer |
| GUIDFilename | GUID assigned to the filename |
| QuarantineDate | Date and time that the file was quarantined |

 

This information shows up in the Inventory of the client under Security - Quarantined Files.  Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus

SecurityAction table

This information shows up in the Security Activity Tool under Ivanti Antivirus - Activity, Activity by computer, and activity by virus.  In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.

SecurityActionLeft.jpg

                SecurityActionRight.jpg

| Column Name | Description |
| --- | --- |
| SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action |
| Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to |
| ActionTaken | Action that was taken |
| ActionCode | Code type of the action that was taken |
| ActionDate | Date and time that the action occurred |
| Application | Application Name |
| MD5Hash | MD5 Hash of the file if a file was involved |
| SHA1Hash | SHA1 Hash of the file if a file was involved |
| SHA256Hash | SHA256 Hash of the file if a file was involved |
| Type | Type code for the action that occurred |
| Filesize | Size in kilobytes of the file if a file was involved |
| FileDate | File Creation Date of the file if a file was involved |
| FileVersion | File Version of the file from within the file properties of a file if a file was involved |
| CompanyName | Company Name from within the file properties of the file if a file was involved |
| ProductName | Product Name from within the file properties of the file if a file was involved |
| ProductVersion | Product Version from within the file properties of the file if a file was involved |
| UserName | User Logged in when the action occurred |
| ConfigGUID | Unique GUID of the Setting that was in use when the action occurred |
| LocationID | Information being gathered on values |

 

The information in this table makes up most of the Ivanti Antivirus information shown in the Security Activity tool.  This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.

 

The exception would be the licensing information, which is stored in the Antivirus table and is sent by the Ivanti Antivirus Service on the client to the WSVulnerability web service on the core server.

The following are the codes returned to the core server and their meanings:

 

| Result | Code |
| --- | --- |
| IS_VIRUS_REPAIR_FAILED | 10 |
| IS_VIRUS_REPAIR_SUCCEEDED | 11 |
| IS_VIRUS_QUARANTINE_FAILED | 12 |
| IS_VIRUS_QUARANTINE_SUCCEEDED | 13 |
| IS_SUSPICIOUS_QUARANTINE_FAILED | 14 |
| IS_SUSPICIOUS_QUARANTINE_SUCCEEDED | 15 |
| IS_SUSPICIOUS_NO_ACTION_TAKEN | 16 |
| IS_RT_VIRUS_REPAIR_FAILED | 17 |
| IS_RT_VIRUS_REPAIR_SUCCEEDED | 18 |
| IS_RT_VIRUS_QUARANTINE_FAILED | 19 |
| IS_RT_VIRUS_QUARANTINE_SUCCEEDED | 20 |
| IS_RT_SUSPICIOUS_QUARANTINE_FAILED | 21 |
| IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED | 22 |
| IS_APP_BLOCK_FAILED | 23 |
| IS_APP_BLOCK_SUCCEEDED | 24 |
| IS_AVSERVICE_FAILED_TO_START | 25 |
| IS_VIRUS_FOUND | 26 |
| IS_RT_VIRUS_FOUND | 27 |
| IS_SUSPICIOUS_FOUND | 28 |
| IS_RT_SUSPICIOUS_FOUND | 29 |
| IS_REBOOT_NEEDED | 30 |
| IS_REBOOT_NOT_NEEDED | 31 |
| IS_INSTALLING_AV | 32 |
| IS_REMOVING_AV | 33 |
| IS_INSTALLED_AV | 34 |
| IS_REMOVED_AV | 35 |
| IS_FAILED_INSTALL_AV | 36 |
| IS_FAILED_REMOVE_AV | 37 |
| IS_AV_REBOOT_PENDING | 38 |
| IS_LOGIN | 39 |
| IS_LOGOFF | 40 |
| IS_AUTH_SUCCEEDED | 41 |
| IS_AUTH_WOULD_HAVE_FAILED | 42 |
| IS_AUTH_FAILED | 43 |
| IS_DECRYPT_SUCCEEDED | 44 |
| IS_DECRYPT_FAILED_KEY_NOT_FOUND | 45 |
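The following Python is an added example, not Ivanti's code: it decodes the result codes listed above and reports files whose most recent malware-related action was not a successful repair or quarantine. The row layout follows the SecurityAction columns described above; the ISO date format, the use of SHA256Hash to identify a file, the helper names and the sample rows are assumptions made for the example.

```python
from datetime import datetime

# Result names in code order (10 through 45), copied from the table above.
_NAMES = """
IS_VIRUS_REPAIR_FAILED IS_VIRUS_REPAIR_SUCCEEDED
IS_VIRUS_QUARANTINE_FAILED IS_VIRUS_QUARANTINE_SUCCEEDED
IS_SUSPICIOUS_QUARANTINE_FAILED IS_SUSPICIOUS_QUARANTINE_SUCCEEDED
IS_SUSPICIOUS_NO_ACTION_TAKEN
IS_RT_VIRUS_REPAIR_FAILED IS_RT_VIRUS_REPAIR_SUCCEEDED
IS_RT_VIRUS_QUARANTINE_FAILED IS_RT_VIRUS_QUARANTINE_SUCCEEDED
IS_RT_SUSPICIOUS_QUARANTINE_FAILED IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED
IS_APP_BLOCK_FAILED IS_APP_BLOCK_SUCCEEDED IS_AVSERVICE_FAILED_TO_START
IS_VIRUS_FOUND IS_RT_VIRUS_FOUND IS_SUSPICIOUS_FOUND IS_RT_SUSPICIOUS_FOUND
IS_REBOOT_NEEDED IS_REBOOT_NOT_NEEDED
IS_INSTALLING_AV IS_REMOVING_AV IS_INSTALLED_AV IS_REMOVED_AV
IS_FAILED_INSTALL_AV IS_FAILED_REMOVE_AV IS_AV_REBOOT_PENDING
IS_LOGIN IS_LOGOFF
IS_AUTH_SUCCEEDED IS_AUTH_WOULD_HAVE_FAILED IS_AUTH_FAILED
IS_DECRYPT_SUCCEEDED IS_DECRYPT_FAILED_KEY_NOT_FOUND
""".split()
RESULT_CODES = dict(enumerate(_NAMES, start=10))

# Codes that describe a detection or a remediation attempt on a file.
MALWARE_CODES = set(range(10, 23)) | set(range(26, 30))
# A file counts as handled only after a successful repair or quarantine.
RESOLVED_CODES = {
    code for code in MALWARE_CODES
    if RESULT_CODES[code].endswith(("REPAIR_SUCCEEDED", "QUARANTINE_SUCCEEDED"))
}
# Codes that indicate the antivirus itself is not healthy on the client.
HEALTH_CODES = {25, 36, 37}


def unresolved_detections(rows):
    """Return (Computer_Idn, SHA256Hash, last result) for each file whose latest
    malware-related action is a failure, a bare detection or "no action taken"."""
    latest = {}
    ordered = sorted(rows, key=lambda r: datetime.fromisoformat(r["ActionDate"]))
    for row in ordered:
        code, sha = row["ActionCode"], row.get("SHA256Hash")
        if code in MALWARE_CODES and sha:
            latest[(row["Computer_Idn"], sha)] = code  # later rows overwrite earlier
    return sorted(
        (cid, sha, RESULT_CODES[code])
        for (cid, sha), code in latest.items()
        if code not in RESOLVED_CODES
    )


def health_alerts(rows):
    """Return (Computer_Idn, result) pairs for service or install failures."""
    return sorted({
        (r["Computer_Idn"], RESULT_CODES[r["ActionCode"]])
        for r in rows if r["ActionCode"] in HEALTH_CODES
    })


def _row(cid, code, when, sha=None):
    return {"Computer_Idn": cid, "ActionCode": code,
            "ActionDate": when, "SHA256Hash": sha}


# Constructed sample rows (not real data), deliberately out of date order.
SAMPLE_ROWS = [
    _row(101, 20, "2018-03-01 09:00:07", "aa" * 32),  # quarantine succeeded
    _row(101, 27, "2018-03-01 09:00:05", "aa" * 32),  # real-time detection
    _row(101, 17, "2018-03-01 09:00:06", "aa" * 32),  # repair failed first
    _row(102, 26, "2018-03-01 10:15:00", "bb" * 32),  # scan detection
    _row(102, 12, "2018-03-01 10:15:02", "bb" * 32),  # quarantine failed
    _row(103, 28, "2018-03-01 11:30:00", "cc" * 32),  # suspicious, no follow-up
    _row(103, 39, "2018-03-01 11:31:00"),             # login event, ignored
    _row(104, 25, "2018-03-01 12:00:00"),             # AV service failed to start
]

if __name__ == "__main__":
    for cid, sha, result in unresolved_detections(SAMPLE_ROWS):
        print("computer %s file %s... last result %s" % (cid, sha[:12], result))
    for cid, result in health_alerts(SAMPLE_ROWS):
        print("computer %s health alert %s" % (cid, result))
```

Computer 101 is not reported because its failed repair was followed by a successful quarantine; only the last outcome per file is considered.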

 

 

TrustedItem table

 

Trusted items are a list of objects that Ivanti Antivirus does not monitor or control.  This list is populated with a list of Ivanti EPM client files at the time of Ivanti Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.

You can add a trusted item and it will block Ivanti Antivirus access to that item; however, you must be very sure that it does not represent any threat.

TrustedItem.jpg

 

| Column Name | Description |
| --- | --- |
| Computer_Idn | Unique database identifier of the computer that has this object in its trusted applications list |
| TrustedItem_Idn | Unique database identifier of the trusted object |
| Item | Item full path and name |
| Status | User Added = 4, Admin Added = 6 (Admin added is either as part of installation or a settings update) |
| ObjectType | File = 0, Folder = 1, Extension = 2 |
| AddedDate | Date that the object was added |
| Folder | Folder where the trusted item is |

 

On the client side these are the entries from the Exclusion Rules or Trusted Applications

TrustedApplications.jpg

This information shows up in the Inventory of the client under Security - Trusted Items.  Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status

 

Security Activity

 

When an event happens with Ivanti Endpoint Security (Application blocked, device blocked, startup module added, etc) this information is sent to the core server and is then able to be viewed within the Security Activity tool and is stored in the database.

 

How actions are sent from the Client to the core server

Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.), the activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.  If no further activity takes place within 2 minutes, Softmon sends this information to the core server.  Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server.  This ActionHistory information is stored in the SecurityAction table in the database and is displayed in the Security Activity window.  After the ActionHistory is sent, the .XML is renamed to .SENT.XML.  11 copies of this file are kept on the client: .sent, and then .sent numbered 1-10.

 

If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file

If ActionHistory is sent via Softmon, this is logged in the Softmon.log file

───────────────────────────────────────


The following SQL query will return all of the Endpoint Security related activity.

-- Action codes 10 through 45 (see the result code table above)
SELECT * FROM patchhistory WHERE ActionCode BETWEEN 10 AND 45;

Getting started with the new Ivanti Antivirus 2017(Bitdefender) Client GUI and Agent Settings


This document introduces the new Ivanti Antivirus 2017 (Bitdefender engine) client GUI on the devices where it is installed, and the agent settings that control the new antivirus on those devices.  It assumes you know how to access the new Ivanti Antivirus agent settings within the console.

 

Note: The screen shots shown are for 2017.3 with SU4

 

Agent Settings

 

General: This area allows you to configure basic configuration settings.

  • Maintenance Password: Allows you to set and configure the password to interact with administrative features on the client.
  • Notifications: Allows you to set what the user sees on the client GUI.

File Protection: Configure the level of protection you want on the clients as well as what files/areas you want excluded.

Network/Traffic: This section allows you to configure network monitoring on the end clients.  The Network Scan section allows you to configure the web browser tools clients see in the GUI when a browser is open.

Scheduled Tasks: This area allows you to set an Update schedule as well as Full and Critical (Quick) Scan schedules to run at specific times.  If your clients do not seem to be updating definitions, be sure this area has a schedule set up, as one is not set by default.  Once checked, click each item's Change Schedule button to set the schedule for the item.

Full Scan and Quick Scan: This area allows you to configure actions to take on detected items during a full scan, as well as alter the priority and user options on the clients.

Update servers: Allows you to add and set the order of where clients get the updates.

 

Client Graphical User Interface(GUI)

 

Below is the client interface as presented to the user when double clicking the Icon in the system tray.

Modules Button

This button gives you access to the modules and Quarantine area on the client.  You cannot disable or enable modules here; it is only informational.  Clicking Quarantine will open the Quarantine area and allow you to manage any files that are in there.

 

Filters

The Filters button allows you to customize what is displayed in the readout list in the main window.

 

The top row of buttons will display only the items for that particular module.  You can have more than one selected.

The Date Range allows you to only view items that occurred within the range.

 

Lastly, you can filter by the status of an item: Success, Warning, or Serious.  Clicking Reset Filters at the top removes all filters.

 

ScanTasks

 

Scan Tasks allows a user to run a predefined scan or create and save a custom scan.

Note: The Check for Updates button does nothing.  The LDAV.exe service installed with Ivanti Antivirus handles updating definitions.  To run a manual definition update on a client, run the following command as administrator:

"C:\Program Files (x86)\LANDesk\LDClient\Antivirus\LDAV.exe" /update

Clicking New Custom Scan allows you to create your own custom scan and save it to the Scan Tasks menu.  Once your scan settings are set, give the scan a name in the bottom field and click the star button to save it.  The scan now appears on the Scan Tasks menu.  You can remove it by clicking the trash button.

Clicking Custom then Settings opens a dialog to customize the scan further.

Note: Some options are not available at this time like exclusions and extensions and are grayed out.  We will continue to improve the product and release more features in future releases.

How to report undetected viruses or false positives to Ivanti EPM Support


This process is specific to Ivanti Antivirus using the Kaspersky engine.  For Ivanti Antivirus 2017 using the Bitdefender engine, please see this document:

How To Submit False Positives and Undetected Malware for Ivanti Antivirus 2017

 

Description

 

Sometimes malware shows up that does not have a pattern file yet.  This is true for all viruses when they are first written.  These are called "zero day" viruses.

 

In order for a pattern to be created, the virus must be reported and sent to Ivanti.

 

How to Report and Send an Infected or Suspicious File

 

If one or more files are identified as suspicious, make sure that all infected machines are scanning with the latest definition files before submitting the file(s) for analysis. Once all machines have been scanned with the latest definition files, follow the steps outlined below to have the infected files analyzed.

 

  1. Collect the infected virus file(s) and compile them into a password protected .ZIP file.
    The password must be "infected" and the file format must be in a .ZIP format
  2. Navigate to http://avdrop.landesk.com and drag and drop the password protected .ZIP file to the site.
  3. If you would like a return contact from Ivanti Support with the verdict of the file(s) you have submitted, please Contact Ivanti Support and open a Support Case. 
    It is recommended to use the Support Portal to do this.

 

Current virus definition release activity can be viewed here: Virus Watch | Kaspersky Lab

For a virus glossary, virus encyclopedia, and for searchable virus information, please visit http://www.viruslist.com.   This site is maintained by Kaspersky Labs, who provides the Scanning Engine within the Ivanti Antivirus product.

If the file you have is something you suspect is a "False Positive", or in other words a file that you believe does not contain malware but is being reported by Ivanti Antivirus as malware, the following instructions for submitting a False Positive to Ivanti should be followed:

Ivanti Antivirus false positive virus detection submission process

 

In addition, as an extra troubleshooting step, you can upload the suspicious file to https://www.virustotal.com.   This website will compare the file against ~40+ Antivirus engines.   If the majority say it is malware, it is likely malware.  If the majority say it is not malware, either it is likely not malware or it is a very new virus variant that is not yet detected by the majority of Antivirus vendors.

Receiving error "previous application startup failed" at login


Environment:

LDMS9.5 SP1

 

Issue:

When a user logs in he receives the error "previous application startup failed".

Despite this error, Antivirus is working normally.

 

Solution:

Please remove all .dmp files from the folder:
Disk:\Documents and Settings\All Users\Application Data\Kaspersky Lab\


Antivirus Exclusions for a LANDESK Client


Description:

This document contains the list of applications and files that need to be excluded/trusted for LANDESK to function properly if you aren't using LANDESK AV.

If you are using LANDESK AV, these exclusions are already made for you.

 

For information about AV exclusions on the core server, see this doc: About Antivirus exclusions (exceptions) for the Ivanti EPM Core Server

 

These are the files that need to be added as exclusions and as trusted applications.

 

32 bit:

 

  • C:\Program Files\LANDesk\LDClient\FindMBDevice.exe
  • C:\Program Files\LANDesk\LDClient\GatherProducts.exe
  • C:\Program Files\LANDesk\LDClient\HPScanner.exe
  • C:\Program Files\LANDesk\LDClient\issclipexec.exe
  • C:\Program Files\LANDesk\LDClient\issuser.exe
  • C:\Program Files\LANDesk\LDClient\LDpcu.exe
  • C:\Program Files\LANDesk\LDClient\LDCSTM32.exe
  • C:\Program Files\LANDesk\LDClient\lddetectsystem.exe
  • C:\Program Files\LANDesk\LDClient\LDISCN32.exe
  • C:\Program Files\LANDesk\LDClient\LDProvisionSecureErase.exe
  • C:\Program Files\LANDesk\LDClient\LDsensors.exe
  • C:\Program Files\LANDesk\LDClient\LDUrlMonInject64.exe
  • C:\Program Files\LANDesk\LDClient\LocalSch.exe
  • C:\Program Files\LANDesk\LDClient\policy.sync.exe
  • C:\Program Files\LANDesk\LDClient\rcgui.exe
  • C:\Program Files\LANDesk\LDClient\restartmon.exe
  • C:\Program Files\LANDesk\LDClient\SDCLIENT.exe
  • C:\Program Files\LANDesk\LDClient\SDISTPS1.exe
  • C:\Program Files\LANDesk\LDClient\softmon.exe
  • C:\Program Files\LANDesk\LDClient\startasuser.exe
  • C:\Program Files\LANDesk\LDClient\vulscan.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\EncArchive.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\HipsClientConfig.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDEncrypt.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDSecSetup32.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDSecSetup64.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\VigAlert.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\VIGUARD.exe
  • C:\Program Files\LANDesk\Shared Files\residentAgent.exe
  • C:\Program Files\LANDesk\Shared Files\serviceHost.exe
  • C:\Program Files\LANDesk\Shared Files\Proxyhost.exe

 

64 bit

  • C:\Program Files (x86)\LANDesk\LDClient\FindMBDevice.exe
  • C:\Program Files (x86)\LANDesk\LDClient\GatherProducts.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HPScanner.exe
  • C:\Program Files (x86)\LANDesk\LDClient\issclipexec.exe
  • C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDpcu.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDCSTM32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\lddetectsystem.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDISCN32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDProvisionSecureErase.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDsensors.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDUrlMonInject64.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LocalSch.exe
  • C:\Program Files (x86)\LANDesk\LDClient\policy.sync.exe
  • C:\Program Files (x86)\LANDesk\LDClient\rcgui.exe
  • C:\Program Files (x86)\LANDesk\LDClient\restartmon.exe
  • C:\Program Files (x86)\LANDesk\LDClient\SDCLIENT.exe
  • C:\Program Files (x86)\LANDesk\LDClient\SDISTPS1.exe
  • C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
  • C:\Program Files (x86)\LANDesk\LDClient\startasuser.exe
  • C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\EncArchive.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\HipsClientConfig.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDEncrypt.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDSecSetup32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDSecSetup64.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\VigAlert.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\VIGUARD.exe
  • C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
  • C:\Program Files (x86)\LANDesk\Shared Files\serviceHost.exe
  • C:\Program Files (x86)\LANDesk\Shared Files\ProxyHost.exe

Issue: Ivanti Antivirus not detecting a suspected virus


Issue

 

Ivanti Antivirus does not detect a suspicious file as being infected by a virus.

 

Cause

 

This issue can be caused by one or more of the following:

 

  • Outdated Antivirus scanning engine
  • Outdated Antivirus pattern (bases) files
  • Real-time engine not running
  • File or directory is added to an exclusion list or trusted items list
  • No antivirus pattern file for this particular virus strain variation

 

Resolution

 

Outdated Antivirus scanning engine

 

For optimal performance, detection, and remediation of viruses, it is advised to be running the latest Antivirus Engine and to have the latest Antivirus patches installed.  To find out how to check the current Antivirus engine version on clients, see this article.

 

Outdated Antivirus pattern (bases) files

 

Ensure that the latest antivirus pattern (bases) files are installed on the core and the client.  Without the latest antivirus pattern files, the Antivirus engine may not be able to detect the latest viruses.

 

For further Information about ensuring the core and client are using the latest pattern files, see this article.

 

Real-time engine not running

 

If the real-time engine is not running, viruses will not be detected as files are accessed.  When the real-time engine is running, the Ivanti Antivirus icon in the system tray is a yellow shield.  If it is a gray shield with a red line through it, the Antivirus Engine is not running.  To start the real-time engine, double-click the Ivanti Antivirus shield icon and then click "Enable" next to "Real-time protection".  If the real-time engine still fails to start, there are multiple ways to access support.  Be prepared to gather and send the Ivanti Antivirus log files detailed here.

 

File or directory is added to an exclusion or trusted items list

 

If a file or directory is added to the Antivirus exclusions list or the trusted Items list, it will be ignored during an Antivirus scan.  Ensure that the suspicious file or the directory that contains the file is not on an exclusion list or trusted items list.

 

For further information about Antivirus Exclusions, see this article.
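The following Python is an added example, not Ivanti's code: given rows shaped like the TrustedItem table described earlier on this page (Item, Status, ObjectType), it lists which trusted items would cover a suspicious path and whether a user or an administrator added them. It assumes that a Folder item covers everything beneath it, that Extension items are stored as tmp, .tmp or *.tmp, and that matching is case-insensitive; the function names and sample rows are constructed for the example.

```python
import ntpath

# ObjectType and Status values as documented for the TrustedItem table.
OBJECT_TYPES = {0: "File", 1: "Folder", 2: "Extension"}
STATUS_LABELS = {4: "User Added", 6: "Admin Added"}


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def covering_items(suspect_path, trusted_items):
    """Return (TrustedItem_Idn, object type, status label) for every trusted
    item that would cause suspect_path to be skipped by a scan."""
    target = _norm(suspect_path)
    suffix = ntpath.splitext(target)[1].lstrip(".")
    hits = []
    for row in trusted_items:
        kind = OBJECT_TYPES.get(row["ObjectType"])
        item = row["Item"]
        if kind == "File":
            covered = _norm(item) == target
        elif kind == "Folder":
            # Append a separator so C:\Tools does not match C:\ToolsArchive.
            prefix = _norm(item).rstrip("\\") + "\\"
            covered = target.startswith(prefix)
        elif kind == "Extension":
            covered = bool(suffix) and item.strip().lstrip("*.").lower() == suffix
        else:
            covered = False  # unknown ObjectType: never treat as a match
        if covered:
            status = STATUS_LABELS.get(row["Status"], "Status %s" % row["Status"])
            hits.append((row["TrustedItem_Idn"], kind, status))
    return hits


# Constructed sample rows (not real data).
SAMPLE_TRUSTED_ITEMS = [
    {"TrustedItem_Idn": 1, "ObjectType": 0, "Status": 6,
     "Item": r"C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe"},
    {"TrustedItem_Idn": 2, "ObjectType": 1, "Status": 4,
     "Item": r"C:\Users\Public\Tools"},
    {"TrustedItem_Idn": 3, "ObjectType": 2, "Status": 4, "Item": "*.tmp"},
    {"TrustedItem_Idn": 4, "ObjectType": 1, "Status": 6,
     "Item": r"C:\Users\Public\ToolsArchive"},
]

if __name__ == "__main__":
    suspect = r"c:\users\public\tools\sub\Dropper.TMP"
    for idn, kind, status in covering_items(suspect, SAMPLE_TRUSTED_ITEMS):
        print("%s is covered by trusted item %s (%s, %s)" % (suspect, idn, kind, status))
```

Items reported as "User Added" deserve the closest review, since they were not part of the installation or a settings update.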

 

"Scan for risky software in addition to viruses" option not turned on in Ivanti Antivirus Settings

 

Some malware that is not a traditional virus (e.g., spyware, FTP, IRC, remote control utilities, etc.) and is labeled "Risky Software" will not be scanned for and remediated if the "Scan for risky software in addition to viruses" option is not turned on in Ivanti Antivirus Settings.  To turn on this option, go to the Ivanti Antivirus Settings - General Tab and check the box next to this option.

 


Note:
If these items are all checked and Ivanti Antivirus still fails to find malware, please submit the suspicious file(s) to Ivanti Support by following this article.

       

About Antivirus information in the Ivanti EPM Inventory


Description

This document describes the Antivirus information contained in the Inventory for a Managed Ivanti EPM client.

The inventory information is located in the following section in the  Ivanti EPM inventory:

AntivirusInventory.jpg

Note: Antivirus information returned is not exclusive to Ivanti Antivirus.   Inventory information for Antivirus can be returned for any third party vendor that Ivanti supports managing.

Vendor information supported at the time of the writing of this article

Avast, AVG, Avira, BitDefender, Bullguard, CA Total Defense, eScan, ESET NOD32, eTrust, Gdata, Kaspersky, McAfee, Microsoft Forefront, Microsoft Windows Defender, Panda Antivirus, Shavlik Antivirus, Sophos, Symantec, Trend Micro, and VIPRE.

Example: information returned about Windows Defender.

WindowsDefender.jpg

 

LDAVHLPR.DLL

 

Antivirus information gets updated when an Inventory scan runs or when a vulnerability scan runs.

This information is gathered by a helper file for Vulscan and for the Inventory scanner called LDAVHLPR.DLL.

LDAVHLPR.DLL is periodically updated to add new or changed Antivirus vendor information as the vendor changes it.

LDAVHLPR.DLL often will need updating when the vendor releases a new service pack, etc.

LDAVHLPR is delivered through the Ivanti Software updates mechanism in the Patch and Compliance Tool under Download Updates ->

LDAVHLPRDefinition.jpg

It is important to ensure that the LDAVHLPR.DLL from the "Third Party Antivirus Content LANDESK Updates requirement" definition is installed.

 

Note: The LDAVHLPR in the patch should be compared to the LDAVHLPR in the latest Service Update or Service Pack.  It is not necessarily a later version than the Service Update or Service Pack.   If it is an older version the client with the newer version will not update with the older version from the core.

 

Steps to install the Third Party Antivirus content patch

  1. Double-click on the definition to open its properties
  2. Right-click on the Rule and click "Download Patch"
  3. The download window will come up and when it finishes click "Close"
  4. Right click the Rule again and select "Open Patch Folder"
  5. Double-click the downloaded patch.
  6. Extract the contents of the patch to a directory of your choice on the core and then run Setup.exe.

 

All the patch does is install the LDAVHLPR.DLL file to your LDLOGON directory on the core.   The next time the vulnerability scanner runs, it will auto-update the client to that version of LDAVHLPR.DLL.

 

In addition there is one more location where Antivirus-related information exists:

LastAntivirusUpdates.jpg

This information is at the top level in the inventory and then near the bottom of the right-hand pane.

This is referring to the definition date that is downloaded in the Patch and Compliance tool.

PatchAndComplianceAntivirusUpdates.jpg

 

Adding Antivirus information to column sets

 

In order to ensure that real-time protection is running, the product is up to date, and that the latest virus definitions are being used it is recommended to add Antivirus information to your column set.

 

Follow these instructions to create the correct column set:

 

  1. Under the "Administration" tool group open the "Column set configuration" tool.
  2. Right-click "My Column Sets" or "Public Column Sets" and select "New Column Set"
  3. In the top pane scroll down to and expand "Security" and then "Antivirus Software" and then "Antivirus"
  4. Double click the following in order:
    • Product Name
    • Product Version
    • Definition Publish Date
    • Auto-Protect
  5. In the top pane go to the top of the tree and then look downward for the "LANDESK Management" node.
  6. And expand the "Agent Settings" sub-node and double-click "Unique ID"
  7. Go upward in the tree and find top-level node "Common Base Agent 8" and expand it.
  8. Double-click on "Version".

 

At this point, your columns should look like this:
AVColumns.jpg

To make reading this window easier it should be dragged to a larger size and the Column headers double clicked to make them auto-fit. There are a few more steps to complete to make the data more presentable:

Changing Alias Names

 

First, change the alias names.  This is done by double-clicking the existing names under "Alias" Here are the suggestions:

 

| Original Name | Replacement Name |
| --- | --- |
| Product Name | Antivirus Product |
| Definition Publish Date | Pattern File Date |
| Product Version | Antivirus Version |
| Auto-Protect | Realtime Scanner |
| Unique ID | AV Settings ID |
| Version | LDMS Version |

 

A few more changes will be necessary to show the correct data.  Several columns can apply to different items, so we need to qualify which entry we are looking for.  As an example, Unique ID can apply to any number of settings, so we will need to qualify that we want the Antivirus Setting.

 

 

Qualifying the data

When a field is pointed to that has more than one sub-field, you must use the qualify option.  Steps to qualify the data we are looking for:

  1. Click on the "Qualifier" field next to "Computer"."LANDesk Management"."Agent Settings"."Unique ID"
  2. Click the "Qualify" button and select "LANDesk Antivirus"

 

Resulting Column Set

FinalAVColumns.jpg

There may be times that a computer is listed 2 or more times.   This can occur if more than one antivirus solution is detected as installed.  If you look in the inventory at this information you will find Security -> Antivirus -> 0 and Antivirus -> 1 (two separate subnodes) with Antivirus information. This is demonstrated by the computers highlighted in red above.

Installing Mac Antivirus(Kaspersky) Manually


Note: This document assumes that you know how to use the Mac Terminal, File system and connect to SMB shares.

This method of installing Mac Antivirus is not recommended.  It should only be used as a last resort, after you have first attempted and failed to install antivirus through an agent install or through a task created from Security Activity.

Note: Make sure the Mac agent is installed and working on the client before continuing.

 

1. In the Mac Finder, choose Go > Connect to Server and connect over SMB to the core's LDLogon share.

2. Navigate to avclientmac.  Extract the contents of "KESMacClient.zip" to the Mac.  Open the extracted folder; the last file listed is "install\setup\wksmac.zip".  Extract the contents of this file and copy "kesmac.dmg" to the desktop.

3. Go back to LDLogon on the core.  In the "mac" folder copy "macav.pkg" to the desktop.

4. Go to LDLogon again.  In the "avclient\install\key" folder, copy the "ldav.key" file to the Mac desktop.

5. Open "kesmac.dmg" and run the package installer inside it.

     Note that High Sierra will require this: How to install Kaspersky Endpoint Security 10 for Mac on macOS High Sierra (version 10.13)

6. When it completes open "Terminal" and using the cd command navigate to:

     /Library/Application Support/Kaspersky Lab/KAV/Binaries

7. Next run the command: sudo kav addkey /Path to Key/ldav.key

Where "Path to Key" is the path to your user account's Desktop folder.

8.  Open Kaspersky and check that it is now licensed properly.

9. Run the "macav.pkg" on the desktop and allow it to complete.

About Antivirus exclusions (exceptions) for the Ivanti EPM Core Server


This article discusses Antivirus exclusions (also known as exceptions) that are recommended for the Ivanti EPM Core Server.

 

When installing Antivirus on the Ivanti EPM Core server, it is recommended to set the Real-time Protection File Types to Scan option to "Scan infectable files only".  This is set within the Ivanti Antivirus settings on the "Real-time Protection" tab.

 

For general information about Antivirus Exclusions, see this article.

 

For specific information on configuring Antivirus Exclusions for specific server types (IIS, SQL, Exchange, Etc) see this article.

 

 

Some Antivirus products (Ivanti Antivirus included) have separate exclusions lists for real-time scanning and on-demand scanning.  Most exclusions will apply only to Real-time Scanning, as scanning some directories during computer operation can severely impact performance.

 

Antivirus exclusions are set in the "Protection" tab within the Ivanti Antivirus settings.  Within this section, there is both a "Real-time" tab and a "Virus Scan" tab.

 

 

Configuring Antivirus exclusions for an Ivanti Core Server

 

 

As most Ivanti Core servers house IIS for the web console, general Antivirus exclusion instructions should be followed that pertain to IIS:

 

Create the following exclusions:

 

    • The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
      (For XP and Server 2003 use "%systemroot%\IIS Temporary Compressed Files")
    • The  %systemroot%\system32\inetsrv folder
    • Files that have the .log extension

 

If the SQL Database resides on the core server, the following instructions should be followed:

 

http://support.microsoft.com/kb/309422

 

Ivanti specific directories:

 

\Program Files\LANDESK\Managementsuite\brokerreq

\Program Files\LANDESK\Managementsuite\IncomingData

\Program Files\LANDESK\Managementsuite\ldscan

\Program Files\LANDESK\Managementsuite\log

\Program Files\LANDESK\Managementsuite\sdstatus

\Program Files\LANDESK\Managementsuite\xddfiles

\Program Files\LANDESK\Managementsuite\vulscanresults

\Program Files\LANDESK\Managementsuite\ldlogon\agentbehaviors

\Program Files\LANDESK\Managementsuite\ldlogon\vulnerabilitydata

 

Ivanti specific files:

\Program Files\LANDESK\ManagementSuite\LANDESK.ManagementSuite.Licensing.ActivateCore.exe

\Program Files\LANDESK\Managementsuite\ldlogon\ldiscn32.exe

 

General Exclusion information for Microsoft Operating Systems

 

http://support.microsoft.com/kb/822158

How to report and send files being incorrectly detected as a virus by Ivanti Antivirus


 

Description

 

Sometimes new Virus Definitions will detect legitimate files as a virus.  These are called "False Positives".
For further information on how to recover if this false positive is causing issues in your environment, see this article.
In order for the definition to be adjusted, the "False Positive" must be reported and sent to us immediately.

How to report and send files being detected incorrectly as a virus

 

If a file (or files) is being identified as a False Positive, make sure that all affected computers are scanning with the latest definition files before submitting the file(s) for analysis.
Once all machines have been scanned with the latest definition files, follow the steps outlined below to have the infected files analyzed.

For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.

 

Restore File for Reporting

 

In order to submit the file for review as a False Positive, the file will need to be restored from Quarantine. The following steps outline how to provide LDAV the necessary permissions to perform this task.

Disable Real-time protection to prevent the file being immediately quarantined again, then restore the file to be submitted.

 

LDMS 9.6/2016

 

  1. Open a Management Suite console

  2. Go to Tools | Security and Compliance | Agent Settings

  3. Expand Agent Settings | Security | Ivanti Antivirus

  4. Double click on the Antivirus settings the client is using.

  5. Click on Permissions

  6. Check the Allow user to disable Realtime scanning for up to ___ minutes option

  7. Check Allow user to restore objects

  8. Click Save

 


 

  1. On the client, click Start | Run

  2. Type Vulscan /changesettings /showui. This will download the setting changes you made.

  3. Open the Ivanti Antivirus GUI

    • Start | Programs | Ivanti Management | Ivanti Antivirus

             or

    • Click the LDAV Icon in the system tray if enabled

  4. Click Protection | File Anti-Virus | and click Stop

    Note: If prompted with a Warning! window, click Yes

    This action will impact your computer's protection. Do you want to continue?

    Application name: Ivanti Antivirus

    Manufacturer: "Kaspersky Lab"

    Action: Settings modification

  5. With File Anti-Virus disabled, click Quarantine

  6. Take note of the Folder path, as this is where the file will restore to.

  7. Highlight the file and click Restore

  8. Take a screenshot of the false positive detection.  Compile the "infected" file(s) and the screenshot into a password protected .ZIP file, with password 'infected'.  Name the file "FalsePositive(UniqueName).zip".  (Where "UniqueName" is a filename of your choosing).

      *****Be very careful to name the zip file with a prefix of "FalsePositive" otherwise Kaspersky will treat this as a false negative submission and your case will be significantly delayed*****

    Note: The file must be password protected with a password of "infected". The compression type must be a .ZIP. Other compression types will not be accepted. The file should not be a self-extracting zip file.

     

    Submit the File

    1. Place the file on Ivanti's site: http://avdrop.landesk.com/

    2. Contact Ivanti Support and open a Support Incident and provide the name of the sample file uploaded to the ftp site. (Case sensitive)

    3. Revert the changes made to the agents settings.

    4. Current virus definition release activity can be viewed here: http://www.kaspersky.com/viruswatchlite?

    Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.

     

    Ivanti Support Contact information

    How to troubleshoot Ivanti Antivirus license issues


    Troubleshooting Ivanti Antivirus licensing issues

     

    This article will describe the technical process that the administrator and Ivanti Antivirus must take in order to successfully install and activate an Ivanti Antivirus key on a client.

     

    Note: The Ivanti Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features as these features are covered by Ivanti EPS Device Manager and Patch and Compliance Manager.

     

     

     

    How to obtain an Ivanti Antivirus license key

    The license file is a file of the following type xxxxxxxx.key.  It contains service information required for the correct functioning of Ivanti Antivirus (Based on Kaspersky Endpoint Security 10) as well as the following data:

     

    • Information about the vendor of this version (company name and contact information)
    • Technical support information (who provides technical support and how to get it)
    • License key release date
    • License title and number
    • Information about functionality of the components
    • License expiration date

     

    Login to the Support Portal then click "Other License keys" and enter the credentials used to activate the Core Server. Download the zip file which contains the new AV key file.

     

     

    Import License to Core

     

    The first step that needs to occur is to import an Ivanti Antivirus license into the core server.  You should have received a .ZIP file containing your .KEY file and a .PDF file that details the license information.

     

    The following should be done from an Ivanti Endpoint Manager Console:

     

    1. Extract the .ZIP file received from LANDESK Licensing or from your Sales Representative to a location you will remember.
    2. On the Core Server open the following tool: Security and Compliance -> Agent Settings -> Gear (Settings) drop-down -> Ivanti Antivirus License information
    3. The license information window will open.
    4. Browse to the .KEY file unzipped in Step 1.

      Now this window will contain the date the license was created, the license number, and the license information number.

      License Expiration Information can be viewed in several places:

      a. Security Activity tool under Ivanti Antivirus -> Licenses
      b. On the client in the Ivanti Antivirus program window under the "License" link at the bottom of the Window.
    5. After the new license key is imported the file is renamed to LDAV.KEY and gets copied to the LDLOGON\AVCLIENT\INSTALL\KEY folder on the Core Server.

     

    What could go wrong?

    • Failure to write the LDAV.KEY to the LDLOGON\AVClient\Install\Key folder on the core server.  (Check rights, Console.exe.log, etc)

     

    Update of licenses on Managed Clients

     

    1. When the next Security and Compliance (vulscan) scan is run on the client, the vulscan self update feature downloads LDAV.KEY and places it into the LDCLIENT directory.
    2. Vulscan.exe copies LDAV.KEY to the LDCLIENT\Antivirus\Install\Key folder on the client.
    3. Every 5 minutes the Ivanti Antivirus Service compares the hash between the LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY.  (Note: To have this update instantly you can restart the Ivanti Antivirus service)
      (LDAV.KEY in the LDCLIENT\Antivirus folder is the active key that the product uses)
    4. If a difference is found between LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY the license activation process will occur.  This involves invoking the Kaspersky licensing process that imports the key information into the product.
    5. The license information is stored in one of the following registry keys on the client depending on whether the OS is 32-bit or 64-bit

      HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License

                     

     

    Manually updating the license

     

    It is possible to manually update the Ivanti Antivirus license.  This can be useful for remote users who can't connect via VPN or CSA to pull down the new key from the core server automatically.

    1. On the core server, locate the current ldav.key file in C:\Program Files\LANDesk\ManagementSuite\ldlogon\AVClient\Install\key
    2. Copy this key to the client (or send it to your remote user by secure email, FTP etc.) and place it in C:\Program Files (x86)\LANDesk\LDClient\Antivirus\install\key
    3. Wait 5 minutes for the Ivanti Antivirus Service to compare the keys, or simply restart the service.

     

    What could go wrong?

    • Failure to download the LDAV.KEY from the core server.  (This should be noted in the Vulscan.log file on the client).
    • Failure to copy the LDAV.KEY file from the LDCLIENT directory to the LDCLIENT\Antivirus\Install\Key folder on the client (This should be noted in the Vulscan.log file on the client)
      This could be caused by the LDAV.KEY file being read-only.
    • Failure for the Ivanti Antivirus service to copy the LDAV.KEY from LDCLIENT\Antivirus\Install\Key folder to the LDCLIENT\Antivirus folder on the client (This would show in the \ProgramData\LANDESK\Log\LDAV.log file)
    • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
    • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
    • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
      (Does that computer exist in the database?)
      Run a full inventory scan if it cannot be found.
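The client-side part of the key flow described above can be checked with a short script. This is an added example, not Ivanti's code: it walks the three LDAV.KEY locations the article names and reports which stage failed. SHA-256 is an assumption (the article does not say which hash the service compares), and the function names and key bytes are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

KEY_NAME = "LDAV.KEY"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_read_only(path: Path) -> bool:
    # On Windows the read-only attribute clears the write bit reported by stat().
    return not (path.stat().st_mode & stat.S_IWUSR)


def check_key_staging(ldclient: Path) -> list:
    """Return (stage, hint) findings for the key flow under an LDCLIENT folder."""
    downloaded = ldclient / KEY_NAME                                # vulscan self update
    staged = ldclient / "Antivirus" / "Install" / "Key" / KEY_NAME  # copied by Vulscan.exe
    active = ldclient / "Antivirus" / KEY_NAME                      # key the product uses
    findings = []

    if not staged.exists():
        if downloaded.exists():
            findings.append(("copy", "downloaded but not copied to Install\\Key; see Vulscan.log"))
        else:
            findings.append(("download", "no LDAV.KEY received from the core; see Vulscan.log"))
    for candidate in (downloaded, staged):
        if candidate.exists() and is_read_only(candidate):
            findings.append(("read-only", f"{candidate} is read-only and may block the copy"))
    if staged.exists():
        if not active.exists():
            findings.append(("activate", "no active key yet; see LDAV.log"))
        elif sha256_of(staged) != sha256_of(active):
            # The service compares the two files every 5 minutes; a lasting
            # mismatch means activation did not complete.
            findings.append(("pending", "staged key differs from active key; "
                                        "restart the service or see LDAV.log"))
    return findings


def run_constructed_scenarios() -> dict:
    """Build throwaway LDCLIENT trees with constructed key bytes and check each one."""
    results = {}
    old, new = b"constructed-old-key", b"constructed-new-key"
    with tempfile.TemporaryDirectory() as tmp:
        def tree(name, downloaded=None, staged=None, active=None, lock=False):
            root = Path(tmp) / name
            key_dir = root / "Antivirus" / "Install" / "Key"
            key_dir.mkdir(parents=True)
            for path, data in ((root / KEY_NAME, downloaded),
                               (key_dir / KEY_NAME, staged),
                               (root / "Antivirus" / KEY_NAME, active)):
                if data is not None:
                    path.write_bytes(data)
            if lock:
                os.chmod(root / KEY_NAME, stat.S_IREAD)
            results[name] = [stage for stage, _ in check_key_staging(root)]

        tree("in_sync", downloaded=new, staged=new, active=new)
        tree("pending", downloaded=new, staged=new, active=old)
        tree("copy_blocked", downloaded=new, active=old, lock=True)
        tree("never_downloaded", active=old)
        tree("manual_update", staged=new, active=old)  # key placed by hand in Install\Key
    return results


if __name__ == "__main__":
    for scenario, stages in run_constructed_scenarios().items():
        print(f"{scenario}: {stages or 'ok'}")
```

On a real client, pass the LDClient folder (for example the C:\Program Files (x86)\LANDesk\LDClient path given in the manual update steps) to check_key_staging.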

     

     

    Reporting of Ivanti Antivirus information to the core server

     

    1. Antivirus information is sent to the core server through the PutLDAVTableData method of the WSVulnerabilityCore web service when Vulscan runs, or every 5 minutes by the Ivanti Antivirus Service.

      The following information is sent and is shown in the Vulscan.log in the following manner:

      Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
      Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
      Thu, 17 Sep 2015 10:52:00 AutoProtect: On
      Thu, 17 Sep 2015 10:52:00 ProductVersion: 10.2.1.23
      Thu, 17 Sep 2015 10:52:00 EngineVersion: 6.8.0.27
      Thu, 17 Sep 2015 10:52:00 DefVersion: 
      Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660)
      Thu, 17 Sep 2015 10:52:00 DefInstDate: 2015-09-17 09:28:50 (1442503730)
      Thu, 17 Sep 2015 10:52:00 Empty CTime: 1969-12-31 17:00:00 (0)
      Thu, 17 Sep 2015 10:52:00 LastVirusScan: 2015-09-17 09:29:15 (1442503755)
      Thu, 17 Sep 2015 10:52:00 LastFullVirusScan: 2015-09-15 12:50:21 (1442343021)
      Thu, 17 Sep 2015 10:52:00 LastQuickVirusScan: 2015-09-17 09:29:15 (1442503755)
      Thu, 17 Sep 2015 10:52:00 StartFullVirusScan: 2015-09-15 12:47:44 (1442342864)
      Thu, 17 Sep 2015 10:52:00 StartQuickVirusScan: 2015-09-17 09:28:59 (1442503739)
      Thu, 17 Sep 2015 10:52:00 FullVirusScanCancelled: 0
      Thu, 17 Sep 2015 10:52:00 QuickVirusScanCancelled: 0
      Thu, 17 Sep 2015 10:52:00 AgentRunning: True
      Thu, 17 Sep 2015 10:52:00 PatternServer: YourCoreServerName
      Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
      Thu, 17 Sep 2015 10:52:00 LicensePeriod: 362
      Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
      Thu, 17 Sep 2015 10:52:00 LicenseProductName:
      Thu, 17 Sep 2015 10:52:00 LicenseMaxCount: 2000
      Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
      Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData"
      Thu, 17 Sep 2015 10:52:00 SendRequest: SOAPAction: "http://tempuri.org/PutLdavTableData"
    2. This will appear in the WSVulnerabilityCore.dll log on the core as follows:
      09/17/2015 09:52:00 INFO 13484:3     RollingLog : LdavTableData.Update:  Updated a record for Antivirus_Idn = 1
    3. This information is placed into the Antivirus table in the Ivanti IEM database.
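The Antivirus table data block shown above is regular enough to parse when many Vulscan.log files have to be triaged. The following is an added example, not part of the original article or of Ivanti's tooling: it extracts each block and flags clients whose real-time protection, definitions or license need attention. The 3-day and 30-day thresholds, the function names, the evaluation time and the second log block are assumptions constructed for illustration.

```python
import re

STAMP_RE = re.compile(r"^\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} (.*)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
EPOCH_RE = re.compile(r"\((\d+)\)$")

# Block 1: lines taken from the article's Vulscan.log sample (trimmed).
# Block 2: constructed values for a client that needs attention.
SAMPLE_LOG = """\
Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
Thu, 17 Sep 2015 10:52:00 AutoProtect: On
Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660)
Thu, 17 Sep 2015 10:52:00 AgentRunning: True
Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
Thu, 17 Sep 2015 10:52:00 LicensePeriod: 362
Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData"
Thu, 17 Sep 2015 10:52:05 --- Antivirus table data ---------------------------------------
Thu, 17 Sep 2015 10:52:05 ProductName: LANDESK Antivirus
Thu, 17 Sep 2015 10:52:05 AutoProtect: Off
Thu, 17 Sep 2015 10:52:05 PubDate: 2015-09-07 07:31:00 (1441632660)
Thu, 17 Sep 2015 10:52:05 AgentRunning: True
Thu, 17 Sep 2015 10:52:05 LicenseExpirationDate: 2015-09-22 10:52:00 (1442940720)
Thu, 17 Sep 2015 10:52:05 LicensePeriod: 5
Thu, 17 Sep 2015 10:52:05 LicenseNumber: XXXX-XXXXX-XXXXXXX
Thu, 17 Sep 2015 10:52:05 --------------------------------------------------------------------------
"""

# Constructed evaluation time: 10:52:00 on 17 Sep 2015 at the UTC-6 offset
# implied by the sample's date/epoch pairs.
NOW_EPOCH = 1442508720


def parse_av_blocks(log_text):
    """Return one dict of fields per 'Antivirus table data' block in the log."""
    blocks, current = [], None
    for raw in log_text.splitlines():
        stamped = STAMP_RE.match(raw.strip())
        if not stamped:
            continue
        body = stamped.group(1)
        if body.startswith("--- Antivirus table data"):
            current = {}                      # block header
        elif current is not None and set(body) == {"-"}:
            blocks.append(current)            # closing rule of dashes
            current = None
        elif current is not None:
            field = FIELD_RE.match(body)
            if field:
                current[field.group(1)] = field.group(2).strip()
    return blocks


def epoch_of(value):
    """Pull the trailing '(epoch)' number out of a date field, or None."""
    found = EPOCH_RE.search(value or "")
    return int(found.group(1)) if found else None


def assess(block, now_epoch, max_def_age_days=3, license_warn_days=30):
    """Return human-readable findings for one parsed block."""
    findings = []
    if block.get("AutoProtect") != "On":
        findings.append("AutoProtect is not On")
    if block.get("AgentRunning") != "True":
        findings.append("AgentRunning is not True")
    published = epoch_of(block.get("PubDate"))
    if not published:                         # missing or epoch 0
        findings.append("no definition publication date reported")
    elif (now_epoch - published) // 86400 > max_def_age_days:
        findings.append(f"definitions published {(now_epoch - published) // 86400} days ago")
    expires = epoch_of(block.get("LicenseExpirationDate"))
    if not expires:
        findings.append("no license expiration date reported")
    elif expires <= now_epoch:
        findings.append("license expired")
    elif (expires - now_epoch) // 86400 <= license_warn_days:
        findings.append(f"license expires in {(expires - now_epoch) // 86400} days")
    return findings


if __name__ == "__main__":
    for number, block in enumerate(parse_av_blocks(SAMPLE_LOG), start=1):
        print(number, assess(block, NOW_EPOCH) or "ok")
```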

     

    What could go wrong?

    • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
    • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
    • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
      (Does that computer exist in the database?)
      Run a full inventory scan if it cannot be found.

     

    When does Ivanti Antivirus check to see if the license key is valid?

     

    • During Ivanti Antivirus installation
    • When the Ivanti Antivirus service is started
    • Every 5 minutes after Ivanti Antivirus service is started
    • After pattern file update is performed

     

    When troubleshooting client activation issues, the following log files should be consulted:

     

    • LDAV.LOG - Shows activation activity from the Ivanti Antivirus service start or the 5 minute interval check
    • LDAV_UPDATE.LOG - Shows activation activity if Ivanti Antivirus is activated during pattern file update
    • LDAV_INSTALL.LOG - Shows activation activity if Ivanti Antivirus is activated during the installation
    • Vulscan.log - Shows download and copy of key file
    • WSVulnerabilityCore.dll log - Shows reporting of Ivanti Antivirus information as received from Vulscan or the Ivanti Antivirus service

     

    Error: "Black list of keys is corrupted" is displayed in the Licensing window

     

    What is a "black" list of keys?

     

    The black list of keys is a database that contains information about key files that can no longer be used for activation of Ivanti Antivirus. The keys are blocked for the following reasons:

    • Malfunctioning.
    • The key was activated on a computer with incorrect system time or date.
    • The key was stolen.
    • The key was available on pirate servers for free download.

     

    The database of such keys is located in a file named black.lst, which is downloaded and saved with the regular updates. The file is required for correct functioning of Ivanti Antivirus products.

     

    The 'black list' of key files is a file named black.lst. This file is downloaded and saved along with databases (anti-virus, anti-spam, network attacks). Ivanti Antivirus cannot function without a 'black list' file.

     

    Kaspersky Lab software stops functioning and notifies you of this:

    • if there is no black.lst file on your PC;
    • if the file black.lst is damaged;
    • if the Kaspersky Anti-Virus you have installed is using a key file from the 'black list';

    If there is no black.lst file on your PC or it is damaged, start an update task to download it again. Otherwise Ivanti Antivirus protection will not function.

     

    Resolution

     

    1. Create a new Ivanti Antivirus setting that allows the user to change the settings.
    2. Push a Change Settings task to apply these updated settings to the affected client(s).
      (You can change the existing setting as well, but this opens up the risk that, while you are repairing this issue, all client computers using this setting will allow the user to change settings.)
    3. Go to Advanced Settings within the Ivanti Client UI and uncheck "Enable Self Defense".
    4. Delete the blst*.xml file(s) from C:\Program Files (x86)\LANDESK\LDClient\Antivirus\temp_bases8\landesk\updates on the client.
    5. Update the Antivirus pattern files on the core server.
    6. Update the pattern files on the client.
    7. Change the AV settings back to the original so that the user is no longer allowed to change settings.

     

    If this resolution does not help, it may be necessary to reinstall Ivanti Antivirus on the client computer.   This can be done through an "Install/Update Security Settings" task from within the Agent Settings tool.


    Ivanti Antivirus: Database Tables, Inventory Information, and Security Activity


    This document lists the tables in the Ivanti EPM Database that are related to the Ivanti Antivirus product:


     

    The following are the tables used for Ivanti Antivirus:

     

     

    Antivirus table

     

    The information from this table shows up in the Antivirus Licensing information in the Ivanti Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool.  This table records the inventory information for not only the Ivanti Antivirus product but also for other 3rd party Antivirus products.  This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the Ivanti Antivirus Service.  This information is sent under the following conditions:

     

    • After AV installation
    • After activating with a new license
    • After a scanning task is done
    • After pattern files are updated

     

    In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.

     

    When this information is sent to the core, it is logged in LDAV.LOG as "Submitting all Antivirus table information..."

     

    For an Inventory Scan this information is gathered through LDAVHLPR.DLL.  Periodic updates of this .DLL are provided within Ivanti Patch Content to support gathering information on newer versions of Antivirus Software.  The information gathered from each 3rd party vendor can vary.  Some information may not be applicable or available to gather through the Ivanti Inventory or Patch and Compliance scan processes.

     

    This information shows up in the Inventory of a client.

     

     

    This table consists of the following columns:

    | Column Name | Description |
    | --- | --- |
    | Computer_IDN | Unique database identifier for the computer associated to the Antivirus information in the next columns |
    | Antivirus_IDN | Unique database identifier for the Antivirus entry |
    | ProductName | Name of the Antivirus product |
    | AutoProtect | Whether the realtime scanner (AutoProtect) is enabled or not |
    | ProductVersion | Version of the Antivirus product |
    | EngineVersion | Version of the Antivirus engine |
    | DefVersion | Version of the currently active definitions at the time of the last Inventory Scan or Security and Compliance Scan |
    | PubDate | Publication date of the antivirus definitions (pattern files) on the client |
    | DefInstallDate | Time and date that the current definition files (pattern files) were updated on the client |
    | LastVirusScan | Last time and date a regular virus scan was executed on the client |
    | LastFullVirusScan | Last time and date a full virus scan was executed on the client |
    | LastQuickVirusScan | Last time and date a quick virus scan was executed on the client. |
    | AgentRunning | Source of the server for the Pattern Files.  Typically this will only apply to Ivanti Antivirus |
    | PatternServer | Source of the server for the Pattern Files.  Typically this will only apply to Ivanti Antivirus |
    | LicenseExpirationDate | Date and time that the current antivirus product license expires |
    | LicensePeriod | Length of time in days remaining |
    | License Number | Product license number that the client is currently using |
    | LicenseProductName | Name of the licensed product |
    | LicenseMaxCount | Total number of nodes that the license reported by the client is good for |
    | StartFullVirusScan | Time and date that the last full virus scan was started |
    | StartQuickVirusScan | Time and date that the last quick virus scan was started |
    | FullVirusScanCancelled | Time and date the last full virus scan was canceled |
    | QuickVirusScanCancelled | Time and date the last quick virus scan was canceled |

     

    AntivirusPatches table

     

    This table lists the patches for the Antivirus product that are installed on the client.

     

    This information is sent to the Core when an Inventory Scan runs.

     


     

    | Column Name | Description |
    | --- | --- |
    | Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
    | AntivirusPatches_Idn | Unique database identifier for the AntivirusPatches entry |
    | DisplayName | How the patch appears in the client interface (under the support link at the bottom of the LDAV UI) |
    | InstalledDate | Date and time that the patch was installed |
    | MoreInfoURL | If applicable, the link to go to for more information about the patch |
    | PatchName | Name of the patch |

     

    This information shows up in the Client Inventory.

    The LANDESK Antivirus service logs patch information every time it starts during the initialize period to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches and it is then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches

     

     

    InfectedFiles table

     

    This information shows up in the Security Activity tool under Ivanti Antivirus - Infections by Computer, and Ivanti Antivirus - Infections by Virus

     


     

    This table consists of the following columns:

    | Column Name | Description |
    | --- | --- |
    | Computer_Idn | Unique database identifier for the computer that was infected |
    | InfectedFiles_Idn | Unique database identifier for the file that was found that contained a virus |
    | Path | Path on the client computer where the infected file was found |
    | Virus | Particular virus found within the infected file |
    | Failure | Description of the failure |

     

     

    QuarantinedFiles table

     

    This information shows up in the Security Activity tool under Ivanti Antivirus - Quarantined Infections by computer and Ivanti Antivirus - Infections by virus

     

    This table stores information about both files that have been Quarantined and files that have been moved into the Backup folder.

     



    This table consists of the following columns:

     

    | Column Name | Description |
    | --- | --- |
    | Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
    | QuarantinedFiles_Idn | Unique database identifier for the files that were quarantined |
    | Filename | Name of the quarantined file |
    | Status | 0 = Riskware, 1 = Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured |
    | Virus | Virus that was found in the quarantined file |
    | OriginalLocation | Path where the file was found on the client computer |
    | GUIDFilename | GUID assigned to the filename |
    | QuarantineDate | Date and time that the file was quarantined |

     

    This information shows up in the Inventory of the client under Security - Quarantined Files.  Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus

    SecurityAction table

    This information shows up in the Security Activity Tool under Ivanti Antivirus - Activity, Activity by computer, and activity by virus.  In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.


    | Column Name | Description |
    | --- | --- |
    | SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action |
    | Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to |
    | ActionTaken | Action that was taken |
    | ActionCode | Code type of the action that was taken |
    | ActionDate | Date and time that the action occurred |
    | Application | Application Name |
    | MD5Hash | MD5 Hash of the file if a file was involved |
    | SHA1Hash | SHA1 Hash of the file if a file was involved |
    | SHA256Hash | SHA256 Hash of the file if a file was involved |
    | Type | Type code for the action that occurred |
    | Filesize | Size in kilobytes of the file if a file was involved |
    | FileDate | File Creation Date of the file if a file was involved |
    | FileVersion | File Version of the file from within the file properties of a file if a file was involved |
    | CompanyName | Company Name from within the file properties of the file if a file was involved |
    | ProductName | Product Name from within the file properties of the file if a file was involved |
    | ProductVersion | Product Version from within the file properties of the file if a file was involved |
    | UserName | User Logged in when the action occurred |
    | ConfigGUID | Unique GUID of the Setting that was in use when the action occurred |
    | LocationID | Information being gathered on values |

     

    The information in this table makes up most of the Ivanti Antivirus information shown in the Security Activity tool.  This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.

     

    The exception would be the licensing information, which is stored in the Antivirus table and is sent by the Ivanti Antivirus Service on the client to the WSVulnerability web service on the core server.

    The following are the codes returned to the core server and their meanings:

     

    | Result | Code |
    | --- | --- |
    | IS_VIRUS_REPAIR_FAILED | 10 |
    | IS_VIRUS_REPAIR_SUCCEEDED | 11 |
    | IS_VIRUS_QUARANTINE_FAILED | 12 |
    | IS_VIRUS_QUARANTINE_SUCCEEDED | 13 |
    | IS_SUSPICIOUS_QUARANTINE_FAILED | 14 |
    | IS_SUSPICIOUS_QUARANTINE_SUCCEEDED | 15 |
    | IS_SUSPICIOUS_NO_ACTION_TAKEN | 16 |
    | IS_RT_VIRUS_REPAIR_FAILED | 17 |
    | IS_RT_VIRUS_REPAIR_SUCCEEDED | 18 |
    | IS_RT_VIRUS_QUARANTINE_FAILED | 19 |
    | IS_RT_VIRUS_QUARANTINE_SUCCEEDED | 20 |
    | IS_RT_SUSPICIOUS_QUARANTINE_FAILED | 21 |
    | IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED | 22 |
    | IS_APP_BLOCK_FAILED | 23 |
    | IS_APP_BLOCK_SUCCEEDED | 24 |
    | IS_AVSERVICE_FAILED_TO_START | 25 |
    | IS_VIRUS_FOUND | 26 |
    | IS_RT_VIRUS_FOUND | 27 |
    | IS_SUSPICIOUS_FOUND | 28 |
    | IS_RT_SUSPICIOUS_FOUND | 29 |
    | IS_REBOOT_NEEDED | 30 |
    | IS_REBOOT_NOT_NEEDED | 31 |
    | IS_INSTALLING_AV | 32 |
    | IS_REMOVING_AV | 33 |
    | IS_INSTALLED_AV | 34 |
    | IS_REMOVED_AV | 35 |
    | IS_FAILED_INSTALL_AV | 36 |
    | IS_FAILED_REMOVE_AV | 37 |
    | IS_AV_REBOOT_PENDING | 38 |
    | IS_LOGIN | 39 |
    | IS_LOGOFF | 40 |
    | IS_AUTH_SUCCEEDED | 41 |
    | IS_AUTH_WOULD_HAVE_FAILED | 42 |
    | IS_AUTH_FAILED | 43 |
    | IS_DECRYPT_SUCCEEDED | 44 |
    | IS_DECRYPT_FAILED_KEY_NOT_FOUND | 45 |
    | IS_TIMBER_SCAN_FAILURE | 46 |
    | IS_TIMBER_SCAN_SUCCEEDED | 47 |

     

     

    TrustedItem table

     

    Trusted items are a list of objects that Ivanti Antivirus does not monitor or control.  This list is populated with a list of Ivanti EPM client files at the time of Ivanti Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.

    You can add a trusted item and it will block Ivanti Antivirus access to that item, however you must be very sure that it does not represent any threat.


     

    | Column Name | Description |
    | --- | --- |
    | Computer_Idn | Unique database identifier of the computer that has this object in its trusted applications list |
    | TrustedItem_Idn | Unique database identifier of the trusted object |
    | Item | Item full path and name |
    | Status | User Added = 4, Admin Added = 6  (Admin added is either as part of installation or a settings update). |
    | ObjectType | File = 0, Folder = 1, Extension = 2 |
    | AddedDate | Date that the object was added |
    | Folder | Folder where the trusted item is |

     

    On the client side, these are the entries from the Exclusion Rules or Trusted Applications.

    This information shows up in the Inventory of the client under Security - Trusted Items.  Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status

     

    Security Activity

     

    When an event happens with Ivanti Endpoint Security (Application blocked, device blocked, startup module added, etc) this information is sent to the core server and is then able to be viewed within the Security Activity tool and is stored in the database.

     

    How actions are sent from the Client to the core server

    Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.  If no further activity takes place within 2 minutes, Softmon will send this information to the core server.  Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server.  This ActionHistory information gets stored in the SecurityAction table in the database and is displayed in the Security Activity window.  After the ActionHistory is sent, the .XML is renamed to .SENT.XML.  11 copies of this file are kept on the client: .sent, and then .sent numbered 1-10.

     

    If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file

    If ActionHistory is sent via Softmon, this is logged in the Softmon.log file

    ───────────────────────────────────────


    The following SQL query will return all of the Endpoint Security related activity.

    select * from patchhistory where Actioncode IN (10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45)

    Issue: Antivirus 2017(Bitdefender) Failed to install, Now other attempts to install also fail.


    Issue

     

    Antivirus 2017(Bitdefender)  Failed to install,  Now other attempts to install also fail.

     

    Cause

     

    If antivirus fails to install on a device it leaves traces behind that will not allow subsequent installs to process properly.

     

    Resolution

    Cleaning up the traces of the failed install will allow subsequent installs to process properly.

     

    Step 1

     

    Delete the folders and all contents inside:

     

    C:\Program Files (x86)\LANDesk\LDClient\antivirus

    C:\Program Files (x86)\LANDesk\LDClient\temp_av

     

    Step 2

     

    Check the client Services for an existing Landesk(R) Antivirus Service.  In certain cases it may not exist; this can happen and is normal.  If it does exist and the install failed, it likely isn't running and will fail to start.

    In the registry delete the following key:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAV

     

     

    You will likely need to reboot once you delete the registry key.

     

    Step 3

    Try installing Antivirus 2017 again.

    Ivanti Product Alert - Ivanti Antivirus 2017 (Bitdefender) Certificate about to expire (Action Required)

    Note: If you have not yet installed Ivanti Antivirus 2017 (Bitdefender Engine) into your environment, you only need to follow "How to get started with Ivanti Antivirus 2017 (Bitdefender Engine)". The rest of this article will not apply.

     

    Action Required

     

    Your Action Required to Update Antivirus Certificate

     

    If you are running the Ivanti AV 2017 (Bitdefender) Antivirus software from Ivanti, your security certificate for Windows will expire September 17, 2018. Once the certificate expires, the AV agent will stop working.

     

    All the current Ivanti Endpoint Manager (EPM) releases (2016.3, 2017.3 SU5 and 2018.1 SU1) have the Ivanti AV 2017 auto-update option turned off; this configuration is hard-coded and cannot be changed by the EPM admin. This prevents the Ivanti AV 2017 agent from being updated to the latest supported version. As a result of not having an updated agent with a current certificate, the agent will stop working on September 17, 2018. To solve this issue, Ivanti has created a process that will enable the auto-update on the core and on all Ivanti AV 2017 agents. Once enabled, the agents will update themselves to the latest version, ensuring a valid certificate is used.

     

    Note: Moving forward the auto-update mechanism will be used as the only way to update the Ivanti AV 2017 agents. All upcoming EPM versions will include the auto-update capability enabled by default and configured as a setting.

     

    How does the auto-update mechanism work?

    Once new AV binaries are released by Bitdefender, Ivanti will test them and release them to all Ivanti AV 2017 customers. Once released, any core that runs Ivanti AV 2017 will be updated with the new binaries and, as a result, the latest AV agent binaries will be downloaded to the core. All AV agents running on all endpoints will automatically update themselves using the binaries stored on the core or, if so configured, the binaries stored on the Bitdefender cloud. Note that these changes only affect the AV agent and not the EPM agent.

     

    To update your core and client systems, you will need to take immediate action as described below.

     

    Server Update Process

     

    1. Download http://patch.landesk.com/patches/IvantiAVUpdate_082018_x64.zip
    2. Extract the files into a temporary location on the EPM core server.
    3. Navigate to that directory and run update.exe
    4. Watch Windows Task Manager for update.exe to finish processing


    (Update.exe must finish on the core server prior to updating the clients)

     

    Note: you can check the version of the update server on the EPM Core, to see if the update was applied:

        - Go to the Windows Task Manager, in 'Details' right click on 'EPUpdateService', select 'Properties', then 'Details'

        - Before the update the version is 6.2.x.x

        - After the update the version will be 6.6.x.x

     

    Download new Antivirus installation files through Patch and Compliance Manager

    1. Open the Download Updates dialog within Patch and Compliance Manager
    2. Under Windows -> Software Updates select Ivanti xx.x Software Updates and Ivanti Antivirus Core Installation Files
    3. Click Download Now
      This will download a new IVANTIAV2017UPDATE_AUG2018 definition and new epsecurity_x86 and epsecurity_x64 Antivirus 2017 product files.
      (Note: These files will only be used for new Antivirus 2017 installations)

     

    To update Antivirus 2017 clients

     

    Note: Installing the new Antivirus over the top of the old Antivirus through an entire Antivirus reinstall will not work at this time and will result in a failure.   The only upgrade process is described below.

     


    1. Select "Ivanti Update" in the type dropdown in the top left of Patch and Compliance Manager
    2. Right-click "Ivanti2017UPDATE_AUG2018" and select "Download associated patches"
    3. Click "Show all associated patches", multi-select the two patches that show up and click "Download"
    4. Right-click "LDAV2017UPDATE_AUG2018" and select "Repair"
    5. This will open the "Repair Task" dialog.  Make any changes to settings you wish on this page or just click "Save".
    6. This will open the Scheduled Tasks tool and you can drag any clients you wish to update to this task
    7. Right-click the task and set the desired start time.

     

    After you feel comfortable with the updates that are proceeding on your clients, you can set the definition to Auto-fix by right-clicking "LDAV2017UPDATE_AUG2018", selecting Auto-fix, and then choosing the auto-fix options you would like.

     

    How to determine update success

     

    Verifying success using Patch and Compliance Manager

     

    You can use the Type drop-down in Patch and Compliance Manager to filter by only Ivanti Updates

    You can then expand the Scan folder and go to the "Detected" folder.  This will show all computers that still have the old version installed.

     

    Verifying success using Reporting

     

    You can use some of the following reports to view success criteria as well.

     

    Note: Gather Historical Information may be necessary to provide up to date information

     

     

    Viewing success within the client UI


    Right-click the system tray Antivirus icon and choose "About"

     

     

     

    Viewing success through updated file data

     

    Within Task Manager processes view right-click the Endpoint Update Service and verify that the version shows 6.6.x.x

     

     

    View Inventory scan data

     

    Run an Inventory Scan on your devices that includes software.

    The results will show within Security -> Antivirus Software -> Antivirus

    The product version will show version 6.6.x.x

     

    A query can be created from this inventory data, or a custom column set can be created to show the product version as part of the columns for each computer in the network view.

     

    Installing through Software Distribution as an alternative

     

    For 64-bit clients

     

    1. Download http://patch.landesk.com/patches/IvantiAVUpdate_082018_x64.zip
    2. Create a subdirectory under your Software Distribution folder called something like "AVSeptemberUpdate64-bit"
    3. Unzip the files (update.exe and ldavbd.dll) and place them into this folder
    4. Open the Distribution Packages tool within the Distribution tool group.
    5. Under My Packages or Public Packages right-click and select New Windows Package - Executable
    6. Name your package something along the lines of "Antivirus 2017 September Update 64-bit" and give a description to the package if desired
    7. In the Primary File section enter the path to your package directory and select the update.exe file
    8. In the Additional Files section browse to your package directory and select ldavbd.dll
    9. Click Save

     

    For 32-bit clients

     

    1. Download http://patch.landesk.com/patches/IvantiAVUpdate_082018_x86.zip
    2. Create a subdirectory under your Software Distribution folder called something like "AVSeptemberUpdate32-bit"
    3. Unzip the files (update.exe and ldavbd.dll) and place them into this folder
    4. Open the Distribution Packages tool within the Distribution tool group.
    5. Under My Packages or Public Packages right-click and select New Windows Package - Executable
    6. Name your package something along the lines of "Antivirus 2017 September Update 32-bit" and give a description to the package if desired
    7. In the Primary File section enter the path to your package directory and select the update.exe file
    8. In the Additional Files section browse to your package directory and select ldavbd.dll
    9. Click Save

     

    This package can then be sent to the Antivirus 2017 clients.

    Error "GetBases.exe returned an error code: Update successful, but retranslation failed.(37) (25)" when downloading AV pattern files


    Issue

    AV definition download on the Core Server fails with "GetBases.exe returned an error code: Update successful, but retranslation failed.(37) (25)"

    Cause

    This is typically caused by a network, rights, disk, or other related error.   During the re-translation phase the updater tries to download the database files from the source and create a mirror for updating purposes.
    If a network error occurs during this process it will throw this error.
    Retranslation is the process of arranging the downloaded signature files in a specific order within a specific folder tree, which is what allows a client to update from this server. The failure may come from a file operation, for instance missing rights to write or delete, or files being locked. The origin of this problem is outside of the updater.   To find the origin of this issue, the Updater SDK log file must be gathered and provided to LANDESK Support.

    Solution

     

    If further troubleshooting is needed it is recommended to turn on advanced updater logging and to open a ticket with LANDESK Support:

     

    How to turn on Enhanced Updater SDK logging:

    https://community.landesk.com/docs/DOC-27009#jive_content_id_Advanced_Logging_for_the_Updater_SDK_for_troubleshooting_de…

    Issue: Definitions Fail to Download To the Core Server


    Description

    Updates fail to download after scheduling or doing a run now task through the Download Updates tool. In this document, we will address AV definition downloads, but the principles apply to every sort of definition download.

    This document assumes that your definitions are not even attempting to download. This document will not address issues where your definitions are attempting to download, but are being blocked from downloading. In cases like that, ensure that the definition vendors' websites are whitelisted in your organization's security devices and that you can access the vendors' websites through the browser on your core.

     

    Troubleshooting

     

    Verify your settings

    1. Verify that you have the correct Definition types checked in the Updates tab of Download Updates. For instance, if you are trying to download the latest AV definitions, you will want to select that in the window.

     

    2. If it is a scheduled download task that is failing to run, go into the task and make sure that you have the Repeat every checkbox selected as by default a scheduled download will run only once.

     

     

    3. Check the Patch and Compliance tab in your task and make sure that what you want to download is listed in the Definition types and Languages. If you want to change anything in the Patch and Compliance tab, you will need to schedule a new task with your desired definition type and language selected as is shown in step 1.

     

     

     

    Check for a potential licensing issue

     

    1. Check the VAminer.log.detail log to see if your core thinks you have a license to download your desired definitions.
    2. In the Download Updates window, select to Download now then in the resulting screen select View log.
    3. Select the checkbox to show detailed information then navigate to the log path shown.
    4. Open the log then do a search for the word "license." It will be apparent if your core does not think that you are licensed for the product you are trying to download. You will see an error similar to the following:

    16688:LoadingPatchSources : processing: Ivanti AV 10.0

    16688:LoadingPatchSources : Skipping source 'Ivanti AV 10.0' ('/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=Virus4_Win97') that is not licensed for feature 'LANDeskAVSubscription'

     

    You should see something similar to the following for your particular product if you are correctly licensed:

    INFO  11088:LoadingPatchSources : LANDeskAV: Valid license (Exp: 12/31/2020)

    INFO  11088:LoadingPatchSources : IvantiAVSubscription: Valid license (Exp: 12/31/2020)

     

    If you do not see a license issue and are still not able to download your desired definitions, please reach out to support. If you do see a license issue, proceed with the following steps.
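The log search described above can be scripted. The following Python is an added example, not Ivanti's own tooling: it scans LoadingPatchSources lines of the two shapes quoted in this article and, going slightly beyond the manual search, also flags licenses that have expired or are within 30 days of expiry. The function name, the 30-day window and the MM/DD/YYYY reading of the date are assumptions.

```python
import re
import sys
from datetime import date, datetime

# Line shapes copied from the two log excerpts quoted in this article.
SKIPPED = re.compile(
    r"Skipping source '(?P<source>[^']+)' .*"
    r"not licensed for feature '(?P<feature>[^']+)'")
VALID = re.compile(
    r"LoadingPatchSources : (?P<feature>\w+): Valid license "
    r"\(Exp: (?P<exp>\d{1,2}/\d{1,2}/\d{4})\)")

# Constructed sample: the article's excerpts combined into one log.
SAMPLE_LOG = """\
16688:LoadingPatchSources : processing: Ivanti AV 10.0
16688:LoadingPatchSources : Skipping source 'Ivanti AV 10.0' ('/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=Virus4_Win97') that is not licensed for feature 'LANDeskAVSubscription'
INFO  11088:LoadingPatchSources : LANDeskAV: Valid license (Exp: 12/31/2020)
INFO  11088:LoadingPatchSources : IvantiAVSubscription: Valid license (Exp: 12/31/2020)
""".splitlines()


def license_report(lines, today, warn_days=30):
    """Return unlicensed sources, valid features and those near expiry."""
    report = {"unlicensed": [], "valid": {}, "expiring": []}
    for line in lines:
        skipped = SKIPPED.search(line)
        if skipped:
            report["unlicensed"].append(
                (skipped["source"], skipped["feature"]))
            continue
        valid = VALID.search(line)
        if valid:
            # Assumption: dates are MM/DD/YYYY, as 12/31/2020 implies.
            exp = datetime.strptime(valid["exp"], "%m/%d/%Y").date()
            report["valid"][valid["feature"]] = exp
            # Already-expired licenses are flagged too (negative days).
            if (exp - today).days <= warn_days:
                report["expiring"].append(valid["feature"])
    return report


if __name__ == "__main__":
    # Usage: pass the log path shown by "View log"; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG
    print(license_report(log_lines, date.today()))
```

Any entry under "unlicensed" corresponds to the "not licensed for feature" error shown above and leads into the license capability checks that follow.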

     

     

    Check your license capabilities

     

    1. Open one of the following locations:
      • In the Start Menu of your system, go to Activate Ivanti Core Server > Activations > Licenses.
      • In your core, go to Configure > Product Licensing...

     

    2. Check to make sure that you have the correct license capability and the correct version. For instance, if you were using Ivanti Antivirus on a 2018.1 core, you would look for product names including "Antivirus" and Version 11.0.

     

    The version of the product name is very important. Here are the current versions:

    • 2018.1 is 11.0
    • 2017.3 is 10.1
    • 2016.3 is 10.0

     

    3. If everything looks correct above and the downloads are still not working, or if you have the correct product name but your core's version is not in your product licensing list, please contact support. If you do not see your product name above but are sure that you have the correct license, proceed to the following steps.

     

    Address your licensing issue

     

    1. Close your core completely.
    2. Go to Program Files(or Program Files (x86))\Landesk and move or delete the contents of the Authorization Files directory.
    3. Reactivate your core.

     

    If you still are unable to download definitions after following all of the above steps, please contact support and send them your vaminer.details.log.

     

     

    Affected Products

    LDMS 2016.1

    EPM 2017.3

    EPM 2018.1
