About LANDESK Antivirus Email Notification/Event Types

Version 22

    Verified Product Versions

    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    Description

    This document details the notification events provided by LANDESK Antivirus and how they are categorized.

     

    Configuring LANDESK Email Antivirus Notifications

     

    Management Console

     

    From the Menu Bar, go to Tools > Configure > Agent Settings. Within the Agent Settings Tool, go to Security > LANDESK Antivirus then select the desired configuration.

     

    When the configuration file opens, go to Interface > Email notification settings.


     

    LANDESK Antivirus Client Interface

     

    Open LANDESK Antivirus on a Managed Workstation. Go to Settings > Advanced Settings > Interface > Settings...


    This will bring up the Notifications Window. From here, you can configure where and how LANDESK Antivirus distributes notifications.


    Once the desired configuration has been applied, the Antivirus Configuration will need to be exported and imported into the Management Suite LANDESK Antivirus Settings. It can then be distributed to Managed Workstations.

    This configuration requires allowing permissions in the LANDESK Antivirus Agent Configuration. It also requires exporting and importing a .CFG file into the Management Console. For more information, please reference the following Documents:

    Edit LANDESK Antivirus Agent Permissions

    Exporting and Importing Antivirus .CFG File

     

    About LANDESK Antivirus Event Types

     

    LANDESK Antivirus Events are separated into three Hierarchical categories:

     

    • Critical Events: Events of Critical Importance and faults that indicate problems in the operation of Kaspersky Endpoint Security or Vulnerabilities in protection of the user's computer
      • Example: Malicious Object Detected
    • Important Events: Events that need attention because they reflect important situations in the operation of LANDESK Antivirus Security
      • Example: Databases are out of date
    • Information Events: Formal Events that do not normally contain important information
      • Example: Subscription License has been Renewed

    Informational Events occur frequently. Enabling Email Notifications on these events is not recommended, as the number of emails being processed has been shown to cause system crashes.

    System Audit


     

    Critical Events

    Event | Description
    License Agreement Violated | Current License Expires in 14 days or less; Current Key File is expired; Current key is in the "Black List"
    License has Almost Expired | License will expire in 7 days or less
    Databases are Missing or Corrupted | LANDESK Antivirus base updates have been moved or are no longer valid
    Databases are Extremely out of Date | AV bases are older than 7 days
    Application Autorun is Disabled | Application isn't configured to run at Windows Startup; Not configured for persistent relaunch
    Activation Error | LANDESK Antivirus wasn't able to activate with key - often related to network issues
    Active Threat Detected. Advanced Disinfection should be Started | Detected Malware is already running, hampering disinfection. User is prompted to begin Advanced Disinfection
    Black List of Keys Corrupted or Not Found | See this Community Document
    Task Cannot be Performed | Initiated task was unable to complete; reference LANDESK Antivirus logs for more information.

     

    Important Events

    Event | Description
    Application crashed during previous session | LANDESK Antivirus closed unexpectedly the last time it was run
    License Expires Soon | License will expire in 30 days or less
    Databases are out of Date | AV bases are older than 3 days
    Automatic Updates are Disabled | Automatic Updates are Disabled
    Self-Defense is Disabled | Self-Defense is Disabled. See this Community Document
    Protection Components are Disabled | LANDESK Antivirus was fully installed, but some components were paused or disabled
    Computer is running in Safe Mode | Computer is running in Safe Mode
    There are Unprocessed Files | Suspicious file is awaiting action. See Reports > System Audit in LANDESK Antivirus UI for more information
    Group Policy Applied | PreConfigured Antivirus locked policy was applied to the workstation (Not used natively by LANDESK)
    Task Stopped | Initiated task was stopped by an outside source (User, other program, etc.)
    Quit and Reopen the Application to Complete Updating | LANDESK Antivirus needs to be exited and reopened in order to reflect changes. Typically involves Updating Application Modules
    Computer Restart Required | Computer needs to be rebooted after the last task
    The License Entitles to use Components that have not been Installed | The license activated on the workstation includes features and software not currently being utilized
    Advanced Disinfection Started | Advanced Disinfection is running on a Workstation likely due to an Active Threat being detected
    Advanced Disinfection Completed | Advanced Disinfection has finished running and has removed the Active Threat
    Incorrect Reserve Activation Code | This event does not apply to LANDesk Antivirus
    Subscription License Expires Soon | This event does not apply to LANDesk Antivirus
    Cannot Move to Quarantine | Suspicious/Malicious file cannot be moved to the Quarantine directory. Seek manual removal or Contact Support
    Cannot Restore Object from Quarantine | Suspicious/Malicious file cannot be removed from the Quarantine directory.
    Suspicious Network Activity Detected | Network Attack Blocker detected suspicious activity

     

    Informational Events

    Event | Description
    Product Started | LANDESK Antivirus Started
    Product Stopped | LANDESK Antivirus Stopped
    Action Blocked by Self-Defense | The workstation attempted to Perform a Task that was Stopped by LANDESK Antivirus Self-Defense
    Report Cleared | The Report for Activity History was cleared on the Workstation
    Group Policy Disabled | Group Policy Disabled
    Application Settings Changed | A Configuration Change occurred on the workstation involving LANDESK Antivirus
    Task Started | An AV Task (Scan, Update, Disinfect, Etc.) has been started on the Workstation
    Task Completed | An AV Task (Scan, Update, Disinfect, Etc.) has Completed
    All Application Components that are Defined by the License have been Installed and run in Normal Mode | All Application Components that are Defined by the License have been Installed and run in Normal Mode
    File sent to Kaspersky Lab for Analysis | Typically involved with troubleshooting. Trace Files or GSI report sent to Kaspersky
    Subscription License Parameters have Changed | AV Subscription has been changed Externally and the Workstation is Acknowledging the change
    Subscription License has been Renewed | AV Subscription has been renewed and the Workstation is Acknowledging the renewal
    Object moved to Quarantine | Suspicious/Malicious file was moved to the Quarantine Directory
    Object Restored from Quarantine | Suspicious/Malicious file was moved from the Quarantine Directory (Usually done by user)
    User Name and Password Input | User name and Password was used to Unlock Configuration Options on Workstation (If Configured)

     

    File Antivirus

    Component that controls the computer file system. It scans Open, Launched, and Saved files on your computer and on all attached discs.

    • Every file the workstation interacts with is intercepted by LANDESK Antivirus and scanned for viruses.
    • The workstation can utilize the file if it's not infected or was successfully disinfected by LANDESK Antivirus.
    • If the file cannot be disinfected, it is either deleted or quarantined.


    Critical Events

    Event | Description
    Malicious Object Detected | A Malicious/Viral File was Detected on the Workstation
    Probably Infected Object Detected | A Suspicious File that isn't confirmed to be Malicious was Detected
    Disinfection Impossible | Disinfection of a Malicious file Attempt Failed. Will likely be Quarantined/Deleted
    Cannot be Deleted | A Malicious File that failed to Disinfect also failed to Delete. Seek Manual Removal or Contact Support
    Processing Error | LANDesk Antivirus was not able to scan an object due to a different reason (e.g. access denied)

     

    Important Events

    Event | Description
    Cannot Back Up | Backup Copying Failed. Reference LANDESK Antivirus Logs for more information
    Cannot Move to Quarantine | Malicious File failed to move to Quarantine and will likely be Deleted
    Object not Processed | File was not scanned. This can happen for several reasons
    Object Encrypted | The file to be scanned is encrypted
    Object Corrupted | The file to be scanned is corrupted (e.g. file header does not match file body)
    Object will be Deleted on Restart | Malicious File cannot be Deleted until the Workstation is Rebooted
    Object will be Disinfected on Restart | Malicious File cannot be Disinfected until the Workstation is Rebooted
    Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected | Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected

     

    Informational Events

    Event | Description
    Object Processed | Object was scanned (This Event does not Notify by Default)
    Object Disinfected | Suspicious Object/File was Disinfected and can be used by the Host Workstation
    Object Deleted | Suspicious Object/File failed to be Disinfected and was Deleted
    A Backup Copy of the Object was Created | Copies of files that have been deleted or modified during disinfection are moved to backup storage
    Object moved to Quarantine | Suspicious Object/File was moved to the Quarantine Directory
    Object Skipped | Object was skipped due to scan exclusions or limits (e.g. maximum archive size limit)
    Archive Detected | LANDesk Antivirus recognized the file to be scanned as an archive (e.g. .zip .cab .rar etc.)
    Packed Object Detected | LANDesk Antivirus recognized the file to be scanned as a packed object (e.g. .exe executables)
    Overwritten by a Copy that was Disinfected Earlier | Suspicious file was overwritten by a previously disinfected copy of the same file
    Object will be Moved to Quarantine on Restart | Suspicious File cannot be Quarantined until the Workstation is Rebooted
    Password-Protected Archive Detected | LANDESK Antivirus was unable to access this Directory. Usually in compressed formats such as RAR or ZIP
    Information about Detected Object | Information about Detected Object was Recorded

     

    Mail Antivirus

    Component that protects incoming and outgoing mail from malicious objects.

    • Each email received or sent by the workstation is intercepted by Mail AntiVirus.
    • The email is broken down into three parts: the Email Heading, Body, and Attachments.
    • The body and attachments of the email (including OLE attachments) are scanned for dangerous objects. Malicious objects are detected using the databases included in the program and with LANDESK Antivirus. The databases contain descriptions of all the malicious programs known to date and methods for neutralizing them. LANDESK Antivirus can also detect malicious objects not yet in the database.


    Critical Events

    Event | Description
    Malicious Object Detected | A Malicious/Viral File was Detected on the Workstation
    Probably Infected Object Detected | A Suspicious File that isn't confirmed to be Malicious was Detected
    Disinfection Impossible | Disinfection of a Malicious file Attempt Failed. Will likely be Quarantined/Deleted
    Processing Error | LANDesk Antivirus was not able to scan an object due to an error (e.g. access denied)

     

    Important Events

    Event | Description
    Object not Processed | File was not scanned
    Object Corrupted | The file to be scanned is corrupted (e.g. file header does not match file body)
    Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected | Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected

     

    Informational Events

    Event | Description
    Object Processed | Object was scanned (This Event does not Notify by Default)
    Object Disinfected | Suspicious Object/File was Disinfected and can be used by the Host Workstation
    Object Deleted | Suspicious Object/File failed to be Disinfected and was Deleted
    A Backup Copy of the Object was Created | Copies of files that have been deleted or modified during disinfection are moved to Backup storage
    Object moved to Quarantine | A Suspicious Object/File was moved to the Quarantine Directory
    Archive Detected | LANDesk Antivirus recognized the file as an archive (e.g. .zip .cab .rar etc.)
    Packed Object Detected | LANDesk Antivirus recognized the file as a packed object (e.g. .exe executable)
    Object Renamed | Suspicious Object/File was renamed in order to prevent use
    Object will be Moved to Quarantine on Restart | Suspicious File cannot be Quarantined until the Workstation is Rebooted
    Password-Protected Archive Detected | LANDESK Antivirus was unable to access this Directory. Usually in compressed formats such as RAR or ZIP
    Information About Detected Object | Information about Detected Object was Recorded

     

    Web Antivirus

    • Analyzes site addresses and blocks access to dangerous sites.
    • Scans the objects downloaded over HTTP.


    Critical Events

    Event | Description
    Malicious Object Detected | A Malicious/Viral File was Detected on the Workstation
    Probably Infected Object Detected | A Suspicious File that isn't confirmed to be Malicious was Detected
    Processing Error | LANDesk Antivirus was not able to scan an object due to an error (e.g. access denied)
    Blocked | A Malicious Link/Object was blocked from accessing the workstation via the Web
    Previously Opened Phishing Link Detected | WebAV detected a phishing link, which was accessed earlier
    Previously Opened Malicious Link Detected | WebAV detected a malicious link, which was accessed earlier

    Important Events

    Event | Description
    Object Corrupted | Scanned file is corrupted (e.g. file header does not match file body).
    Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected | Legal Software that can be used by Criminals for Damaging your Computer or Personal Data was Detected

    Informational Events

    Event | Description
    Object Processed | Object was scanned (This Event does not Notify by Default)
    Archive Detected | LANDesk Antivirus recognized the file as an archive (e.g. .zip .cab .rar etc.)
    Packed Object Detected | LANDesk Antivirus recognized the file as a packed object (e.g. .exe executable)
    Allowed | Action/object was allowed by Web AV
    Information about Detected Object | Information about Detected Object
    Password-Protected Archive Detected | LANDESK Antivirus was unable to access this Directory. Usually in compressed formats such as RAR or ZIP

     

    IM Antivirus

    Performs the same tasks as Mail Antivirus but for Instant Messaging Applications. Scans for:

    • Links to phishing and suspicious sites (as defined by Mail Antivirus Database).
    • Infected Code in the Text Message


     

    Critical Events

    Event | Description
    Malicious Object Detected | A Malicious/Viral File was Detected on the Workstation
    Blocked | A Malicious Link/Object was blocked from accessing the workstation via IM

     

    Informational Events

    Event | Description
    Object Processed | Object was scanned (This Event does not Notify by Default)

     

    System Watcher

    Monitors program actions and compares them with dangerous activity patterns.

    • Logs Application Activity for AV database purposes.
    • Detects Malware Programs and Blocks their Actions.
    • Rolls Back Actions of the Malware Detected by other Components.

     

    Critical Events

    Event | Description
    Malicious Object Detected | A Malicious/Viral File was Detected on the Workstation
    Probably Infected Object Detected | A Suspicious File that isn't confirmed to be Malicious was Detected
    Process Terminated | A Malicious Process (Typically assumed to be Malware) was found running and terminated
    Blocked | A Malicious Program/Process was blocked from running on the Workstation
    Unable to Terminate Process | A Malicious Process (Typically assumed to be Malware) was found running and failed to Terminate. Seek Manual Termination or Contact Support

     

    Important Events

    Event | Description
    Cannot Move to Quarantine | Malicious File failed to move to Quarantine and will likely be Deleted
    Rollback Completed | Actions done by Malware were Successfully Rolled back to a Previous, Uninfected state

     

    Informational Events

    Event | Description
    Object Moved to Quarantine | A Suspicious Object/File was moved to the Quarantine Directory
    Object Deleted | Suspicious Object/File failed to be Disinfected and was Deleted
    Allowed | System Watcher checked and allowed an action
    File Restored from Backup | System Watcher restored the file from backup (e.g. during rollback of malicious activity)
    Registry Value Restored | System Watcher restored the registry entry (e.g. during rollback of malicious activity)
    Registry Value Deleted | System Watcher deleted the registry entry
    Object Renamed | Malicious Object/File was renamed in order to prevent use

     

    Network Attack Blocker

    Component used to block Network Attacks including:

    • Port Scanning.
    • Denial-Of-Service Attacks.
    • Buffer-Overrun Attacks.
    • Various Malicious Remote Actions taken against Programs and Services in the Network.

    Network Attack Blocker uses Signatures and blocks all Connections that Correspond to Descriptions of Known Network Attacks.


     

    Critical Events

    Event | Description
    Network Attack Detected | An instance of one of the above Attacks was detected on the network. Seek more information from the LANDESK Console Security Activity Window