Channel: Ivanti User Community : Document List - Antivirus and Antispyware

LANDesk Antivirus false positive virus detection submission process


Description

Sometimes new virus definitions will detect legitimate files as a virus. These are called "False Positives".

 

For further information on how to recover if this false positive is causing issues in your environment, see this article.

 

In order for the definition to be adjusted, the "False Positive" must be reported and sent to us immediately.

 

How to report and send a False Positive

If one or more files are being identified as a False Positive, make sure that all infected machines are scanning with the latest definition files before submitting the file(s) for analysis. Once all machines have been scanned with the latest definition files, follow the steps outlined below to have the infected files analyzed.

 

For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.

 

  1. Open a Management Suite console

  2. Go to Tools | Security | Security and Patch Manager

  3. Expand Settings

  4. Click on LANDesk Antivirus

  5. Double click on the Antivirus settings the client is using.

  6. Click on Real-Time Protection

  7. Check the Allow user to disable Realtime scanning for up to ___ minutes option

  8. Click on Quarantine/Backup

  9. Check "Allow user to restore suspicious objects" and "Allow user to restore infected objects and risky software"

  10. Click Ok

  11. On the client, click Start | Run

  12. Type Vulscan /changesettings /showui. This will download the setting changes you made.

  13. Click Start | Run | LANDesk Management | LANDesk Antivirus

  14. Click Disable next to Real-Time Protection

  15. Click View details next to Quarantine or Backup depending on where the file is located.

  16. Take note of the original location.

  17. Highlight the file.

  18. Click Restore.

  19. Click Restore File.

  20. Collect the file(s) from the Original Location and compile them into a password protected .ZIP file.

  21. Compile the "infected" file(s) into a password-protected .ZIP file. Name the file "FalsePositive(UniqueName).zip" (where "UniqueName" is a filename of your choosing).

    IMPORTANT!

    The file must be password protected with a password of "infected". The compression type must be .ZIP. Other compression types will not be accepted. The file should not be a self-extracting zip file.

  22. Place the file on LANDESK's site: http://avdrop.landesk.com/

  23. Contact LANDESK Support, open a Support Incident, and provide the name of the sample file uploaded to the ftp site. (Case sensitive)

  24. Revert the changes made in steps 1-10.

  25. Current virus definition release activity can be viewed here: http://www.kaspersky.com/viruswatchlite?

Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.
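A pre-upload check for the packaging rules in step 21, as an added example that is not part of the original article or of any LANDESK tooling. The names `check_submission` and `_constructed_zip` and the sample data are assumptions; the check covers the file name, the plain .ZIP format and the per-entry encryption flag, and does not verify that the password is "infected".

```python
import io
import re
import zipfile

# Naming convention from step 21: FalsePositive(UniqueName).zip
NAME_RE = re.compile(r"^FalsePositive\([^()/\\]+\)\.zip$")


def check_submission(filename, data):
    """Return a list of problems; an empty list means the archive looks acceptable."""
    problems = []
    if not NAME_RE.match(filename):
        problems.append("name is not FalsePositive(UniqueName).zip")
    # Self-extracting archives are Windows executables and begin with "MZ".
    if data[:2] == b"MZ":
        return problems + ["self-extracting archive"]
    # A plain, non-empty ZIP begins with a local file header signature.
    if data[:4] != b"PK\x03\x04":
        return problems + ["not a ZIP archive"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return problems + ["corrupt ZIP archive"]
    # Bit 0 of the general-purpose flags marks an entry as encrypted.
    for info in files:
        if not info.flag_bits & 0x1:
            problems.append("entry not password protected: " + info.filename)
    return problems


def _constructed_zip(encrypted):
    """Constructed sample: a one-entry ZIP. With encrypted=True only the
    header flag is set (the data is not really encrypted), which is enough
    to exercise the checker offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.exe", b"constructed test bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 8 of the central directory header.
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)


if __name__ == "__main__":
    name = "FalsePositive(acme-tool).zip"  # constructed file name
    print(check_submission(name, _constructed_zip(True)))
    print(check_submission(name, _constructed_zip(False)))
```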

 

LANDesk Support Contact information

