Purpose

The purpose of this document is to outline how to control when Ivanti Antivirus performs a full virus scan in your environment. The controlling process for an antivirus scan is AVP.exe. This process, when performing a full scan consumes a significant amount of resources (CPU and Memory), placing undesirable slowness on the system. The ability to throttle resource consumption isn't available, however, we can place restrictions around when AVP.exe initiates a full scan. Enabling this feature must be done client side but the permission is not enabled by default. This document will outline the core side configuration as well as what needs to be configured on (1) of your endpoints before this functionality can be disseminated throughout your environment.

Step 1: Allow Permissions (Ivanti AV Agent Settings Core Configuration)

The initial configuration happens on the core within the Antivirus Agent Settings. To access this setting navigate to the following location and double click on the desired Antivirus setting to view the properties:

Tools | Configuration | Agent Settings

The default setting will reside under Public agent settings | Security | LANDESK Antivirus. You can enable the permissions on any Antivirus setting you elect. It is recommended that the Ivanti Administrator isolate the permission (provide least privilege) to individuals who need them.

From within the properties of the LANDESK Antivirus settings select Permissions and ensure the following options are checked:

• Allow user to update definitions
• Allow user to change settings
• Allow user to schedule scans

Once selected, save the settings and create a Change Settings task to make your modifications available to the desired endpoint.

Step 2: Change Settings Task

To create a Change Settings Change Settings Task Open the Ivanti Management Suite console. Select Tools | Security and Compliance | Agent Settings. Select the  Create a Task option and choose Change Settings.

This will display and Patch and Compliance - change setting task interface. Give the task a name and and under Type | LANDESK Antivirus click on "Keep agent's current settings" to display a drop-down menu of available settings. Select the setting you modified.

Under Task Settings select whether you want it to be a Policy-supported push, policy or push task. The default and recommended option is Policy-supported push.

Select Targets and under Targeted items choose your desired option, select Add and choose your target. In this document, Targeted devices will be used.

Save and start your task.

Step 3: Suspend Full Scan While Device is in Use (Client Side Configuration)

To access the Ivanti AV Client configuration, log into the endpoint you allowed the permissions on and open the Ivanti Antivirus application.

Select the Settings tab | Full Scan and choose Run Mode

This will open a Full Scan interface. Select the Run Mode tab and under Run Mode choose "By Schedule". Ensure "Suspend scheduled scanning when the screensaver is off and the computer is unlocked" is selected. This function will prevent the AVP process from running when your device meets this criteria. You can further adjust the scheduling options to meet your needs, when done, choose "OK".

Step 4: Export Client Settings

Once you have your settings configured on the client, we must now export the configuration(.cfg) file and import the configuration to the core server. To do this conduct the following:

From within the Settings tab choose Advanced Settings and under Managed Settings select Save. Give the .cfg file a unique name and save it on a share accessible by the core server.

Step 5: Import Client Settings to Core

Importing client Antivirus configurations into the Ivanti Management console will provide the ability to push customized *.cfg files to other clients.

Open Agent Settings | LANDESK Antivirus | Advanced Settings | Import Kaspersky settings. Ensure the following options are selected:

• Import settings file from a Kaspersky antivirus client
• use imported scan settings (Full Scan, Critical Area Scan, Custom Scan).

Under "Current configuration imported from" browse to the .cfg file you saved.

Save your setting and create a new change settings task, targeting your desired endpoints.

Description

This document applies to issues where FTP no longer functions after installing LANDESK Antivirus.

Cause

LANDESK Antivirus monitors port 21, in turn causing it to block active FTP.

Resolution

There are two options to resolve this issue. First would be to modify your FTP setup to be passive.

If modifying the FTP setup isn't possible then we need to change on setting on LANDESK AV.

Do this open Agent Settings -> LANDESK Antivirus.

Then open the Protection section and click on settings under Monitored Ports.

Then locate the entry for FTP 21 and delete it.

Finally schedule a settings update to the client and test.

In Security Activity some Items may be appended with a "//JIM" suffix on the end of the path and file name a shown in the photo.

This is normal under some detected items with our antivirus product.  The "//JIM" text means that the malicious object inside the file was detected by the script emulator.

You would re-mediate the file like you would any other type of detection.

Overview

When gathering reports in Security Activity you may run across a field "Computers Not Recently Reporting Antivirus Configuration and Status" and this has an alarming amount of clients that have populated. This refers to the last scan date your Antivirus definitions located in Patch and Compliance. This is not to be confused with Antivirus pattern files that contain detection logic for detecting and removing viruses.

Cause

This information is generated when clients are not scanning AV definitions that are located in Patch and Compliance under the Antivirus type. An example of this would be the definition AV-100. This issue can occur even when those definitions are not present on the core.

Resolution

Doing a Scan for AV definitions clears clients from that area will remove those clients from that list, this can be accomplished one of two ways.

Method 1: Change your Distribution and Patch settings to scan for Antivirus Updates

1. Locate the Patch and Distribution setting the clients are using located in your agent settings.

2. In the setting, on the left side look for and select "Scan options."

3. While having the "Type" radio button selected locate and select the check box labeled "Anitvirus updates."

4. Save your settings.

The next time a client that uses those settings runs a Vulscan it will pull the updated setting down and apply it. Once a Vulscan with those applied settings runs on the client(s) in Security Activity should disappear.

Method 2: Run a local Vulscan with a "/scan=8" switch

1. One the local box do a start menu search "run"

2. Type in the following command "Vulscan /scan=8"

At times an issue with LANDESK Antivirus may require more in-depth analysis and troubleshooting.  LANDESK engineers may request an application runtime trace files for troubleshooting such cases.

These log files contain verbose information that can assist in finding the root cause of an issue.

How to generate an application trace file

Via Command Line

"avp.com traces on | off"

Note. Make sure your user account has administrator permissions.

OR

1. Click Support in the bottom left corner of the main application window.
   
2. The Support window will open, click System tracing. This will open the Information for Technical Support window.
   
3. Click Enable to start generating the trace files.
   
4. Stop LANDESK Antivirus by right-clicking the tray icon and selecting Exit and then restart AV by selecting LANDESK Antivirus from the LANDESK program group.
   
   (If the Exit option does not exist, the following sub-steps should be followed):
     4a. (In order to restart LANDESK Antivirus the following permissions must be set in the LANDESK Antivirus settings in the console and applied to the client):
   
     4b. In order to refresh settings simply refresh settings, select the "Create a Task" (calendar icon) drop-down in the Agent Settings tool, select "Change Settings" and then create a schedule. 
           Alternatively "vulscan /changesettings" can be run from the client command line.  (Add /showui to the command to view the interface while it is running)
   
   
5. Go through the steps that result in the issue observed.
6. Click Disable to stop generating the trace file.

Note. Trace files are created in encrypted form with the .ENC1 extension and unique names: [Application-version]_[Creation_date]_[Creation_time_GMT]_[PID]
          This encryption ensures that the log files can only be viewed by an authorized support or development engineer.            

Where to find the generated trace files

• C:\ProgramData\Kaspersky Lab\

If there is an update task running (downloading pattern files), another log file gets generated in *.ENC format.

By default, the folders containing trace files are hidden. Make sure you have the "show hidden files" setting enabled in Windows or type the path into the File Explorer address bar to be able to access the trace files.

Sending trace files to LANDESK Technical Support

Unless requested otherwise, the following steps should be taken to send the trace files to LANDESK Technical Support:

1. Compress the trace files into a .ZIP format with the filename LANDESKCase#_ldav_trace.zip (Where LANDESKCase# is the numerical LANDESK case number assigned to your incident)
2. Upload the .ZIP file from to ftp://Landesk-public:b8Wk3EECl1Yri5@data3.kaspersky-labs.com
3. Inform the LANDESK Support technician of the exact file name (please include case sensitivity if it differs from the recommendation above).

Trace log detail levels

Typically the default trace level should be used.  Exceptions will be specified by the support technician:

The following trace levels are available (from minimum to maximum details):

• Critical (100). Logs critical errors only.
• High (200). Logs all errors including critical.
• Troubleshooting (300). Logs all errors and warnings.
• Important (400). Logs all errors and warnings, plus additional information messages.
• Normal (500).  Logs all errors and warnings, as well as additional information messages and normal operational data.  (This is the default log level)
• Low (600). Logs all possible messages.

How to delete a trace file

In order to delete the trace files, you should exit LANDESK Antivirus, delete the trace file from the %ProgramData% folder and start the application again.

Useful references

How to troubleshoot LANDESK Antivirus

How to enable / disable trace files generation via registry

Issue

AV definition download on the Core Server fails with "GetBases.exe returned an error code: Update successful, but retranslation failed.(37) (25)"

Cause

Solution

• Check network for performance issues, etc.
• Check free disk space.
• Check rights on the core server.  The rights for the antivirus directories should match the rights of the parent directories (LDLOGON down).
• It may be necessary to delete the following subdirectories to download all bases (pattern files) again.
  • ldlogon/antivirus8/win/basesEP10
  • ldlogon/antivirus8/win/pre.basesEP10
  • ldlogon/antivirus8/win/temp_bases8

If further troubleshooting is needed it is recommended to turn on advanced updater logging and to open a ticket with LANDESK Support:

How to turn on Enhanced Updater SDK logging:

https://community.landesk.com/docs/DOC-27009#jive_content_id_Advanced_Logging_for_the_Updater_SDK_for_troubleshooting_de…

Introduction

Ivanti Antivirus is a sub component of the Ivanti Management suite.  The client side portion uses the Kaspersky Endpoint Security engine but most of the backend processes and controls are Ivanti’s own components. Ivanti Antivirus is a powerful security solution that can be configured and easily managed from the security console.

Licensing

Ivanti Antivirus is a separately licensed product for Management suite.  The first step in using is it to make sure you have purchased and have all the proper licensing in place for it to be enabled and working on your core server and clients.

Antivirus licensing has two parts, core licensing and client licensing.  Core licensing enables the components to actively be installed on clients, used and monitored on the core and to allow the downloading of definitions to the core.  This part of licensing in handled by the Core Server Activation utility.

Client side licensing is a separate “.key” file that gets emailed to you from Ivanti and imported into your core by you using the Console, Antivirus License Information dialog. This license is entirely independent of the Core licensing portion and only activates the client side portion of antivirus and contains an expiration date and information on the number of nodes you purchased.  It does not in any way modify the core’s antivirus licensing or its ability to download definitions.

The client key will expire eventually and you will need to get a new key from Ivanti and import it into the console when it does.

Antivirus Action Center

To access the Antivirus Action Center in the console select Tools > Security and Compliance > Security Activity.  Select the Settings drop down and select Landesk Antivirus Action Center.

This dialog gives the status of the Antivirus setup on the core you can install a new license key, view license information and download definitions from this dialog.

This dialog gives the status of the Antivirus setup on the core.  You can install a new license key, view license information and download definitions from this dialog.  For a more detailed explanation of each item, select the Help button.

Installation

Once your core is licensed and the client key imported, you are ready to begin installing Antivirus. This can be done in four ways.

1. Through a standard Agent deployment and installation from the Core.
2. Through a self-contained Agent executable
3. By creating a Install/Update Security Components Task
4. Running as Administrator the: vulscan.exe /installAV

Command manually on a client.

The installation first checks if an existing antivirus solution is present and attempts to remove it if possible. Afterwards, two components get installed during installation. The first is the Kaspersky Engine and GUI that gets rebranded to Ivanti Antivirus and the second is the Ivanti Antivirus service which handles the settings, updating and scanning and controls the GUI.  Installation handles the both on its own.  The client device will likely need rebooted to finish installation of Antivirus and in a few cases when updating an existing installation or removal of another antivirus solution sometimes a second reboot is needed.

Download Definitions On The Core

You can have the core be a central repository for the virus definitions or you can have the clients go right to the internet and download.  To start downloading Antivirus Updates Definitions on the core select Tools > Security and Compliance > Patch and Compliance and double-click on the Download Updates icon located on the menu bar.

This will open the Download Updates interface, ensure the Updates tab is selected.

The Landesk Antivirus tab in the same dialog has more options for antivirus.

Agent Settings

In Agent Settings under Security, Landesk Antivirus is where you will create the settings to configure antivirus on your clients.  In the settings, you can configure what antivirus components are enabled or disabled, how much bandwidth and CPU usage it will use as well as how updates to definitions and when to run scans are configured.

As you are creating or modifying agent settings use the help button for more in-depth explanation of what each does and how to configure it.

Security Activity

The Security Activity tab in the console is where you will monitor Antivirus activity.  To open it Select Tools > Security and Compliance > Security Activity. In here you can see which clients have outdated pattern files(definitions), the status of their license and virus activity can be view by device or by infection.

Additional Information and Getting Started Documentation:

Getting Started - https://community.ivanti.com/docs/DOC-39373

Antivirus/Antispyware General Information - https://community.ivanti.com/community/landesk/systems/antivirus

Description:

This document contains the list of applications and files that need to be excluded/trusted for LANDESK to function properly if you aren't using LANDESK AV.

If you are using LANDESK AV, these exclusions are already made for you.

For information about AV exclusions on the core server, see this doc: About Antivirus exclusions (exceptions) for the LANDESK Core Server

These are the files that need to be added as exclusions and as trusted applications.

32 bit:

• C:\Program Files\LANDesk\LDClient\FindMBDevice.exe
• C:\Program Files\LANDesk\LDClient\GatherProducts.exe
• C:\Program Files\LANDesk\LDClient\HPScanner.exe
• C:\Program Files\LANDesk\LDClient\issclipexec.exe
• C:\Program Files\LANDesk\LDClient\issuser.exe
• C:\Program Files\LANDesk\LDClient\LDpcu.exe
• C:\Program Files\LANDesk\LDClient\LDCSTM32.exe
• C:\Program Files\LANDesk\LDClient\lddetectsystem.exe
• C:\Program Files\LANDesk\LDClient\LDISCN32.exe
• C:\Program Files\LANDesk\LDClient\LDProvisionSecureErase.exe
• C:\Program Files\LANDesk\LDClient\LDsensors.exe
• C:\Program Files\LANDesk\LDClient\LDUrlMonInject64.exe
• C:\Program Files\LANDesk\LDClient\LocalSch.exe
• C:\Program Files\LANDesk\LDClient\policy.sync.exe
• C:\Program Files\LANDesk\LDClient\rcgui.exe
• C:\Program Files\LANDesk\LDClient\restartmon.exe
• C:\Program Files\LANDesk\LDClient\SDCLIENT.exe
• C:\Program Files\LANDesk\LDClient\SDISTPS1.exe
• C:\Program Files\LANDesk\LDClient\softmon.exe
• C:\Program Files\LANDesk\LDClient\startasuser.exe
• C:\Program Files\LANDesk\LDClient\vulscan.exe
• C:\Program Files\LANDesk\LDClient\HIPS\EncArchive.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\HipsClientConfig.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\LDEncrypt.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\LDSecSetup32.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\LDSecSetup64.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\VigAlert.exe
• C:\Program Files\LANDesk\LDClient\ HIPS\VIGUARD.exe
• C:\Program Files\LANDesk\Shared Files\residentAgent.exe
• C:\Program Files\LANDesk\Shared Files\serviceHost.exe

64 bit

• C:\Program Files (x86)\LANDesk\LDClient\FindMBDevice.exe
• C:\Program Files (x86)\LANDesk\LDClient\GatherProducts.exe
• C:\Program Files (x86)\LANDesk\LDClient\HPScanner.exe
• C:\Program Files (x86)\LANDesk\LDClient\issclipexec.exe
• C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDpcu.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDCSTM32.exe
• C:\Program Files (x86)\LANDesk\LDClient\lddetectsystem.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDISCN32.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDProvisionSecureErase.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDsensors.exe
• C:\Program Files (x86)\LANDesk\LDClient\LDUrlMonInject64.exe
• C:\Program Files (x86)\LANDesk\LDClient\LocalSch.exe
• C:\Program Files (x86)\LANDesk\LDClient\policy.sync.exe
• C:\Program Files (x86)\LANDesk\LDClient\rcgui.exe
• C:\Program Files (x86)\LANDesk\LDClient\restartmon.exe
• C:\Program Files (x86)\LANDesk\LDClient\SDCLIENT.exe
• C:\Program Files (x86)\LANDesk\LDClient\SDISTPS1.exe
• C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
• C:\Program Files (x86)\LANDesk\LDClient\startasuser.exe
• C:\Program Files (x86)\LANDesk\LDClient\vulscan.exe
• C:\Program Files (x86)\LANDesk\LDClient\HIPS\EncArchive.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\HipsClientConfig.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\LDEncrypt.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\LDSecSetup32.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\LDSecSetup64.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\VigAlert.exe
• C:\Program Files (x86)\LANDesk\LDClient\ HIPS\VIGUARD.exe
• C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
• C:\Program Files (x86)\LANDesk\Shared Files\serviceHost.exe

Mac Antivirus Basic Setup, Configuration and Installation

Core Definition Download

The core downloads definition updates for Macs just like it does for Windows PCs Antivirus.  These in-turn get downloaded to the Mac clients based on the agent settings you define for your clients.  To start downloading Mac Antivirus Updates Definitions on the core select Tools > Security and Compliance > Patch and Compliance and double-click on the Download Updates icon located on the menu bar.

This will open the Download Updates interface, ensure the Updates tab is selected.

Mac Antivirus Definition are located under Mac > Security > Antivirus. You will see the Ivanti AntivirusUpdates checkboxes.  Check the definition version(s) you need and Apply at the bottom of the dialog to make the selection applicable.

You can also download the definitions manually on the Landesk Antivirus tab by clicking the Get Latest Definitions button, making the selections and clicking Ok.

Installation and Removal

Installation and removal of the Mac Antivirus agent can be configured on the core.  Mac Antivirus can be installed when the agent gets installed by selecting the Landesk Antivirus option in the agent configuration.  This security feature will only be available if you are licensed for it.

Mac Antivirus can also be installed or removed through a security change task in the Security Activity tool. The Security Activity tool can be found by selecting Tools > Security and Compliance > Security Activity.

These items create a scheduled task that you can add devices to individually or by scope or query.

Agent Settings

Mac Antivirus settings are configured in Agent Settings > Security > Landesk Antivirus – Mac. Here, you can open an existing antivirus agent setting or create a new one. 

The following section will outline the properties of the Mac Antivirus agent settings.  To view the settings right click on an agent setting and select Properties. 

The General area just allows you to name your setting.  The Protection area allows you to specify what protection runs on the end clients and options on how they run.  Protection Scope here allows you to set what gets monitored through the drivers detected. By checking a box in this dialog, it enables monitoring on devices that use those drivers on the Mac.

You can also add exclusions to the Network Attack Blocker.  This is done by clicking the Exclusion button and entering the IP addresses that you want to exclude from being monitored

The Virus Scan area allows you to setup and configure Full Scans and Critical Area Scans, how they behave on the devices and schedule when they run.  The Help button can be accessed here for more detailed information on each item in the window to help you determine what options you want enabled or disabled on the clients.

The Threats area gives you options as to what malware is detected. Again, the Help button gives greater detail as to each of the options available.

In the Update area lets you define how and where you get definition updates, ether from the Core, Preferred Server or Internet directly. Checking the Update box and clicking the Change Schedule allows you to define when and how often the clients update definitions.

Important:  Due to the way the local daemon runs on the Mac OS as designed by Apple, Mac Antivirus will only update if a user is logged in.  The device can be locked, but a user must be logged in, for Mac Antivirus to download updates.

The Reports area allows configuring of how many days’ items are kept in the reporting section on the clients.  The Appearance area allows configuration of notifications and if you want an icon displayed on the menu bar on the mac clients.

Important:  Some settings you configure with agent settings will not be displayed in the Kaspersky GUI on the Mac client.  The most notable is the message that Automatic Updates are disabled.  Updates on the Mac are handled through a different mechanism other than the Kaspersky GUI so our agent settings can get them from a core instead of the internet and as such automatic updates are disabled directly in the GUI itself.

Please see the overall Supported Platforms and Operating Systems matrix.

Question:

How do I remove quarantined files from a LANDesk Antivirus client.

Answer:

Quarantined virus files are stored on the client computer in the following location:

     Windows 2000/XP/2003: C:\Documents and Settings\All Users\Application Data\LANDeskAV\Quarantine

     Windows Vista/Windows 7/Server 2008: C:\ProgramData\LANDeskAV\Quarantine

Quarantine files have a .QAR extension.

These files can be removed from this directory even while LANDesk Antivirus is running without any ill effect.

They can be removed through the LANDesk Client GUI by clicking the Antivirus shield icon, and then clicking "Show details" next to the Quarantined Items section.

To remotely remove these files, a script should be written to delete *.QAR from the remote Quarantine directory on the client.

A script can be written using a batch file, a LANDesk script, or other means.

This article details the troubleshooting steps for LANDESK Antivirus.    For high level training it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management

LANDESK Antivirus Installation

Three different methods can be used to install LANDESK Antivirus on a client.

Installed as part of the Agent installation

1. Select LANDESK Antivirus component within the Agent Configuration - Start - Agent Components to Install section.
2. Configure desired settings within the Agent Configuration - Security and Compliance - LANDESK Antivirus section.

Installed through an Install/Update Security Components task Open the Agent Settings tool within the LDMS console.

1. Select the Create a Task dropdown and select Install/Update Security Components.
2. Select desired Task Type, Select LANDESK Antivirus Components to Install, select desired Task Options, and desired reboot options (Controlled through Scan and Repair Settings)
   
   
   Note: If experiencing installation issues, you can select the box "Troubleshoot LANDESK Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.

Run "vulscan /installav" from the command line of a client computer

If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui")

Installation files

• Bases.cab - Antivirus Bases (Pattern files)
• Cleaner.cab - rules for detection of incompatible software
• Incompatible.txt - list of incompatible software
• Kes10SP1MR2_en.msp - MR2 patch
• Kes10win.msi - MSI Installation package

Files not used by LANDESK Installation of Kaspersky Antivirus

• aes_encryption_module.msi
• Kes10win.kpd
• Kes10win.kud
• klcfginst.exe

Installation log files

Most installation failures will be logged within the LDAV_INSTALL.LOG or in the KL*.log.  Installation activity is also recorded to the Security Activity tool within the LDMS console. 

The Windows Event viewer will show the following type of events as well:

Doing a "Find" in the Event Viewer logs for "LANDESK" or "Kaspersky" can also be useful for finding successes or failures.

Possible Installation issues

• Insufficient Memory - Install failures due to insufficient memory requirements can be viewed in the Security Activity Tool in the LDMS console and in the MSI_Install.log file

See Kaspersky Endpoint Security 10 for Windows (for workstations)

• Conflicting 3rd Party Software
  

During installation, LANDESK Antivirus will detect the presence of incompatible 3rd-party software.  LANDESK Antivirus utilizes the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL.  If conflicting software is found during the LANDESK Antivirus installation, one of two events will occur:

Conflicting software will be automatically removed - List of applications incompatible with Kaspersky Endpoint Security 10 for Windows

Installation will fail - Install failures due to incompatible software are viewable in KL*.log.

General Troubleshooting Flowchart

(Click for full size)

When the flowchart refers to "KES" this is referring to Kaspersky Endpoint Security and is interchangeable with "LDAV"

Troubleshooting System Watcher

At times it becomes necessary to troubleshoot system watcher.   System watcher is a vital component of LANDESK Antivirus and generally should not be disabled.

The following flowchart shows details about troubleshooting this antivirus component:

   (Click for full size)

Troubleshooting Compatibility Issues

1. Pause LDAV protection by clicking «Pause protection and control...» in LDAV tray menu.
2. Try to reproduce problem.
   1. If problem is still reproduced, go to step 3.
   2. If problem is not reproduced anymore, restore LDAV protection and start turning off LDAV protection components one-by-one.
   3. Check whether issue persists after each step. Aim is to find faulty component. When component is found, gather traces with only this component enabled.
3. Stop LDAV service by clicking «Exit» in LDAV tray menu.
4. Try to reproduce problem.
   1. If problem is still reproduced, go to step 5.
   2. If problem is not reproduced, start LDAV and gather traces with all components disabled
5. If you got to this step, this is a driver issue. Our aim is to find faulty driver. LDAV drivers are located in «C:\Windows\System32\drivers» folder.
6. Disable LDAV self-defense. Then start disabling LDAV drivers by renaming them (you can change its extension from .sys to .bak, for example).
7. Rename drivers one-by-one, reboot machine after each step and then check whether issue persists or not.

Please note, that drivers should be disabled in the following sequence:

Uninstalling LANDESK Antivirus

The following methods can be used to uninstall LANDESK Antivirus:

1. Schedule a "Remove Security Components" task from within the Security Activity tool in the LANDESK Console.  Select "LANDESK Antivirus" as a component to remove.
2. Run "vulscan /removeav" from the client command line
   

If this fails it may be necessary to run the following:

• Kaspersky Antivirus removal tool

The KAV Removal tool should be used in case uninstallation by other methods fail or there is suspicion that there are leftovers from previous installations.

KAVRemover automatically detects the installed Kaspersky product.   If detection fails the "-nodetect" command line switch should be used.

It is recommended to run KAVRemover in Safe Mode

Log files for Antivirus uninstall

• %TEMP%\MSIXXXX.log
• kl-update-YYYY-MM-DD-HH-MM-SS.log

The kl-update-yyyy-mm-dd-hh-mm-ss.log files will be picked up by GetSystemInfo if run.  The MSI log must be gathered manually.

Product Activation

How to troubleshoot LANDESK Antivirus license issues

Directories

• C:\ProgramData\LANDESKAV - Main directory for LANDESK Antivirus log files
• C:\ProgramData\Kaspersky Labs - Directory for Kaspersky trace files
• C:\Program Files (x86)\landesk\ldclient\antivirus - Main directory for LANDESK Antivirus service
• C:\Program Files (x86)\landesk\ldclient\antivirus\install - Used to install LANDESK Antivirus and rebrand Kaspersky Endpoint Security
• C:\Program Files (x86)\landesk\ldclient\antivirus\temp_bases8 - Used to update pattern files
• C:\Program Files\ (x86)landesk\ldclient\antivirus\kav - Kaspersky Endpoint Security files
• C:\ProgramData\Kaspersky Lab\KES10\Bases - Pattern files directory for Kaspersky Endpoint Security 8.
• C:\Program Files\LANDESK\LDClient\Antivirus\KAV\Patches - Directory where Kaspersky patches are stored.  Look here to see if patches have been downloaded.

Files

Registry Keys

Drivers Location

All of the drivers are stored in C:\Windows\System32\Drivers

There are typically six drivers:

• KLELAM.SYS
• KL1.SYS
  
• KLFLT.SYS
  
• KLIF.SYS
• KLWFP.SYS
• KNEPS.SYS
  

LANDESK Antivirus Database Tables, Inventory Information and Security Activity

LANDESK Antivirus: Database Tables, Inventory Information, and Security Activity

Settings

The LANDESK Antivirus scanner, as with the LANDESK Security vulnerability scanner, uses an XML file to configure its behavior.  Antivirus Settings files are stored in C:\ProgramData\Vulscan\KLBehavior_<id>.xml

The following registry key value indicates the ID of the AV behavior being used:

• Key: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan  DWORD Value: KLBehavior

Antivirus Settings XML files can be updated using a Scheduled Task on the core; or they can be updated automatically according to the same schedule that vulscan uses to update its own Agent Behaviors.  In order to refresh settings, a Change Settings Task can be created on the Core Server.  In order to simply refresh settings, select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule.  Alternatively "vulscan /changesettings" can be run from the client command line.  (Add /showui to the command to view the UI while it is running)

Settings that cannot be configured through LANDESK Management Suite

Currently all settings available within the client side LANDESK Antivirus GUI (Kaspersky Endpoint Security 10) cannot be configured using LANDESK Management Suite.  In order to utilize settings not available within the LANDESK Antivirus Settings within the LANDESK Management Suite Console, the following document outlines steps can be performed: 

How to import Kaspersky Agent settings to the LDMS Agent settings on the Core

Tasks

Scheduled tasks for Update, Full, and Critical Areas scans are created via Local Tasks. It will not create a task within LANDESK Antivirus.  As a result, the tasks within the Client UI will show "Manually".

To view the LANDESK Local Scheduled tasks from the LDCLIENT directory run LocalSch.exe /tasks | more 

Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (Recommended update frequency is daily, before the daily scan)

Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (Recommended scan frequency is daily, after pattern files have been updated)

Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (Recommended scan frequency is weekly)

Gathering logging information for LANDESK support

Standard Log Files

• C:\ProgramData\LANDESKAV\*.log
• C:\ProgramData\LANDESK\Log\*.log
• C:\ProgramData\vulscan\installav*.log
• C:\ProgramData\Kaspersky Lab\*.log
• C:\Windows\Temp\KL*.log, %TEMP%\KL*.log,
• C:\Windows\Temp\Ucaevents.log, %TEMP%\Ucaevents.log
• C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log
• C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log

GetSystemInfo Report

GetSystemInfo Utility Download

1. Extract the downloaded GetSystemInfo Utility .ZIP file
2. Run GSI.EXE that you extracted from the .ZIP file
3. Click the button green "Play" button to start gathering the report.
4. Wait until the utility has completely scanned the system.  (This make take quite some time)
5. Click OK to confirm the creation of a report.

A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.  Attach this report to your created case, or e-mail it to your LANDESK Support technician.  The GetSystemInfo report can then be reviewed and further analyzed by doing the following:

1. Browse to http://www.getsysteminfo.com/
2. From the GetSystemInfo web site click "Choose file" and then browse to the previously gathered GetSystemInfo log file and upload it to the site.
3. After uploading the file you can analyze it yourself.
   
4. This will bring up a tabbed interface with various information:
   

Trace Log Files

The following article contains detailed information for gathering trace log files: How to gather trace log files for LANDESK Antivirus

Antivirus client configuration export

At times it may be required to export the configuration from the Antivirus client.   The following is the procedure to do so:

How To: Import/Export Kaspersky Agent Settings

Advanced Logging for the Updater SDK (for troubleshooting definition download issues)

1. Copy the attached UPDSDK.XML to the \ManagementSuite\LDLogon\Antivirus8 folder on the core server.

2. Download Antivirus pattern files

This will create an UpdaterSDK7.log file in the managementsuite folder.

Memory dump

In case of a blue screen, a memory dump will need to be gathered.

1. Right-click "My computer" and choose "Properties"
2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Complete memory dump"
4. Make note of the path that the MEMORY.DMP file will be saved to.
5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.
   
   

A complete memory dump must be supplied, a mini dump does not supply sufficient information.

See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.

Submitting files for investigation by Kaspersky

How to report undetected viruses or false positives to LANDESK

Often it is necessary to turn off System Restore.  This is especially true when a system has had the Restore Points compromised or corrupted due to malware.

(Thanks to user Zman for this tip)

For additional information regarding System Restore please see the following Microsoft article:

http://support.microsoft.com/kb/831829

Statement:

Here you will find official statement from Kaspersky about Bad Rabbit ransomware: https://securelist.com/bad-rabbit-ransomware/82851/.

Recommendations from Kaspersky:

Kaspersky Lab corporate customers are also advised to:

• make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
• update the antivirus databases immediately.

The abovementioned measures should be sufficient. However, as additional precautions we advise the following:

• restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
• configuring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.

Kaspersky Lab products detect this threat with the following verdicts:

• Trojan-Ransom.Win32.Gen.ftl
• Trojan-Ransom.Win32.BadRabbit
• DangerousObject.Multi.Generic
• PDM:Trojan.Win32.Generic
• Intrusion.Win.CVE-2017-0147.sa.leak

Description

Resolution

Submit a request to Ivanti Customer Support to have detection and remediation content added so that the spyware is properly detected and removed.

Process for submitting requests for Spyware content:

In order for Ivanti to add this undetected spyware the following process must be followed:

1. If possible, the actual install executable that downloaded and/or installed the spyware.
2. The executable that was installed on the computer. You can usually find this by looking in the running processes. Spyware generally takes up an unusual amount of memory or CPU usage.
3. Any additional information about the suspected spyware. please include any information that you know.
   
   
   • A description of how it is installed, a website, email, or as part of a different installation.
   • A description of what it does: Does it launch additional sites?  Does it download other applications?  Etc.
   • A description of any malicious behavior, processor utilization, file corruption, etc,
   • Any other other observations.
     
     
4. Compress any files that you collected in .ZIP format and password protect it with the password "infected".
5. Upload the files to ftp://ftp.landesk.com/spyware
6. Call LANDESK Support and create a support case. They will need to know the name of the file you uploaded.  In addition please provide a detailed description of the issue.

Our team will make a thorough assessment of the submitted information to determine if they should be identified and removed.

How to fix "Databases are Corrupted", "Databases are extremely out of date", and "Malfunction" errors

Table of Contents

"Databases are Corrupted" & "Databases are extremely out of date"

On a single machine

1. Open and administrative command prompt
2. Run the following commands:
   • cd\ - press Enter
   • cd "Program Files (x86)\LANDesk\LDClient\Antivirus" - press Enter
   • ldav.exe /updatefrominternet - press Enter

You should see activity in the GUI for your AV client, as seen below:

Once the update has finished, the error should be gone as seen below:

On multiple clients

1. On your core, go to the ManagementSuite\ldlogon\avclient\install\setup directory and rename the “bases.cab” file to bases.cab.old.

    2. Re-initiate a download of the AV definitions from your Patch Manager (this will rebuild the bases.cab file on your core)

    3. In your Security Activity section (Tools->Security and Compliance->Security Activity), create a new "LANDESK Antivirus task..." that updates the definitions without a scan. Next, configure a new Antivirus setting. Leave everything here set to default, but change the update source to "Internet Only". Name the setting and save it - but be sure to remember this name. Once you have saved it, select that setting from the list and hit the "Use selected" button in the bottom right. At this point, give the task an appropriate name and hit Save. This will create a Scheduled Task with that name. Schedule the task like any other task you would build out and assign machines to it accordingly. Remember, the settings we're using for this task ONLY apply to this particular task - they will not be used from this point forward...just one time for this task and then be discarded.

"Malfunction" error in AV Components

On occasion, AV components may malfunction. They will show in the GUI as seen below:

If you see this behavior on a single machine, please follow the steps in the "On a single machine" section above. You will want to reboot the machine once this has completed.

If you see this on multiple machines, follow the instructions from Step 3 in the "On multiple clients" section above. You will want to schedule reboots for the machines once this has successfully ran on the targeted clients.

Issue

With Ivanti Antivirus installed a Web Application is not working

Cause

Typically this is caused by a port being monitored by Ivanti Antivirus that the web application is using even though the application has been added to the trusted application list and by adding the URL to the trusted list.

Resolution

Change the monitored ports settings from "Monitor all ports" to "Monitor selected ports" ("Monitor selected ports is set by default") and then remove the port number that the web application uses.

This is done by doing the following steps:

1. Open the Agent Settings tool in the Ivanti Endpoint Manager console.
2. Move to the Security node in the tree on the left and expand it.
3. Select "Ivanti Antivirus" and then select the Antivirus setting you wish to Edit.
4. Go to the "Protection" section of the setting and then change the radio button under "Monitored" ports in the bottom right-hand section of the window.

If all computers do not use this web application you can create a separate Ivanti Antivirus setting with the ports change and deploy that only to clients that use that web application.

This document lists the tables in the Ivanti EPM Database that are related to the Ivanti Antivirus product:

Within this document you can click the images for a full-size version.

The following are the tables used for Ivanti Antivirus:

Antivirus table

The information from this table shows up in the Antivirus Licensing information in the Ivanti Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool.  This table records the inventory information for not only the Ivanti Antivirus product but also for other 3rd party Antivirus products.  This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the Ivanti Antivirus Service.  This information is sent under the following conditions:

• After AV installation
• After activating with a new license
• After a scanning task is done
• After pattern files are updated

In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.

When this information is sent to the core it will log into the LDAV.LOG as "("Submitting all Antivirus table information...")

For an Inventory Scan this information is gathered through LDAVHLPR.DLL.  Periodic updates of this .DLL are provided within Ivanti Patch Content to support gathering information on newer versions of Antivirus Software.  The information gathered can from each 3rd party vendor can vary.  Some information may not be applicable or available to gather through the Ivanti Inventory or Patch and Compliance scan processes.

This information shows up in the Inventory of a client in this manner:

This table consists of the following columns:

AntivirusPatches table

This table lists the patches for the Antivirus product that are installed on the client.

This information is sent to the Core when an Inventory Scan runs.

This shows up in the Client Inventory in this location:

The LANDESK Antivirus service logs patch information every time it starts during the initialize period to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches and it then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches

InfectedFiles table

This information shows up in the Security Activity tool under Ivanti Antivirus - Infections by Computer, and Ivanti Antivirus - Infections by Virus

This table consists of the following columns:

QuarantinedFiles table

This information shows up in the Security Activity tool under Ivanti Antivirus - Quarantined Infections by computer and Ivanti Antivirus - Infections by virus

This table stores both information about files that have been Quarantined or files that have been moved into the Backup folder.

This table consists of the following columns:

This information shows up in the Inventory of the client under Security - Quarantined Files.  Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus

SecurityAction table

This information shows up in the Security Activity Tool under Ivanti Antivirus - Activity, Activity by computer, and activity by virus.  In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.

The information in this table makes up most of the Ivanti Antivirus information shown in the Security Activity tool.  This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.

The exception would be the licensing information which is stored in the Antivirus table and is sent by the Ivanti Antivirus Service on the client WSVulnerability web service on the core server.

The following are the codes returned to the core server and their meanings:

TrustedItem table

Trusted items are a list of objects that Ivanti Antivirus does not monitor or control.  This list is populated with a list of Ivanti EPM client files at the time of Ivanti Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.

You can add a trusted item and it will block Ivanti Antivirus access to that item, however you must be very sure that it does not represent any threat.

On the client side these are the entries from the Exclusion Rules or Trusted Applications

This information shows up in the Inventory of the client under Security - Trusted Items.  Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status

Antivirus Functions included in server installs

• File Anti-Virus
• Firewall
• Network Attack Blocker

The following components are not included on server installs:

• Mail Anti-Virus
• Web Anti-Virus
• IM Anti-Virus
• System Watcher

Mail, Web, IM, and System Watcher will appear disabled in the local UI on clients.

Antivirus Exclusions

Ivanti Antivirus should be carefully tested before applying to your production servers.

Ivanti Antivirus is intended to protect the server and its file system.  It is not designed to scan server applications like Microsoft Exchange.  Application servers typically need exclusions added to prevent Ivanti Antivirus from negatively affecting server performance.

If your server's application is not listed there, it is recommended to get a list of exclusions from the application's Vendor.

Ivanti also has its own list of exclusions if applying Ivanti Antivirus to a core server: About Antivirus exclusions (exceptions) for the Ivanti EPM Core Server