LANDesk Antivirus

LANDesk Antivirus is one of the major components of LANDesk Security Suite. Antivirus protects your managed devices from malicious virus attacks by scanning and cleaning viruses based on the latest known virus definition files.

Antivirus offers configurable virus protection features, including scheduled and on-demand virus definition file updates, pilot tests, configurable antivirus scan operation and end user interactive options, infected object handling, real-time file and e-mail protection, status and activity views, reports, and more.

Read this section to learn about:

• Antivirus overview
• Antivirus task workflow
• Configuring devices for Antivirus protection
  • List of third-party antivirus products that can be automatically removed
  • Removing Antivirus from devices
• Updating virus definition files
• Evaluating virus definition files with a pilot test
• Backing up virus definition files
• Scanning devices for viruses
  • Scanning methods
  • Enabling real-time antivirus protection (file, e-mail)
  • Configuring antivirus scan options with antivirus settings
  • Configuring which files to scan (infectable files only, exclusions, heuristics, riskware)
• What happens on a device during an antivirus scan
  • Antivirus client interface and end user actions
  • When an infected object is detected
  • Automatic scanning of quarantined files
• Using antivirus alerts
• Using antivirus reports
• Viewing antivirus information in the Executive Dashboard

Antivirus overview

LANDesk Antivirus is comprised of a built-in antivirus agent scanner, a continuously updated virus signature database, and antivirus configuration options and features available in the Security Configurations tool.

NOTE: Antivirus agent
The Antivirus agent is distinct from the Patch and Compliance security scanner.

LANDesk Security Suite services maintains a current database of virus definition/pattern files that can be downloaded, evaluated and tested, and distributed to target devices on your network.

With Antivirus, you can:

• Download the latest virus definition\pattern file updates (the LANDesk Security Suite service's antivirus signature database is updated several times a day)
• Schedule recurring virus definition file updates
• Archive previous virus definition files
• Create and deploy Antivirus agent installation tasks
• Run on-demand and scheduled antivirus scans on target devices
• Configure antivirus scan behavior and end user options
• Select which types of files to scan, and whether to scan for riskware
• Enable real-time file and e-mail virus protection
• Scan for third-party antivirus scanner engines, and enable/disable real-time virus scanning and ensure up-to-date virus pattern files for those specific antivirus products
• View antivirus activity and status information for scanned devices
• Configure antivirus alerts
• Generate antivirus reports

Security content types and subscriptions

When you install LANDesk Management Suite or LANDesk Security Suite, the Patch and Compliance tool is included by default. However, without a Security Suite content subscription, you can only scan for LANDesk software updates and custom definitions. A Security Suite content subscription enables you to take full advantage of the Patch and Compliance tool (and Security Configurations tool) by providing access to additional security content (definition types), including antivirus scanner detection rules and the actual Antivirus virus definition files used by the antivirus scanner.

Security content types include:

• Antivirus updates (for third-party scanners, includes antivirus scanner detection content only; for Antivirus, includes both scanner detection content AND virus definition files, as well as riskware definition files available in an extended database)
• Blocked applications (see the Legal disclaimer for the blocked applications type)
• Custom vulnerability definitions
• Driver updates
• LANDesk software updates
• Security threats (system configuration exposures; includes firewall detection and configuration)
• Software updates
• Spyware
• Vulnerabilities (known platform vulnerabilities, and application-specific vulnerabilities)

For information about Security Suite content subscriptions, contact your LANDesk reseller, or visit the LANDesk Web site.

Using Download Updates

Note that the Updates page of the Download updates dialog box includes several antivirus updates in the definition types list, including one named LANDesk Antivirus Updates. When you select LANDesk Antivirus Updates, both the scanner detection content AND the LANDesk Antivirus virus definition file updates are downloaded.

For third-party scanner engines, antivirus updates include scanner definitions that detect:

• Installation of common antivirus scanner engines (including the Antivirus tool)
• Real-time scanning status (enabled or disabled)
• Scanner-specific pattern file versions (up to date or old)
• Last scan date (whether the last scan is within the maximum allowable time period specified by the administrator)

For the Antivirus scanner, antivirus updates includes not only the scanner detection content listed above, but also the virus definition files used by the Antivirus scanner.

NOTE: Antivirus scanner detection content versus virus definition content
Antivirus updates does not imply actual virus definition/pattern files. When you download third-party antivirus updates, only scanner detection content is downloaded to the default repository, but scanner-specific virus definition files are not downloaded. However, when you download Antivirus updates, both the scanner detection content AND the Antivirus-specific virus definition files are downloaded. Antivirus virus definition files are downloaded to a separate location on the core server. The default virus definition file repository is the \LDLogon\Antivirus\Bases folder.

Supported device platforms

Antivirus supports most of the same platforms supported by Patch and Compliance's security scanning capabilities and the standard LANDesk-managed device platforms, including the following operating systems:

• Windows NT (4.0 SP6a and higher)
• Windows 2000 SP2
• Windows 2003
• Windows XP SP1
• Windows XP 64-bit
• Windows XP Home Edition/Professional
• Windows Vista (32-bit, and 64-bit)

NOTE: Reboot required for Windows NT 4.0 machines
In order for the Antivirus service to be activated, Windows NT 4 machines must be rebooted after agent configuration deployment.

Other system requirements

Make sure the managed devices you want to configure with the Antivirus agent meet the following system requirements:

• Microsoft Internet Explorer 6.0 or higher
• No other antivirus products installed (For information on automatically removing antivirus products, see Deployment considerations.)

Role-based administration with Antivirus

LANDesk Antivirus, just like Patch and Compliance, uses role-based administration to allow users access to features. Role-based administration is the access and security framework that lets Administrators restrict user access to tools and devices. Each user is assigned specific roles and scope that determine which features they can use and which devices they can manage.

Administrators assign these roles to other users with the Users tool in the console. Antivirus is included in the Security Configurations right, which appears under the Security rights group in the Roles dialog box. In order to see and use Antivirus features, a user must be assigned the necessary Security Configurations access rights.

IMPORTANT: LANDesk Script Writers group permission required
In order to create scheduled tasks and policies in the Patch and Compliance tool and the Security Configurations tool (for security and compliance scan tasks, repair tasks, and change settings tasks), a user must have the LANDesk Script Writers group permission. In other words, they must belong to a group that has the LANDesk Script Writers permission assigned. For more information about role-based administration, see Role-based administration.

With the Security Configurations right, you can provide users the ability to:

• Deploy agent configurations with Antivirus to target devices
• Download virus definition file updates
• Create scheduled updates
• Create scheduled antivirus scan tasks
• Create antivirus settings
• Deploy antivirus scan tasks and change settings tasks associated with antivirus settings
• Enable real-time file and e-mail protection
• Configure antivirus scans to scan for certain file types
• Exclude certain files, folders, and file types (by extension) from antivirus scans
• View antivirus scan activity and status information for scanned devices
• Enable antivirus alerts.
• Generate antivirus reports (also requires Reporting roles)

Antivirus task workflow

The steps below provide a quick summary outline of the typical processes or tasks involved in implementing antivirus protection on your network with LANDesk Antivirus. Each of these procedures are described in detail in subsequent sections.

Basic steps in implementing and using LANDesk Antivirus:

1. Configure managed devices for antivirus scanning.
2. Download virus definition/pattern file definition updates from a security content server.
3. Determine whether to make virus definition files available to managed devices immediately, or to first evaluate them in a pilot test environment.
4. Create on-demand and scheduled antivirus scan tasks and policies.
5. Configure antivirus settings to determine scan operation and end user options.
6. Scan managed devices for known viruses and suspicious files.
7. View antivirus scan results for scanned devices.
8. Configure antivirus alerts.
9. Generate antivirus reports.

Configuring devices for Antivirus protection

Before managed devices can be scanned for viruses and cleaned, they must have the Antivirus agent installed. You can do this either during initial device agent configuration or with a separate installation or update task.

Deployment considerations

If you deploy Antivirus to a device that already has another antivirus solution installed and running, Antivirus does not enable its real-time protection functionality in order to avoid any potential software conflicts. Once you remove the other antivirus product, you can enable Antivirus real-time antivirus protection.

You can select to automatically remove existing antivirus software from target devices when deploying LANDesk Antivirus, either during initial agent configuration or as a separate Antivirus install/update task. For a current list of antivirus products that can be removed from devices, see List of third-party antivirus products that can be automatically removed.

NOTE: Clear password protected antivirus software
If the existing antivirus software is password protected, you must first clear the password before Antivirus can uninstall the software.

List of third-party antivirus products that can be automatically removed

Other antivirus products that can be automatically removed when deploying (or updating) LANDesk Antivirus include:

• Symantec* Antivirus (versions 7, 8, 9, 10)
• Symantec Endpoint Protection 11
• McAfee* Enterprise (versions 7.0, 8.0i, 8.5)
• McAfee ePolicy Orchestrator EPO
• Trend Micro* PC-cillin (versions 2004, 2005, 2006, 2007 15.3 on Windows Vista 64-bit)
• Trend Micro OfficeScan
• Trend Micro ServerProtect
• Trend Micro Internet Security 2008
• CA eTrust* Antivirus (versions 6, 7.x, 8, 8.1)

Configuring devices for Antivirus protection

To configure devices with Antivirus via an agent configuration

1. In the console, click Tools > Configuration > Agent Configuration.
2. Click the New Windows toolbar button.
3. After specifying your desired settings for the agent configuration, you must first click the Start page, and select the LANDesk Antivirus option. Now you can access the options on the LANDesk Antivirus page.
4. Click the Security and Compliance group, and then click LANDesk Antivirus.
5. If you want to automatically remove an existing antivirus product from target devices, select the Remove existing antivirus agent option. For a current list of antivirus products that can be removed from devices, see List of third-party antivirus products that can be automatically removed.
6. Select an antivirus settings from the available list to apply it to the agent configuration you're creating. You can create a new settings or edit an existing settings by clicking Configure. Antivirus settings determine whether the Antivirus icon appears in the device system tray, availability of interactive options to end users, e-mail scan and real-time protection enabling, file types to scan, files and folders to exclude, infected file quarantine and backup, scheduled antivirus scans, and scheduled virus definition file updates.
7. Finish specifying any other desired settings for the agent configuration and then click Save.

You can also configure devices for Antivirus with the Security Configurations tool.

Using the Security Configurations tool

If you want to install or update Antivirus at a later time, you can do so as a separate task from the console.

Use the Security Configurations tool (Tools > Security > Security Configurations) to create install or update tasks, remove tasks, and antivirus definition file update and scan tasks.

To install or update Antivirus as a separate task

1. In the console, click Tools > Security > Security Configurations.
2. Click the Create a task toolbar button, and then click Install or update security components.
3. Enter a name for the task.
4. Specify whether the installation is a scheduled task or a policy-based task, or both.
5. Select the component you want to install, in this case select LANDesk Antivirus. You can select an antivirus settings from the available list to apply it to the task you're creating. You can also create a new settings or edit an existing antivirus settings.
6. If you want to display the installation progress in the security scanner dialog on target devices, select the Show progress dialog on client option.
7. If you want to automatically remove an existing antivirus product from target devices, select the Remove existing antivirus agent option. For a current list of antivirus products that can be removed from devices, see List of third-party antivirus products that can be automatically removed.
8. Select a scan and repair settings from the available list to apply its reboot configuration to the task you're creating. You can create a new settings or edit an existing settings by clicking Configure. The task will use the selected scan and repair settings' reboot options ONLY, which determine reboot requirements and actions on target devices during Antivirus agent installation.
9. Click OK.

Removing Antivirus from devices

If you want to remove Antivirus from managed devices, you can also do that as a separate task.

To remove Antivirus

1. In the console, click Tools > Security > Security Configurations.
2. Click the Create a task toolbar button, and then click Remove security components.
3. Enter a name for the task.
4. Specify whether the installation is a scheduled task or a policy-based task, or both.
5. If you want to display the installation progress in the security scanner dialog on target devices, select the Show progress dialog on client option.
6. Select a scan and repair settings from the available list to apply its reboot configuration to the task you're creating. You can create a new settings or edit an existing settings by clicking Configure. The task will use the selected scan and repair settings' reboot options ONLY, which determine reboot requirements and actions on target devices during Antivirus agent removal.
7. Click OK.

Updating virus definition files

Antivirus lets you download the most current virus definition files from the LANDesk Security Suite content servers. The virus signature database is updated several times a day in order to ensure you have all of the latest known virus definitions so that you can protect your managed devices from these rapidly evolving threats.

You can download virus definition file updates from the console, either immediately as a one-time task or as a regularly scheduled task.

Using Download Updates for virus definition files

Use Download updates (Security Configurations > Download Updates) to specify where definition files are copied, whether they are stored in the default virus definition file repository where they are deployed to target devices or in a pilot test folder where they can be deployed to a limited scope of devices in order to test them before full deployment.

You can also access this dialog box directly when creating an Antivirus task. For more information, see Scanning devices for viruses.

NOTE: Deploying virus definition files to end user devices
The virus definition updates that you download can be deployed to end user devices remotely from the core server. From their own computer, users can also perform the task of updating virus definition files. By default they download files from their LANDesk core server. However, if they need to be able to download the latest virus definition updates while they're not connected to the network (for example, while traveling or using a laptop), you can provide the option of letting users download files directly from the LANDesk security content server via an Internet connection.

To download virus definition file updates

1. Click Tools > Security > Security Configurations.
2. Click the Download updates toolbar button. The dialog box opens to the Antivirus page. (You can also access the Download updates dialog box from the Patch and Compliance tool.)
3. At the Updates page, select the update source site from the list of available content servers. Choose the one closest to your location.
4. At the Updates page, select Antivirus Updates in the Definition types list. (You can select more than one definition type for a single download. However, you must have the corresponding depending on your LANDesk Security Suite content subscription. The more types you select, the longer the update will take.)
5. At the Updates page, select the languages whose content you want to update for the types you've specified.
6. If you want new content (content that does not already reside in any groups in the tree) to automatically be placed in the Unassigned group instead of the default location, which is the Scan group, select the Put new definitions in the Unassigned group check box.
7. Now click LANDesk Antivirus to view the current status of virus definition files and to configure specific virus definition file updates settings.
8. If you want virus definition files to be downloaded to the default repository on the core server (\LDLogon\Antivirus\Bases) where they can be deployed to target devices, click Immediately approve. However, if you want to first evaluate virus definition files, before deploying them to your managed devices, click Restrict definitions to a pilot test first. (You can also set an automatic approval time period, and minimum test period, to avoid having to do this manually after the test). If you choose to do a pilot test first, virus definition files are downloaded to a pilot test folder so that they are deployed to only those devices whose antivirus settings says to download the "pilot" version of definition files.
9. If you want a pop-up message to display on the core server console when virus definition files have not been updated in the past seven (7) days, click Show reminder dialog if definitions are out of date.
10. If you want to download the latest definition files right now, click Get latest definitions. The Updating Definitions dialog box displays the current operation and status.
11. If you want to approve virus definitions currently residing in the pilot test folder, click Approve now. This moves definition files from the pilot test folder to the default folder (\LDLogon\Antivirus\Bases).
12. If you want to save a backup copy of the virus definition files currently residing in the Bases folder, select the Make backups option. You can restore definition file backups at anytime. Backups are useful if you want to revert to an earlier virus definition file version. (Virus definition file backups are saved in separate folders named by the date and time they were created, under: \LDLogon\Antivirus\Backups\)
13. Click Download Now to download your selected security content updates. The Updating Definitions dialog displays the current operation and status. Or you can click the Schedule download button to create a scheduled task (see below).
14. When the update has completed, click Close. Note that if you click Cancel before the update is finished, only the security content that has been processed to that point is downloaded to the core database. You would need to run the update again in order to obtain all of the remaining security content.

NOTE: Whenever virus definition files are updated on managed devices, a mini-scan of memory processes runs on the device. This scan is performed to ensure that the processes running in memory at the time of the update are still clean.

Scheduling automatic virus definition file updates

You can also configure virus definition file updates as a scheduled task to occur at a set time in the future, or as a recurring task.

To do this, configure security content download options in the Update downloads dialog box, making sure to select LANDesk Antivirus updates in the definition type list on the Updates tab, configure virus definition file options on the LANDesk Antivirus tab, and then click the Schedule Update button. The Scheduled update information dialog box shows task-specific settings for the task. Enter a name for the task, and then click OK to create a Download Security Content task in the Scheduled Tasks tool, where you can specify the scheduling options.

NOTE: Task-specific settings and global settings
Note that only the definition types, languages, and definition and patch download settings are saved and associated with a specific task when you create it. Those three settings are considered task specific. However, all of the settings on the other pages of the Download updates dialog box are global, meaning they apply to all subsequent security content download tasks. Global settings include: patch download location, proxy server, spyware autofix, security alerts, and antivirus. Any time you change a global settings it is effective for all security content download tasks from that point on.

Evaluating virus definition files with a pilot test

You may want to first evaluate virus definition files before deploying them to all of your managed devices. You can easily do this by specifying to restrict virus definition file updates to a pilot test folder, and then applying an antivirus settings with the Download pilot version of virus definition files option selected.

To run a pilot test of virus definition files

1. On the Download update dialog's LANDesk Antivirus tab, click Restrict them to a pilot test first.
2. If you don't want to have to manually move tested virus definition files from the pilot test folder to the default folder (\LDLogon\Antivirus\Bases), click Automatically approve, and specify the minimum time period. When this time period elapses, the virus definition files are automatically approved and moved.
3. To download the most recent virus definition files from the LANDesk security content server, click Get latest definitions.
4. To immediately approve the virus definition files currently residing in the pilot test folder, click Approve now.
5. Next, create a pilot test antivirus settings that allows you to deploy virus definition files to a limited set of testing machines. On the antivirus setting's Virus definition updates page, select Download pilot version of definition files.
6. Apply that pilot test antivirus settings to an antivirus scan task that you can use to target your limited set of test machines. Now you can observe the antivirus scan activity and results on these devices in order to evaluate the effectiveness of the downloaded virus definition files before deploying them to a wider audience.

Backing up virus definition files

If you want to save older versions of downloaded virus definition files, use the Virus definition backups settings on the LANDesk Antivirus tab.

Backing up virus definition files can be very useful if you need to go back to an older virus definition file to scan and clean specific infected files, or to restore a virus definition file that resolved a particular problem.

Virus definition file backups are saved in separate folders, named by the date and time the files were saved, under the parent \LDLogon\Antivirus\Backups\ folder.

Scanning devices for viruses

This section provides information on scanning managed devices for known viruses as well as suspicious objects.

NOTE: Scanning requires the proper content subscription
Remember that in order to scan for a specific security content type, including viruses, you must have the corresponding LANDesk Security Suite content subscription. For information about content subscriptions, contact your LANDesk reseller, or visit the LANDesk Web site.

Scanning methods

There are several different methods of running an antivirus scan on managed devices that have Antivirus installed:

• Scheduled antivirus scan
• On-demand antivirus scan
• User-initiated antivirus scan
• Real-time file protection
• Real-time e-mail protection

Running a scheduled antivirus scan from the console

From the console, you can configure antivirus scan tasks that can be run as either an on-demand scan or as a scheduled task or policy.

Scheduled task remediation can be thought of as a push distribution because the patch is pushed from the core server to devices, while a policy is considered a pull distribution because the policy agent on the device checks the core server for applicable policies and then pulls the patch from the core server.

To create an antivirus scan task

1. Click Tools > Security > Security Configurations.
2. Make sure virus definition files have been updated recently.
3. Make sure the default virus definition file folder (\LDLogon\Antivirus\Bases) contains only those definitions you want to scan for.
4. Click the Create a task toolbar button, and then click LANDesk Antivirus.
5. Enter a name for the task.
6. Specify whether you want this task to update virus definitions, perform an antivirus scan, or do both.
7. Specify whether the task is a scheduled task or a policy-based scan, or both.
8. If you want to scan ALL of your managed devices with Antivirus agent installed, select a scheduled task, and then select to target all devices. You can also select to start the antivirus scan of all devices immediately.
9. If you want to ensure that the scan uses the latest known virus definition files, select the Update virus definitions option.
10. Select an antivirus settings from the available list (or create a custom settings for this scan by clicking the Configure button), to determine how the scanner operates on end user devices. If you want the antivirus scan to use the device's local antivirus settings (default settings), select that option from the drop-down list. For more information about configuring the antivirus scan with an antivirus settings, see About the LANDesk Antivirus settings dialog box.
11. Click OK. (For a typical scheduled task scan, click OK, and then add target devices and configure the scheduling options in the Scheduled tasks tool.)

Running an on-demand antivirus scan from the console

You can also run an immediate on-demand antivirus scan on one or more target devices.

To do this, right-click the selected device (or up to 20 multi-selected devices), click LANDesk Antivirus scan now, select an antivirus settings, choose whether to update virus definition files before scanning, and then click OK.

When you click OK, the Status of requested actions dialog displays the following information:

• Progress
• Results
• Scan time information

Running an antivirus scan at a managed device

Additionally, if you've configured antivirus settings to display the Antivirus icon in the device system tray, end users can perform their own on-demand antivirus scans.

To do this at the managed device, right-click the LANDesk Antivirus taskbar icon, and then select Scan my computer. Or from the Antivirus dialog box, click Scan my computer.

Enabling real-time antivirus protection (file, e-mail)

Real-time antivirus protection provides ongoing background scans of specified files, file types, e-mail messages, and e-mail attachments, based on known virus definitions. You can also enable real-time notification to inform end users about infected files.

Real-time file protection, e-mail scanning, and notification are all configured with antivirus settings.

NOTE: LANDesk Antivirus system tray icon indicator
When real-time antivirus protection is enabled, the LANDesk Antivirus system tray icon (on the end user device) is yellow. When real-time protection is disabled, the icon is gray.

Real-time file protection

Configure real-time file protection with the options on the Real-time protection page of the Antivirus settings dialog box. For more information, click Help.

When real-time protection is running, files are scanned for viruses every time the file is:

• Opened
• Closed
• Accessed
• Copied
• Saved

Real-time e-mail scanning

Configure real-time e-mail scanning with the Enable e-mail scanning option on the General page of the Antivirus settings dialog box.

Real-time e-mail protection provides on ongoing scan of incoming and outgoing messages. Antivirus scans the message body as well as attached message's bodies and file attachments.

Antivirus real-time e-mail protection supports:

• Microsoft Outlook

When real-time e-mail protection is running, messages and attachments are:

• Scanned when opened or previewed
• Not scanned when selected

When an infected e-mail is discovered on a managed device, Antivirus attempts to clean it. If it can be cleaned: a new header is placed in the message body to inform the end user. If the infected e-mail can't be cleaned: the entire message body is deleted and replaced with a new header.

When a suspicious e-mail message is discovered, the message body is converted to plain text and a header is added to the message.

Also, a dialog displays on the end user device that shows:

• File path
• File name
• Virus name
• Note telling the end user to contact their network administrator

Real-time (infected file) notification

End users can be notified when a file infected by a virus is detected, quarantined, deleted, skipped, or cleaned.

Configure real-time infected file notification with the option on the Real-time protection page of the Antivirus settings dialog box.

A dialog displays on the end user device that shows:

• File path
• File name
• Virus name
• Note telling the end user to contact their network administrator

Configuring antivirus scan options with antivirus settings

Antivirus gives you complete control over how antivirus scans run on target devices, and which options are available to end users. For example, depending on the purpose or scheduled time of an antivirus scan, you may want to show the Antivirus client on end user devices, allow the end user to perform antivirus scans, view and restore quarantined objects, download virus definition file updates on their own, etc. You can do this by creating and applying antivirus settings to a scan task.

With antivirus settings, you can configure the following options:

• Whether the Antivirus icon appears in device system trays (providing end user access to antivirus scanning, quarantine and backup viewing, and file handling tasks)
• Real-time e-mail scanning
• End user right-click scans
• CPU usage
• Owner (to restrict access)
• Scheduled antivirus scans
• Quarantine/backup folder size
• Restoring infected and suspicious objects
• Which files, folders, and file types to scan
• Scan exclusions
• Whether to use heuristic analysis for detecting suspicious files
• Whether to scan for riskware
• Real-time file protection (including which files to scan, heuristics, and exclusions)
• Downloading virus definition file updates (pilot test versions, scheduled downloads, end user download permission, and direct downloads from the security content server)

All of the antivirus settings you create are stored in the LANDesk Antivirus group in the Security Configurations tool.

Using Antivirus settings

Create and apply antivirus settings (a saved set of configured options) to antivirus scan tasks. You can create as many antivirus settings as you like. Antivirus settings can be designed for a specific purpose, time, or set of target devices.

To create antivirus settings

1. In the Security Configurations tool, right-click the LANDesk Antivirus object, and then click New. (Note: You can also access this dialog box by clicking Edit or Configure on any of the task dialog boxes that let you apply an antivirus settings.)
2. Enter a name for the antivirus settings.
3. Specify the settings on the pages as desired for the particular task. For more information about an option, click Help.

Once configured, you can apply antivirus settings to antivirus tasks (or to a change settings task).

Changing device default antivirus settings

A device's default antivirus settings are deployed as part of the initial agent configuration. When a specific task has a different antivirus settings associated or assigned to it, the default settings are overridden. You can also choose to use the device's default settings by selecting it when you create a task.

At some point you may want to change these default antivirus settings on certain devices. Patch and Compliance provides a way to do this without having to redeploy an entirely new and complete agent configuration. To do this, use the Change settings task located in the drop-down list of the Create a task toolbar button. The dialog box that appears allows you to enter a unique name for the task, specify whether it is a scheduled task or policy, and either select an existing antivirus settings as the default or use the Edit button to create a new antivirus settings as the default for target devices.

Viewing device antivirus settings in the Inventory

You can discover and/or verify device antivirus settings in their Inventory view.

To do this, right-click the selected device, click Inventory > LANDesk Management > AV Settings.

Configuring which files to scan (infectable files only, exclusions, heuristics, riskware)

You can specify which files (items) you want to scan which files you don't want to scan with both antivirus scans and real-time antivirus file protection.

See the following sections for information on customizing what to scan:

• All files or infectable files only
• Excluding items from antivirus scans and real-time protection
• Using heuristic analysis to scan for suspicious objects
• Scanning for riskware (extended database)

All files or infectable files only

Configure to scan all files or infectable files only on the Virus scan and Real-time protection pages of an antivirus settings.

• Scan all file types: Specifies that files of all types on the target device are scanned by an antivirus scan. This may take a long time so it is a good idea to scan all file types with an on-demand scan rather than real-time protection.
• Scan infectable files only: Specifies that infectable files only are scanned. Infectable files are those types of files known to be vulnerable to virus infections. Scanning only infectable files is more efficient than scanning all files because some viruses affect only certain file types. However, you should make a habit of regularly scanning all the files with an on-demand scan in order to ensure devices are clean.

Infectable file types

Infectable file types are identified by their format identifier in the file header rather than by their file extension, ensuring that renamed files are scanned.

Infectable files include: document files such as Word and Excel files; template files that are associated with document files; and program files such as Dynamic Link Libraries (.DLLs), communication files (.COM), Executable files (.EXEs), and other program files. See below for a list of infectable file types by the file format's standard or original file extension.

• ACM
• ACV
• ADT
• AX
• BAT
• BIN
• BTM
• CLA
• COM
• CPL
• CSC
• CSH
• DLL
• DOC
• DOT
• DRV
• EXE
• HLP
• HTA
• HTM
• HTML
• HTT
• INF
• INI
• JS
• JSE
• JTD
• MDB
• MSO
• OBD
• OBT
• OCX
• PIF
• PL
• PM
• POT
• PPS
• PPT
• RTF
• SCR
• SH
• SHB
• SHS
• SMM
• SYS
• VBE
• VBS
• VSD
• VSS
• VST
• VXD
• WSF
• WSH

Excluding items from antivirus scans and real-time protection

You can also specify what not to scan for with both antivirus scans and real-time file protection. Configure antivirus scan exclusions by adding files, folders, and file types to the exclusion list on the Virus scan and Real-time protection pages of an antivirus settings.

NOTE: Trusted Items list on managed devices
Note that you can also enable an option that allows end users to specify files and folders they don't want to be scanned by LANDesk Antivirus. This feature is called the trusted items list, and is configured on the General page of an antivirus settings.

Using heuristic analysis to scan for suspicious objects

You can enable heuristic analysis to check for suspicious (possibly infected) files with both antivirus scans and real-time file protection.

Enable heuristic scanning on the Virus scan and Real-time protection pages of an antivirus settings.

Heuristic analysis scanning attempts to detect files suspected of being infected by an unknown virus (not defined in the virus signature database) by looking for suspicious behavior. Suspicious behavior can include a program that is self-modifying, immediately tries to find other executables, or that is modified after terminating. A heuristic analysis emulates program execution to make protocols of observed suspicious activity, and uses those protocols to identify possible virus infections. In almost all cases, this mechanism is effective and reliable, and rarely leads to false positives.

Antivirus utilizes a heuristic analyzer to verify files that have already been scanned by an antivirus scan based on known virus definitions.

Note that heuristic scanning may negatively affect performance on managed devices.

Scanning for riskware (extended database)

Antivirus lets you enable scanning for risky software, also known as riskware, on target devices. Risky software is essentially client software whose installation presents a possible but not definite risk for the end user.

For example: adware, proxy-programs, pornware, remote admin utilities, IRC, dialers, activity monitors, password utilities, and Internet tools such as FTP, Web, Proxy and Telnet.

When you specify to scan managed devices for risky software, Antivirus loads an extended database that contains definition files used to perform the scan. The extended database scan requires more time than the standard antivirus scan.

Additional notes about scanning files

• System restore point scanning: Antivirus will scan the files in any system restore point folders that may exist on the managed device.

What happens on a device during an antivirus scan

This section describes how Antivirus displays on end user devices with Antivirus installed and what happens when devices are scanned for viruses by an antivirus scan or through real-time virus protection. Possible end user options are listed as well as the actions end users can take when an infected object is discovered by the scan.

Antivirus client interface and end user actions

If the Show LANDesk Antivirus icon in the system tray option is selected on the device's antivirus settings, the Antivirus client appears and shows the following elements:

System tray icon

• Real-time protection is enabled (system tray icon is yellow) or disabled (system tray icon is gray)

Antivirus window

• Real-time protection is enabled or disabled (If the option is enabled in antivirus settings, the end user can disable real-time protection for as long a period of time as you specify)
• E-mail scanning is enabled or disabled
• Latest scan (date and time)
• Scheduled scan (date and time)
• Scan engine version number
• Virus definitions (the last time pattern files were updated)
• Quarantine (shows the number of objects that have been quarantined. End users can click View details to access the Quarantined objects dialog. If the option is enabled, end user can also restore files. If the password requirement option is enabled, the end user must enter that password.)
• Backup (shows the number of objects that have been backed up)
• Trusted items (shows the items the end user has added to their trusted items list that won't be scanned for viruses or risky software)

End user actions

If Antivirus is installed on their computer, and their antivirus settings (default or task-specific) allow, users can perform the following tasks:

• Scan my computer (can view scan status, and pause and cancel the scan)
• Right-click to perform antivirus scan on files and folders in Windows Explorer (if the option is enabled by the antivirus setting)
• View local scheduled antivirus scans tasks
• Create local scheduled antivirus scans on their own machine (if the option is enabled by the antivirus setting).
• Update virus definition files
• Temporarily disable real-time protection (if the option is enabled by the agent configuration, and limited to a specified period of time)
• View quarantined objects
• View backup objects
• View trusted items
• Restore suspicious objects (if the option is enabled by the antivirus setting)
• Restore infected objects and risky software (if the option is enabled by the antivirus setting)
• Add and remove files and folders\subfolders to their trusted items list

Note that end users can't configure antivirus scan settings, or disable e-mail scanning.

When an infected object is detected

This process applies to both infected files and e-mail messages.

The infected object is:

1. Automatically backed up. (The backup file is saved in \LDClient\Antivirus\ folder, with a *.bak extension.)
2. An attempt is made to clean the infected object.
3. If the infected object can be cleaned, it is restored to its original location.
4. If the infected object can't be cleaned, it is quarantined. (The virus string is removed and the file is encrypted so it can't be run. The quarantined file is saved in \LDClient\Antivirus\ folder, with a *.qar extension.)

If the corresponding option is enabled in their antivirus settings (default or task-specific), end users can restore, delete, and rescan quarantined objects.

Automatic scanning of quarantined files

When an on-demand antivirus scan is executed, or when the virus definition files are updated, the antivirus scanner automatically scans objects in the quarantine folder to see if any infected files can be cleaned with the current virus definition files.

If a quarantined file can be cleaned, it is automatically restored and the user is notified.

End users can open a backup file to see a header that provides information on the original file location, and the reason for the file being backed up.

Note that only the original user is allowed to delete or modify backup files. The user that is logged in when the infected file is discovered.

Using antivirus alerts

You can configure antivirus alerting so that you can be notified when specific virus outbreaks are detected on managed devices in your system. Antivirus uses the standard LANDesk alerting tool.

You define virus outbreak parameters based on the number of managed devices infected by a virus in a specified period of time.

To configure antivirus alerting

Antivirus alert settings are found on the Antivirus page of the Alert settings dialog box.

You must first configure the antivirus alerts in the Alert Settings tool in the console. Antivirus alerts include:

• An alertable antivirus action failed
• An alertable antivirus action succeeded
• Virus outbreak alert (per virus)

The following antivirus events can generate antivirus alerts:

• Virus removal failed
• Virus removal succeeded
• Quarantine failed
• Quarantine succeeded
• Deletion failed
• Deletion succeeded

Select which alerts you want generated. The time interval option lets you prevent too many alerts. More than one alert (for any antivirus trigger) during the specified time interval is ignored.

You can view the complete antivirus alert history for a device in its Security Information view. Right-click a device, select Security Information, select the Antivirus type in the Type drop-down list, and then select the Antivirus History object.

Using antivirus reports

Antivirus information is represented by several reports in the Reports tool. These reports provide useful information about antivirus scan activity and status for scanned devices on your network.

In order to access the Reports tool, and generate and view reports, a user must have the LANDesk Administrator right (implying full rights) and the specific Reporting roles.

For more information about using the Reports tool, see Reports.

Viewing antivirus information in the Executive Dashboard

You can also view antivirus scan information in the Web console Executive Dashboard. This data is useful in identifying virus outbreaks and to show antivirus protection over time.

LANDesk Antivirus-specific widgets show:

• Top five viruses detected (in the past 10 days or weeks)
• Managed devices infected with viruses (in the past 10 days or weeks)
• Percentage gauge of managed devices with real-time protection enabled
• Percentage gauge of managed devices with up-to-date virus definitions