This article describes how to configure alerts to be triggered for clients that have out of date Antivirus definitions.
This can be configured for Ivanti Antivirus or other third-party Antivirus vendor definitions.
For a complete list of Antivirus vendor definitions that can be managed through Patch and Compliance Manager, see the following article:
Configuring the alerts consists of several steps:
- Configure the Custom Variables for the AV-1XX definition to configure the allowed definition age
- Place the appropriate vulnerability definition into the Alert group in Patch and Compliance Manager
- Configure the associated alert
Configure the Custom Variable for the AV-1XX definition to configure the allowed definition age
There are several Vulnerability Definitions within Patch and Compliance Manager that can be used to alert on definition age for various Antivirus vendors:
AV-103 - Symantec Virus Scanner Pattern File Up To Date
AV-105 - McAfee Virus Scanner Pattern File Up To Date
AV-106 - Trend Micro Virus Scanner Pattern File Up To Date
AV-107 - Ivanti Virus Scanner Pattern File Up To Date
AV-111 - eTrust Virus Scanner Pattern File Up To Date
AV-112 - ESET Virus Scanner Pattern File Up To Date
AV-113 - Kaspersky Virus Scanner Pattern File Up To Date
AV-114 - Forefront Endpoint Protection Pattern File Up To Date
AV-115 - CA Total Defense Pattern File Up To Date
AV-116 - AVG Anti-Virus Pattern File Up To Date
AV-117 - Windows Defender Definition File Up To Date
AV-120 - Avira Virus Scanner Pattern File Up To Date
AV-124 - VIPRE Pattern File Up To Date
Within the properties of each of these definitions is a "Custom Variables" tab. This tab is used to set the maximum allowable pattern file age.
To set this value:
- Right-click and select "Properties" on the desired Vulnerability Definition (AV-105, AV-106, AV-107, AV-111, AV-112, AV-113, AV-114 or AV-115)
- Next to "Number of Days since Last Updated" set the desired number of the maximum number of days allowed between successful pattern file updates. (The default value of "0" means the pattern file date on the client must match the last downloaded pattern files date on the core server).
Place the appropriate vulnerability definition into the Alert group in Patch and Compliance Manager
Select one of the AV-1XX definitions that corresponds with your AV vendor and drag it into the Alert group in Patch and Compliance manager. Note: You may need to expand the "Groups" section in the left-hand pane.
Configure the associated alert
- In the Management Suite Console go to Tools --> Configuration --> Alerting
- In the left hand pane under "Alert Rulesets" right-click "LDMS Default Ruleset" and select "Edit"
- In the right-hand pane under "Rules" select "Add". This will open a "Configure Ruleset" section in the bottom with three sections - "Alert", "Actions", and "Time".
- In the left hand pane select "Alerts"
- In the 2nd pane under "Standard" select "Patch and Compliance".
- In the 3rd pane select "Patch and Compliance - definition(s) in the 'Alert' group were detected." and drag it down to the "Alerts" well in the bottom pane.
- In the left-hand pane select "Actions".
- In the 2nd pane select a desired action and then in the right-hand pane click "New".
For e-mail alerts, see the following article for use of variables:
Additional Variables for Alerting
- After configuring the action, select "Time" in the left-hand pane and then either select a pre-defined time (Always is recommended) and drag it down to the "Time" well in the bottom pane.
- Click "OK" to save the newly created Ruleset.
Note: For this to work properly, the desired AV-XXX definitions must be in the Scan group, and within the Scan and Repair Settings the Type "Antivirus Updates" must be set as a type to scan for.