As LANDESK Antivirus is based on Kaspersky Endpoint Security 10 with additional features enabling it to be managed by LANDESK Management Suite, the following Kaspersky article is recommended for this subject:
List of applications incompatible with Kaspersky Endpoint Security 10 for Windows
Setting up a preferred server for replicating LANDesk Antivirus pattern file content.
LANDesk Antivirus takes advantage of all of the software distribution technologies built in to LANDesk Management Suite, including Preferred Package Servers.
This article discusses how to configure preferred package servers to host the LANDesk Antivirus pattern file content.
Create Web Share for Preferred Package Server
Note: This must be done on a server running web sharing services (such as IIS)
Create UNC share for LDLOGON directory
Configure the Preferred Server in LANDesk Management Suite
If you want to replicate the antivirus pattern file content from the Core Server to the Preferred Server using LANDesk Content Replication, use the following steps.
Note: LDLOGON/Antivirus8/Win/Bases8 is the only directory that needs replicated. LDLOGON/Antivirus8/Win also contains other folders: backups, dskm, loadbalancing, and temp_bases8. The backups directory is used to backup the bases8 folder. dskm, loadbalancing and temp_bases8 are used to download the files in bases8.
Sometimes malware shows up that does not have a pattern file yet. This is true for all viruses when they are first written. These are called "zero day" viruses. In order for a pattern to be created, the virus must be reported and sent LANDESK.
If there is a file(s) that is identified as suspicious, before submitting the file(s) for analysis make sure that all infected machines are scanning with the latest definition files. Once all machines have been scanned with the latest definition files then follow the steps outlined below to have the infected files analyzed.
Current virus detection and pattern file activity can be viewed here: http://www.kaspersky.com/viruswatchlite
For a virus glossary, virus encyclopedia, and for searchable virus information, please visit http://www.viruslist.com. This site is maintained by Kaspersky Labs, who provides the Scanning Engine within the LANDESK Antivirus product.
Note: If the file you have is something you suspect is a "False Positive", or in other words a file that you believe does not contain malware but is being reported by LANDESK Antivirus as malware, the following instructions for submitting a False Positive to LANDESK Software should be followed:
LANDesk Antivirus false positive virus detection submission process
In addition, as an extra troubleshooting step, you can upload the suspicious file to https://www.virustotal.com. This website will compare the file against ~40+ Antivirus engines. If the majority say it is malware, it is likely malware, if the majority say it is not malware it is either likely not malware, or it is a very new virus variant that is not yet detected by the majority of Antivirus vendors.
Spyware is software or other code that is typically installed as part of another product installation, a visit to an infected web site, or other activities that enables a user to obtain covert information about another's computer activities by transmitting data covertly from the computer that the spyware is installed on.
Submit a request to LANDESK Customer Support to have detection and remediation content added so that the spyware is properly detected and removed.
Process for submitting requests for Spyware content:
In order for LANDESK to add this undetected spyware the following process must be followed:
- If possible, the actual install executable that downloaded and/or installed the spyware.
- The executable that was installed on the computer. You can usually find this by looking in the running processes. Spyware generally takes up an unusual amount of memory or CPU usage.
- Any additional information about the suspected spyware. please include any information that you know.
- A description of how it is installed, a website, email, or as part of a different installation.
- A description of what it does: Does it launch additional sites? Does it download other applications? Etc.
- A description of any malicious behavior, processor utilization, file corruption, etc,
- Any other other observations.
Compress any files that you collected in .ZIP format and password protect it with the password "infected". Upload the files to ftp://ftp.landesk.com/spyware Call LANDESK Support and create a support case. They will need to know the name of the file you uploaded. In addition please provide a detailed description of the issue.
Our team will make a thorough assessment of the submitted information to determine if they should be identified and removed.
How do I limit the end user ability to modify LANDESK Antivirus Settings, shut down the services, etc?
There are various places to limit the user ability to modify LANDESK Antivirus Settings.
There are various locations within the LANDESK Antivirus Settings where User Control can be modified.
To modify the LANDESK Antivirus settings:
1. Open the Security and Patch Manager Tool in the LANDESK Management Suite Console.
2. In the dropdown for the 3rd icon select "LANDESK Antivirus Settings"
3. Select the Antivirus Setting you wish to edit and click "Edit"
Note, the following screens will point out the different areas that can affect user feedback and/or interaction. For a full explanation of these settings, see the LANDESK Advanced Training article.
(This option should only be enabled for IT personnel or similar responsible users that routinely work with files that could be considered a security risk)
Note: For further information about scheduling regular Scans and Pattern file updates, see this article.
Typically these options should only be enabled on IT personnel computers or users with similar needs. If you want the ability for an Administrator to restore objects while at a users desk, enable all of the options, and include a password for restoring objects.
Agent Watcher is a configurable component within the Agent Configuration that enables monitoring, enforcement and reporting on critical LANDESK files and services. For further general information about Agent Watcher, please refer to the LANDESK Help File under the heading "LANDESK Agent Watcher" or within the User's Guide (Available as a download from this LANDESK Product Documentation page) in the "LANDESK Agent Watcher" chapter.
The following slide, taken from the LANDESK Advanced Antivirus training shows the different Security and Patch definitions that can be used to ensure that LANDESK Antivirus is running properly in your environment:
Windows User rights and Group Policy settings can be used to limit the user ability to stop services, etc.
Install LANDESK Application Control as part of LANDESK Endpoint Security to protect critical LANDESK Files
LANDESK® Host Intrusion Prevention System (HIPS) layers added security to thwart malicious attacks and rootkits using application control that prevents applications from executing in malicious ways right on your individual host systems. Use it to extend the power of LANDESK® Security Suite or LANDESK® Patch Manager and LANDESK® Antivirus. Even in it's most basic configuration, LANDESK HIPS provides protection for various critical system files, and also the LANDESK Client files.
For further information regarding LANDESK HIPS:
http://www.LANDESK.com/SolutionServices/product.aspx?id=788
http://community.LANDESK.com/support/community/security/hips
This article contains explanations on how to import settings of the Kaspersky Agent (on the client) to the LDMS agent settings on the Core Server.
Environment
LDMS 9.5 with LANDesk Antivirus 9.5 client (Based on Kaspersky Endpoint Security 8)
LANDesk Antivirus 9.5 Agent (Based on Kaspersky Endpoint Security 8)
Sometimes you might want to personalize the settings of your Antivirus agent, in the tab Settings for example, especially when you are not able to change it from the Core.
One setting that you will possibly want to change is the Exception List inside the Network Attack Blocker.
The IP adresses range you will want to exclude will be add locally to your agent, but if you want the same IP adresses exclusion list in your other LANDesk Antivirus 9.5 clients that you managed, you will need to export your Antivirus client settings and import them to your Core. Then, you will be able to deploy those settings to a group of machines.
Export your client's settings
Once you have configured the Antivirus client as needed, you will want to export the settings.
1- Configure the Network Attack Blocker (for example) :
2- Export the settings of the Agent (Advanced Settings > Save )
Import your client's settings to the core
3- Import the settings on the Core Server (Agent Settings > LANDesk Antivrus settings > Advanced Settings > Import )
Then you are ready to use those settings for your agents, in this example, your LANDesk Antivirus 9.5 agent will now have the Network Attack Blocker configured.
Import your client's settings to other clients directly
Occasionally, you might want to import these settings directly to other clients. To do so, open LANDesk Antivirus on the client:
This article discusses Antivirus exclusions (also known as exceptions) that are recommended for the LANDesk Core Server.
When installing Antivirus on the LANDesk Core server, it is recommended to set the Real-time Portection File Types to Scan option to "Scan infectable files only". This is set within the LANDesk Antivirus settings on the "Real-time Protection" tab.
For a list of what LANDesk Antivirus considers "Infectable files" see this article.
For the full scheduled virus scans, it is recommended to set the scan to "Scan all file types". This is set in the LANDesk Antivirus Settings in the "Virus scan" tab.
For general information about Antivirus Exclusions, see this article.
For specific information on configuring Antivirus Exclusions for specific server types (IIS, SQL, Exchange, Etc) see this article.
Some Antivirus products (LANDesk Antivirus included) have separate exclusions lists for real-time scanning and on-demand scanning. Most exclusions will apply only to Real-time Scanning, as scanning some directories during computer operation can severely impact performance.
Antivirus exclusions need to be set both in the "Real-time protection" tab and the "Virus Scan" tab within the LANDesk Antivirus settings.
Configuring Antivirus exclusions for a LANDesk Core Server
As most LANDesk Core servers house IIS for the web console, general Antivirus exclusion instructions should be followed that pertain to IIS:
Create the following exclusions:
If the SQL Database resides on the core server, the following instructions should be followed:
http://support.microsoft.com/kb/309422
LANDesk specific directories:
\Program Files\LANDesk\Managementsuite\brokerreq
\Program Files\LANDesk\Managementsuite\IncomingData
\Program Files\LANDesk\Managementsuite\ldscan
\Program Files\LANDesk\Managementsuite\log
\Program Files\LANDesk\Managementsuite\sdstatus
\Program Files\LANDesk\Managementsuite\xddfiles
\Program Files\LANDesk\Managementsuite\vulscanresults
\Program Files\LANDesk\Managementsuite\ldlogon\agentbehaviors
\Program Files\LANDesk\Managementsuite\ldlogon\vulnerabilitydata
LANDesk specific files:
\Program Files\LANDesk\ManagementSuite\LANDesk.ManagementSuite.Licensing.ActivateCore.exe
\Program Files\LANDesk\Managementsuite\ldlogon\ldiscn32.exe
General Exclusion information for Microsoft Operating Systems
Sometimes new Virus Definitions will detect legitimate files as a virus. These are called "False Positives".
For further information on how to recover if this false positive is causing issues in your environment, see this article.
In order for the definition to be adjusted, the "False Positive" must be reported and sent to us immediately.
If there is a file(s) that are being identified as a False Positive, before submitting the file(s) for analysis make sure that all affected comptuers are scanning with the latest definition files. Once all machines have been scanned with the latest definition files then follow the steps outlined below to have the infected files analyzed.
For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.
Open a Management Suite console
Go to Tools | Security | Security and Patch Manager
Expand Settings
Click on LANDESK Antivirus
Double click on the Antivirus settings the client is using.
Click on Real-Time Protection
Check the Allow user to disable Realtime scanning for up to ___ minutes option
Click on Quarantine/Backup
Check "Allow user to restore suspicious objects" and "Allow user to restore infected objects and risky software"
Click Ok
On the client Click Start | Run
Type Vulscan /changesettings /showui, this will download the setting changes you made.
Click Start | Run | LANDESK Management | LANDESK Antivirus
Click Disable next to Real-Time Protection
Click View details next to Quarantine or Backup depending on where the file is located.
Take note of the original location.
Highlight the file.
Click Restore.
Click Restore File.
Collect the file(s) from the Original Location and compile them into a password protected .ZIP file.
| IMPORTANT! |
|---|
The file must be password protected with a password of "infected". The compression type must be a .ZIP. Other compression types will not be accepted.The file should not be a self-extracting zip file. |
Place the file on LANDESK's site: http://avdrop.landesk.com/
Contact LANDESK Support and open a Support Incident and provide the name of the sample file uploaded to the ftp site. (Case sensitive)
Revert the changes made in steps 1-10.
Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.
Information will be published shortly about future compatibility of LANDESK Antivirus and Windows 10.
Question:
Is it possible to install a standalone Antivirus agent?
Answer:
The closest thing to a standalone LANDesk Antivirus agent is configuring a LANDesk Agent Configuration to install only LANDesk Antivirus.
The following steps describe the best known method for installing a "standalone" LANDesk Antivirus agent. It assumes that you want to install the LANDesk Antivirus agent on a client computer that does not have access to the core server, and will access the Internet rather than the Core Server for antivirus pattern file updates.
Part One - Preparation
1. Ensure that you have the latest Antivirus Engine and Latest Antivirus Patches. Make sure to read this article as well.
2. Download the latest Antivirus Pattern Files
a. Open the Security and Patch Manager Tool in the LANDesk Management Suite console.
b. Click the "Download Updates" icon. (The first icon in the list)
c. Go to the "LANDesk Antivirus" tab and click "Get latest definitions
Part Two - LANDesk Antivirus Settings
1. In the Management Suite Console go to Tools - Configuation - Agent Settings.
2. Expand My Agent Settings, select LANDesk Antivirus.
3. Select the Antivirus Setting you wish to modify and select [Edit].
4. Review all settings on all tabs and make sure they are set as desired.
5. On the "Update" tab, set "Download Virus Definition Update from" to either "Internet only" or "Internet First. Fallback to core if internet is not available".
Note: These option will determine where the client will attempt to get it's Antivirus Pattern File updates from. If the client will have no access to the Core Server, select "Internet only". If the client will have occasional access to the Core, select "Internet First. Fallback to core if internet is not available.
6. Once all changes have been made to the LANDesk Antivirus settings, save the settings.
Part Three - Agent Configuration
Configurationname.exe (This is a silent installation executable)
Configurationname_with_status.exe (This will install the agent with a GUI showing the status during installation)
At this point you can run the Agent Configuration executable file you created on your Client computer.
Note: During the Antivirus installation process, the client attempts to contact the core server. If the core server is not available, the client will stop attempting to contact the core server and the installation will continue. The timeout when attempting to contact the server can add up to a 10 minute delay to the Antivirus installation process.
This article covers how to allow managing the Kaspersky Endpoint Security service.
The Kaspersky Endpoint Security service is self protecting by default. Leaving the service disabled is not advised.
In the event stopping the service is necessary:
Note: The outlined methods will allow for 'external management of the systems service'. This means it will allow users to manually stop the service. The following actions do not stop the service by itself.
With the Disable external management of the system service unchecked, the Service can be stopped as needed.
A recent 'remote zero day vulnerability' was discovered which impacts some Kaspersky products, including Kaspersky Endpoint Security (KES) 10.
KES 10 is included in LDMS versions 9.6 (all) and 9.5 SP1-CP_BASE-2013-1017
This vulnerability is addressed by applying the latest Antivirus Definitions as of 09/08/2015.
Download new AV Content, and push definitions to clients.
New AV Content will address the issue, and no further action is necessary.
http://www.ibtimes.com/kaspersky-fireeye-security-products-cracked-researchers-2085291
At times it is advantageous to see in one place on the core server the details of each computer's LANDESK Antivirus activity (Ex; Threats which have been detected on the Web, Disinfection impossible for some files etc...) which allows you to remotely monitor the events without being connected to each machine.
There are 2 methods;
This is a partial answer because it won't give you all the activity details possible in the LANDESK Antivirus tool. Click here to learn how to configure Alerts on an LDMS 9.6 Console.
This is the most complete way to gather onto one server or one workstation all the LANDESK Antivirus logs regarding all the Antivirus events occurring on all computers managed.
To do this, it needs to be done in 3 phases;
Now you are at the step where the LANDESK Antivirus activity are logged on the local Event Viewer logs of each computer under "Applications and Services Logs" - "Kasperky Event Log" (see printscreen below)
You need now to collect the "Kasperky Event Log" logs from each computer onto a "Central" server. This is called the Event Subscriptions method (see Event Subscriptions). To do that, here is a method to do that;
IMPORTANT NOTE: To ease up this process, the COLLECTOR machine should have the LANDESK Antivirus installed on it in order to filter only the "Kasperky Event Log" events coming from the SOURCE machines (See printscreen below).
The COLLECTOR machine could be the Core Server (see article How to install the LANDESK AntiVirus on core server ?)
This article will describe the technical process that the administrator and LANDESK Antivirus must take in order to successfully install and activate a LANDESK Antivirus key on a client.
Either log a case via support.landesk.com over the internet or by
The first step that needs to occur is to import a LANDESK Antivirus license into the core server. You should have received a .ZIP file containing your .KEY file and a .PDF file that details the license information.
The following should be done from a LANDESK Management Suite Console:
HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License
Thu, 17 Sep 2015 10:52:00 --- Antivirus table data --------------------------------------- Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus Thu, 17 Sep 2015 10:52:00 AutoProtect: On Thu, 17 Sep 2015 10:52:00 ProductVersion: 10.2.1.23 Thu, 17 Sep 2015 10:52:00 EngineVersion: 6.8.0.27 Thu, 17 Sep 2015 10:52:00 DefVersion: Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660) Thu, 17 Sep 2015 10:52:00 DefInstDate: 2015-09-17 09:28:50 (1442503730) Thu, 17 Sep 2015 10:52:00 Empty CTime: 1969-12-31 17:00:00 (0) Thu, 17 Sep 2015 10:52:00 LastVirusScan: 2015-09-17 09:29:15 (1442503755) Thu, 17 Sep 2015 10:52:00 LastFullVirusScan: 2015-09-15 12:50:21 (1442343021) Thu, 17 Sep 2015 10:52:00 LastQuickVirusScan: 2015-09-17 09:29:15 (1442503755) Thu, 17 Sep 2015 10:52:00 StartFullVirusScan: 2015-09-15 12:47:44 (1442342864) Thu, 17 Sep 2015 10:52:00 StartQuickVirusScan: 2015-09-17 09:28:59 (1442503739) Thu, 17 Sep 2015 10:52:00 FullVirusScanCancelled: 0 Thu, 17 Sep 2015 10:52:00 QuickVirusScanCancelled: 0 Thu, 17 Sep 2015 10:52:00 AgentRunning: True Thu, 17 Sep 2015 10:52:00 PatternServer: YourCoreServerName Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799) Thu, 17 Sep 2015 10:52:00 LicensePeriod: 362 Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX Thu, 17 Sep 2015 10:52:00 LicenseProductName: Thu, 17 Sep 2015 10:52:00 LicenseMaxCount: 2000 Thu, 17 Sep 2015 10:52:00 -------------------------------------------------------------------------- Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData" Thu, 17 Sep 2015 10:52:00 SendRequest: SOAPAction: "http://tempuri.org/PutLdavTableData"
09/17/2015 09:52:00 INFO 13484:3 RollingLog : LdavTableData.Update: Updated a record for Antivirus_Idn = 1
At times an issue with LANDESK Antivirus may require more in-depth analysis and troubleshooting. LANDESK engineers may request an application runtime trace files for troubleshooting such cases.
These log files contain verbose information that can assist in finding the root cause of an issue.
Note. Make sure your user account has administrator permissions.
Note. Trace files are created in encrypted form with the .ENC1 extension and unique names: [Application-version]_[Creation_date]_[Creation_time_GMT]_[PID]
This encryption ensures that the log files can only be viewed by an authorized support or development engineer.
If there is an update task running (downloading pattern files), another log file gets generated in *.HST format.
Important: The created trace files are encrypted and can only be viewed by an authorized support or development engineer.
By default, the folders containing trace files are hidden. Make sure you have the "show hidden files" setting enabled in Windows or type the path into the File Explorer address bar to be able to access the trace files.
Unless requested otherwise, the following steps should be taken to send the trace files to LANDESK Technical Support:
Typically the default trace level should be used. Exceptions will be specified by the support technician:
The following trace levels are available (from minimum to maximum details):
In order to delete the trace files, you should exit LANDESK Antivirus, delete the trace file from the %ProgramData% folder and start the application again.
This article details the troubleshooting steps for LANDESK Antivirus. For high level training it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management
Three different methods can be used to install LANDESK Antivirus on a client.
Installed as part of the Agent installation
Installed through an Install/Update Security Components task Open the Agent Settings tool within the LDMS console.
Run "vulscan /installav" from the command line of a client computer
If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui")
| Log Filename | Purpose | Location |
|---|---|---|
| ldav_install.log | Logs installation activity controlled by LDAV.EXE | %appdata%\LANDESKAV |
| msi_install.log | Logs installation of Kaspersky Endpoint Security .MSI | %appdata%\LANDESKAV |
| installav.log (or installav#.log) | Logs installation activity controlled by Vulscan.exe | %appdata%\vulscan |
| KESPatchMSI.log, KESPatch.log | Logs installation of all Kaspersky patches applied | %appdata%\Kaspersky Lab |
| KL*.log, Ucaevents.log | Logs installation of Kaspersky | C:\Windows\Temp or %Temp% |
Installation troubleshooting tips: To easily open the log file directories at the client "Run" line type "vulscan e" to open the %appdata%\vulscan directory or "vulscan av" to open the %appdata%\LANDESKAV folder
Most installation failures will be logged within the MSI_INSTALL.LOG or in the KL*.log. Installation activity is also recorded to the Security Activity tool within the LDMS console.
Installation requires a reboot if installing over an older version of LANDESK Antivirus or removing another 3rd party Antivirus.
In addition it will require another reboot after the latest critical updates have been applied as part of updating the pattern files.
The following methods can be used to uninstall LANDESK Antivirus:
How to troubleshoot LANDESK Antivirus license issues
| Filename | Purpose | Location |
|---|---|---|
| LDAV.exe | LANDESK Antivirus Service | LDClient\Antivirus |
| LDAV.key | License file for LANDESK Antivirus | LDClient\Antivirus |
| Key Name | Purpose |
|---|---|
| HKLM\Software\KasperskyLab | Kaspersky Antivirus Settings |
| HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus | Configuration Information, Last Scan Dates, Status Information |
| HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\License | License details |
| HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan\klbehavior | Current assigned LANDESK Antivirus settings |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches | Currently installed patches |
The LANDESK Antivirus scanner, as with the LANDESK Security vulnerability scanner, uses an XML file to configure its behavior.
Antivirus Settings files are stored in C:\ProgramData\Vulscan\KLBehavior_<id>.xml
The following registry key value indicates the ID of the AV behavior being used:
Antivirus Settings XML files can be updated using a Scheduled Task on the core; or they can be updated automatically according to the same schedule that vulscan uses to update its own Agent Behaviors. In order to refresh settings, a Change Settings Task can be created on the Core Server. In order to simply refresh settings, select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule. Alternatively "vulscan /changesettings" can be run from the client command line. (Add /showui to the command to view the UI while it is running)
Currently all settings available within the client side LANDESK Antivirus GUI (Kaspersky Endpoint Security 10) cannot be configured using LANDESK Management Suite. In order to utilize settings not available within the LANDESK Antivirus Settings within the LANDESK Management Suite Console, the following document outlines steps can be performed:
How to import Kaspersky Agent settings to the LDMS Agent settings on the Core
Scheduled tasks for Update, Full Scan, and Critical Areas scan are created via LANDESK Local Scheduled Tasks. It will not create a task within LANDESK Antivirus. As a result, the tasks within the Client UI will show "Manually".
To view the LANDESK Local Scheduled tasks from the LDCLIENT directory run LocalSch.exe /tasks | more 
Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (Recommended update frequency is daily, before the daily scan)
Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (Recommended scan frequency is daily, after pattern files have been updated)
Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (Recommended scan frequency is weekly)
Windows XP/2003
Windows 7 and later
The following article contains detailed information for gathering trace log files: How to gather trace log files for LANDESK Antivirus
The GetSystemInfo gathers details information about a computer, including hardware information, operating systems, drivers, installed, software, etc. This utility can be very useful for determining the cause of certain issues.
GetSystemInfo Utility Download
A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip. Attach this report to your created case, or e-mail it to your LANDESK Support technician
The GetSystemInfo report can then be reviewed and further analyzed by doing the following
In case of a blue screen, a memory dump will need to be gathered.
Right-click "My computer" and choose "Properties"
Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
Under the "System failure" section under "Write debugging information" click the drop-down and select "Complete memory dump"
Make note of the path that the MEMORY.DMP file will be saved to.
Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.
A complete memory dump must be supplied, a mini dump does not supply sufficient information.
See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.
When installing any security software it is important to ensure compatibility between other security products that may be installed on the system. This document provides details on how to determine if there are known compatibility issues before deploying LANDESK Antivirus.
To see a list of products that are incompatible with the version of your core server you can review the incompatible.txt file found in the %LDMS_HOME%\ldlogon\avclient\install\setup.
LANDESK Antivirus is based on Kaspersky Endpoint Security 10.
A full list of incompatible products is available here:List of applications incompatible with Kaspersky Endpoint Security 10 for Windows
If the install of LANDESK Antivirus finds incompatible software, it will be logged in the kl-setup-{date}.log file from the %temp% directory.
3768:0e9c 09:20:18.772 *** DetectFilter: found alien softaware Symantec LiveUpdate ***
3768:0e9c 09:20:18.808 *** Cleaner: EnumCompetitorSoftware type 1. Following software should be removed before installation might be continued 'Symantec LiveUpdate'. Error code: 1. ***
When performing an install of LDAV, a preliminary check of incompatible software/products will occur as outlined above. If possible, these products will uninstalled. In some circumstances, the application may not be able to be removed by the LDAV installation. If this occurs, the 3rd party software will need to be removed by other means. Below is a list of products that the LDAV install will attempt to remove:
At this time LANDESK Antivirus is not supported on Windows 10, howeverLANDESK will provide Windows 10 antivirus support in the future.
Due to LANDESK Antivirus using the Kaspersky Endpoint Security product engine, a supported antivirus product is pending an upcoming release from Kaspersky.
Kaspersky has released a beta version of code and our developers are actively working to integrate it into our LANDESK Antivirus product.
A release at that time will be offered for the next major version of LANDESK Management Suite and for prior LDMS versions that are still supported.
A precise release date is not yet available, however the LANDESK Community will be updated with details as further testing and development continues.
After installing LANDESK Antivirus the client UI shows "Protection partially enabled" (components running: 3 out of 6" and under Tasks it shows "Vulnerability Scan" as disabled.
LANDESK Antivirus is based on Kaspersky Endpoint Security. The license provided as part of LANDESK Antivirus does not install all components normally found in Kaspersky Endpoint Security.
The following Kaspersky protection components are not part of the LANDESK Antivirus license and are therefore not installed.
These are not a part of the LANDESK license because other LANDESK Management Suite components already offer these features.
Vulnerability Scan is a part of the "Vulnerability Monitor" sub-component of the "Application Control" component. During installation a registry is set to hide the Vulnerability scan task from the UI, however this setting will not take affect until after the client is rebooted.
Reboot the client system. If this still does not resolve the issue, run LDAV /REBRAND from the Program Files (x86)\LDCLIENT\Antivirus folder on the client system and then reboot.
Note: A similar issue is "KSN Reputation" service showing at the top of the LANDESK Antivirus client window. In this case, selecting the LANDESK Antivirus window and pressing Shift-F5 will refresh the window and remove this. If this still does not work, run the LDAV /REBRAND command.
This document lists the tables in the LANDESK Database that are related to the LANDESK Antivirus product:
Within this document you can click the images for a full-size version.
The following are the tables used for LANDESK Antivirus:
The information from this table shows up in the Antivirus Licensing information in the LANDESK Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool. This table records the inventory information for not only the LANDESK Antivirus product, but also for other 3rd party Antivirus products. This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the LANDESK Antivirus Service. This information is sent under the following conditions:
In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.
When this information is sent to the core it will log into the LDAV.LOG as "("Submitting all Antivirus table information...")
For an Invenotry Scan this information is gathered through LDAVHLPR.DLL. Periodic updates of this .DLL are provided within LANDESK Patch Content to support gathering information on newer versions of Antivirus Software. The information gathered can from each 3rd party vendor can vary. Some information may not be applicable or available to gather through the LANDESK Inventory or Security and Compliance scan processes.
This information shows up in the Inventory of a client in this manner:
This table consists of the following columns:
| ColumnName | Description |
|---|---|
| Computer_IDN | Unique database identifier for the computer associated to the Antivirus information in the next columns |
| Antivirus_IDN | Unique database identifier for the Antivirus entry |
| ProductName | Name of the Antivirus product |
| AutoProtect | Whether the realtime scanner (AutoProtect) is enabled or not |
| ProductVersion | Version of the Antivirus product |
| EngineVersion | Version of the Antivirus engine |
| DefVersion | Version of the currently active definitions at the time of the last Inventory Scan or Security and Compliance Scan |
| PubDate | Publication date of the antivirus definitions (pattern files) on the client |
| DefInstallDate | Time and date that the current definition files (pattern files) were updated on the client |
| LastVirusScan | Last time and date a regular virus scan was executed on the client |
| LastFullVirusScan | Last time and date a full virus scan was executed on the client |
| LastQuickVirusScan | Last time and date a quick virus scan was executed on the client. |
| AgentRunning | Source of the server for the Pattern Files. Typically this will only apply to LANDESK Antivirus |
| PatternServer | Source of the server for the Pattern Files. Typically this will only apply to LANDESK Antivirus |
| LicenseExpirationDate | Date and time that the current antivirus product license expires |
| LicensePeriod | Length of time in days remaining |
| License Number | Product license number that the client is currently using |
| LicenseProductName | Name of the licensed product |
| LicenseMaxCount | Total number of nodes that the license reported by the client is good for |
| StartFullVirusScan | Time and date that the last full virus scan was started |
| StartQuickVirusScan | Time and date that the last quick virus scan was started |
| FullVirusScanCancelled | Time and date the last full virus scan was cancelled |
| QuickVirusScanCancelled | Time and date the last quick virus scan was cancelled |
This table lists the patches to the Antivirus product that are installed on the client.
This information is sent to the Core when an Inventory Scan runs.
| Column Name | Description |
|---|---|
| Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
| AntivirusPatches_Idn | Unique database identifier for the AntivirusPatches entry |
| DisplayName | How the patch appears in the client interface (under the support link at the bottom of the LDAV UI) |
| InstalledDate | Date and time that the patch was installed |
| MoreInfoURL | If applicable, the link to go to for more information about the patch |
| PatchName | Name of the patch |
This shows up in the Client Inventory in this location:
The LANDESK Antivirus service logs patch information every time it starts during the initialize period to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches and it then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches
This information shows up in the Security Activity tool under LANDESK Antivirus - Infections by Computer, and LANDESK Antivirus - Infections by Virus
This table consists of the following columns:
| Column Name | Description |
|---|---|
| Computer_Idn | Unique database identifier for the computer that was infected |
| InfectedFiles_Idn | Unique database identifier for the file that was found that contained a virus |
| Path | Path on the client computer where the infected file was found |
| Virus | Particular virus found within the infected file |
| Failure | Description of the failure |
This information shows up in the Security Activity tool under LANDESK Antivirus - Quarantined Infections by computer and LANDESK Antivirus - Infections by virus
This table stores both information about files that have been Quarantined or files that have been moved into the Backup folder.
This table consists of the following columns:
| Column Name | Description |
|---|---|
| Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
| QuarantinedFiles_Idn | Unique database identifier for the files that was quarantined |
| Filename | Name of the quarantined file |
| Status | 0 = Riskware, 1= Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured |
| Virus | Virus that was found in the quarantined file |
| OriginalLocation | Path where the file was found on the client computer |
| GUIDFilename | GUID assigned to the filename |
| QuarantineDate | Date and time that the file was quarantined |
This information shows up in the Inventory of the client under Security - Quarantined Files. Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus
This information shows up in the Security Activity Tool under LANDESK Antivirus - Activity, Activity by computer, and activity by virus. In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.
| Column Name | Description |
|---|---|
| SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action |
| Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to |
| ActionTaken | Action that was taken |
| ActionCode | Code type of the action that was taken |
| ActionDate | Date and time that the action occurred |
| Application | Application Name |
| MD5Hash | MD5 Hash of the file if a file was involved |
| SHA1Hash | SHA1 Hash of the file if a file was involved |
| SHA256Hash | SHA256 Hash of the file if a file was involved |
| Type | Type code for the action that occurred |
| Filesize | Size in kilobytes of the file if a file was involved |
| FileDate | File Creation Date of the file if a file was involved |
| FileVersion | File Version of the file from within the file properties of a file if a file was involved |
| CompanyName | Company Name from within the file properties of the file if a file was involved |
| ProductName | Product Name from within the file properties of the file if a file was involved |
| ProductVersion | Product Version from within the file properties of the file if a file was involved |
| UserName | User Logged in when the action occurred |
| ConfigGUID | Unique GUID of the Setting that was in use when the action occurred |
| LocationID | Information being gathered on values |
The information in this table makes up most of the LANDESK Antivirus information shown in the Security Activity tool. This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.
The exception would be the licensing information which is stored in the Antivirus table and is sent by the LANDESK Antivirus Service on the client WSVulnerability web service on the core server.
Trusted items are a list of objects that LANDESK Antivirus does not monitor or control. This list is populated with a list of LANDESK client files at the time of LANDESK Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.
You can add a trusted item and it will block LANDESK Antivirus access to that item, however you must be very sure that it does not represent any threat.
| Column Name | Description |
|---|---|
| Computer_Idn | Unique database identifier of the computer that has this object in it's trusted applications list |
| TrustedItem_Idn | Unique database identifier of the trusted object |
| Item | Item full path and name |
| Status | User Added = 4, Admin Added = 6 (Admin added is either as part of installation or a settings update). |
| ObjectType | File = 0, Folder = 1, Extension = 2 |
| AddedDate | Date that the object was added |
| Folder | Folder where the trusted item is |
On the client side these are the entries from the Exclusion Rules or Trusted Applications
This information shows up in the Inventory of the client under Security - Trusted Items. Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status
