Getting started with Ivanti Antivirus

Version 14

    Verified Product Versions

    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x

    This document is a step-by-step best-practices guide for setting up, configuring and maintaining Ivanti Antivirus.  It is meant as a quick-start guide and does not go into advanced options.

     

     

     

    After installation of the Core Server and/or purchase of the Ivanti Antivirus product the following steps must be performed prior to deploying Ivanti Antivirus to LDMS clients.

     

    The following Ivanti Antivirus Action Center dialog helps guide the Administrator to install and configure Ivanti Antivirus appropriately:

    AVActionCenter.jpg

    This dialog appears after selecting the Ivanti Antivirus component the first time as part of an Agent Configuration.  It also can be accessed by using the Settings drop-down menu in the Security Activity tool.

     

    Step 1 - Acknowledge removal of other antivirus software

     

    The Ivanti Antivirus installation process will attempt to remove other security software on the computer that is known to conflict with the Ivanti Antivirus product.  Often having more than one security solution installed will result in one or both products malfunctioning, thus reducing the overall security of the system.  This check is to ensure that the administrator is aware that this software will be removed before they can proceed.

     

    Action: Check the box under "Acknowledge that other antivirus software will be removed".

     

    Step 2 - Import Ivanti Antivirus License

     

    Ivanti Antivirus and an Ivanti Antivirus subscription must be purchased in order to use the product and receive updates (pattern files and product updates).  See: Antivirus & Malware Detection Software | Ivanti

     

    If you have purchased Ivanti Antivirus and have misplaced your license information:

    Either log a case via support.landesk.com or contact Ivanti Support by phone.

     

    If contacting by phone, do the following:

     

    1. Select option 1 for Product Activation/Licensing.
    2. Select option 1 again for LDMS/LDSS Licensing support.
    3. Give the Support Engineer your company account name and your contact information.
    4. The Support Engineer will provide an Ivanti Antivirus license key via e-mail.  This .key file will be within a .zip file and will include a .PDF file with the license details.

     

    Actions:

    1. In the Ivanti Antivirus Action Center dialog under "Ivanti Antivirus license key required" click on "Import new license"
    2. Unzip the file provided that contains your license.
    3. Browse to the .KEY file, select it, and then click "Import"
    4. Click "Close"

     

    The current license information should appear in the two lower sections of the Ivanti Antivirus Action Center window.  This information includes the creation date, license number, license information number, activated nodes, maximum count, and the earliest expiration found in your environment (as reported in Ivanti inventory).

     

    Step 3 - Check whether any clients are nearing license expiration

     

    This check ensures that you do not deploy agents using a license key that is near expiration and also warns of existing clients in the environment that have a license that is nearing expiration.  This warning threshold can be set.  The default is 7 days.

     

    Further client license information can be viewed in the Security Activity tool in the Licenses section.

     

    Step 4 - Download Antivirus Definitions (Pattern Files) and schedule regular pattern file downloads

     

    This check ensures that pattern files have been recently updated.  This will tell you how long ago definitions were downloaded.  In addition, this warning threshold can be changed.  The default for the threshold is 3 days.

     

    Download Latest Updates

    1. In the Ivanti Antivirus Action Center click "Go to download updates"
      This will open the Ivanti Antivirus tab of the Download Updates tool.  This tool can be opened again by clicking on the first icon (Download updates) in the Security Activity tool.
    2. Click "Get latest definitions".  This process may take a while, especially if it is the first time updating to the latest definitions (pattern files).
      ScheduleAVUpdates.jpg

    3. Ensure the number of pattern file backups is set to the value you want.  By default, this is 5.

     

    Turn off notification in the Action Center for Antivirus versions you do not have

     

    1. Go to the tab for each Antivirus pattern version that you do not have in your environment and uncheck the box that says "Notify using Ivanti Antivirus action center".

      Note: In order for the green check box to appear in the Ivanti Antivirus action center for the "Antivirus definitions are up to date" section, you must have either downloaded the definitions for that version or unchecked the "Notify using Ivanti Antivirus action center" box.

     

    Schedule regular pattern file downloads to the core server

     

    1. Click on the "Updates" tab of the "Download Updates" tool.
    2. Ensure that only Windows / Security / Antivirus / Ivanti Antivirus Updates is selected.
    3. Click "Schedule Download"
    4. Rename the task to "Download Antivirus Definitions" or "Download Antivirus Pattern files".

     

    This will open the Scheduled Tasks tool, where the task can be configured to run daily.  (If you want to schedule it to run twice a day or more, multiple scheduled tasks can be created to start at different times.)
    ScheduleAVUpdatesScheduledTask.jpg

     

    By default, clients are configured to download their pattern files from the Core server and fall back to the Internet (direct download from Kaspersky).  This can be configured within the Ivanti Antivirus settings (within the Agent Settings tool and Security) with the following 4 options:

     

    • Core only
    • Core first.  Fall back to Internet if core is not available.
    • Internet only.
    • Internet first.  Fall back to core if Internet is not available.

    AVDownloadSources.jpg


     

    Note:

     

    Step 5 - Add and Configure Ivanti Antivirus within the Agent Configuration

     

    1. Open the Agent Configuration tool within the Configuration tool group.
    2. Under the Start section select the Ivanti Antivirus agent component check box.
    3. Under the Distribution and Patch subgroup open the Security and Compliance subgroup and then select Ivanti Antivirus.
    4. Select Configure next to Ivanti Antivirus Settings.
    5. Either create a New configuration or Edit an existing configuration.
      AVComponentAgentConfig.jpg
      Within this document, we will only focus on scheduling regular pattern file updates and virus scans.  Other configuration options will be left as default.  These should be reviewed prior to saving the configuration.  It is assumed that Real-time Protection will be turned on.  Further details about these settings can be found here:
      KL 102.10: Kaspersky Endpoint Security and Management

    6. Click on the Scheduled Tasks section.
    7. It is recommended to do the following:

     

    • Configure Updates to run daily.
    • Configure Full Scan to run weekly.
    • Configure Critical Areas Scan to run daily.

    ClientScheduledTasksAV.jpg



    It is advised to have the scheduled updates run prior to the scan tasks so that the scans use the latest definitions available.

     

    Step 6 - Monitor Antivirus Activity

     

    The Security Activity tool in the Security and Compliance tool group can be used to monitor client Antivirus activity as shown here:

    AVSecurityActivity.jpg

    Step 7 - Adding Antivirus information to column sets

     

    To confirm that real-time protection is running, that the product is up to date, and that the latest virus definitions are being used, it is recommended to add Antivirus information to your column set.

     

    Follow these instructions to create the correct column set:

     

    1. Under the "Administration" tool group open the "Column set configuration" tool.
    2. Right-click "My Column Sets" or "Public Column Sets" and select "New Column Set"
    3. In the top pane scroll down to and expand "Security" and then "Antivirus Software" and then "Antivirus"
    4. Double click the following in order:
      • Product Name
      • Product Version
      • Definition Publish Date
      • Auto Protect
    5. In the top pane go to the top of the tree and then look downward for the "Ivanti Management" node.
    6. Expand the "Agent Settings" sub-node and double-click "Unique ID".
    7. Go upward in the tree and find top-level node "Common Base Agent 8" and expand it.
    8. Double-click on "Version".

     

    At this point, your columns should look like this:

    AVColumns.jpg

    To make this window easier to read, drag it to a larger size and double-click the column headers to make them auto-fit.

     

    There are a few more steps to complete to make the data more presentable:

     

     

    Changing Alias Names

    First, change the alias names.  This is done by double-clicking the existing names under "Alias".

     

    Here are the suggestions:

     

    Original Name              Replacement Name
    Product Name               Antivirus Product
    Definition Publish Date    Pattern File Date
    Product Version            Antivirus Version
    Auto-Protect               Realtime Scanner
    Unique ID                  AV Settings ID
    Version                    LDMS Version

     

    A few more changes will be necessary to show the correct data.  Several columns can apply to different items, so we need to qualify which entry we are looking for.  As an example, Unique ID can apply to any number of settings, so we will need to qualify that we want the Antivirus Setting.

     

    Qualifying the data

     

    When a selected field has more than one sub-field, you must use the qualify option.

     

    Steps to qualify the data we are looking for:

     

    1. Click on the "Qualifier" field next to "Computer"."Ivanti Management"."Agent Settings"."Unique ID".
    2. Click the "Qualify" button and select "Ivanti Antivirus".

     

    Resulting Column Set

     

    FinalAVColumns.jpg

    There may be times that a computer is listed 2 or more times.  This can occur if more than one antivirus solution is detected as installed.  If you look at this information in the inventory, you will find Security -> Antivirus -> 0 and Antivirus -> 1 (two separate subnodes), each with Antivirus information.  This is demonstrated by the computers highlighted in red above.
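
An added example (not part of the Ivanti documentation or product): a Python check over a CSV copy of the column set built above, flagging devices that are listed more than once, stale pattern files, and a real-time scanner that is not on. The CSV export itself, the "Device Name" column, the ISO date format, the "On"/"Off" values, the sample rows, and reusing the 3-day default from Step 4 as the age limit are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export. Header names follow the aliases suggested above;
# "Device Name", the ISO date format and the "On"/"Off" values are assumptions.
SAMPLE_CSV = """Device Name,Antivirus Product,Pattern File Date,Antivirus Version,Realtime Scanner
WS-001,Ivanti Antivirus,2024-05-09,10.2.5,On
WS-002,Ivanti Antivirus,2024-05-01,10.2.5,On
WS-003,Ivanti Antivirus,2024-05-10,10.2.5,Off
WS-004,Ivanti Antivirus,2024-05-10,10.2.5,On
WS-004,Other AV Product,2024-04-02,7.1,Off
"""

def review_export(csv_text, today, max_age_days=3):
    """Return {device: [findings]} for every device that needs attention."""
    rows_by_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows_by_device[row["Device Name"].strip()].append(row)

    findings = defaultdict(list)
    for device, rows in rows_by_device.items():
        # A device listed twice means inventory holds more than one Antivirus subnode.
        if len(rows) > 1:
            products = sorted(r["Antivirus Product"] for r in rows)
            findings[device].append("multiple antivirus entries: " + ", ".join(products))
        for row in rows:
            product = row["Antivirus Product"]
            raw_date = row["Pattern File Date"].strip()
            try:
                age = (today - datetime.strptime(raw_date, "%Y-%m-%d").date()).days
            except ValueError:
                findings[device].append(f"{product}: unreadable pattern file date {raw_date!r}")
            else:
                if age > max_age_days:
                    findings[device].append(f"{product}: pattern files {age} days old")
            if row["Realtime Scanner"].strip().lower() != "on":
                findings[device].append(f"{product}: realtime scanner not on")
    return dict(findings)

if __name__ == "__main__":
    for device, notes in review_export(SAMPLE_CSV, date(2024, 5, 10)).items():
        for note in notes:
            print(f"{device}: {note}")
```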

     

    Additional Documents

     

    How to troubleshoot Ivanti Antivirus license issues

     

    How to troubleshoot Ivanti Antivirus

     

    How to report undetected malware to Ivanti

     

    Ivanti Antivirus false positive virus detection submission process

     

    Further articles can be found at the Ivanti Antivirus landing page.