Applies to LANDesk Management Suite 8.8 and LANDesk Management Suite 9
LANDesk provides an Anti-spyware/Anti-malware tool that can be used and managed in conjunction with the LANDesk agent to provide greater security and protection in an environment. This article will help to get the tool configured and running in your environment. This document is not comprehensive nor does it address all situations for all environments, but should be a good starting point to get LANDesk Antispyware running.
A more complete treatment of the subject can be found here: Best Known Method for Spyware Scanning
Get the latest scanner
It is important that you have the most up-to-date version of the LANDesk Anti-spyware engine in order to provide the best protection and performance. The newest version is available for LANDesk Management Suite 8.8 SP4 and LANDesk Management Suite 9. It is included in LANDesk Management Suite 9 SP1. To get the latest version or review information about the latest version please see:
How it works
There are two "modes" that the spyware protection can work. First is a scheduled or manual scan and the second is Real-time protection. Each of these behaves slightly differently and can be configured as needed
Scheduled spyware scan
The scheduled spyware scan is run by vulscan.exe. Vulscan.exe is also the same application on the client that scans for any Windows Vulnerabilities, Security Threats, etc. The behavior of this scan is determined by the Scan and Repair settings. The Scan and Repair settings are used to determine what items or types are scanned for when a scan is run. The scan can be scheduled as part of the Agent Configuration or as a Scheduled Task.
Scheduled Scan - Agent Configuration
This scan can be scheduled to occur on a regular basis from the Agent Configuration. Using the settings from the Agent Configuration under Security and compliance scan -> Patch and compliance scan. There a start date and time, repeat frequency, time range, weekly day range, and monthly date range can be set. Other requirements as well as a random delay can also be configured.
Once configured this information is put into the Local Scheduler service on the client machine. The client machine manages and runs the task according to the schedule and the normal behaviors of the LANDesk Local Scheduler. The schedule can be changed by modifying the Agent Configuration, then running an Update Agent settings task.
Every time that this scan runs it will use the most current version of the currently installed Scan and Repair settings. Which settings are included during the agent installation is configured in the Agent Configuration. However a Change settings... task can be run on the client machine to change which Scan and Repair settings are installed on the device. Therefore it is important that you track which settings are currently installed on the machine to make sure that proper scans are being run as expected. The currently installed Scan and Repair settings can be found in the Inventory record of the device under LANDesk Management - Vulnerability Scan - Settings.
Important Note: Vulscan will AUTOMATICALLY update to the newest revision of the Scan and Repair settings installed. This means that if Company Scan and Repair Settings is installed on the device and the administrator modifies those settings, the changes will be propagated to all the client machines using Company Scan and Repair Settings the next time vulscan runs.
The real-time spyware protection is run by softmon.exe. This will monitor open processes and files to scan for spyware. In order for this to actually work, the spyware definition must be in the Scan group AND set to Autofix. If it is only set to scan, the spyware will be detected and reported, but not repaired. It is also important that all settings allow autofix. These need to be set in the Agent Configuration (Never Autofix) and the Scan and Repair settings (Enable Autofix).
Due to the nature of real-time scanning it is recommended that a regularly scheduled scan occasionally take place on client machines for the best protection from spyware.
The LANDesk Agent does not require a great deal of configuration to permit spyware scanning. The applications used (vulscan.exe and softmon.exe) are automatically included in all agent installations. Some settings to watch:
Security and Compliance - Patch and Compliance Scan - Never autofix: If this setting is checked, it is not possible for the real-time scanner to repair spyware. This cannot be overridden by any other setting. If it must be changed, a new agent needs to be installed, or an Update Agent Settings task needs to be run.
Security and Compliance - Spyware - Enable real-time spyware blocking: This will enable softmon.exe to scan for spyware real-time. This setting CAN be overridden using a Scan and Repair setting.
The only remaining setting to be concerned with or look at is the schedule for the Security scan. As spyware scanning can sometimes be included as part of this, it may need to be configured to run appropriately.
Scan and Repair settings
The Scan and Repair settings can be used to provide some additional configuration for the spyware scanning.
Scan Options - Type - Spyware: This option should be checked if you want vulscan to scan for Spyware when run using these Scan and Repair settings. There are several sub-options
- Smart scan: A Smart scan will only scan for critical locations of the computer, such as running processes, loading points, browser hijacks, LSPs, etc.
- Default scan: A Default scan will scan for all the items in a Smart scan. Additionally it will scan all files under the Windows directory, Program Files directories (including both C:\Program Files and C:\Program Files (x86) on x64 platforms) and the current user's personal folder(s). It will also scan all files on the root of the system drive.
- Full scan: A Full scan includes the Smart scan options and it will scan all the files on all of the drives on the computer.
- Download only: Download only mode will download the agent update, agent configurations, engine update and content update from the core server. No spyware scan will run in this mode.
Spyware scanning - Override settings from client configuration: This allows you to override the current real-time spyware scanning setting from the client. If the box is checked, once these settings are installed on the client machine through a Change settings task, or updated by the client machine, the settings in the Scan and Repair will override the agent setting. This allows you to turn on or off real-time spyware scanning as needed.
There are a few things that should be configured on the LANDesk core server to get the best results.
In order for LANDesk to scan (and subsequently repair) any spyware, the appropriate definition must be in the Scan folder in the Patch and Compliance tool. In order for them to be repaired automatically during real-time scanning, they must be set to Autofix. This can be done manually, or though the Download Updates tool.
Download Updates options
The Download Updates tool can be used to automatically put the Spyware definitions in the Scan group and set them to Autofix. To do this:
- Open the Patch and Compliance tool
- Select Download Updates
- At the bottom of the dialog, select Definition group settings
- Select New...
- From the drop downs select Spyware and Critical
- Check the box for Set status:
- Select Scan from the drop down and check Set autofix. (If you want to fix spyware during real-time scanning
- Press OK
- Repeat steps 4-8 for each Severity Level
- Click Close then Apply
Now everytime you download updates manually or as a scheduled task it will filter the spyware definitions into the scan group and set them to autofix.