Channel: Ivanti User Community : Document List - Antivirus and Antispyware

Issue: Ivanti Antivirus (Kaspersky Engine) Fails To Activate


Ivanti Antivirus (Kaspersky engine) is discontinued starting with version 2019.1; we strongly recommend switching to the Bitdefender-based solution as outlined here: https://community.ivanti.com/docs/DOC-62435.

Symptom

When opening Ivanti Antivirus (Kaspersky Engine) you see a message indicating that your application is not activated.

 

Cause

This issue happens when the client has installed only the Kaspersky antivirus engine and not the Ivanti Antivirus component; the engine is then present but never activated.

 

Resolution

  • To resolve this problem on one client, run the following command from Start > Run (or a command prompt) on the client:

    vulscan /installav /showui

  • To resolve this issue on multiple clients, on your core go to Tools > Security and Compliance > Security Activity, then click to create an Install/Update security components task. Select Ivanti Antivirus, schedule the task and add your clients to it.

 


Ivanti Endpoint Manager and Endpoint Security - Antivirus Frequently Asked Questions


 

IMPORTANT NOTICE - IVANTI ANTIVIRUS 2017 Certificates Expiring - Client Update Required

Ivanti Product Alert - Ivanti Antivirus 2017 (Bitdefender) Certificate about to expire (Action Required)

 

Ivanti Endpoint Manager and Endpoint Security - Antivirus

 

 

This article is not a complete list of documents and issues. You can continue to search the rest of the community or the portion specific to Ivanti Antivirus for Endpoint Manager if this page hasn't helped.

How to report and send files being incorrectly detected as a virus by Ivanti Antivirus


 

Description

 

Sometimes new virus definitions will detect legitimate files as a virus. These are called "false positives".
For further information on how to recover if a false positive is causing issues in your environment, see this article.
In order for the definition to be adjusted, the false positive must be reported and the file sent to us immediately.

How to report and send files being detected incorrectly as a virus

 

If one or more files are being identified as a false positive, before submitting them for analysis make sure that all affected computers are scanning with the latest definition files.
Once all machines have been scanned with the latest definition files, follow the steps outlined below to have the flagged files analyzed.

For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.

 

Restore File for Reporting

 

In order to submit the file for review as a false positive, the file will need to be restored from Quarantine. The following steps outline how to grant the client user the permissions LDAV requires for this.

Disable Real-time protection so the file is not immediately quarantined again, then restore the file to be submitted. Re-enable Real-time protection as soon as the file has been packaged, and revert the permission changes afterwards so users cannot keep protection disabled.

 

LDMS 9.6/2016

 

  1. Open a Management Suite console

  2. Go to Tools | Security and Compliance | Agent Settings

  3. Expand Agent Settings | Security | Ivanti Antivirus

  4. Double-click the Antivirus settings the client is using.

  5. Click on Permissions

  6. Check the Allow user to disable Realtime scanning for up to ___ minutes option

  7. Check Allow user to restore objects

  8. Click Save

 


 

  1. On the client, click Start | Run

  2. Type Vulscan /changesettings /showui; this downloads the setting changes you made.

  3. Open the Ivanti Antivirus GUI:

    • Start | Programs | Ivanti Management | Ivanti Antivirus

             or

    • Click the LDAV icon in the system tray, if enabled

  4. Click Protection | File Anti-Virus and click Stop.

    Note: If prompted with a Warning! window, click Yes. The prompt reads:

    This action will impact your computer's protection. Do you want to continue?

    Application name: Ivanti Antivirus

    Manufacturer: "Kaspersky Lab"

    Action: Settings modification

  5. With File Anti-Virus disabled, click Quarantine.

  6. Take note of the Folder path, as this is where the file will be restored to.

  7. Highlight the file and click Restore.

  8. Take a screenshot of the false positive detection. Compile the "infected" file(s) and the screenshot into a password-protected .ZIP file with the password 'infected'. Name the file "FalsePositive(UniqueName).zip", where "UniqueName" is a name of your choosing.

     Be very careful to name the zip file with the prefix "FalsePositive"; otherwise Kaspersky will treat it as a false negative submission and your case will be significantly delayed.

    Note: The archive must be password protected with the password "infected". The compression type must be .ZIP; other archive types will not be accepted. The file must not be a self-extracting archive.

    Submit the File

    1. Upload the file to Ivanti's site: http://avdrop.landesk.com/

    2. Contact Ivanti Support, open a Support Incident and provide the exact name (case sensitive) of the sample file you uploaded.

    3. Revert the changes made to the agent settings (the permissions enabled above) and confirm Real-time protection is running again.

    4. Current virus definition release activity can be viewed here: http://www.kaspersky.com/viruswatchlite?

    Note: Once the antivirus pattern files are updated to correct the false positive, the files in quarantine will be restored to their original locations.
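The packaging and pre-upload checks above (restored sample plus screenshot into a password-protected plain .ZIP named FalsePositive…, then verify before uploading) as an added PowerShell example; this is not code from the Ivanti article. It assumes 7-Zip is installed at its default path, because PowerShell's built-in Compress-Archive cannot set a password; the input paths, the UniqueName and the output folder are supplied by the caller.

```powershell
# Added example (not from the Ivanti article): package a false-positive sample
# exactly the way the submission instructions require, then sanity-check it.
# Assumptions: 7-Zip at its default install path (Compress-Archive cannot set a
# password); restored file(s) and screenshot are passed in by path.
param(
    [Parameter(Mandatory)] [string[]] $SamplePath,   # file(s) restored from Quarantine
    [Parameter(Mandatory)] [string]   $Screenshot,   # screenshot of the detection
    [Parameter(Mandatory)] [string]   $UniqueName,   # e.g. case number or hostname
    [string] $OutDir   = "$env:USERPROFILE\Desktop",
    [string] $SevenZip = "$env:ProgramFiles\7-Zip\7z.exe"   # assumed install path
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $SevenZip)) { throw "7z.exe not found at $SevenZip" }
foreach ($p in @($SamplePath) + $Screenshot) {
    if (-not (Test-Path $p)) { throw "Input not found: $p" }
}

# The "FalsePositive" prefix is what routes the sample to the false-positive
# queue; strip anything from UniqueName that could break that prefix or the path.
$safeName = $UniqueName -replace '[^\w-]', ''
$zipName  = "FalsePositive$safeName.zip"
$zipPath  = Join-Path $OutDir $zipName
if (Test-Path $zipPath) { Remove-Item $zipPath }

# -tzip forces a plain ZIP container (not .7z), -pinfected sets the required
# password. Do NOT add -sfx: self-extracting archives are rejected.
& $SevenZip a -tzip '-pinfected' $zipPath @SamplePath $Screenshot | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7z.exe failed with exit code $LASTEXITCODE" }

# Pre-upload checks: ZIP magic ("PK"), i.e. not an EXE stub ("MZ"), and the
# archive actually opens with the password 'infected'.
[byte[]]$magic = [System.IO.File]::ReadAllBytes($zipPath)[0..1]
if ([System.Text.Encoding]::ASCII.GetString($magic) -ne 'PK') {
    throw "$zipName is not a ZIP container"
}
& $SevenZip t '-pinfected' $zipPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Archive did not verify with password 'infected'" }

# Record a hash so the support case can reference the exact file uploaded.
$hash = (Get-FileHash -Algorithm SHA256 -Path $zipPath).Hash
Write-Host "Ready to upload: $zipPath"
Write-Host "SHA-256: $hash  (quote the file name, case sensitive, in the support incident)"
```

Run it from the client after the Restore step, for example `.\Package-FalsePositive.ps1 -SamplePath 'C:\Quarantine\app.exe' -Screenshot 'C:\Temp\detect.png' -UniqueName 'INC12345'`; the script refuses to produce anything that would be rejected (wrong container, wrong password) rather than leaving that to be discovered after the upload.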

     

    Ivanti Support Contact information

    Error: "Error - 1004" when attempting to run an update in Antivirus 2017 (Bitdefender Engine)


    Issue

     

    An error of "Error - 1004" appears when attempting to update the pattern files in Ivanti Antivirus 2017 (Bitdefender Engine)

     

    "Error - 1004" means "Cannot connect to proxy or server". In other words, the client cannot contact the pattern file update server to get its updates.

     


    Cause

     

    The Antivirus 2017 client cannot access the Core Server that has the Bitdefender Update Server installed, and/or it cannot access the Bitdefender update server on the internet.

     

    • The client does not have the update servers properly configured in their Antivirus 2017 settings.
    • The client does not have the registry key that points to the behavior that it is to follow.
    • The client cannot access the update servers (see Resolution for ports and host names needed).

    This error is almost always caused by a proxy server or another network appliance that is not allowing the required traffic. Check this scenario, and then check it again: support is frequently told that there is no proxy or filtering appliance in the path, and it turns out that something of the kind is blocking the traffic.

     

    Resolution

     

    Ensure the update servers are configured properly in the Antivirus 2017 settings

    1. On the Core Server go to the Security and Compliance tool group and go to the Agent Settings tool.
    2. In Agent Settings scroll down to the bottom and open All Agent Settings.
    3. Open the Security section of the tree and select Ivanti Antivirus 2017
    4. Find the desired Antivirus 2017 setting your failing client is using and open it.
    5. In the left-hand pane go to "Update Servers"
    6. Ensure that your core name or IP is listed followed by the port number of 7074 as seen below.  In addition, ensure that av-update.ivanti.com (or the IP address 152.195.13.12) is listed.  You can move the order of these depending on what you want the client to contact first - the core update server or the internet update servers.  For troubleshooting purposes, you may want to temporarily swap the order and then run "Vulscan /changesettings /showui" from the client in order to test connectivity.


     

    Ensure the client has the AV setting written to the registry

     

    A bug existed that caused the AVNewBehavior behavior information not to be written to the client registry.  This can be verified and resolved by doing the following:

     

    On the client open the registry editor and browse to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors and look for an "avnewbehavior" setting.

     

     

    If this does not exist you will need to run a Change Settings task and push it to the agent which will cause this key to be written.  Do the following to accomplish this.

     

    1. In the Management Console open the Patch and Compliance tool group and then open the Agent Settings tool.
    2. Click the Calendar icon in the toolbar and select "Change Settings"



    3. Give the setting a meaningful name under the "Name: " section.
    4. In the right-hand pane select the drop-down to the right of "Ivanti Antivirus 2017" and select the desired Antivirus 2017 setting.


    5. Click "Save".   This will open the Scheduled Tasks window.
    6. Add your desired computers to the task and start it when desired.

     

    Ensure that the "avnewbehavior" key is written to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors

     

     

    Ensure the proper ports are open and the hostnames are reachable for the update servers

     

    Here are a few facts about this connection:

     

    • TCP Port 7074 needs to be open from the client to the core
    • TCP Port 7074 needs to be open from the core to the client
    • In order to update files from the internet, the client needs to be able to access av-update.ivanti.com at IP address 152.195.13.12

     

    A Wireshark capture can be performed on the client and the core to ensure that the expected traffic is taking place.

     

    In a normal conversation from the client to an update server, the following takes place:

     

    1. The client requests av64bit-eps/versions.id
    2. The client requests bdvaccine64/versions.id
    3. The client requests avc3-sig-busi/versions.id
    4. The client requests avc3-exec-busi/versions.id
    5. The client requests atc-sig-busi/versions.id

     

    The client analyzes the versions.id files and compares them to the versions that it already has downloaded.  If something newer is found the client continues to download that content.
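The checks the Cause and Resolution sections call for (the avnewbehavior registry value, TCP 7074 from the client to the core, and name resolution of av-update.ivanti.com) as one added PowerShell script run on the failing client; this is not code from the Ivanti article. It assumes the core host name is supplied on the command line, that the 152.195.13.12 address from this article is still current, and that the WinINET and WinHTTP proxy settings it prints are what the update traffic would inherit (a pointer for the proxy hunt, not proof).

```powershell
# Added example (not from the Ivanti article): one-pass client-side checks for
# "Error - 1004". Assumptions: core host name supplied; expected public IP is
# the one the article documents and may change; registry path is the WOW6432Node
# path from the article.
param(
    [Parameter(Mandatory)] [string] $CoreServer,
    [string] $UpdateHost = 'av-update.ivanti.com',
    [string] $ExpectedIp = '152.195.13.12',
    [int]    $CorePort   = 7074
)

$results = [ordered]@{}

# 1. avnewbehavior must exist; without it the client does not know which
#    update behaviour to follow (push a Change Settings task if it is missing).
$regPath = 'HKLM:\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors'
$avNew = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).avnewbehavior
$results['avnewbehavior present'] = [bool]$avNew

# 2. TCP 7074 from this client to the core's Bitdefender update server.
$core = Test-NetConnection -ComputerName $CoreServer -Port $CorePort -WarningAction SilentlyContinue
$results["core $CoreServer tcp/$CorePort reachable"] = $core.TcpTestSucceeded

# 3. The internet update host must resolve, and should resolve to the address
#    the article documents; a different answer usually means a proxy or DNS
#    appliance is rewriting the path.
try {
    $answers = @((Resolve-DnsName -Name $UpdateHost -Type A -ErrorAction Stop).IPAddress)
} catch {
    $answers = @()
}
$results["$UpdateHost resolves"]       = ($answers.Count -gt 0)
$results["$UpdateHost -> $ExpectedIp"] = ($answers -contains $ExpectedIp)
$results["$UpdateHost answers"]        = ($answers -join ', ')

# 4. Proxy configuration that the update traffic may inherit. The article says
#    a proxy or filtering appliance is the usual cause, so surface both the
#    per-user (WinINET) and machine (WinHTTP) settings for the engineer.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
$results['WinINET proxy enabled'] = ($inet.ProxyEnable -eq 1)
$results['WinINET proxy server']  = $inet.ProxyServer
$results['WinHTTP proxy']         = ((netsh winhttp show proxy) -join ' ').Trim()

$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

Run it as `.\Test-Av1004.ps1 -CoreServer core01.example.com` (hypothetical host name). A false on the TCP 7074 line with a true on name resolution points at the network path between client and core; a wrong address for av-update.ivanti.com points at DNS or a proxy; a missing avnewbehavior value is the Change Settings task case described above.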

     

    Normal traffic to/from the Core Server on port 7074 during an update can be isolated with the Wireshark filter:

    tcp.port == 7074

    Normal traffic to/from the Bitdefender update server over the internet (note that both halves of the filter use the same address):

    ip.dst == 152.195.13.12 || ip.src == 152.195.13.12

    Reinstall Ivanti Antivirus 2017

     

    A task can be created to force a reinstallation of Antivirus 2017.  The following steps should be followed:

     

    1. In the Patch and Compliance tool group go to Agent Settings
    2. Click the Calendar icon on the toolbar and select "Install/Update Security Components"
    3. Select your Antivirus 2017 you wish to use for the install in the drop-down on the right-hand side.
    4. Click "Force reinstall of Ivanti Antivirus components even if the same version is already installed".


    About Antivirus licenses for Ivanti Endpoint Manager (EPM)


    Each version of the product requires an active license.

    If you purchased a license or a renewal for a lower or higher version of the product, you are entitled to use the AV solution for the entire product (some restrictions apply*).

    Two license products (the Manager license and the matching Subscription license) are always required for the AV license to work correctly.

     

    We currently offer two Antivirus solution engines: Ivanti Antivirus (Kaspersky) and Ivanti Antivirus 2017 (BitDefender).

     

    Below is the list of license names and corresponding versions of EPM that should be active on your Core Server.

     

     

    Each row lists the Manager and Subscription license pair.

    Product Name (License)                                    AV Solution Engine   Version   EPM Version
    --------------------------------------------------------  ------------------   -------   --------------
    Ivanti Antivirus Manager 2018 powered by Landesk          BitDefender          11.0      2018.X
    Ivanti Antivirus Subscription 2018 powered by Landesk
    Ivanti Antivirus Manager powered by Landesk               Kaspersky            11.0      2018.X
    Ivanti Antivirus Subscription powered by Landesk
    Ivanti Antivirus Manager 2017 powered by Landesk          BitDefender          10.1      2017.3
    Ivanti Antivirus Subscription 2017 powered by Landesk
    Ivanti Antivirus Manager powered by Landesk               Kaspersky            10.1      2017.X, 2016.3
    Ivanti Antivirus Subscription powered by Landesk
    Landesk AntiVirus                                         Kaspersky            10.0      2016.0
    Landesk AntiVirus Subscription
    Landesk AntiVirus                                         Kaspersky            9.6       9.6
    Landesk AntiVirus Subscription
    Landesk AntiVirus                                         Kaspersky            9.5       9.5
    Landesk AntiVirus Subscription

     

    For detailed information on each of the available Antivirus solutions please visit our Community articles for Kaspersky (Ivanti Antivirus) and BitDefender (Ivanti Antivirus 2017).

     

    You can view your current licenses by launching the Core Server Activation application or from inside the Management Console: Configure -> Product Licensing…

     

    *The BitDefender solution is only available from product version 2017.3 SU2 and higher.

     

     

    Note: If you are upgrading to a 2018.X version of the product from 2017.X or lower, please verify the licenses and, if any are missing, contact our Licensing Team Support for a license upgrade.

     

     

    Other useful documents:

    How to check your Ivanti Endpoint Manager (EPM) product version

    Ivanti Endpoint Manager and Endpoint Security - Antivirus Frequently Asked Questions

    About Antivirus 2017 New Features in Endpoint Manager 2018.3


    This article describes the new features in Ivanti Antivirus 2017.

     

    New Features

     

    • Agent Configuration
    • URL Exclusions for Network Scan
    • Device Scanning Option
    • Reporting and Security Activity Reports
    • Agent Auto-Update
    • Core Server Antivirus Update Auto-Update

     

    Agent Configuration

    Deploying Ivanti Antivirus 2017 as part of the Agent Configuration is now possible.

     



    • Allows for selecting either Ivanti Antivirus (Kaspersky Engine) or Ivanti Antivirus 2017 (Bitdefender Engine), not both at the same time.



    • If Ivanti Antivirus (Kaspersky Engine) is already installed on the endpoint, and the Agent Configuration is set to install Bitdefender, it will remove Ivanti Antivirus (Kaspersky Engine) before Ivanti Antivirus 2017 (Bitdefender Engine) is installed.

     

    HTTP Traffic Scan Exclusions

     

    • Allows for setting exclusions (skips scanning of the target name or address) by IP Address, URL or Application name.   Wildcards are supported.

     

     

    On-Demand Device Scanning

     

    The ability for a user to scan a CD/DVD or USB media has been added. Realtime protection already guards against any file executed from the drive; this new feature allows scanning the entire volume.

     

     

    Improved Reporting and Security Activity

     

    The following Security Activity items are now populated:

     

    • Infections by Computer
    • Infections by Virus
    • Quarantined Infections by Computer
    • Quarantined infections by Virus
    • Trusted Items by computer

     

     

    Core Server Auto-update option

     

    Within the Download Updates -> Ivanti Antivirus 2017 tab there is now the option to "Automatically update the Ivanti Antivirus Update Server".  This means that if Bitdefender releases a new engine version the Antivirus Update server on the Core Server will be automatically updated.

     

     

    Other Features

     

    • UninstallWinClient now removes Ivanti Antivirus 2017
    • Antivirus 2017 can be built into a self-contained executable
      • Keep in mind that if both 32-bit and 64-bit setup files are included in the self-contained executable it will total about 1.4 GB; if only 64-bit is included it will total about 700 MB. So if you have no 32-bit clients in your environment, choose 64-bit only. If you have both, build two self-contained executable agents.

    About new features in Endpoint Security in Endpoint Manager 2018.3


    New Features in Endpoint Security in Endpoint Manager 2018.3

     

    There are two new features in Endpoint Security in Endpoint Manager 2018.3

     

    • Trust by default all applications signed by "Ivanti, Inc."
    • New Setting - "Enable local application file list"

     

    Trust by default all applications by "Ivanti, Inc."

     

    • All processes digitally signed by "LANDesk, Inc." are trusted by default (hard-coded) on all EPM versions.
    • On 2018.3 in addition, we trust the "Ivanti, Inc." signature.

     

    New option - "Enable Local File Application List"

     

     

     

     

     

    • The "local application file list" is a per-computer list, which is not manageable from the core – it can be useful in some environments, but makes the product harder to manage, since the administrator may have to remote control the agent to edit this list.  It's now disabled by default.

    Upgrading Core Ivanti Antivirus 2017 (Bitdefender) Installation Engine Version


    Assumptions

    This document assumes you know the path to LDLogon on your core (if it is not the default shown in this document). It also assumes you know how to move and modify files in Windows Explorer, work with Regedit, and uninstall and install programs.

     

    Possible Issue if Update is Not Applied

     

    It is possible that clients end up at a later engine version than the Core Server if they get their updates from the internet. If this happens you get the error "Installed engine version is newer than the one on the update server. Error - 2013".

     

    Step 1

    Logon to the core itself and navigate to: C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd

    Make a backup copy of epsecurity_x64.exe and epsecurity_x86.exe

     

    Step 2

    In a web browser download:

    http://download.bitdefender.com/oem/Ivanti/BEST/2018.08.09_6.6.3.61/epsecurity_x64_6.6.3.61.exe

    Rename the file to epsecurity_x64.exe and copy it to: C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd

    Next download:

    http://download.bitdefender.com/oem/Ivanti/BEST/2018.08.09_6.6.3.61/epsecurity_x86_6.6.3.61.exe

    Rename the file to epsecurity_x86.exe and copy it to: C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd

     

    Step 3

    Be sure to uncheck: Ivanti Antivirus Core Installation Files in your download settings or the files will get overwritten on the next download.

     

    Step 4

    On the core itself, click the Start menu and go to Ivanti Antivirus.  Click Repair or Uninstall.  Follow directions in the dialog to uninstall from the core.

     

    Step 5

    After uninstall finishes, navigate to: C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd\updateserverinstall

    Launch the AVsetup.exe.  Follow directions in the dialog to install Antivirus 2017 on the core. Once it finishes you can open Regedit and go to:

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security\DisplayVersion

     

    To verify the new version engine is installed.

     

    Note: Steps 4 and 5 are only for updating the core AV installation and not endpoint client devices.

     

    Step 6

    Any new clients will now get the newest engine by installing Antivirus 2017 through the Install/Update Security components task or by running the command: vulscan /installavnew /showui

    on the client.

     

    To upgrade existing clients to the new engine download and run the attached endpoint-update.bat file on the clients.  This will force the clients to update to the newest engine and will require a restart.

    Note: Updating existing clients does so through the internet and not the core files.
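Steps 1, 2 and 5 above as an added PowerShell script run on the core; this is not code from the Ivanti article. It uses the paths and download URLs the article gives and adds one check the article omits: the downloads are served over plain http, so the script verifies the Authenticode signature on each installer before it replaces the core's copy and keeps a timestamped backup. The expected signer name 'Bitdefender' is an assumption; confirm it against the signature Subject of a known-good epsecurity_x64.exe before relying on it.

```powershell
# Added example (not from the Ivanti article): stage the Bitdefender engine
# installers on the core with a backup and an Authenticode check, then report
# the installed engine version after the core reinstall.
# Assumptions: default install path and URLs from the article; expected signer
# substring 'Bitdefender' is an assumption to be confirmed on a known-good file.
param(
    [string] $AvClientDir    = 'C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd',
    [string] $BaseUrl        = 'http://download.bitdefender.com/oem/Ivanti/BEST/2018.08.09_6.6.3.61',
    [string] $EngineVer      = '6.6.3.61',
    [string] $ExpectedSigner = 'Bitdefender'   # assumption: substring of the certificate Subject
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($arch in 'x64', 'x86') {
    $target = Join-Path $AvClientDir "epsecurity_$arch.exe"
    $backup = "$target.$stamp.bak"
    $staged = Join-Path $env:TEMP "epsecurity_${arch}_$EngineVer.exe"
    $url    = "$BaseUrl/epsecurity_${arch}_$EngineVer.exe"

    # Step 1: keep the current file so the change can be reverted.
    if (Test-Path $target) { Copy-Item -Path $target -Destination $backup }

    # Step 2: download to a staging location, never straight over the live file.
    Invoke-WebRequest -Uri $url -OutFile $staged -UseBasicParsing

    # The URLs are plain http, so the only integrity check available is the
    # Authenticode signature on the installer itself: refuse anything unsigned,
    # tampered, or signed by an unexpected party.
    $sig = Get-AuthenticodeSignature -FilePath $staged
    if ($sig.Status -ne 'Valid') {
        throw "$staged signature status is $($sig.Status); not installing"
    }
    if ($sig.SignerCertificate.Subject -notmatch $ExpectedSigner) {
        throw "$staged is signed by '$($sig.SignerCertificate.Subject)', expected $ExpectedSigner"
    }
    $fileVer = (Get-Item $staged).VersionInfo.FileVersion
    Write-Host "$arch installer $fileVer signed by $($sig.SignerCertificate.Subject); backup at $backup"

    # Only now replace the file the clients and the core installer pick up.
    Move-Item -Path $staged -Destination $target -Force
}

# After steps 4 and 5 (uninstall and reinstall on the core), confirm the engine
# version from the uninstall key the article names.
$uninst    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security'
$installed = (Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue).DisplayVersion
Write-Host "Installed Endpoint Security version on core: $installed (expected $EngineVer)"
```

Run the script before step 3 (unchecking the core installation files in the download settings) so the staged files are not overwritten on the next content download; the version line at the end will only show the new engine once steps 4 and 5 have been completed.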


    Getting started with the new Ivanti Antivirus 2017(Bitdefender) Client GUI and Agent Settings


    This document is intended to introduce you to the new Ivanti Antivirus (Bitdefender Engine) Antivirus 2017 client GUI on the devices you install it on and the agent settings that control the new antivirus on the devices.  This document assumes you know how to access the Ivanti Antivirus New agent settings within the console.

     

    Note: Clicking a screenshot enlarges it. The screenshots shown are from 2017.3 with SU4.

     

    Agent Settings

     

    General This area allows you to configure basic configuration settings.

    • Maintenance Password Allows you to set and configure the password to interact with administrative features on the client.
    • Notifications  Allows you to set what the user sees on the client GUI.

    File Protection Configure the level of protection you want on the clients as well as configure what files/areas you want excluded.

    Network/Traffic  This section allows you to configure network monitoring on the end clients.  The Network Scan section allows you to configure the web browser tools clients see in the GUI when a browser is open.

     

    Scheduled Tasks  This area allows you to set an Update schedule as well as Full and Critical (Quick) Scan schedules to run at specific times. If your clients do not seem to be updating definitions, be sure this area has an update schedule set up, as none is set by default. Once checked, click each item's Change Schedule button to set the schedule for that item.

     

    Full Scan and Quick Scan  This area allows you to configure actions to take on detected items during a full scan, as well as alter the priority and user options on the clients.

    Update servers  Allows you to add and set the order of where clients get the updates.

     

    Client Graphical User Interface(GUI)

     

    Below is the client interface as presented to the user when double clicking the Icon in the system tray.

    Modules Button

    This button allows you access to the modules and Quarantine area on the client.  You cannot disable or enable modules here it is only informational.  Clicking Quarantine will open the Quarantine area and allow you to manage any files that are in there.

     

    Filters

    The Filters button allows you to customize what is displayed in the readout list in the main window.

     

    The top row of buttons will display only the items for that particular module.  You can have more than one selected.

    The Date Range allows you to only view items that occurred within the range.

     

    Last you can set the filter by status of an item Success, Warning, or Serious.  Clicking Reset Filters at the top removes all filters.

     

    ScanTasks

     

    Scan Tasks allows a user to run a predefined scan or create and save a custom scan.

    Note: The Check for Updates button does nothing.  The LDAV.exe service installed with Ivanti Antivirus handles updating definitions.  To run a manual definition update on a client, run the following command as administrator:

    "C:\Program Files (x86)\LANDesk\LDClient\Antivirus\LDAV.exe" /update

    Clicking New Custom Scan allows you to create your own custom scan and save it to the Scan Tasks menu. Once your scan settings are set, give the scan a name in the bottom field and click the star button to save it. The scan now appears on the Scan Tasks menu. You can remove it by clicking the trash button.

    Clicking Custom then Settings opens a dialog to customize the scan further.

    Note: Some options are not available at this time like exclusions and extensions and are grayed out.  We will continue to improve the product and release more features in future releases.

    How to Troubleshoot "Databases are Corrupted" and Malfunction errors in LANDesk Antivirus


    How to fix "Databases are Corrupted", "Databases are extremely out of date", and "Malfunction" errors

     

    Table of Contents

    "Databases are Corrupted" & "Databases are extremely out of date"

     

    On a single machine

    1. Open an administrative command prompt
    2. Run the following commands:
      • cd\ - press Enter
      • cd "Program Files (x86)\LANDesk\LDClient\Antivirus" - press Enter
      • ldav.exe /updatefrominternet - press Enter

     

     

    You should see activity in the GUI for your AV client, as seen below:

     

    Once the update has finished, the error should be gone as seen below:

     

     

    On multiple clients

     

    1. On your core, go to the ManagementSuite\ldlogon\avclient\install\setup directory and rename the "bases.cab" file to bases.cab.old.

    2. Re-initiate a download of the AV definitions from your Patch Manager (this will rebuild the bases.cab file on your core).

     

     

    It would be a good idea to rebuild your agents and standalone installers at this point. This will ensure that the new bases.cab file will be included in any installation from this point forward.

     

    3. In your Security Activity section (Tools->Security and Compliance->Security Activity), create a new "LANDESK Antivirus task..." that updates the definitions without a scan. Next, configure a new Antivirus setting. Leave everything here set to default, but change the update source to "Internet Only". Name the setting and save it, and be sure to remember this name. Once you have saved it, select that setting from the list and hit the "Use selected" button in the bottom right. At this point, give the task an appropriate name and hit Save. This will create a Scheduled Task with that name. Schedule the task like any other task you would build out and assign machines to it accordingly. Remember, the settings used for this task apply ONLY to this particular task; they are used once, for this task, and then discarded.

     

    View this GIF for more information.

     

    "Malfunction" error in AV Components

     

    On occasion, AV components may malfunction. They will show in the GUI as seen below:

     

     

    If you see this behavior on a single machine, please follow the steps in the "On a single machine" section above. You will want to reboot the machine once this has completed.

     

    If you see this on multiple machines, follow the instructions from Step 3 in the "On multiple clients" section above. You will want to schedule reboots for the machines once this has successfully run on the targeted clients.

     

    If for any reason the steps above fail to resolve the issues presented, contact LANDesk Support and open a case to be investigated.

    GetBases.exe returned an error code: 255 (FF)


    Description

    When downloading definitions for your Ivanti Antivirus (Kaspersky), you see an error similar to the following:

    GetBases.exe returned an error code: 255 (FF)

    Processing Kaspersky Antivirus Updates

    Comparing English Definitions

    Attempting to download 1 ENU definitions

     

     

    Troubleshooting

    This error can be caused when the Microsoft Visual C++ 2015 Redistributable (x86) is not installed or is corrupted. To fix this, install the Microsoft Visual C++ 2015 Redistributable Update 3 (x86) from the official Microsoft Download Center. Make sure to install the (x86) version, not only the (x64) version.

    If this is already installed, try running a repair from Add/Remove Programs against the feature and see if that resolves the issue.

    If none of these steps work, please contact support at support.ivanti.com.

    About Ivanti Antivirus Alerts


    Ivanti Antivirus Alerts

     

    Ivanti Antivirus Alerts must be configured within the Alerting tool in the Endpoint Manager Console.

     

    By default the following alerts are configured:

    * For Antivirus 2017 (Bitdefender engine) the "Antivirus service failed to start" alert is not operational. 

     

    Default Ruleset

     

    The Default ruleset is the Alerting ruleset used by a client unless another ruleset is specifically specified in the Agent Configuration.

     

    The default actions can be modified for the rulesets.

     

    For a complete overview of how to configure Ivanti Alerts, see this article.

     

    Ivanti Antivirus integrates with the Ivanti Alert Handlers.   If one of the alerting events takes place, it is handed off to the Ivanti Alerting handler and the action is logged in the ALERT.LOG located in Program Files\Shared Files on the client computer.   This alert is also logged in the AVService.log file.  Depending on the action defined in the Alert Ruleset, it may then Log an event in the Alert Log on the core, run a program on the Core, run a program on the Client, send an e-mail (through a mail server as configured in the alert), or send an SNMP trap.

     

    If the action is set to "Log handler configuration", this activity can be seen in the "Logs" tool in the EPM console.

     

    For Syslog support select the action "Send to syslog server".   In addition, Splunk is supported.

     

     

    Note: If installing Ivanti Antivirus to a Server, the Default Server Ruleset does not contain Ivanti Antivirus alerts.   These should be added to the Default Server Ruleset if desired.

     

    Core Alert Ruleset

     

    The "Ivanti Antivirus - virus outbreak detected" alert is used in conjunction with the Alert Settings configured in Security and Patch Manager.

     

    To configure this alert:

     

    1. Open the Security and Compliance tool on the core server.
    2. Select the third icon drop-down and then select "Alert Settings"
    3. Select the "Antivirus" tab.


     

    This panel sets the threshold for when a virus outbreak will trigger an alert.  This is calculated from the Antivirus Activity.  With the default settings, if there are 50 Antivirus events within 10 hours, the "Virus Outbreak Alert" is triggered.    The Core Server is the computer that processes this alert action.  The Antivirus activity is sent through a separate mechanism than the Ivanti Alerts.  This is gathered regularly in ActionHistory.XML and sent to the core server every few minutes.   This is also sent every time the Vulnerability Scanner runs.

     

    Antivirus Activity can be viewed within the Security Activity tool.

     


     

     

    Within the Security Activity window, the section "Computers not recently reporting Antivirus Configuration and Status" is populated by data gathered during a Vulnerability scan, but only if the "Antivirus Updates" category is being scanned for.   For more regarding this, see this article.

    How to Uninstall Ivanti Antivirus(Kaspersky)


    Scheduled Removal Task

    This is the best way to remove Antivirus from clients.  In the console go to the Security Activity tab and click the Create a task Icon and click Remove security components.

    Give the task a name if you wish and check Ivanti Antivirus for Kaspersky removal(Ivanti Antivirus 2017 is for Bitdefender).

    Save the task.  Now you can add clients and run the task as you would any other scheduled task.

     

    Manual Removal on the Client

    Logon to the client device and as administrator run the following command:

    "C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe" /removeav /showui

    The /showui is optional and displays a progress window.

     

    Force Removal

    If the above two options fail you will need to force remove Kaspersky.

    1. Download and run the Kaspersky removal tool from here:

         Removal tool for Kaspersky Lab applications (kavremover)

    2. After the removal tool runs and completes, don't reboot yet but open regedit.

    3. navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

         Delete the key named: LDAV.

    4. Reboot the device.

    5. After the reboot, delete the C:\Program Files (x86)\LANDesk\LDClient\antivirus folder and all its contents.
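The manual and forced removal steps above as one added PowerShell script; this is not code from the Ivanti article. It tries the supported path (vulscan /removeav) first and only falls through to the forced clean-up when Kaspersky components are still present and -Force is given. It assumes the default client install path from the article, that kavremover.exe has already been downloaded to the path given in $KavRemover (the article links to the tool but names no location), and that the script is run elevated.

```powershell
# Added example (not from the Ivanti article): remove Ivanti Antivirus
# (Kaspersky engine), escalating from the supported removal to the manual
# clean-up only when needed. Assumptions: default LDClient path; kavremover.exe
# already downloaded to $KavRemover; running as administrator.
param(
    [string] $LdClient   = "${env:ProgramFiles(x86)}\LANDesk\LDClient",
    [string] $KavRemover = "$env:TEMP\kavremover.exe",   # assumed download location
    [switch] $Force
)

$ErrorActionPreference = 'Stop'
$vulscan = Join-Path $LdClient 'vulscan.exe'
$avDir   = Join-Path $LdClient 'antivirus'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAV'

function Test-KasperskyPresent {
    # Either the LDAV service registration or the client antivirus folder
    # means the product is still (partly) installed.
    (Test-Path $svcKey) -or (Test-Path $avDir)
}

# Supported path first: vulscan /removeav (/showui only adds a progress window).
if (Test-Path $vulscan) {
    & $vulscan /removeav /showui
    Write-Host "vulscan /removeav finished with exit code $LASTEXITCODE"
}

if (-not (Test-KasperskyPresent)) {
    Write-Host 'Ivanti Antivirus (Kaspersky) is no longer present; nothing more to do.'
    return
}

if (-not $Force) {
    Write-Warning 'Kaspersky components remain. Re-run with -Force to run kavremover and the manual clean-up.'
    return
}

# Forced path, step 1: kavremover runs interactively; wait for it to finish.
if (-not (Test-Path $KavRemover)) { throw "kavremover not found at $KavRemover" }
Start-Process -FilePath $KavRemover -Wait

# Steps 2-3: before rebooting, delete the orphaned LDAV service key.
if (Test-Path $svcKey) {
    Remove-Item -Path $svcKey -Recurse -Force
    Write-Host 'Deleted HKLM\SYSTEM\CurrentControlSet\Services\LDAV'
}

# Step 5 must wait for the reboot in step 4 because driver and service files
# stay locked until then. Queue the folder removal in RunOnce (it runs at the
# next logon with that user's rights, so an administrator should log on next),
# then restart.
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$cleanup = "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command `"Remove-Item -LiteralPath '$avDir' -Recurse -Force`""
Set-ItemProperty -Path $runOnce -Name 'RemoveLdavFolder' -Value $cleanup
Write-Host "Scheduled removal of $avDir at next logon; rebooting."
Restart-Computer -Force
```

Without -Force the script is safe to run as a check: it attempts the supported removal and reports whether anything Kaspersky-related is left behind, which is the decision point for opening the forced path.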


