False Positive Detection for Landesk Files flagged by AV vendors

Version 3

    Verified Product Versions

    Endpoint Manager 9.5
    Endpoint Manager 9.6
    Endpoint Manager 2016.x



    The purpose of this document is to assist LANDESK Administrators in understanding how to handle LANDESK files being flagged as suspicious by Antivirus (AV) vendors. This issue typically surfaces when a new version of LANDESK is released and can prevent full functionality of LANDESK.


    In order to restore full functionality, the quarantined LANDESK files will need to be white-listed in your AV settings.



    The most common methods AV scan engines use are signature-based and heuristic detection. Signature-based detection is the most accurate: if the quarantined file matches a signature in a virus definition, the file is more than likely malicious. Heuristic detection looks for similarities in behavior to known malware. A number of heuristic rules will flag new files introduced into your environment, but one criterion that is sure to "raise a red flag" is a file that is not in the AV vendor's database. It is not recommended that you ignore these warnings, but understand that most of the detections generated by the heuristic method are likely false positives. VirusTotal can be used to analyze the "suspicious" file outside of the scan engine your AV vendor has provided.



    Submit the File to the Vendor


    If you experience a false positive, compile the "infected" file(s) into a password-protected .ZIP file with the password 'infected' (without quotes). Name the file "FalsePositive(UniqueName).zip" (where "UniqueName" is a filename of your choosing) and submit it to the vendor providing your AV solution.
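    The following PowerShell script is an added example, not part of this article or of the LANDESK product: it records the SHA-256 hash and Authenticode signature status of each quarantined file (the hash can be searched on VirusTotal without uploading the file, and an unsigned or wrongly signed binary should not be white-listed as a false positive), then packages the files per the naming and password convention above. It assumes 7-Zip is installed at the path given by the $SevenZip parameter, because the built-in Compress-Archive cmdlet cannot set a ZIP password.

```powershell
# Added example (not from the LANDESK article). Usage:
#   .\Package-FalsePositive.ps1 -Path C:\Quarantine\a.exe, C:\Quarantine\b.dll -UniqueName Core96
param(
    [Parameter(Mandatory = $true)][string[]]$Path,       # quarantined LANDESK files, restored to a working folder
    [Parameter(Mandatory = $true)][string]$UniqueName,   # becomes FalsePositive(<UniqueName>).zip
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'  # assumed 7-Zip location; adjust if different
)

# Triage record: hash (for VirusTotal lookup by hash) and code-signing status of each file.
$report = foreach ($file in $Path) {
    $item = Get-Item -LiteralPath $file
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        File      = $item.Name
        SizeBytes = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status        # 'Valid' is expected for genuine vendor binaries
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -LiteralPath "FalsePositive($UniqueName).csv"

# Package per the article's convention: name FalsePositive(UniqueName).zip, password 'infected'.
if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }
$zipName = "FalsePositive($UniqueName).zip"
& $SevenZip a -tzip -pinfected $zipName @Path | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
Write-Host "Wrote $zipName (password: infected). Attach it and the .csv to your vendor submission."
```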



    Note: If you have specific issues with LANDESK files being flagged as suspicious, please open a support case.