Best Known Methods for LANDesk Anti-Virus and Spyware
Interchange 2010
Stewart Christensen
Solutions Architect
October 11, 2010
LANDesk Software Confidential
LANDesk® Solutions
[Slide graphic: LANDesk product areas] Power & Infrastructure Management; Virtualization Management; Systems Lifecycle Management; Management Automation Platform; IT Service Management; Endpoint Security & Compliance; Asset Lifecycle Management
New! LDAV SDK 8 Key Benefits
State-of-the-Art Protection
“Generic” malware detection
› Detects “families” of malware with a single signature
› Effective in detecting many new threats without an updated signature
Advanced heuristics (behavioral) module
› Emulates the malware object’s execution in a secure virtual environment
› Discovers and blocks suspicious actions typical of malware behavior
Powerful Engine
Updatable AV Engine – the engine version is now concurrent with the signature date
DeepUnpack technology
› Better handling of compressed objects (.zip, etc.)
› Largest number of packer and archive formats supported (~4000)
› Multi-volume archive processing/detection
› Increased processing speed
Performance
Optimized AV Database
Native multi-threading support
Scanning of startup objects
LANDesk Antivirus 9 – Supported OS
Desktop Operating Systems | Server Operating Systems
Windows XP Professional SP2, SP3 | Windows 2003 Server Standard, Enterprise SP2 (32-bit) (SP1 is not supported)
Windows XP Professional x64 Edition SP2 | Windows 2003 Server Standard, Enterprise SP2* (64-bit) (x64) (SP1 is not supported)
Windows Vista Business/Ultimate/Enterprise SP2 (32-bit) | Windows Server 2008 SP2 (32-bit)
Windows Vista Business/Ultimate/Enterprise SP2 (64-bit) (x64) | Windows Server 2008 SP2 (64-bit) (x64)
Windows 7 Business/Ultimate/Enterprise | Windows Server 2008 R2 (32-bit)
Windows 7 Business/Ultimate/Enterprise | Windows Server 2008 R2 (64-bit) (x64)
Note: LDMS 9 drops support for Windows 2000 and adds support for Windows 7 and Server 2008 R2.
http://community.landesk.com/support/docs/DOC-5685
LANDesk Antivirus – Pattern file updates
“Get latest definitions” is only available on the core, not on remote consoles.
http://community.landesk.com/support/docs/DOC-6842
Antivirus – Core Pattern File Updates
Uses Kaspersky Updater SDK 8.
LDMS 9 definitions are stored under LDLogon\Antivirus8\win\Bases8.
LDMS 8.x definitions are stored under LDLogon\Antivirus\Bases.
The bases format on the core differs from the client format due to a restriction in the Updater SDK. LDDWNLD downloads the files from the core (or a peer) from ldlogon\win\antivirus8\bases8\ to ldclient\antivirus\temp_bases8\landesk; AVService then calls the Updater SDK 8 to update the files from ldclient\antivirus\temp_bases8 to antivirus\bases8.
New utility: Getbases.exe
› Compares files on the source and destination and downloads only the delta, which significantly decreases update time and saves traffic. If the update fails in the middle, it can roll back to the prior definitions.
› Getbases.exe creates LDBasesInfo.xml, which contains the definition date/time in Moscow time.
› Getbases.exe logs to Getbases.exe.log under the ManagementSuite\Log directory.
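The delta-plus-rollback strategy the slide attributes to Getbases.exe, as an added model written for this page. It is not Getbases.exe's code: it hashes files on both sides, copies only the ones that differ, and restores the previous definition set if the copy is interrupted. The directory names and sample files are constructed for the demo.

```python
"""Delta sync of definition files with rollback on failure (added example,
independent of Getbases.exe).  Directory and file names are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bases files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compute_delta(source: Path, dest: Path) -> List[str]:
    """Relative paths of files that are missing in dest or differ by content."""
    delta = []
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        dst_file = dest / rel
        if not dst_file.exists() or file_digest(src_file) != file_digest(dst_file):
            delta.append(rel)
    return delta


def apply_update(source: Path, dest: Path, fail_after: Optional[int] = None) -> Dict:
    """Copy only the delta into dest; restore the previous set if anything fails.

    fail_after is a test hook: raise after that many files have been copied,
    to simulate an interrupted download.
    """
    dest.mkdir(parents=True, exist_ok=True)
    delta = compute_delta(source, dest)
    backup_root = Path(tempfile.mkdtemp(prefix="bases_backup_"))
    snapshot = backup_root / "prev"
    try:
        # Snapshot the current definition set before touching it.
        shutil.copytree(dest, snapshot)
        copied = 0
        for rel in delta:
            if fail_after is not None and copied >= fail_after:
                raise IOError("simulated download interruption")
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, target)
            copied += 1
        return {"status": "updated", "files_copied": copied, "delta": delta}
    except Exception as exc:
        # Roll back: discard the partial update and restore the snapshot.
        shutil.rmtree(dest, ignore_errors=True)
        shutil.copytree(snapshot, dest)
        return {"status": "rolled_back", "error": str(exc), "delta": delta}
    finally:
        shutil.rmtree(backup_root, ignore_errors=True)


def demo(fail_after: Optional[int] = None) -> Dict:
    """Build a constructed core/client pair in a temp dir and run one update."""
    root = Path(tempfile.mkdtemp(prefix="ldav_demo_"))
    source, dest = root / "core_bases8", root / "client_bases8"
    source.mkdir()
    dest.mkdir()
    # Constructed sample files: one unchanged, one changed, one new on the core.
    (source / "base001.avc").write_bytes(b"same")
    (dest / "base001.avc").write_bytes(b"same")
    (source / "base002.avc").write_bytes(b"new-signatures")
    (dest / "base002.avc").write_bytes(b"old-signatures")
    (source / "base003.avc").write_bytes(b"brand-new")
    result = apply_update(source, dest, fail_after=fail_after)
    result["dest_files"] = {p.name: p.read_bytes() for p in sorted(dest.iterdir())}
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(fail_after=1))
```

Only the two changed files are copied in the normal run; in the interrupted run the client ends up with exactly the definition set it started with, which is the property that matters when an update dies half-way.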
Antivirus – Core Pattern File Updates
An option is available to also update the virus definitions for LANDesk AV 8.x. This option is checked by default. UpdateVirusDefinitions.exe is still used to update the 8.x definitions. The 8.x definitions are not updated using the Kaspersky Updater SDK, so they are stored in the format the client uses, in LDLogon\Antivirus\Bases.
We do not provide backup, restore, or pilot options for 8.x definitions. We simply overwrite the files in LDLogon\Antivirus\Bases every time we run UpdateVirusDefinitions.exe.
Antivirus – Core Pattern File Updates
We do not ship 8.x virus definition files, so when the core is upgraded to 9.0 the ldlogon\antivirus\bases folder does not exist. This way the existing LANDesk AV 8.x client can keep its current virus definitions. If the download option was set to download from the core, then the internet, the existing client will try to contact the core. It connects to the core, but because the core does not have the bases folder the download fails; the client keeps its existing definition set. (Because it can connect to the core, it will not try to download from the internet.) After the core downloads the virus definitions for 8.x, the ldlogon\antivirus\bases folder is created and the existing client can update its definitions from the core.
Moral of the story: update virus definitions immediately after installation.
LANDesk Antivirus – Antivirus Settings
LANDesk Antivirus settings have been moved from the Security and Patch Manager tool to the “Security Configurations” tool within the “Security and Compliance” group.
These settings reside in the “My”, “Public”, and “All” Security Configurations containers.
Antivirus Settings – Agent Configuration
Another way to reach the settings, as shown here, is through the Agent Configuration tool: right-click the desired agent configuration, go to Properties, and then open the LANDesk Antivirus section.
From the dropdown in the LANDesk Antivirus section of the Agent Configuration properties, you can select the Antivirus settings you wish to use, or click Configure to modify the Antivirus settings.
Agent Installation – Possible issues
The agent install will not reboot initially in LDMS 9. For an Antivirus upgrade from an older version, a separate reboot task is required. A fresh install may or may not require a reboot.
After an upgrade installation, if the end user attempts to start real-time protection on a computer that has not been rebooted since installation, they will be presented with the message “Another Antivirus solution is installed. To avoid compatibility, LANDesk® Antivirus service will not start.” This is due to the prior LDMS 8.x Antivirus driver still being installed.
Note: In instances where LANDesk Antivirus is uninstalled and then reinstalled without a reboot, a failure message may appear during the installation of the real-time driver. The message may read “Installation failed”. This is due to the real-time driver from the original installation still being installed. A reboot must take place between an uninstallation and a reinstallation.
Antivirus Settings – General tab
A note regarding e-mail scanning: e-mails are scanned as they are selected, not as they are received.
Use this tab to configure the basic antivirus scanner settings on target devices.
This tab contains the following options:
Show LANDesk Antivirus icon in system tray: Makes the LANDesk Antivirus icon appear in the device system tray. The icon's appearance depends on the status of antivirus protection, indicating whether real-time protection is enabled. If the arrow icon is yellow, real-time protection is enabled, meaning the device is continuously being monitored for viruses. If the icon is gray, real-time protection is not enabled.
End users can double-click the icon to open the LANDesk Antivirus client and perform tasks. They can also right-click the icon to access the shortcut menu and select to run a scan and update antivirus files.
Enable email scanning: Enables real-time email scanning on target devices. Real-time email scanning continuously monitors incoming and outgoing messages (supported applications include Microsoft Outlook), checking for viruses in both the body of the message and any attached files and messages. Any detected viruses are removed.
Antivirus Settings – General tab continued
Enable right-click scanning: Provides an option on the LANDesk Antivirus client that allows end users to select a file, group of files, folder, or group of folders, and right-click the selection to perform an antivirus scan.
Scan for risky software in addition to viruses (extended database): Provides an option on the LANDesk Antivirus client that allows end users to scan for riskware (i.e., spyware, FTP, IRC, remote control utilities, etc.) using an extended database that is loaded on the managed device.
Allow user to add files and folders to Trusted Items list: Provides an option on the LANDesk Antivirus client that lets users identify files and folders they don't want scanned for viruses. Files and folders in this list are ignored by an antivirus scan. Users should be made aware that they should move only safe files to their trusted items list.
CPU utilization when scanning: Lets you control CPU usage on target machines when LANDesk Antivirus runs an antivirus scan. In practice this setting affects overall I/O on the computer more than CPU usage. You will feel a difference between the low and high settings, but CPU usage itself changes only minimally. A scan at the low setting takes nearly twice as long as at the high setting.
Antivirus settings – Right-click scanning
The right-click scan menu option is added by AVScanShlExt.dll or AVScanShlExt64.dll. If this option does not show up, the DLL likely failed to register correctly. It can be re-registered using REGSVR32.
When right-clicking a drive or folder, Antivirus exceptions do not take effect: files within a trusted (i.e. excluded) folder are scanned.
A right-click scan spawns an additional AVService.exe process and an additional Kavehost.exe process.
LANDesk Antivirus – Risky Software
What is "Risky Software"? Without this option set, LANDesk Antivirus will scan for viruses but will not scan for other malware. Risky software is essentially client software whose installation presents a possible but not definite risk for the end user. For example: adware, proxy programs, pornware, remote admin utilities, IRC, dialers, activity monitors, password utilities, and Internet tools such as FTP, Web, Proxy and Telnet.
Once enabled, if a program that is in this extended database of Risky Software is needed, an exception will need to be made in the Real-time protection and Virus scan Exceptions section.
Antivirus Settings – General tab continued
Owner: Lets you specify an owner for the antivirus setting in order to prevent unauthorized modification. Only the owner and users with the LANDesk Administrator right can access and modify the setting. Other users can only view the setting. The public user option allows universal access to the setting.
Set as default: Establishes this antivirus setting (including the option settings on all of the Antivirus setting dialog's tabs) as the default on target devices. Unless an antivirus scan task has a specific antivirus setting associated with it, the default settings are used during scan and definition file update tasks. If this setting is already the default, this will show a green checkmark with the words “Default setting”.
Restore defaults: Restores the predefined default settings for all of the antivirus options on the dialog's tabs.
Antivirus Settings – Real-time protection tab
We now move on to the Real-time Protection tab.
Use this tab to enable and configure real-time file protection, which files to protect and what to exclude, and end user notification.
Real-time protection is an ongoing (background) scan of specified files, folders, and file types by extension. When real-time protection is running, files are scanned for viruses every time they are opened, closed, accessed, copied, or saved.
When real-time protection is enabled, the LANDesk Antivirus system tray icon is yellow. The icon is gray when real-time protection is turned off.
This tab contains the following options (next slide):
Real-time protection tab continued…
Enable real-time file protection: Turns on real-time file protection on target devices. Real-time file protection runs in the background and scans for known viruses according to the downloaded virus definition files.
Also show real-time messages on client: Displays messages on target devices to notify users of certain LANDesk Antivirus activities. End users are notified when an infected file is detected, quarantined, deleted, skipped, or cleaned. Message dialogs show the path, file name, virus name, and a note telling the end user to contact their network administrator.
Allow user to disable real-time scanning for up to: Provides an option on the LANDesk Antivirus client that allows the end user to turn off real-time file protection for a specified period of time. You should keep the amount of time to a minimum so that users can't disable real-time protection long term.
Scan all file types: Specifies that files of all types on the target device are scanned by an antivirus scan. This may take a long time, so it is a good idea to scan all file types with an on-demand scan rather than real-time protection.
Scan infectable files only: Specifies that only infectable files are scanned. Infectable files are those types of files known to be vulnerable to virus infections. Scanning only infectable files is more efficient than scanning all files because some viruses affect only certain file types. However, you should make a habit of regularly scanning all files with an on-demand scan in order to ensure devices are clean.
Infectable file types are identified by their format identifier in the file header rather than by their file extension, ensuring that renamed files are scanned. Infectable files include: document files such as Word and Excel files; template files that are associated with document files; and program files such as Dynamic Link Libraries (.DLLs), communication files (.COM), executable files (.EXEs), and other program files. A complete list of file extensions that are considered infectable files follows:
Real-time protection tab continued…
ACM ACV ADT AX BAT BIN BTM CLA COM CPL CSC CSH DLL DOC DOT DRV EXE HLP HTA HTM HTML HTT INF INI JS JSE JTD MDB MSO OBD OBT OCX PIF PL PM POT PPS PPT RTF SCR SH SHB SHS SMM SYS VBE VBS VSD VSS VST VXD WSF WSH XLS
Use heuristics to scan for suspicious files: Utilizes the scanner's heuristic analysis capability when scanning target devices.
Heuristic scanning attempts to detect files suspected of being infected by a virus by looking for suspicious behavior, such as a program that modifies itself, immediately tries to find other executables, or is modified after terminating. Using heuristic scanning may negatively affect speed/performance on managed devices.
Exclude the following files and folders
› Add: Opens the Add excluded path dialog where you can create new exclusions to specify the files, folders, or file types (by extension) you want to exclude from an antivirus scan associated with this setting.
› Edit: Opens the selected exclusion so you can modify a file path, file name, file extension, and variables.
› Delete: Removes the selected exclusion from the antivirus setting.
Note: When adding extensions, do not include the leading period; simply add the letters of the extension.
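The scan-scope rules from this tab and the right-click slide, as an added model written for this page (not LANDesk's scanner code): infectable files are recognised by the format identifier in the header rather than the extension, so a renamed executable is still scanned; the extension list above is only the fallback when no header matches; exclusion extensions are entered without the leading period; and a right-click scan ignores exclusions. The magic-byte table holds well-known format signatures and the sample files are constructed; neither comes from the slides.

```python
"""Which files a scan touches: header-based infectable detection plus exclusions
(added example; format identifiers and sample paths are assumptions)."""
from typing import Iterable, Optional

# Extensions the slide lists as infectable; used only when no header matches.
INFECTABLE_EXTENSIONS = set(
    "ACM ACV ADT AX BAT BIN BTM CLA COM CPL CSC CSH DLL DOC DOT DRV EXE HLP "
    "HTA HTM HTML HTT INF INI JS JSE JTD MDB MSO OBD OBT OCX PIF PL PM POT PPS "
    "PPT RTF SCR SH SHB SHS SMM SYS VBE VBS VSD VSS VST VXD WSF WSH XLS".split()
)

# Format identifiers (well-known magic bytes, assumed here; not from the page).
MAGIC = {
    b"MZ": "dos_pe_executable",                           # EXE, DLL, SCR, OCX, SYS, CPL ...
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole_compound",  # binary DOC, XLS, PPT
    b"{\\rtf": "rtf",
    b"#!": "script_with_shebang",                         # SH, PL ...
}


def identify_by_header(data: bytes) -> Optional[str]:
    """Return the format name if the leading bytes match a known identifier."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def normalise_extension(ext: str) -> str:
    """Exclusion extensions are given without the leading period; tolerate both."""
    return ext.strip().lstrip(".").upper()


def extension_of(name: str) -> str:
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].upper() if "." in base else ""


def is_infectable(name: str, data: bytes) -> bool:
    """Header first (catches renamed executables), extension list as fallback."""
    if identify_by_header(data) is not None:
        return True
    return extension_of(name) in INFECTABLE_EXTENSIONS


class Exclusions:
    """Folder and extension exclusions as the Exclude dialog would hold them."""

    def __init__(self, folders: Iterable[str] = (), extensions: Iterable[str] = ()):
        self.folders = [f.replace("\\", "/").rstrip("/").lower() + "/" for f in folders]
        self.extensions = {normalise_extension(e) for e in extensions}

    def matches(self, name: str) -> bool:
        path = name.replace("\\", "/").lower()
        if any(path.startswith(folder) for folder in self.folders):
            return True
        return extension_of(name) in self.extensions


def should_scan(name: str, data: bytes, exclusions: Exclusions,
                mode: str = "realtime", scan_all_types: bool = False) -> bool:
    """Decide whether the scanner opens this file.

    mode is "realtime" or "rightclick"; the right-click path skips exclusions,
    as the right-click scanning slide describes.
    """
    if mode != "rightclick" and exclusions.matches(name):
        return False
    if scan_all_types:
        return True
    return is_infectable(name, data)


if __name__ == "__main__":
    excl = Exclusions(folders=[r"C:\Trusted"], extensions=[".log", "tmp"])
    print(should_scan(r"C:\Users\a\notes.txt", b"MZ\x90\x00", excl))  # renamed EXE: scanned
    print(should_scan(r"C:\Trusted\tool.exe", b"MZ\x90\x00", excl))   # excluded in real time
```

The point of checking the header before the extension is that an excluded-by-name or renamed file cannot hide an executable; the exclusion list is a performance and compatibility tool, not a trust decision, which is why the right-click path disregards it.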
Antivirus Settings – Virus scan tab
This tab is almost identical to the Real-time Protection tab; however, it only applies to manual scans.
A manual scan can be initiated in the following ways:
1. Double-clicking the shield icon in the system tray and selecting “Scan my computer”
2. Right-clicking a file, folder, or drive and selecting “Scan for viruses”
3. A scheduled scan that runs from the local scheduler on the client computer
4. Selecting “LANDesk Antivirus Scan” in the “Create a task” dropdown in the Security and Patch Manager tool (this is the 2nd icon)
Antivirus Settings – Scheduled scan tab
Use this tab to enable and configure a recurring scheduled antivirus scan on target devices.
LANDesk Antivirus scan types
You can scan your managed devices for viruses with scheduled scans and on-demand scans, as well as real-time file and email protection. End users can also perform on-demand scans of their own computer.
This tab contains the following options:
Have LANDesk Antivirus scan devices for viruses at a scheduled time: Enables a recurring scheduled antivirus scan that runs on target devices according to the start time, frequency, time restriction, and bandwidth requirement you specify.
Change settings: Opens the Schedule dialog where you can set the scheduling options.
Allow user to schedule scans: Lets the end user create a local scheduled antivirus scan on their own machine. This is done by double-clicking the shield icon in the system tray, selecting “view details” next to the “Scheduled Scan” option, and then clicking “New”. If this option is not selected, the user will be able to view details of the scheduled scan but will not be able to add their own scans.
Scheduled virus definitions updates dialog
This controls the local scheduler task that is created on the client. This dialog is identical for both scheduled scans and definition updates.
Start time: Specifies the time the virus definition update runs on target devices. By default, this field displays the current time.
Repeat after: Schedules the virus definition update to recur periodically. Select the number of minutes, hours, and days to control how often the task repeats. If the time period is longer than one day, the update runs at the start time above.
Restrictions: Allows you to disable the virus definition file update at certain times, days, and dates.
Device must have enough bandwidth: Enforces a minimum bandwidth requirement for target devices in order for the virus definition update to run successfully. If this option is enabled and the target device's currently available bandwidth does not meet the requirement, the update doesn't run.
Minimum bandwidth: Specifies the minimum network bandwidth required in order for the task to run. Select either RAS, WAN, or LAN.
Computer name: Identifies the computer that is used to test the device bandwidth. The test transmission is between a target device and this computer.
Antivirus Settings – Virus Definitions Updates
LDMS 9 includes a default definition update schedule of daily at 12:00pm.
Antivirus Settings – Quarantine/Backup tab
Virus definition files
Using the Download “pilot” versions of virus definition files option allows any computer that has these settings applied to act as a pilot computer to test new definition files before they are released to other computers.
Note: Pilot definitions are not available for LDMS 8.x clients reporting to an LDMS 9 server.
Selecting the option “Users may download virus definition updates” adds the option “Update Now” to the LANDesk Antivirus dialog. Again, you get to this screen by double-clicking the shield icon in the client system tray.
As discussed in the last slide, the virus definition updates can and should be scheduled to run regularly.
LANDesk pattern file updates take advantage of both peer download technology and preferred server technology. This helps greatly to save bandwidth back to the core server. LDDWNLD and peer download technology are much improved in LDMS 9.
The Bases.cab compressed file no longer exists in LDMS 9. Definition files are downloaded one file at a time.
Options are available to select the default behavior for downloading pattern files. The options, as shown in the graphic on the right, are:
Core only – Only download pattern files directly from the core server.
Core only. Fall back to internet if core is not available.
Internet only. Only download from the internet.
Internet first. Fall back to the core if internet is not available.
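The four download options above, together with the 8.x upgrade edge case from the Core Pattern File Updates slide, as an added model written for this page (not LANDesk's client code). The property it captures is that fallback is triggered only when a source is unavailable: a client that can reach the core but finds no bases folder there fails the download, keeps its current definitions, and does not go to the internet. The option names, the Environment fields and the definition dates are constructed.

```python
"""Model of the pattern-file download options and the upgrade edge case
(added example; policy names and environment fields are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered source lists for each option on the slide.
POLICIES: Dict[str, List[str]] = {
    "core_only": ["core"],
    "core_then_internet": ["core", "internet"],
    "internet_only": ["internet"],
    "internet_then_core": ["internet", "core"],
}


@dataclass
class Environment:
    """What the client can see; values are constructed for the demo."""
    core_reachable: bool = True
    core_has_bases: bool = True        # False right after a 9.0 core upgrade
    internet_reachable: bool = True
    current_definitions: str = "2010-10-01"
    core_definitions: str = "2010-10-11"
    internet_definitions: str = "2010-10-11"


def try_source(source: str, env: Environment) -> Tuple[bool, Optional[str]]:
    """Return (available, definitions_or_None).

    available=False: the source could not be contacted (this triggers fallback).
    available=True with None: it was contacted but the download failed.
    """
    if source == "core":
        if not env.core_reachable:
            return False, None
        return True, env.core_definitions if env.core_has_bases else None
    if not env.internet_reachable:
        return False, None
    return True, env.internet_definitions


def run_update(policy: str, env: Environment) -> Dict:
    """Walk the policy's sources in order and report what the client ends up with."""
    attempts: List[Tuple[str, str]] = []
    for source in POLICIES[policy]:
        available, defs = try_source(source, env)
        if not available:
            attempts.append((source, "unavailable"))
            continue                      # only an unavailable source triggers fallback
        if defs is None:
            attempts.append((source, "download_failed"))
            return {"result": "kept_existing",
                    "definitions": env.current_definitions, "attempts": attempts}
        attempts.append((source, "ok"))
        return {"result": "updated", "definitions": defs, "attempts": attempts}
    return {"result": "no_source",
            "definitions": env.current_definitions, "attempts": attempts}


if __name__ == "__main__":
    # The upgrade case: core reachable, bases folder not yet populated.
    print(run_update("core_then_internet", Environment(core_has_bases=False)))
    # The case the fallback is designed for: core down.
    print(run_update("core_then_internet", Environment(core_reachable=False)))
```

Running the first case shows why the slide's advice is to update definitions on the core immediately after installation: the client reports a failed download rather than stale-but-fallback-fetched definitions, and nothing in the policy will route it elsewhere.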
LANDesk Antivirus Installation
Four ways to install LANDesk Antivirus.
“Standalone” Antivirus Installation
New in LDMS 9:
Run LDMAIN\AVStandaloneBuilder.exe. This creates \LDLogon\AVStandalonesetup.exe.
Installation is logged in AVStandaloneSetup.exe.log, written to the location the installation is launched from.
Alternative way to create a “Standalone” Antivirus installation:
http://community.landesk.com/support/docs/DOC-6829
Scheduling an Antivirus scan task
This dialog creates a new task, either a standard push task or a policy task, that will appear in the Scheduled Tasks tool.
The option “Update virus definitions (including pilot) on the core” causes the definitions to be updated on the core server prior to updating the client definitions. This ensures that the clients have the very latest definitions.
Changing Antivirus Settings
You can also change the current Antivirus settings that the client uses by creating a Change Settings task. This is done by selecting the “Create a Task” dropdown (second icon in “Security Configurations”). You can then select different Antivirus settings for the client to use. This changes the default settings that the client will use.
If you have simply made a change to the existing Antivirus settings, those changes take effect the next time the vulnerability scanner runs on the client.
Antivirus Activity tool
This screen displays the Antivirus Activity tool. It is opened by clicking the yellow shield icon with an exclamation mark in the Security and Patch Manager tool, as pictured.
This screen displays recent activity in your environment: infections, quarantined infections, trusted items, computers that have not recently sent in status, etc. You can right-click each area and select “View as report”.
LANDesk Antivirus Reports
LANDesk Antivirus Alerts
By default, the following alerts are configured for LANDesk Antivirus. These alerts are configured by default to log to the event viewer on the core server. They can be modified to perform the following actions: Standard, Run on Core, Run on Client, Send e-mail, Send SNMP trap.
For further information about setting up LANDesk Alerts, please see the following Community Article:
http://community.landesk.com/support/docs/DOC-5674
LANDesk Antivirus – Inventory Information
This is the Antivirus information gathered by the Inventory Scanner. Antivirus information is gathered not only for LANDesk Antivirus but for various other vendors.
This information is gathered as part of the inventory scan by LDAVHLPR.DLL. If you are having issues gathering accurate data about your Antivirus solution, make sure you have the latest version of LDAVHLPR.DLL.
It may be useful to create a custom column set or a query showing the Last Virus Scan and Definition Publish dates to ensure that computers are up to date with pattern files and are scanning regularly.
Antivirus – Security and Patch Definitions
There are 12 Antivirus definitions that can be used to help control Antivirus programs in your environment. These definitions serve various purposes.
The definitions that check the status of other Antivirus vendors' products check the following products: Symantec Antivirus, Norton Antivirus, PCCillin, Trend Officescan, Trend ServerProtect, Sophos Enterprise, Sophos Small Business, Etrust, and Eset NOD32.
AV-100 checks whether a virus scanner is installed.
AV-101 checks whether the real-time engine is enabled on various vendor products.
AV-103, AV-105, AV-106, AV-107, AV-111, and AV-112 check whether the particular vendor's definition files are up to date. Note that the number of days the pattern file may be out of date is set in the Custom Definitions tab of the definition.
AV-104 checks the number of days since the last full system scan (default is 2 days).
AV-109 reports whether the last scan succeeded or failed.
AV-110 reports computers that had remediation errors during the last scan.
The vulnerability scan category “Antivirus Updates” must be enabled in the Scan tab of the Scan and Repair settings for these definitions to be scanned.
Antivirus – Pattern file content
Security and Patch Manager also includes definitions to download the latest pattern files from other Antivirus Vendors.
As you can see, pattern files can be downloaded for ESET NOD32, eTrust, LANDesk, McAfee, Sophos, Symantec, and Trend Micro.
When you select another vendor's Antivirus Updates category, you must accept an agreement that you own and are adequately licensed for the software you are downloading updates for.
Server initiated scans and pattern file updates
There are several ways to initiate an antivirus scan and pattern file update from the core.
The first, pictured here, is to go to the “Create a task” icon in the Security Configurations tool, and then select “LANDesk Antivirus task”. This can be set up as a scheduled push task or a policy, with the option to run the scan with different antivirus setting options, and also the option to update virus
Important client side Antivirus program files
C:\Documents and Settings\All Users\Application Data\LANDeskAV (Windows 2000/XP/2003)
or C:\ProgramData\LANDeskAV (Windows Vista/7/2008)
File name                     Purpose
AVBehavior_(Corename)[#].xml  Antivirus behavior file (settings)

C:\Program Files\LANDesk\LDClient
File name    Purpose
Vulscan.exe  Installs LDAV, downloads updated settings, etc

The current Antivirus Behavior in use on a client can be verified by viewing the following registry key:
HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan

C:\Program Files\LANDesk\LDClient\Antivirus
File name                               Purpose
AVService.exe                           Main Antivirus Engine
LDAV.EXE                                LANDesk Antivirus GUI (Systray Icon and related dialogs)
KaveHost.exe                            Processes that perform scanning functions
Udinstaller32.exe or Udinstaller64.exe  32 and 64-bit versions of the realtime driver installer
AVScanShlExt.dll or AVScanShlExt64.dll  Windows Shell Plug-in (Adds right-click “Scan for viruses” option)
*.ppl                                   Plug-in files to perform specific functions (such as scanning compressed files, etc)
Av.key                                  Product license file. Real-time service will not start with an expired key. (Also in the LDClient\Bases directory)
Antivirus real-time driver
The real-time driver is installed by udinstaller32.exe or udinstaller64.exe. This installation is logged in udinstaller.log. The registry key HKLM\System\CurrentControlSet\Services\KLIF should be checked to verify it points to the correct location, and that the correct driver exists in that location.
The realtime driver is installed from \LDClient\Antivirus\Install\Instdrivers\mklif and then a subdirectory depending on the major and minor version of Windows. This is controlled by Udinstaller.ini.
The following tables show, per Operating System, the subdirectory the driver is installed from, its file size and its version.

32-Bit Clients  Installed From  File Size  Version
Windows 7       fre_wlh_x86     299KB      8.4.0.76
Server 2008 R2  fre_wlh_x86     299KB      8.4.0.76
Server 2008     fre_wlh_x86     299KB      8.4.0.76
Windows Vista   fre_wlh_x86     299KB      8.4.0.76
Server 2003 R2  fre_wnet_x86    306KB      8.4.0.76
Server 2003     fre_wnet_x86    306KB      8.4.0.76
Windows XP      fre_wxp_x86     310KB      8.4.0.76

64-Bit Clients (x64 only)  Installed From  File Size  Version
Windows 7 x64              fre_wlh_amd64   344KB      8.4.0.76
Server 2008 R2 x64         fre_wlh_amd64   344KB      8.4.0.76
Server 2008 x64            fre_wlh_amd64   344KB      8.4.0.76
Windows Vista x64          fre_wlh_amd64   344KB      8.4.0.76
Server 2003 R2 x64         fre_wnet_amd64  319KB      8.4.0.76
Server 2003 x64            fre_wnet_amd64  319KB      8.4.0.76
Windows XP x64             fre_wnet_amd64  319KB      8.4.0.76

Note: 64-bit support is for the x64 platform only. Itanium (IA-64) is not supported.
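The KLIF registry check described above, as an added PowerShell example that is not part of the original deck. It assumes the service key stores the driver path in its ImagePath value (the usual layout for Windows driver services) and compares the file version against the 8.4.0.76 listed in the table.

```powershell
# Added example (not from the LANDesk deck): verify the KLIF real-time driver
# service entry points at a driver file that exists and carries the version
# listed in the table above. Assumes the service key's 'ImagePath' value holds
# the driver path, as it does for Windows driver services.
$ExpectedVersion = '8.4.0.76'
$KlifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KLIF'

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several shapes: '\??\C:\...\x.sys',
    # 'System32\drivers\x.sys' or '\SystemRoot\System32\drivers\x.sys'.
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\'))        { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\')) { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-KlifDriver {
    if (-not (Test-Path $KlifKey)) {
        return [pscustomobject]@{ Status = 'KeyMissing'; Path = $null; Version = $null }
    }
    $image = (Get-ItemProperty -Path $KlifKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) {
        return [pscustomobject]@{ Status = 'NoImagePath'; Path = $null; Version = $null }
    }
    $path = Resolve-DriverImagePath $image
    if (-not (Test-Path $path)) {
        # Key exists but the driver is gone: real-time protection cannot load
        return [pscustomobject]@{ Status = 'FileMissing'; Path = $path; Version = $null }
    }
    $ver = (Get-Item $path).VersionInfo.FileVersion
    $status = if ($ver -eq $ExpectedVersion) { 'OK' } else { 'VersionMismatch' }
    return [pscustomobject]@{ Status = $status; Path = $path; Version = $ver }
}

Test-KlifDriver | Format-List
```

Any status other than OK is worth comparing against udinstaller.log on the same client before reinstalling the driver.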
Active LANDesk Antivirus processes
AVService.exe
One instance active if LANDesk Antivirus Service is running.
One instance if a pattern file update is running.
One instance for each active scan.
(These will usually show as running under the SYSTEM account)

LDAV.exe
One instance active if LANDesk Antivirus System Tray shield icon is running.
One process for each open LDAV GUI Window (Active Scan, etc)

KaveHost.exe
One KaveHost process per CPU core (These will usually show as running under the SYSTEM account)
One more KaveHost process if e-mail scanning is enabled and Outlook is installed and running (This will show up as running under the logged in user)
You will have a KaveHost process for each active scan (these will usually show as running under the SYSTEM account)
By default, 1 KaveHost.exe is opened per CPU core on Desktop operating systems. On Server operating systems 2 CPU cores are used.
To limit this behavior, see the following community article.
http://community.landesk.com/support/docs/DOC-5714
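A process census for the counts and account ownership described above, as an added PowerShell example that is not part of the original deck. It assumes the process names on the slide (AVService, LDAV, KaveHost) and the default KaveHost count (one per core on desktop operating systems, two on servers); it uses Get-WmiObject, which is era-appropriate for Windows PowerShell.

```powershell
# Added example (not from the LANDesk deck): compare the running LANDesk
# Antivirus processes against the expectations described on the slide.
function Get-LdavProcessReport {
    $cores = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1
    $expectedKave = if ($isServer) { [Math]::Min(2, $cores) } else { $cores }

    $report = foreach ($name in 'AVService', 'LDAV', 'KaveHost') {
        $procs = @(Get-WmiObject Win32_Process -Filter "Name = '$name.exe'")
        # GetOwner() shows whether an instance runs as SYSTEM or as the logged-in
        # user (expected only for the Outlook e-mail scanning KaveHost)
        $owners = foreach ($p in $procs) {
            $o = $p.GetOwner()
            if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'unknown' }
        }
        [pscustomobject]@{
            Process = "$name.exe"
            Count   = $procs.Count
            Owners  = ($owners | Sort-Object -Unique) -join ', '
        }
    }

    # Flag the conditions the slide treats as abnormal
    $av   = $report | Where-Object { $_.Process -eq 'AVService.exe' }
    $kave = $report | Where-Object { $_.Process -eq 'KaveHost.exe' }
    if ($av.Count -eq 0) {
        Write-Warning 'AVService.exe is not running: real-time protection is down'
    }
    if ($kave.Count -lt $expectedKave) {
        Write-Warning "Only $($kave.Count) KaveHost.exe (expected at least $expectedKave for $cores cores)"
    }
    return $report
}

Get-LdavProcessReport | Format-Table -AutoSize
```

More KaveHost processes than expected is normal while a scan runs or when Outlook scanning is on; fewer, or an AVService count of zero, is what to investigate.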
Local Scheduler Antivirus Tasks
Local scheduler tasks can be viewed by typing “Localsch /tasks | more” at a DOS prompt from the LDCLIENT directory.
LDAV /scancomputer – Scheduled scan
LDAV /update – virus definition update
These can also be viewed within the Inventory for a client computer under Computer > LANDesk Management > Local Scheduler > Scheduled Tasks.
These will typically be somewhere around tasks #8 or #9.
Antivirus – Verbose logging
Steps to enable verbose logging
1. Stop the LANDesk antivirus service.
2. Run AVSERVICE.EXE /LOG
This will enable the logging level of 10.
These settings are enabled in the KAVE.INI file. Here is what is written to the KAVE.INI file:
[LOGGING]
WriteLog=10
WriteFileMonitorLog=10
WriteScanningProcessLog=10
Note: Logging will log a LOT of data and can use a large amount of disk space. To turn the logging back off, run AVService /RemoveLog and restart the LANDesk Antivirus Service.
This will create several log files in the LDCLIENT\ANTIVIRUS directory that will be named KAVE_{PID}.log
{PID} = the Process ID of the process being logged
http://community.landesk.com/support/docs/DOC-6537
Adding “Append=1” to the KAVE.INI will cause the logs to remain when the service starts and append the logging information to the existing log.
To change the log location, add the following line in the KAVE.INI: LogsFolder="C:\{directory}"
You can also get valuable system information by running this utility:
http://telecharger.kaspersky.fr/GSI/GetSystemInfo.exe
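A check of the KAVE.INI logging state and the disk the KAVE_{PID}.log files already use, as an added PowerShell example that is not part of the original deck. It assumes KAVE.INI lives in the LDClient\Antivirus directory alongside the log files, and honours LogsFolder when set.

```powershell
# Added example (not from the LANDesk deck): read the [LOGGING] section of
# KAVE.INI, report whether verbose (level 10) logging is on, and size the
# KAVE_*.log files so the disk-space warning above can be acted on.
$LdavDir = Join-Path ${env:ProgramFiles} 'LANDesk\LDClient\Antivirus'   # assumed location

function Get-IniSection {
    param([string]$Path, [string]$Section)
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $t -match '^([^=;#]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $values
}

function Get-LdavLoggingStatus {
    $ini = Get-IniSection -Path (Join-Path $LdavDir 'KAVE.INI') -Section 'LOGGING'
    # AVSERVICE.EXE /LOG sets all three keys to 10; anything else means
    # /RemoveLog has run or the file was edited by hand
    $verbose = @('WriteLog', 'WriteFileMonitorLog', 'WriteScanningProcessLog') |
        ForEach-Object { $ini[$_] -eq '10' }
    $logDir = if ($ini['LogsFolder']) { $ini['LogsFolder'] } else { $LdavDir }
    $logs = @(Get-ChildItem -Path $logDir -Filter 'KAVE_*.log' -ErrorAction SilentlyContinue)
    $bytes = 0
    foreach ($l in $logs) { $bytes += $l.Length }
    [pscustomobject]@{
        VerboseLogging = ($verbose -notcontains $false)
        AppendMode     = ($ini['Append'] -eq '1')
        LogsFolder     = $logDir
        LogFileCount   = $logs.Count
        LogSizeMB      = [Math]::Round($bytes / 1MB, 1)
    }
}

Get-LdavLoggingStatus | Format-List
```

Run it after troubleshooting is done: VerboseLogging still reporting True is the cue to run AVService /RemoveLog and restart the service.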
Antivirus licensing issues
Issues with the Antivirus license key can be caused by many factors. This is discussed in the following knowledgebase article.
http://community.landesk.com/support/docs/DOC-1640
Two licenses exist. One for the Antivirus tools and one for the pattern file content.
In the Core Server Activation tool, if you click “Licenses” the Antivirus licensing will show up like this:
(Click on Product Name to sort alphabetically)
In the above example, the product was originally licensed as LANDesk 8.7, and then was upgraded to LDMS 8.8. A newly licensed 8.8 install would show “LANDesk Antivirus 8.8 License” and “LANDesk Antivirus 8.8 Subscription”.
Important Community Articles
http://community.landesk.com/support/docs/DOC-7241
LANDesk Antivirus Recommended Patch List
http://community.landesk.com/support/docs/DOC-1520
How to send LANDesk an infected or suspicious file
http://community.landesk.com/support/docs/DOC-5597
NEW LANDesk Antivirus Engine
http://community.landesk.com/support/docs/DOC-6426
LANDesk Antivirus Tool and/or Content not appearing in Management Console
http://community.landesk.com/support/docs/DOC-5714
How to limit the number of active ScanningProcess.exe (KaveHost.exe) processes
http://community.landesk.com/support/docs/DOC-7148
How to send LANDesk a valid file (Non-infected) that is being detected as a virus
http://community.landesk.com/support/docs/DOC-7070
LANDesk Antivirus not detecting a suspected virus
http://community.landesk.com/support/docs/DOC-5685
LANDesk Antivirus supported Operating Systems
http://community.landesk.com/support/docs/DOC-6537
LANDesk Antivirus Logging Information
Thank You!
The information herein is the confidential information and/or proprietary property of LANDesk Software, Inc. and its affiliates (referred to collectively as “LANDesk”), and may not be disclosed or copied without prior written consent of LANDesk.
To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright.
LANDesk retains the right to make changes to the information herein or related product specifications and descriptions, at any time, without notice.
LANDesk makes no warranty for the use of the information herein and assumes no responsibility for any errors that can appear nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com.
Copyright © 2010, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.