How to configure Alerting for out of date virus definitions

Version 3

    This article describes how to configure alerts to be triggered for clients that have out-of-date Antivirus definitions.

    This can be configured for LANDesk Antivirus or other third-party Antivirus vendor definitions.

    For a complete list of Antivirus vendor definitions that can be managed through Patch and Compliance Manager, see the following article:

    http://community.landesk.com/support/docs/DOC-22885

     

    Configuring the alerts consists of several steps:

    • Configure the Custom Variables for the AV-1XX definition to set the allowed definition age
    • Place the appropriate vulnerability definition into the Alert group in Patch and Compliance Manager
    • Configure the associated alert

    Configure the Custom Variable for the AV-1XX definition to set the allowed definition age

    There are several Vulnerability Definitions within Patch and Compliance Manager that can be used to alert on definition age for various Antivirus vendors:

    AV-105 - McAfee Virus Scanner Pattern File Up To Date
    AV-106 - Trend Micro Virus Scanner Pattern File Up To Date
    AV-107 - LANDesk Virus Scanner Pattern File Up To Date
    AV-111 - eTrust Virus Scanner Pattern File Up To Date
    AV-112 - ESET NOD32 Virus Scanner Pattern File Up To Date
    AV-113 - Kaspersky Virus Scanner Pattern File Up To Date
    AV-114 - Forefront Endpoint Protection Pattern File Up To Date
    AV-115 - CA Total Defense Pattern File Up To Date

    Within the properties of each of these definitions is a "Custom Variables" tab. This tab is used to set the maximum allowable pattern file age.

    To set this value:

    1. Right-click the desired Vulnerability Definition (AV-105, AV-106, AV-107, AV-111, AV-112, AV-113, AV-114 or AV-115) and select "Properties".
    2. Next to "Number of Days since Last Updated", set the maximum number of days allowed between successful pattern file updates. (The default value of "0" means the pattern file date on the client must match the date of the last pattern files downloaded to the core server.)
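    The age check from step 2, modelled as an added Python example; this is not LANDesk code, and the exact way the scanner measures age, the host names and the dates are assumptions made for illustration:

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Client:
    name: str
    definition: str     # which AV-1XX definition applies to this client
    pattern_date: date  # date of the pattern file found on the client


def definitions_out_of_date(client, core_pattern_date, scan_date, max_days):
    """Model of the 'Number of Days since Last Updated' custom variable.

    max_days == 0 (the default): the client's pattern file date must match
    the last pattern file downloaded to the core server exactly.
    max_days > 0: the client is flagged when its pattern file is older than
    max_days at scan time. (Assumed semantics, not LANDesk's own logic.)
    """
    if max_days < 0:
        raise ValueError("max_days must be 0 or greater")
    if max_days == 0:
        return client.pattern_date != core_pattern_date
    return (scan_date - client.pattern_date).days > max_days


def clients_to_alert(clients, core_dates, scan_date, max_days):
    """Names of clients whose definition would be detected and alerted on."""
    return [c.name for c in clients
            if definitions_out_of_date(c, core_dates[c.definition],
                                       scan_date, max_days)]


# Constructed sample inventory: hypothetical hosts and dates, not real data.
CORE_DATES = {"AV-107": date(2012, 3, 14), "AV-105": date(2012, 3, 13)}
SAMPLE_CLIENTS = [
    Client("WS01", "AV-107", date(2012, 3, 14)),   # matches core exactly
    Client("WS02", "AV-107", date(2012, 3, 10)),   # 5 days old at scan time
    Client("WS03", "AV-105", date(2012, 3, 13)),   # matches core exactly
    Client("WS04", "AV-105", date(2012, 3, 1)),    # 14 days old at scan time
]

if __name__ == "__main__":
    scan_day = date(2012, 3, 15)
    print("max_days=0:", clients_to_alert(SAMPLE_CLIENTS, CORE_DATES, scan_day, 0))
    print("max_days=7:", clients_to_alert(SAMPLE_CLIENTS, CORE_DATES, scan_day, 7))
```

    Note that with the default of 0 a client one day behind the core is flagged, while with a positive value only clients older than that many days are.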

    Place the appropriate vulnerability definition into the Alert group in Patch and Compliance Manager

    Select the AV-1XX definition that corresponds with your AV vendor and drag it into the Alert group in Patch and Compliance Manager. Note: You may need to expand the "Groups" section in the left-hand pane.

    Configure the associated alert

    1. In the Management Suite Console go to Tools --> Configuration --> Alerting
    2. In the left-hand pane under "Alert Rulesets" right-click "LDMS Default Ruleset" and select "Edit"
    3. In the right-hand pane under "Rules" select "Add". This will open a "Configure Ruleset" section at the bottom with three sections - "Alert", "Actions", and "Time".
    4. In the left-hand pane select "Alerts"
    5. In the 2nd pane under "Standard" select "Patch and Compliance".
    6. In the 3rd pane select "Patch and Compliance - definition(s) in the 'Alert' group were detected." and drag it down to the "Alerts" well in the bottom pane.
    7. In the left-hand pane select "Actions".
    8. In the 2nd pane select the desired action and then in the right-hand pane click "New".
      For e-mail alerts, see the following article for use of variables:
      http://community.landesk.com/support/docs/DOC-5939
    9. After configuring the action, select "Time" in the left-hand pane, select a pre-defined time ("Always" is recommended) and drag it down to the "Time" well in the bottom pane.
    10. Click "OK" to save the newly created Ruleset.

    Note: For this to work properly, the desired AV-1XX definitions must also be in the Scan group, and within the Scan and Repair Settings the type "Antivirus Updates" must be selected as a type to scan for.