Channel: Ivanti User Community : Document List - Antivirus and Antispyware

How To: Defer AV Scanning When Device is In Use


Purpose


The purpose of this document is to outline how to control when Ivanti Antivirus performs a full virus scan in your environment. The process that performs an antivirus scan is AVP.exe. When performing a full scan, this process consumes a significant amount of resources (CPU and memory), causing undesirable slowness on the system. Throttling its resource consumption isn't possible, but restrictions can be placed on when AVP.exe initiates a full scan. Enabling this feature must be done client side, and the required permission is not enabled by default. This document outlines the core side configuration as well as what needs to be configured on one of your endpoints before this functionality can be disseminated throughout your environment.

 

Step 1: Allow Permissions (Ivanti AV Agent Settings Core Configuration)


The initial configuration happens on the core within the Antivirus Agent Settings. To access this setting navigate to the following location and double click on the desired Antivirus setting to view the properties:

 

Tools | Configuration | Agent Settings

 

The default setting resides under Public agent settings | Security | LANDESK Antivirus. You can enable the permissions on any Antivirus setting you elect. It is recommended that the Ivanti administrator grant these permissions only to the individuals who need them (least privilege).

CoreAVMain.jpg

From within the properties of the LANDESK Antivirus settings select Permissions and ensure the following options are checked:

CoreAVPermissions.jpg

 

  • Allow user to update definitions
  • Allow user to change settings
  • Allow user to schedule scans

Once selected, save the settings and create a Change Settings task to make your modifications available to the desired endpoint.

 

Step 2: Change Settings Task

 

If you modify a setting that is already assigned to an endpoint, the Ivanti client side local scheduler will automatically retrieve the updated settings the next time the vulnerability scanner (vulscan.exe) runs. A Change Settings task makes the change more immediate. You can also manually run "vulscan /changesettings /showui" on the desired client.

 

To create a Change Settings task, open the Ivanti Management Suite console. Select Tools | Security and Compliance | Agent Settings. Select the Create a Task option and choose Change Settings.

 

changesettings.jpg

 

This will display the Patch and Compliance - change settings task interface. Give the task a name and, under Type | LANDESK Antivirus, click on "Keep agent's current settings" to display a drop-down menu of available settings. Select the setting you modified.

 

AVChangesettings.jpg

 

Under Task Settings select whether you want it to be a Policy-supported push, policy or push task. The default and recommended option is Policy-supported push.

 

TaskSettings.jpg

 

Select Targets and under Targeted items choose your desired option, select Add and choose your target. In this document, Targeted devices will be used.

 

targeteddevices.jpg

Save and start your task.

 

Step 3: Suspend Full Scan While Device is in Use (Client Side Configuration)

 

To access the Ivanti AV Client configuration, log into the endpoint you allowed the permissions on and open the Ivanti Antivirus application.

 

AV_ClientSideMain.png

 

Select the Settings tab | Full Scan and choose Run Mode

 

AVSettings.png

 

This will open the Full Scan interface. Select the Run Mode tab and under Run Mode choose "By Schedule". Ensure "Suspend scheduled scanning when the screensaver is off and the computer is unlocked" is selected. This option prevents the AVP process from running a scheduled scan while your device meets these criteria. You can further adjust the scheduling options to meet your needs; when done, choose "OK".

 

suspend.jpg

Step 4: Export Client Settings

 

Once you have your settings configured on the client, you must export the configuration (.cfg) file and import it to the core server. To do this, proceed as follows:

 

From within the Settings tab choose Advanced Settings and under Managed Settings select Save. Give the .cfg file a unique name and save it on a share accessible by the core server.

 

Export.jpg

 

Step 5: Import Client Settings to Core

 

Importing client Antivirus configurations into the Ivanti Management console will provide the ability to push customized *.cfg files to other clients.

 

Open Agent Settings | LANDESK Antivirus | Advanced Settings | Import Kaspersky settings. Ensure the following options are selected:

  • Import settings file from a Kaspersky antivirus client
  • Use imported scan settings (Full Scan, Critical Area Scan, Custom Scan)

 

Under "Current configuration imported from" browse to the .cfg file you saved.

 

ImportedSettings.jpg

 

Save your setting and create a new change settings task, targeting your desired endpoints.


Issue: FTP blocked by LANDESK Antivirus


Description

 

This document applies to issues where FTP no longer functions after installing LANDESK Antivirus.

 

Cause

 

LANDESK Antivirus monitors port 21, in turn causing it to block active FTP.

 

Resolution

 

There are two options to resolve this issue. The first is to modify your FTP setup to use passive mode.

If modifying the FTP setup isn't possible, one setting on LANDESK AV needs to be changed.

To do this, open Agent Settings -> LANDESK Antivirus.

Then open the Protection section and click on settings under Monitored Ports.

2014-11-20 13_01_31-LDMS 9.6 JHCore96 - VMware Workstation.png

 

Then locate the entry for FTP 21 and delete it.

2014-11-20 13_07_52-LDMS 9.6 JHCore96 - VMware Workstation.png

 

Finally schedule a settings update to the client and test.

What does a "//JIM" on the end of a Virus Detection mean in Security Activity?


In Security Activity, some items may have a "//JIM" suffix appended to the path and file name, as shown in the photo.

 

This is normal for some detected items with our antivirus product. The "//JIM" text means that the malicious object inside the file was detected by the script emulator.

You would remediate the file as you would any other type of detection.

Devices in "Computers not Recently Reporting Antivirus Configuration and Status"


Overview

When gathering reports in Security Activity you may run across the field "Computers Not Recently Reporting Antivirus Configuration and Status" populated with an alarming number of clients. This field refers to the date the client last scanned against the Antivirus definitions located in Patch and Compliance. This is not to be confused with the Antivirus pattern files, which contain the detection logic for detecting and removing viruses.

 

Cause

This information is generated when clients are not scanning AV definitions that are located in Patch and Compliance under the Antivirus type. An example of this would be the definition AV-100. This issue can occur even when those definitions are not present on the core.

 

Resolution

Running a scan for AV definitions on the clients will remove them from that list. This can be accomplished in one of two ways.

 

Method 1: Change your Distribution and Patch settings to scan for Antivirus Updates

 

1. Locate the Patch and Distribution setting the clients are using located in your agent settings.

2. In the setting, on the left side look for and select "Scan options."

3. With the "Type" radio button selected, locate and select the check box labeled "Antivirus updates."

4. Save your settings.

 

The next time a client that uses those settings runs a Vulscan, it will pull the updated setting down and apply it. Once a Vulscan with those settings has run on the client(s), they should disappear from the list in Security Activity.

If a Distribution and Patch setting is set to scan for a group, a new setting will need to be created and run periodically to keep the clients from showing up in Security Activity again.

Method 2: Run a local Vulscan with the "/scan=8" switch

1. On the local box, do a start menu search for "run".

2. Type in the following command: "Vulscan /scan=8"

You can add /showui to the command so it displays a UI showing its progress.

How to gather Trace Log Files for LANDESK Antivirus



At times an issue with LANDESK Antivirus may require more in-depth analysis and troubleshooting. LANDESK engineers may request application runtime trace files for troubleshooting such cases.

These log files contain verbose information that can assist in finding the root cause of an issue.

 

How to generate an application trace file

 

Via Command Line

"avp.com traces on" enables tracing; "avp.com traces off" disables it.

Note. Make sure your user account has administrator permissions.

 

OR

 

  1. Click Support in the bottom left corner of the main application window.
    AVSupportLink.jpg
  2. The Support window will open; click System tracing. This will open the Information for Technical Support window.
    SystemTracingLink.jpg
  3. Click Enable to start generating the trace files.
    EnabledTraces.jpg
  4. Stop LANDESK Antivirus by right-clicking the tray icon and selecting Exit, then restart AV by selecting LANDESK Antivirus from the LANDESK program group.
     If the Exit option does not exist, follow these sub-steps:
       4a. In order to restart LANDESK Antivirus, the following permissions must be set in the LANDESK Antivirus settings in the console and applied to the client:
    AVPermissions.jpg
       4b. To refresh the settings on the client, select the "Create a Task" (calendar icon) drop-down in the Agent Settings tool, select "Change Settings" and then create a schedule. Alternatively, "vulscan /changesettings" can be run from the client command line (add /showui to the command to view the interface while it is running).
  5. Go through the steps that reproduce the issue observed.
  6. Click Disable to stop generating the trace file.

Note. Trace files are created in encrypted form with the .ENC1 extension and unique names: [Application-version]_[Creation_date]_[Creation_time_GMT]_[PID]. This encryption ensures that the log files can only be viewed by an authorized support or development engineer.

 

Where to find the generated trace files

 

  • C:\ProgramData\Kaspersky Lab\

traces.png

 

If there is an update task running (downloading pattern files), another log file gets generated in *.ENC format.

Important: The created trace files are encrypted and can only be viewed by an authorized support or development engineer.

 

By default, the folders containing trace files are hidden. Make sure you have the "show hidden files" setting enabled in Windows or type the path into the File Explorer address bar to be able to access the trace files.

 

Sending trace files to LANDESK Technical Support

 

Unless requested otherwise, the following steps should be taken to send the trace files to LANDESK Technical Support:

  1. Compress the trace files into a .ZIP format with the filename LANDESKCase#_ldav_trace.zip (Where LANDESKCase# is the numerical LANDESK case number assigned to your incident)
  2. Upload the .ZIP file to ftp://Landesk-public:b8Wk3EECl1Yri5@data3.kaspersky-labs.com
  3. Inform the LANDESK Support technician of the exact file name (please include case sensitivity if it differs from the recommendation above).
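Step 1 above can be scripted. The following PowerShell is an added example, not LANDESK's or Kaspersky's own tooling: it collects the .ENC1 (and .ENC) trace files from the hidden trace folder and packages them under the file name support expects. The -OutputDir parameter and the function names are assumptions; the trace path, extensions and zip name are taken from this article.

```powershell
# Added example (not vendor code): package LANDESK Antivirus trace files into
# LANDESKCase#_ldav_trace.zip for upload to support. Requires PowerShell 5+
# (Compress-Archive) and an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\d+$')]           # the case number is numeric
    [string]$CaseNumber,

    # Documented trace location. The folder is hidden, hence -Force below.
    [string]$TracePath = 'C:\ProgramData\Kaspersky Lab',

    # Hypothetical parameter: where the archive is written.
    [string]$OutputDir = $env:TEMP
)

function Get-LdavTraceFiles {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Trace directory not found: $Root (is tracing enabled?)"
    }
    # .ENC1 files come from application tracing; .ENC files appear when an
    # update task (pattern file download) runs while tracing is on.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Include '*.ENC1', '*.ENC'
}

function New-LdavTraceArchive {
    param([string]$Case, [string]$Root, [string]$Destination)
    $files = @(Get-LdavTraceFiles -Root $Root)
    if ($files.Count -eq 0) {
        throw "No .ENC1/.ENC trace files found under $Root"
    }
    # Naming convention from the article: LANDESKCase#_ldav_trace.zip
    $zip = Join-Path $Destination ("{0}_ldav_trace.zip" -f $Case)
    # Compress-Archive stores only the leaf file names. Trace names are unique
    # ([Application-version]_[Creation_date]_[Creation_time_GMT]_[PID]), so
    # files from different subfolders do not collide inside the archive.
    Compress-Archive -LiteralPath $files.FullName -DestinationPath $zip -Force
    return $zip
}

$archive = New-LdavTraceArchive -Case $CaseNumber -Root $TracePath -Destination $OutputDir
$size = (Get-Item -LiteralPath $archive).Length
Write-Host "Created $archive ($size bytes). Upload it and tell support the exact file name."
```

The files stay encrypted inside the archive; the script only collects and zips them, exactly as the manual steps do.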

 

Trace log detail levels

 

Typically the default trace level should be used. Exceptions will be specified by the support technician:

 

The following trace levels are available (from minimum to maximum details):

 

  • Critical (100). Logs critical errors only.
  • High (200). Logs all errors including critical.
  • Troubleshooting (300). Logs all errors and warnings.
  • Important (400). Logs all errors and warnings, plus additional information messages.
  • Normal (500). Logs all errors and warnings, as well as additional information messages and normal operational data. (This is the default log level)
  • Low (600). Logs all possible messages.

 

How to delete a trace file

 

In order to delete the trace files, you should exit LANDESK Antivirus, delete the trace file from the %ProgramData% folder and start the application again.

 

Useful references

How to troubleshoot LANDESK Antivirus

How to enable / disable trace files generation via registry

Error "GetBases.exe returned an error code: Update successful, but retranslation failed.(37) (25)" when downloading AV pattern files


Issue

AV definition download on the Core Server fails with "GetBases.exe returned an error code: Update successful, but retranslation failed.(37) (25)"

Cause

This is typically caused by a network, rights, disk, or other related error. During the retranslation phase the updater tries to download the database files from the source and create a mirror for updating purposes.
If a network error occurs during this process, this error is thrown.
The retranslation process structures the downloaded signature files in a special order, using a special folder tree; this is what allows a client to update from this server. Something may be wrong with file operations, for instance lack of rights to write/delete, file locking, etc. The origin of this problem is outside of the updater. To find out the origin of this issue, the Updater SDK log file must be gathered and provided to LANDESK Support.

Solution

  • Check network for performance issues, etc.
  • Check free disk space.
  • Check rights on the core server.  The rights for the antivirus directories should match the rights of the parent directories (LDLOGON down).
  • It may be necessary to delete the following subdirectories to download all bases (pattern files) again.
    • ldlogon/antivirus8/win/basesEP10
    • ldlogon/antivirus8/win/pre.basesEP10
    • ldlogon/antivirus8/win/temp_bases8

 

If further troubleshooting is needed it is recommended to turn on advanced updater logging and to open a ticket with LANDESK Support:

 

How to turn on Enhanced Updater SDK logging:

https://community.landesk.com/docs/DOC-27009#jive_content_id_Advanced_Logging_for_the_Updater_SDK_for_troubleshooting_de…

Ivanti Antivirus Introduction


Introduction

Ivanti Antivirus is a sub component of the Ivanti Management suite.  The client side portion uses the Kaspersky Endpoint Security engine but most of the backend processes and controls are Ivanti’s own components. Ivanti Antivirus is a powerful security solution that can be configured and easily managed from the security console.

 

Licensing

Ivanti Antivirus is a separately licensed product for Management Suite. The first step in using it is to make sure you have purchased and have all the proper licensing in place for it to be enabled and working on your core server and clients.

Antivirus licensing has two parts, core licensing and client licensing. Core licensing enables the components to be installed on clients, used and monitored on the core, and allows the downloading of definitions to the core. This part of licensing is handled by the Core Server Activation utility.

 

Client side licensing is a separate “.key” file that gets emailed to you from Ivanti and imported into your core by you using the Console, Antivirus License Information dialog. This license is entirely independent of the Core licensing portion and only activates the client side portion of antivirus and contains an expiration date and information on the number of nodes you purchased.  It does not in any way modify the core’s antivirus licensing or its ability to download definitions.

The client key will expire eventually and you will need to get a new key from Ivanti and import it into the console when it does.

 

Antivirus Action Center

To access the Antivirus Action Center in the console select Tools > Security and Compliance > Security Activity.  Select the Settings drop down and select Landesk Antivirus Action Center.

 

This dialog gives the status of the Antivirus setup on the core.  You can install a new license key, view license information and download definitions from this dialog.  For a more detailed explanation of each item, select the Help button.

 

Installation

Once your core is licensed and the client key imported, you are ready to begin installing Antivirus. This can be done in four ways.

  1. Through a standard Agent deployment and installation from the Core.
  2. Through a self-contained Agent executable.
  3. By creating an Install/Update Security Components task.
  4. By running the "vulscan.exe /installAV" command manually on a client, as Administrator.

The installation first checks whether an existing antivirus solution is present and attempts to remove it if possible. Two components are then installed. The first is the Kaspersky engine and GUI, which is rebranded as Ivanti Antivirus, and the second is the Ivanti Antivirus service, which handles the settings, updating and scanning and controls the GUI. The installation handles both on its own. The client device will likely need to be rebooted to finish the installation of Antivirus, and when updating an existing installation or removing another antivirus solution a second reboot is sometimes needed.

 

Download Definitions On The Core

You can have the core be a central repository for the virus definitions or you can have the clients go right to the internet and download.  To start downloading Antivirus Updates Definitions on the core select Tools > Security and Compliance > Patch and Compliance and double-click on the Download Updates icon located on the menu bar.

 

 

This will open the Download Updates interface, ensure the Updates tab is selected.

 

 

The Landesk Antivirus tab in the same dialog has more options for antivirus.

 

 

Agent Settings

In Agent Settings under Security, Landesk Antivirus is where you will create the settings to configure antivirus on your clients.  In the settings, you can configure what antivirus components are enabled or disabled, how much bandwidth and CPU usage it will use as well as how updates to definitions and when to run scans are configured.

As you are creating or modifying agent settings use the help button for more in-depth explanation of what each does and how to configure it.

 

Security Activity

The Security Activity tab in the console is where you will monitor Antivirus activity. To open it, select Tools > Security and Compliance > Security Activity. Here you can see which clients have outdated pattern files (definitions) and the status of their license, and virus activity can be viewed by device or by infection.

 

Additional Information and Getting Started Documentation:

Getting Started - https://community.ivanti.com/docs/DOC-39373

Antivirus/Antispyware General Information - https://community.ivanti.com/community/landesk/systems/antivirus

Antivirus Exclusions for a LANDESK Client


Description:

This document contains the list of applications and files that need to be excluded/trusted for LANDESK to function properly if you aren't using LANDESK AV.

If you are using LANDESK AV, these exclusions are already made for you.

 

For information about AV exclusions on the core server, see this doc: About Antivirus exclusions (exceptions) for the LANDESK Core Server

 

These are the files that need to be added as exclusions and as trusted applications.

 

32 bit:

 

  • C:\Program Files\LANDesk\LDClient\FindMBDevice.exe
  • C:\Program Files\LANDesk\LDClient\GatherProducts.exe
  • C:\Program Files\LANDesk\LDClient\HPScanner.exe
  • C:\Program Files\LANDesk\LDClient\issclipexec.exe
  • C:\Program Files\LANDesk\LDClient\issuser.exe
  • C:\Program Files\LANDesk\LDClient\LDpcu.exe
  • C:\Program Files\LANDesk\LDClient\LDCSTM32.exe
  • C:\Program Files\LANDesk\LDClient\lddetectsystem.exe
  • C:\Program Files\LANDesk\LDClient\LDISCN32.exe
  • C:\Program Files\LANDesk\LDClient\LDProvisionSecureErase.exe
  • C:\Program Files\LANDesk\LDClient\LDsensors.exe
  • C:\Program Files\LANDesk\LDClient\LDUrlMonInject64.exe
  • C:\Program Files\LANDesk\LDClient\LocalSch.exe
  • C:\Program Files\LANDesk\LDClient\policy.sync.exe
  • C:\Program Files\LANDesk\LDClient\rcgui.exe
  • C:\Program Files\LANDesk\LDClient\restartmon.exe
  • C:\Program Files\LANDesk\LDClient\SDCLIENT.exe
  • C:\Program Files\LANDesk\LDClient\SDISTPS1.exe
  • C:\Program Files\LANDesk\LDClient\softmon.exe
  • C:\Program Files\LANDesk\LDClient\startasuser.exe
  • C:\Program Files\LANDesk\LDClient\vulscan.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\EncArchive.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\HipsClientConfig.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDEncrypt.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDSecSetup32.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\LDSecSetup64.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\VigAlert.exe
  • C:\Program Files\LANDesk\LDClient\HIPS\VIGUARD.exe
  • C:\Program Files\LANDesk\Shared Files\residentAgent.exe
  • C:\Program Files\LANDesk\Shared Files\serviceHost.exe

 

64 bit:

  • C:\Program Files (x86)\LANDesk\LDClient\FindMBDevice.exe
  • C:\Program Files (x86)\LANDesk\LDClient\GatherProducts.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HPScanner.exe
  • C:\Program Files (x86)\LANDesk\LDClient\issclipexec.exe
  • C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDpcu.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDCSTM32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\lddetectsystem.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDISCN32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDProvisionSecureErase.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDsensors.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LDUrlMonInject64.exe
  • C:\Program Files (x86)\LANDesk\LDClient\LocalSch.exe
  • C:\Program Files (x86)\LANDesk\LDClient\policy.sync.exe
  • C:\Program Files (x86)\LANDesk\LDClient\rcgui.exe
  • C:\Program Files (x86)\LANDesk\LDClient\restartmon.exe
  • C:\Program Files (x86)\LANDesk\LDClient\SDCLIENT.exe
  • C:\Program Files (x86)\LANDesk\LDClient\SDISTPS1.exe
  • C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
  • C:\Program Files (x86)\LANDesk\LDClient\startasuser.exe
  • C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\EncArchive.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\HipsClientConfig.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDEncrypt.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDSecSetup32.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\LDSecSetup64.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\VigAlert.exe
  • C:\Program Files (x86)\LANDesk\LDClient\HIPS\VIGUARD.exe
  • C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
  • C:\Program Files (x86)\LANDesk\Shared Files\serviceHost.exe

Ivanti Endpoint Manager and Endpoint Security - Antivirus Landing Page


Ivanti Endpoint Manager and Endpoint Security - Antivirus

 

 

This article is not a complete list of documents and issues. You can continue to search the rest of the community or the portion specific to Ivanti Antivirus for Endpoint Manager if this page hasn't helped.

Mac Antivirus Basic Setup, Configuration and Installation


Mac Antivirus Basic Setup, Configuration and Installation

 

Core Definition Download

The core downloads definition updates for Macs just like it does for Windows PC Antivirus. These in turn get downloaded to the Mac clients based on the agent settings you define for your clients. To start downloading Mac Antivirus definition updates on the core, select Tools > Security and Compliance > Patch and Compliance and double-click on the Download Updates icon located on the menu bar.

This will open the Download Updates interface, ensure the Updates tab is selected.

Mac Antivirus definitions are located under Mac > Security > Antivirus. You will see the Ivanti Antivirus Updates checkboxes. Check the definition version(s) you need and click Apply at the bottom of the dialog to make the selection take effect.

You can also download the definitions manually on the Landesk Antivirus tab by clicking the Get Latest Definitions button, making the selections and clicking Ok.

 

Installation and Removal

Installation and removal of the Mac Antivirus agent can be configured on the core.  Mac Antivirus can be installed when the agent gets installed by selecting the Landesk Antivirus option in the agent configuration.  This security feature will only be available if you are licensed for it.

 

Mac Antivirus can also be installed or removed through a security change task in the Security Activity tool. The Security Activity tool can be found by selecting Tools > Security and Compliance > Security Activity.

These items create a scheduled task that you can add devices to individually or by scope or query.

 

Agent Settings

Mac Antivirus settings are configured in Agent Settings > Security > Landesk Antivirus – Mac. Here, you can open an existing antivirus agent setting or create a new one. 

 

The following section outlines the properties of the Mac Antivirus agent settings. To view the settings, right-click on an agent setting and select Properties.

The General area just allows you to name your setting.  The Protection area allows you to specify what protection runs on the end clients and options on how they run.  Protection Scope here allows you to set what gets monitored through the drivers detected. By checking a box in this dialog, it enables monitoring on devices that use those drivers on the Mac.

You can also add exclusions to the Network Attack Blocker. This is done by clicking the Exclusion button and entering the IP addresses that you want to exclude from being monitored.

The Virus Scan area allows you to setup and configure Full Scans and Critical Area Scans, how they behave on the devices and schedule when they run.  The Help button can be accessed here for more detailed information on each item in the window to help you determine what options you want enabled or disabled on the clients.

The Threats area gives you options as to what malware is detected. Again, the Help button gives greater detail as to each of the options available.

 

The Update area lets you define how and where you get definition updates, either from the Core, a Preferred Server or the Internet directly. Checking the Update box and clicking Change Schedule allows you to define when and how often the clients update definitions.

Important:  Due to the way the local daemon runs on the Mac OS as designed by Apple, Mac Antivirus will only update if a user is logged in.  The device can be locked, but a user must be logged in, for Mac Antivirus to download updates.

 

The Reports area allows configuring of how many days’ items are kept in the reporting section on the clients.  The Appearance area allows configuration of notifications and if you want an icon displayed on the menu bar on the mac clients.

Important:  Some settings you configure with agent settings will not be displayed in the Kaspersky GUI on the Mac client.  The most notable is the message that Automatic Updates are disabled.  Updates on the Mac are handled through a different mechanism other than the Kaspersky GUI so our agent settings can get them from a core instead of the internet and as such automatic updates are disabled directly in the GUI itself.

Ivanti Antivirus supported Operating Systems

How to remove quarantined files from a LANDesk Antivirus client.


Question:

 

How do I remove quarantined files from a LANDesk Antivirus client?

 

Answer:

 

Quarantined virus files are stored on the client computer in the following location:

 

  • Windows 2000/XP/2003: C:\Documents and Settings\All Users\Application Data\LANDeskAV\Quarantine
  • Windows Vista/Windows 7/Server 2008: C:\ProgramData\LANDeskAV\Quarantine

 

Quarantine files have a .QAR extension.

 

These files can be removed from this directory even while LANDesk Antivirus is running without any ill effect.

 

They can be removed through the LANDesk Client GUI by clicking the Antivirus shield icon, and then clicking "Show details" next to the Quarantined Items section.

 

 

To remotely remove these files, a script should be written to delete *.QAR from the remote Quarantine directory on the client.

 

A script can be written using a batch file, a LANDesk script, or other means.
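One way to write that script, as an added PowerShell example that is not LANDesk's own: it picks the documented quarantine directory for the Windows version it runs on, deletes only *.QAR files, and supports -WhatIf so the deletion can be previewed first. The -QuarantinePath override and the function names are assumptions; the paths and the .QAR extension come from this article.

```powershell
# Added example, not LANDesk's own script: delete quarantined .QAR files on a
# LANDesk Antivirus client. Intended to be pushed to clients by whatever
# remote-execution mechanism you use (for example a LANDesk script) and run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical override for a relocated quarantine directory; by default the
    # documented location for the running Windows version is used.
    [string]$QuarantinePath
)

function Get-LdavQuarantinePath {
    # Windows 2000/XP/2003 are NT 5.x; Vista/7/Server 2008 and later are NT 6.0+.
    $ver = [System.Environment]::OSVersion.Version
    if ($ver.Major -lt 6) {
        return 'C:\Documents and Settings\All Users\Application Data\LANDeskAV\Quarantine'
    }
    return 'C:\ProgramData\LANDeskAV\Quarantine'
}

function Remove-LdavQuarantineFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Quarantine directory not found: $Path"
        return 0
    }
    # Only .QAR files are quarantine items; anything else in the folder is left alone.
    # PSIsContainer is used instead of -File so this also runs on PowerShell 2.0
    # (XP-era clients).
    $items = Get-ChildItem -LiteralPath $Path -Filter '*.QAR' -Force |
             Where-Object { -not $_.PSIsContainer }
    $removed = 0
    foreach ($item in $items) {
        # ShouldProcess honours -WhatIf / -Confirm passed to the script.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete quarantined file')) {
            Remove-Item -LiteralPath $item.FullName -Force
            $removed++
        }
    }
    return $removed
}

if (-not $QuarantinePath) { $QuarantinePath = Get-LdavQuarantinePath }
$count = Remove-LdavQuarantineFiles -Path $QuarantinePath
Write-Host "Removed $count quarantined file(s) from $QuarantinePath"
```

Run it once with -WhatIf to list what would be deleted before running it for real.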

How To: Troubleshoot LANDESK Antivirus


This article details the troubleshooting steps for LANDESK Antivirus. For high level training it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management.

 


 

LANDESK Antivirus Installation

 

Three different methods can be used to install LANDESK Antivirus on a client.

 

Installed as part of the Agent installation

    1. Select LANDESK Antivirus component within the Agent Configuration - Start - Agent Components to Install section.
    2. Configure desired settings within the Agent Configuration - Security and Compliance - LANDESK Antivirus section.

 

Installed through an Install/Update Security Components task

    1. Open the Agent Settings tool within the LDMS console.
    2. Select the Create a Task dropdown and select Install/Update Security Components.
    3. Select the desired Task Type, select the LANDESK Antivirus components to install, select the desired Task Options, and the desired reboot options (controlled through Scan and Repair Settings).

      Note: If experiencing installation issues, you can select the box "Troubleshoot LANDESK Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.

 

Run "vulscan /installav" from the command line of a client computer

If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui")

 

Installation files

    • Bases.cab - Antivirus Bases (Pattern files)
    • Cleaner.cab - rules for detection of incompatible software
    • Incompatible.txt - list of incompatible software
    • Kes10SP1MR2_en.msp - MR2 patch
    • Kes10win.msi - MSI Installation package


Files not used by LANDESK Installation of Kaspersky Antivirus

    • aes_encryption_module.msi
    • Kes10win.kpd
    • Kes10win.kud
    • klcfginst.exe

 

 

Installation log files

Log Filename | Purpose | Location
ldav_install.log | Logs installation activity controlled by LDAV.EXE | C:\ProgramData\LANDESK\Log
installav.log (or installav#.log) | Logs installation activity controlled by Vulscan.exe | C:\ProgramData\LANDESK\Log
KESPatchMSI.log, KESPatch.log | Logs installation of all Kaspersky patches applied | C:\ProgramData\LANDESK\Log
ucaevents.log | Logs installation of Kaspersky | C:\Windows\Temp or %Temp%
kl-setup-YYYY-MM-DD-HH-MM-SS.log | Logs preparation, such as removal of incompatible programs | C:\ProgramData\LANDESK\log (copied from Windows temp dir or %temp% after completion)
kl-update-YYYY-MM-DD-HH-MM-SS.log | Logs initial bases (pattern files) update | C:\ProgramData\LANDESK\log (copied from Windows temp dir or %temp% after completion)
kl-install-YYYY-MM-DD-HH-MM-SS.log | Logs the main Kaspersky installation | C:\ProgramData\LANDESK\log (copied from Windows temp dir or %temp% after completion)

 

Installation troubleshooting tip: To easily open the log file directories, at the client "Run" line type "vulscan log" to open the %programdata%\LANDESK\log directory or "vulscan av" to open the %programdata%\LANDESKAV folder.

 

 

Most installation failures will be logged within the LDAV_INSTALL.LOG or in the KL*.log.  Installation activity is also recorded to the Security Activity tool within the LDMS console. 

 

The Windows Event viewer will show the following type of events as well:

Windows Installer reconfigured the product. Product Name: Kaspersky Endpoint Security 10 for Windows. Product Version: 10.2.5.3201. Product Language: 1033. Manufacturer: Kaspersky Lab. Reconfiguration success or error status: 0.

Doing a "Find" in the Event Viewer logs for "LANDESK" or "Kaspersky" can also be useful for finding successes or failures.

 

Installation requires a reboot if installing over an older version of LANDESK Antivirus or removing another 3rd party Antivirus. 

In addition it will require another reboot after the latest critical updates have been applied as part of updating the pattern files.

Possible Installation issues

  • Insufficient Memory - Install failures due to insufficient memory requirements can be viewed in the Security Activity Tool in the LDMS console and in the MSI_Install.log file

See Kaspersky Endpoint Security 10 for Windows (for workstations)

  • Conflicting 3rd Party Software

During installation, LANDESK Antivirus will detect the presence of incompatible 3rd-party software.  LANDESK Antivirus utilizes the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL.  If conflicting software is found during the LANDESK Antivirus installation, one of two events will occur:

Conflicting software will be automatically removed - List of applications incompatible with Kaspersky Endpoint Security 10 for Windows

Installation will fail - Install failures due to incompatible software are viewable in KL*.log.

General Troubleshooting Flowchart

GeneralTroubleshooting.jpg


 

When the flowchart refers to "KES", this means Kaspersky Endpoint Security and is interchangeable with "LDAV".

 

Troubleshooting System Watcher

 

At times it becomes necessary to troubleshoot System Watcher. System Watcher is a vital component of LANDESK Antivirus and generally should not be disabled.

 

The following flowchart shows details about troubleshooting this antivirus component:

SystemWatcherTroubleshoot.png


 

 

Troubleshooting Compatibility Issues

 

  1. Pause LDAV protection by clicking "Pause protection and control..." in the LDAV tray menu.
  2. Try to reproduce the problem.
    1. If the problem is still reproduced, go to step 3.
    2. If the problem is no longer reproduced, restore LDAV protection and start turning off LDAV protection components one by one.
    3. Check whether the issue persists after each step. The aim is to find the faulty component. When the component is found, gather traces with only this component enabled.
  3. Stop the LDAV service by clicking "Exit" in the LDAV tray menu.
  4. Try to reproduce the problem.
    1. If the problem is still reproduced, go to step 5.
    2. If the problem is not reproduced, start LDAV and gather traces with all components disabled.
  5. If you got to this step, this is a driver issue. The aim is to find the faulty driver. LDAV drivers are located in the "C:\Windows\System32\drivers" folder.
  6. Disable LDAV self-defense. Then start disabling LDAV drivers by renaming them (for example, change the extension from .sys to .bak).
  7. Rename the drivers one by one, reboot the machine after each step, and then check whether the issue persists.

 

Please note that the drivers should be disabled in the following sequence:

  • klim6.sys
  • kltdi.sys (Windows 7/2008)
  • klwfp.sys (Windows 8 and later)
  • kneps.sys
  • klelam.sys
  • klif.sys

 

Uninstalling LANDESK Antivirus

 

The following methods can be used to uninstall LANDESK Antivirus:

 

  1. Schedule a "Remove Security Components" task from within the Security Activity tool in the LANDESK Console.  Select "LANDESK Antivirus" as a component to remove.
  2. Run "vulscan /removeav" from the client command line

 

If this fails it may be necessary to run the following:

 

The KAV Removal tool should be used in case uninstallation by other methods fail or there is suspicion that there are leftovers from previous installations.

 

KAVRemover automatically detects the installed Kaspersky product.   If detection fails the "-nodetect" command line switch should be used.

 

It is recommended to run KAVRemover in Safe Mode

 

Log files for Antivirus uninstall

  • %TEMP%\MSIXXXX.log
  • kl-update-YYYY-MM-DD-HH-MM-SS.log

 

The kl-update-yyyy-mm-dd-hh-mm-ss.log files will be picked up by GetSystemInfo if run.  The MSI log must be gathered manually.

 

Note: When attempting to remove and reinstall LANDESK Antivirus, an uninstall must be performed and then an install performed.  Reinstalling over top does not remove and reinstall the .MSI, it simply performs the LANDESK specific actions controlled by vulscan.exe and LDAV.EXE.      

Product Activation

 

How to troubleshoot LANDESK Antivirus license issues

 

       Note: The LANDESK Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features as these features are covered by LANDESK Device Manager and LANDESK Patch Manager.

 

Directories

  • C:\ProgramData\LANDESKAV - Main directory for LANDESK Antivirus log files
  • C:\ProgramData\Kaspersky Labs - Directory for Kaspersky trace files
  • C:\Program Files (x86)\landesk\ldclient\antivirus - Main directory for LANDESK Antivirus service
  • C:\Program Files (x86)\landesk\ldclient\antivirus\install - Used to install LANDESK Antivirus and rebrand Kaspersky Endpoint Security
  • C:\Program Files (x86)\landesk\ldclient\antivirus\temp_bases8 - Used to update pattern files
  • C:\Program Files (x86)\landesk\ldclient\antivirus\kav - Kaspersky Endpoint Security files
  • C:\ProgramData\Kaspersky Lab\KES10\Bases - Pattern files directory for Kaspersky Endpoint Security 8.
  • C:\Program Files\LANDESK\LDClient\Antivirus\KAV\Patches - Directory where Kaspersky patches are stored.  Look here to see if patches have been downloaded.

 

Files

 

Filename | Purpose | Location
LDAV.exe | LANDESK Antivirus Service | LDClient\Antivirus
LDAV.key | License file for LANDESK Antivirus | LDClient\Antivirus

 

Registry Keys

 

Key Name | Purpose
HKLM\Software\KasperskyLab | Kaspersky Antivirus Settings
HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus | Configuration Information, Last Scan Dates, Status Information
HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\License | License details
HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan\klbehavior | Current assigned LANDESK Antivirus settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches | Currently installed patches

 

 

Drivers Location

 

All of the drivers are stored in C:\Windows\System32\Drivers

 

There are typically six drivers:

 

  • KLELAM.SYS
  • KL1.SYS
  • KLFLT.SYS
  • KLIF.SYS
  • KLWFP.SYS
  • KNEPS.SYS

 

LANDESK Antivirus Database Tables, Inventory Information and Security Activity

 

LANDESK Antivirus: Database Tables, Inventory Information, and Security Activity

 

Settings

 

The LANDESK Antivirus scanner, as with the LANDESK Security vulnerability scanner, uses an XML file to configure its behavior.  Antivirus Settings files are stored in C:\ProgramData\Vulscan\KLBehavior_<id>.xml

 

The following registry key value indicates the ID of the AV behavior being used:

      • Key: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan  DWORD Value: KLBehavior

 

Antivirus Settings XML files can be updated using a Scheduled Task on the core, or they are updated automatically on the same schedule that vulscan uses to update its own Agent Behaviors. To refresh settings, create a Change Settings task on the Core Server: in Patch Manager, open the "Create a Task" dropdown, select "Change Settings", and then create a schedule. Alternatively, "vulscan /changesettings" can be run from the client command line (add /showui to the command to view the UI while it is running).

Settings that cannot be configured through LANDESK Management Suite

 

Currently, not all settings available within the client-side LANDESK Antivirus GUI (Kaspersky Endpoint Security 10) can be configured using LANDESK Management Suite. To use settings that are not exposed in the LANDESK Antivirus Settings within the LANDESK Management Suite Console, follow the steps outlined in the following document:

How to import Kaspersky Agent settings to the LDMS Agent settings on the Core

 

 

Tasks

 

Scheduled tasks for Update, Full, and Critical Areas scans are created as LANDESK Local Scheduler tasks, not as tasks within LANDESK Antivirus. As a result, the tasks within the client UI show "Manually".

Manually.png

To view the LANDESK Local Scheduler tasks, from the LDCLIENT directory run "LocalSch.exe /tasks | more"
Schedule.png

Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (Recommended update frequency is daily, before the daily scan)

Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (Recommended scan frequency is daily, after pattern files have been updated)

Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (Recommended scan frequency is weekly)

 

Gathering logging information for LANDESK support

 

Standard Log Files

 

  • C:\ProgramData\LANDESKAV\*.log
  • C:\ProgramData\LANDESK\Log\*.log
  • C:\ProgramData\vulscan\installav*.log
  • C:\ProgramData\Kaspersky Lab\*.log
  • C:\Windows\Temp\KL*.log, %TEMP%\KL*.log,
  • C:\Windows\Temp\Ucaevents.log, %TEMP%\Ucaevents.log
  • C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log
  • C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log


GetSystemInfo Report

 

This is a very important log file to get. It should be the first log that is retrieved, as it contains most of the log files above along with detailed information about the computer, including hardware information, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.

 

GetSystemInfo Utility Download

 

    1. Extract the downloaded GetSystemInfo Utility .ZIP file
    2. Run GSI.EXE that you extracted from the .ZIP file
    3. Click the green "Play" button to start gathering the report.
    4. Wait until the utility has completely scanned the system. (This may take quite some time.)
    5. Click OK to confirm the creation of a report.

 

A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.  Attach this report to your created case, or e-mail it to your LANDESK Support technician.  The GetSystemInfo report can then be reviewed and further analyzed by doing the following:

    1. Browse to http://www.getsysteminfo.com/
    2. From the GetSystemInfo web site click "Choose file" and then browse to the previously gathered GetSystemInfo log file and upload it to the site.
    3. After uploading the file you can analyze it yourself.
      GetSystemInfo.jpg
    4. This will bring up a tabbed interface with various information:
      GetSystemInfoTabs.jpg

Trace Log Files

 

The following article contains detailed information for gathering trace log files: How to gather trace log files for LANDESK Antivirus

Antivirus client configuration export

At times it may be required to export the configuration from the Antivirus client.   The following is the procedure to do so:

 

How To: Import/Export Kaspersky Agent Settings

 

Advanced Logging for the Updater SDK (for troubleshooting definition download issues)

 

1. Copy the attached UPDSDK.XML to the \ManagementSuite\LDLogon\Antivirus8 folder on the core server.

2. Download Antivirus pattern files

 

This will create an UpdaterSDK7.log file in the managementsuite folder.

 

Memory dump

In case of a blue screen, a memory dump will need to be gathered.

 

    1. Right-click "My computer" and choose "Properties"
    2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
    3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Complete memory dump"
    4. Make note of the path that the MEMORY.DMP file will be saved to.
    5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

A complete memory dump must be supplied, a mini dump does not supply sufficient information.

 

See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.

 

Submitting files for investigation by Kaspersky

 

How to report undetected viruses or false positives to LANDESK

How to turn off System Restore on a client or a group of clients


Often it is necessary to turn off System Restore.  This is especially true when a system has had the Restore Points compromised or corrupted due to malware.

 

To turn off System Restore on a particular client

1. Click Start.

2. Right-click My Computer, and then click Properties.

3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Note: You must have Administrator rights to see the System Restore tab.

4. Click Apply.

5. At the confirmation message, click Yes.

 

To turn off System Restore on a group of clients through Group Policy

1. Load the policy that you want to modify. For example, go to Start, Programs, Administrative Tools, Active Directory Users and Computers; right-click a domain; select Properties; select the Group Policy tab; then create a new policy or edit an existing policy.
2. Navigate to Computer Configuration, Administrative Templates, System, System Restore.
3. Double-click "Turn off System Restore," set it to Enabled, then click OK.
4. Close the policy.

 

To turn off System Restore via Script

' Disable System Restore on the local computer ("." = this machine) through the WMI SystemRestore class
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Disable("")

(Thanks to user Zman for this tip)

 

For additional information regarding System Restore please see the following Microsoft article:

http://support.microsoft.com/kb/831829

Bad Rabbit ransomware - official statement from Kaspersky


Statement:

 

Here you will find the official statement from Kaspersky about Bad Rabbit ransomware: https://securelist.com/bad-rabbit-ransomware/82851/.

 

Recommendations from Kaspersky:

 

Kaspersky Lab corporate customers are also advised to:

  • make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
  • update the antivirus databases immediately.

 

The abovementioned measures should be sufficient. However, as additional precautions we advise the following:

  • restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
  • configuring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.

 

Kaspersky Lab products detect this threat with the following verdicts:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak

How To: Submit Requests Regarding Spyware Content


Description

There may be situations where spyware is either not completely detected, or not completely removed during the scan process.
Spyware is software or other code, typically installed as part of another product installation, a visit to an infected web site, or other activities, that enables someone to obtain information about another person's computer activities by covertly transmitting data from the computer on which the spyware is installed.

 

Resolution

 

Submit a request to Ivanti Customer Support to have detection and remediation content added so that the spyware is properly detected and removed.

 

Process for submitting requests for Spyware content:

 

In order for Ivanti to add this undetected spyware the following process must be followed:

  1. If possible, the actual install executable that downloaded and/or installed the spyware.
  2. The executable that was installed on the computer. You can usually find this by looking in the running processes; spyware generally takes up an unusual amount of memory or CPU.
  3. Any additional information about the suspected spyware. Please include any information that you know:

    • A description of how it is installed: a website, email, or as part of a different installation.
    • A description of what it does: Does it launch additional sites? Does it download other applications? Etc.
    • A description of any malicious behavior, processor utilization, file corruption, etc.
    • Any other observations.

  4. Compress any files that you collected in .ZIP format and password protect it with the password "infected".
  5. Upload the files to ftp://ftp.landesk.com/spyware
  6. Call LANDESK Support and create a support case. They will need to know the name of the file you uploaded. In addition, please provide a detailed description of the issue.

 

Our team will make a thorough assessment of the submitted information to determine if they should be identified and removed.

How to Troubleshoot "Databases are Corrupted" and Malfunction errors in LANDesk Antivirus


How to fix "Databases are Corrupted", "Databases are extremely out of date", and "Malfunction" errors

 


"Databases are Corrupted" & "Databases are extremely out of date"

 

On a single machine

  1. Open an administrative command prompt
  2. Run the following commands:
    • cd\ - press Enter
    • cd "Program Files (x86)\LANDesk\LDClient\Antivirus" - press Enter
    • ldav.exe /updatefrominternet - press Enter

 

 

You should see activity in the GUI for your AV client, as seen below:

 

Once the update has finished, the error should be gone as seen below:

 

 

On multiple clients

 

  1. On your core, go to the ManagementSuite\ldlogon\avclient\install\setup directory and rename the "bases.cab" file to bases.cab.old.

  2. Re-initiate a download of the AV definitions from your Patch Manager (this will rebuild the bases.cab file on your core).

 

 

It would be a good idea to rebuild your agents and standalone installers at this point. This will ensure that the new bases.cab file will be included in any installation from this point forward.

 

  3. In the Security Activity tool (Tools->Security and Compliance->Security Activity), create a new "LANDESK Antivirus task..." that updates the definitions without a scan. Next, configure a new Antivirus setting: leave everything at the defaults, but change the update source to "Internet Only". Name the setting and save it, making sure to remember the name. Once it is saved, select that setting from the list and click the "Use selected" button in the bottom right. Give the task an appropriate name and click Save; this creates a Scheduled Task with that name. Schedule the task like any other task and assign machines to it. Remember that the settings used for this task apply ONLY to this particular task; they are used once for this task and then discarded.

 

AV_Update_Internet_Only.gif

 

 

"Malfunction" error in AV Components

 

On occasion, AV components may malfunction. They will show in the GUI as seen below:

 

 

If you see this behavior on a single machine, please follow the steps in the "On a single machine" section above. You will want to reboot the machine once this has completed.

 

If you see this on multiple machines, follow the instructions from Step 3 in the "On multiple clients" section above. You will want to schedule reboots for the machines once this has successfully run on the targeted clients.

 

If for any reason the steps above fail to resolve the issues presented, contact LANDesk Support and open a case to be investigated.

Issue: Web application not working with Ivanti Antivirus installed


Issue

 

With Ivanti Antivirus installed a Web Application is not working

 

Cause

 

Typically this is caused by Ivanti Antivirus monitoring a port that the web application uses. This happens even when the application has been added to the trusted applications list and the URL has been added to the trusted list.

 

Resolution

 

Change the monitored ports setting from "Monitor all ports" to "Monitor selected ports" ("Monitor selected ports" is the default) and then remove the port number that the web application uses.

 

This is done by doing the following steps:

 

  1. Open the Agent Settings tool in the Ivanti Endpoint Manager console.
  2. Move to the Security node in the tree on the left and expand it.
  3. Select "Ivanti Antivirus" and then select the Antivirus setting you wish to Edit.
  4. Go to the "Protection" section of the setting and then change the radio button under "Monitored" ports in the bottom right-hand section of the window.

MonitoredPorts.jpg

 

 

If not all computers use this web application, you can create a separate Ivanti Antivirus setting with the ports change and deploy it only to the clients that use that web application.

Ivanti Antivirus: Database Tables, Inventory Information, and Security Activity


This document lists the tables in the Ivanti EPM Database that are related to the Ivanti Antivirus product:


 

The following are the tables used for Ivanti Antivirus:

 

 

Antivirus table

 

The information from this table shows up in the Antivirus Licensing information in the Ivanti Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool.  This table records the inventory information for not only the Ivanti Antivirus product but also for other 3rd party Antivirus products.  This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the Ivanti Antivirus Service.  This information is sent under the following conditions:

 

  • After AV installation
  • After activating with a new license
  • After a scanning task is done
  • After pattern files are updated

 

In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.

 

When this information is sent to the core it is logged in LDAV.LOG as "Submitting all Antivirus table information...".

 

For an Inventory Scan this information is gathered through LDAVHLPR.DLL. Periodic updates of this .DLL are provided within Ivanti Patch Content to support gathering information on newer versions of Antivirus software. The information that can be gathered from each 3rd party vendor varies; some information may not be applicable or available to gather through the Ivanti Inventory or Patch and Compliance scan processes.

 

AntivirusTableLeft.jpg

                    AntivirusTableRight.jpg

This information shows up in the Inventory of a client in this manner:

 

Inventory-Info.jpg

 

 

This table consists of the following columns:

Column Name | Description
Computer_IDN | Unique database identifier for the computer associated to the Antivirus information in the next columns
Antivirus_IDN | Unique database identifier for the Antivirus entry
ProductName | Name of the Antivirus product
AutoProtect | Whether the realtime scanner (AutoProtect) is enabled or not
ProductVersion | Version of the Antivirus product
EngineVersion | Version of the Antivirus engine
DefVersion | Version of the currently active definitions at the time of the last Inventory Scan or Security and Compliance Scan
PubDate | Publication date of the antivirus definitions (pattern files) on the client
DefInstallDate | Time and date that the current definition files (pattern files) were updated on the client
LastVirusScan | Last time and date a regular virus scan was executed on the client
LastFullVirusScan | Last time and date a full virus scan was executed on the client
LastQuickVirusScan | Last time and date a quick virus scan was executed on the client
AgentRunning | Source of the server for the Pattern Files. Typically this will only apply to Ivanti Antivirus
PatternServer | Source of the server for the Pattern Files. Typically this will only apply to Ivanti Antivirus
LicenseExpirationDate | Date and time that the current antivirus product license expires
LicensePeriod | Length of time in days remaining
License Number | Product license number that the client is currently using
LicenseProductName | Name of the licensed product
LicenseMaxCount | Total number of nodes that the license reported by the client is good for
StartFullVirusScan | Time and date that the last full virus scan was started
StartQuickVirusScan | Time and date that the last quick virus scan was started
FullVirusScanCancelled | Time and date the last full virus scan was canceled
QuickVirusScanCancelled | Time and date the last quick virus scan was canceled

 

AntivirusPatches table

 

This table lists the patches for the Antivirus product that are installed on the client.

 

This information is sent to the Core when an Inventory Scan runs.

 

AntiVirusPatches.jpg

 

Column Name | Description
Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns
AntivirusPatches_Idn | Unique database identifier for the AntivirusPatches entry
DisplayName | How the patch appears in the client interface (under the support link at the bottom of the LDAV UI)
InstalledDate | Date and time that the patch was installed
MoreInfoURL | If applicable, the link to go to for more information about the patch
PatchName | Name of the patch

 

This shows up in the Client Inventory in this location:

 

LANDESKPatchesClient.jpg

The LANDESK Antivirus service logs patch information every time it starts, during the initialize period, to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches; it is then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches

 

 

InfectedFiles table

 

This information shows up in the Security Activity tool under Ivanti Antivirus - Infections by Computer, and Ivanti Antivirus - Infections by Virus

 

InfectedFiles.jpg

 

This table consists of the following columns:

Column Name | Description
Computer_Idn | Unique database identifier for the computer that was infected
InfectedFiles_Idn | Unique database identifier for the file that was found that contained a virus
Path | Path on the client computer where the infected file was found
Virus | Particular virus found within the infected file
Failure | Description of the failure

 

 

QuarantinedFiles table

 

This information shows up in the Security Activity tool under Ivanti Antivirus - Quarantined Infections by computer and Ivanti Antivirus - Infections by virus

 

This table stores both information about files that have been Quarantined or files that have been moved into the Backup folder.

 

QuarantinedFiles.jpg


This table consists of the following columns:

 

Column Name | Description
Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns
QuarantinedFiles_Idn | Unique database identifier for the files that were quarantined
Filename | Name of the quarantined file
Status | 0 = Riskware, 1 = Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured
Virus | Virus that was found in the quarantined file
OriginalLocation | Path where the file was found on the client computer
GUIDFilename | GUID assigned to the filename
QuarantineDate | Date and time that the file was quarantined

 

This information shows up in the Inventory of the client under Security - Quarantined Files.  Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus

SecurityAction table

This information shows up in the Security Activity Tool under Ivanti Antivirus - Activity, Activity by computer, and activity by virus.  In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.

SecurityActionLeft.jpg

                SecurityActionRight.jpg

Column Name | Description
SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action
Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to
ActionTaken | Action that was taken
ActionCode | Code type of the action that was taken
ActionDate | Date and time that the action occurred
Application | Application Name
MD5Hash | MD5 Hash of the file if a file was involved
SHA1Hash | SHA1 Hash of the file if a file was involved
SHA256Hash | SHA256 Hash of the file if a file was involved
Type | Type code for the action that occurred
Filesize | Size in kilobytes of the file if a file was involved
FileDate | File Creation Date of the file if a file was involved
FileVersion | File Version of the file from within the file properties of a file if a file was involved
CompanyName | Company Name from within the file properties of the file if a file was involved
ProductName | Product Name from within the file properties of the file if a file was involved
ProductVersion | Product Version from within the file properties of the file if a file was involved
UserName | User logged in when the action occurred
ConfigGUID | Unique GUID of the Setting that was in use when the action occurred
LocationID | Information being gathered on values

 

The information in this table makes up most of the Ivanti Antivirus information shown in the Security Activity tool.  This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.

 

The exception is the licensing information, which is stored in the Antivirus table and is sent by the Ivanti Antivirus Service on the client to the WSVulnerability web service on the core server.

The following are the codes returned to the core server and their meanings:

 

Result | Code
IS_VIRUS_REPAIR_FAILED | 10
IS_VIRUS_REPAIR_SUCCEEDED | 11
IS_VIRUS_QUARANTINE_FAILED | 12
IS_VIRUS_QUARANTINE_SUCCEEDED | 13
IS_SUSPICIOUS_QUARANTINE_FAILED | 14
IS_SUSPICIOUS_QUARANTINE_SUCCEEDED | 15
IS_SUSPICIOUS_NO_ACTION_TAKEN | 16
IS_RT_VIRUS_REPAIR_FAILED | 17
IS_RT_VIRUS_REPAIR_SUCCEEDED | 18
IS_RT_VIRUS_QUARANTINE_FAILED | 19
IS_RT_VIRUS_QUARANTINE_SUCCEEDED | 20
IS_RT_SUSPICIOUS_QUARANTINE_FAILED | 21
IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED | 22
IS_APP_BLOCK_FAILED | 23
IS_APP_BLOCK_SUCCEEDED | 24
IS_AVSERVICE_FAILED_TO_START | 25
IS_VIRUS_FOUND | 26
IS_RT_VIRUS_FOUND | 27
IS_SUSPICIOUS_FOUND | 28
IS_RT_SUSPICIOUS_FOUND | 29
IS_REBOOT_NEEDED | 30
IS_REBOOT_NOT_NEEDED | 31
IS_INSTALLING_AV | 32
IS_REMOVING_AV | 33
IS_INSTALLED_AV | 34
IS_REMOVED_AV | 35
IS_FAILED_INSTALL_AV | 36
IS_FAILED_REMOVE_AV | 37
IS_AV_REBOOT_PENDING | 38
IS_LOGIN | 39
IS_LOGOFF | 40
IS_AUTH_SUCCEEDED | 41
IS_AUTH_WOULD_HAVE_FAILED | 42
IS_AUTH_FAILED | 43
IS_DECRYPT_SUCCEEDED | 44
IS_DECRYPT_FAILED_KEY_NOT_FOUND | 45
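As an added example (not Ivanti's code), the script below turns the result codes above into a triage report over a constructed export of SecurityAction rows: each code is decoded, sorted into a severity bucket of this example's own choosing, and detections, failures, unhandled suspicious objects and undocumented codes are flagged per computer. It assumes the export carries the numeric code in a column named ResultCode, which the page does not name.

```python
# Added example, not Ivanti code: triage a SecurityAction export using the
# result codes listed on the page. Severity buckets, CSV layout and the
# column name "ResultCode" are this example's assumptions.
import csv
import io
from collections import Counter, defaultdict

# Result codes as listed on the page (name -> numeric code)
RESULT_CODES = {
    "IS_VIRUS_REPAIR_FAILED": 10, "IS_VIRUS_REPAIR_SUCCEEDED": 11,
    "IS_VIRUS_QUARANTINE_FAILED": 12, "IS_VIRUS_QUARANTINE_SUCCEEDED": 13,
    "IS_SUSPICIOUS_QUARANTINE_FAILED": 14, "IS_SUSPICIOUS_QUARANTINE_SUCCEEDED": 15,
    "IS_SUSPICIOUS_NO_ACTION_TAKEN": 16, "IS_RT_VIRUS_REPAIR_FAILED": 17,
    "IS_RT_VIRUS_REPAIR_SUCCEEDED": 18, "IS_RT_VIRUS_QUARANTINE_FAILED": 19,
    "IS_RT_VIRUS_QUARANTINE_SUCCEEDED": 20, "IS_RT_SUSPICIOUS_QUARANTINE_FAILED": 21,
    "IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED": 22, "IS_APP_BLOCK_FAILED": 23,
    "IS_APP_BLOCK_SUCCEEDED": 24, "IS_AVSERVICE_FAILED_TO_START": 25,
    "IS_VIRUS_FOUND": 26, "IS_RT_VIRUS_FOUND": 27,
    "IS_SUSPICIOUS_FOUND": 28, "IS_RT_SUSPICIOUS_FOUND": 29,
    "IS_REBOOT_NEEDED": 30, "IS_REBOOT_NOT_NEEDED": 31,
    "IS_INSTALLING_AV": 32, "IS_REMOVING_AV": 33,
    "IS_INSTALLED_AV": 34, "IS_REMOVED_AV": 35,
    "IS_FAILED_INSTALL_AV": 36, "IS_FAILED_REMOVE_AV": 37,
    "IS_AV_REBOOT_PENDING": 38, "IS_LOGIN": 39, "IS_LOGOFF": 40,
    "IS_AUTH_SUCCEEDED": 41, "IS_AUTH_WOULD_HAVE_FAILED": 42, "IS_AUTH_FAILED": 43,
    "IS_DECRYPT_SUCCEEDED": 44, "IS_DECRYPT_FAILED_KEY_NOT_FOUND": 45,
}
CODE_NAMES = {code: name for name, code in RESULT_CODES.items()}

# Buckets that deserve an analyst's attention (this example's own choice)
ALERT_BUCKETS = {"detection", "failure", "needs_review", "unknown"}


def severity(name):
    """Sort a result-code name into a triage bucket.

    Order matters: IS_DECRYPT_FAILED_KEY_NOT_FOUND ends in _FOUND but is a
    failure, and IS_AUTH_WOULD_HAVE_FAILED is an audit-only event.
    """
    if name is None:
        return "unknown"        # code not documented on the page
    if "WOULD_HAVE_FAILED" in name:
        return "audit"
    if "FAILED" in name:
        return "failure"        # repair/quarantine/block/install failures, service failed to start
    if name.endswith("_FOUND"):
        return "detection"      # malware or suspicious object seen (on-demand or real-time RT)
    if "NO_ACTION_TAKEN" in name:
        return "needs_review"   # suspicious object left in place
    if "SUCCEEDED" in name or name in ("IS_INSTALLED_AV", "IS_REMOVED_AV"):
        return "success"
    return "info"               # reboot state, login/logoff, install/remove progress


def triage(csv_text):
    """Parse a CSV export of SecurityAction rows.

    Returns (per_computer, alerts): per_computer maps Computer_Idn to a
    Counter of buckets; alerts lists the rows in ALERT_BUCKETS in file order.
    """
    per_computer = defaultdict(Counter)
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = int(row["ResultCode"])
        name = CODE_NAMES.get(code)
        bucket = severity(name)
        per_computer[row["Computer_Idn"]][bucket] += 1
        if bucket in ALERT_BUCKETS:
            alerts.append({
                "computer": row["Computer_Idn"],
                "date": row["ActionDate"],
                "code": code,
                "name": name or f"UNDOCUMENTED_{code}",
                "bucket": bucket,
                "application": row.get("Application", ""),
            })
    return dict(per_computer), alerts


# Constructed sample export (not real data); code 99 is deliberately undocumented
SAMPLE_EXPORT = r"""Computer_Idn,ActionDate,ResultCode,Application
101,2017-10-24 09:12:00,27,C:\Users\alice\Downloads\invoice.exe
101,2017-10-24 09:12:01,20,C:\Users\alice\Downloads\invoice.exe
102,2017-10-24 10:05:13,25,
103,2017-10-24 11:30:00,34,
103,2017-10-24 11:30:05,16,C:\Temp\tool.exe
104,2017-10-24 12:00:00,99,
"""

if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_EXPORT)
    for computer, counts in summary.items():
        print(computer, dict(counts))
    for alert in flagged:
        print(f"{alert['computer']} {alert['date']} {alert['name']} ({alert['bucket']}) {alert['application']}")
```

Running it on the constructed export flags the real-time detection on 101, the service start failure on 102, the suspicious object left in place on 103, and the undocumented code on 104, while the successful quarantine and install are counted but not raised.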

 

 

TrustedItem table

 

Trusted items are a list of objects that Ivanti Antivirus does not monitor or control.  This list is populated with a list of Ivanti EPM client files at the time of Ivanti Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.

You can add a trusted item and it will block Ivanti Antivirus access to that item, however you must be very sure that it does not represent any threat.

TrustedItem.jpg

 

Column Name | Description
Computer_Idn | Unique database identifier of the computer that has this object in its trusted applications list
TrustedItem_Idn | Unique database identifier of the trusted object
Item | Item full path and name
Status | User Added = 4, Admin Added = 6 (Admin added is either as part of installation or a settings update)
ObjectType | File = 0, Folder = 1, Extension = 2
AddedDate | Date that the object was added
Folder | Folder where the trusted item is

 

On the client side these are the entries from the Exclusion Rules or Trusted Applications

TrustedApplications.jpg

This information shows up in the Inventory of the client under Security - Trusted Items.  Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status

About Ivanti Antivirus running on a Server Operating System


Antivirus Functions included in server installs

  • File Anti-Virus
  • Firewall
  • Network Attack Blocker

 

The following components are not included on server installs:

  • Mail Anti-Virus
  • Web Anti-Virus
  • IM Anti-Virus
  • System Watcher

 

Mail, Web, IM, and System Watcher will appear disabled in the local UI on clients.

 

Antivirus Exclusions

Ivanti Antivirus should be carefully tested before applying to your production servers.

 

Ivanti Antivirus is intended to protect the server and its file system.  It is not designed to scan server applications like Microsoft Exchange.  Application servers typically need exclusions added to prevent Ivanti Antivirus from negatively affecting server performance.

 

If your server's application is not listed there, it is recommended to get a list of exclusions from the application's Vendor.

 

Ivanti also has its own list of exclusions if applying Ivanti Antivirus to a core server: About Antivirus exclusions (exceptions) for the Ivanti EPM Core Server
