For more information on this topic, please visit the product help file: https://help.ivanti.com/docs/help/en_US/LDMS/10.0/default.htm#Windows/security-avman-t-evaluate-avdef-files-test.htm?Hi…
It is possible to get Antivirus pattern file content that contains a virus signature that will incorrectly detect malware within a file that does not contain actual malware. This is known as a false positive.
If this causes downtime due to application or operating system disruption, take the following steps to update the pattern files to known good content.
Download the latest Antivirus pattern files to the core server or restore an older version of pattern files on the core server.
- In the Security and Patch Manager tool, click the "Download Updates" icon.
- Select the Ivanti Antivirus tab.
- Chances are the issue has been resolved with an update to the pattern files. You should try the latest version of the pattern files first. You can get the latest version of the pattern files by clicking "Get latest definitions".
- In the event that the issue has not yet been fixed, you can restore an older version of the antivirus pattern files. Do this by selecting an older set of pattern files under "History" and then clicking "Restore".
Once either newer pattern files or older pattern files that do not contain the bad pattern file content are set as the active "approved for distribution" pattern files, the clients must be updated. This will happen the next time the local scheduled update task runs. To start an update on the clients immediately, see the following steps.
Updating the pattern files on the clients
After the pattern files are updated or restored on the core server, a pattern file update and full system scan should be run on the affected clients.
- Open the Agent Settings tool. (Clock and calendar)
- Click the Create a Task icon.
- Select "Ivanti Antivirus task".
- This will open the "Ivanti Antivirus update/scan task" dialog.
- From here you should check the box next to Update Virus Definitions and in the drop-down box select Start full scan
You can also select Automatically target all Ivanti Antivirus machines if so desired
- Modify other task settings as desired and click Save.
- Drag targets to the task and set the start schedule.
Using the Pilot feature to minimize the impact of False Positives
Using the Pilot feature for the Antivirus pattern files can minimize the impact of a false positive issue. The tradeoff of using the Pilot feature is a further delay in getting the latest definitions out to your broader base of clients.
The following explains the Pilot feature and how to set it up in your environment:
Screenshot taken from the Download Updates, Ivanti Antivirus tab.
When downloading virus definitions, you have the option to place downloaded definitions into a Pilot test state and then release them to the general populace of clients after a set period. This allows you to assign certain computers (possibly the IT group) to download Pilot test definitions first, and then, after a period of 1 day or another period of your choosing, release them to the remainder of the computers in the environment.
The current definitions in pilot will be listed in the section "Approved for distribution", and those that are approved for general distribution are listed in the section "Pilot".
In order to set specific computers to use the Pilot test definitions, you need to create a new Antivirus Setting and assign the setting to your clients from your pilot group.
1. To create a new Antivirus Setting, click the drop-down by the "Configure Settings" icon in the Agent Settings tool and then select "Ivanti Antivirus Settings"
2. Either edit an existing setting, or create a new setting (Select an existing setting and click "Edit" or click "New")
3. Go to the "Scheduled Tasks -> Update" section and check the box marked "Download 'pilot' version of virus definition files"
4. Go through the other sections and make your desired selections.
At this point you can choose the Antivirus Settings when you are pushing out your agent, and/or you can push the updated settings to your clients using a "Change Settings" task.
To create a Change Settings task to change Antivirus Settings:
- Click the "Create a Task" icon in Security and Patch Manager and select "Change Settings". This will open a dialog where you select the desired setting and set the desired scheduled task settings.
- Select the Antivirus Settings that contain the "Download pilot version of definition files" option and click [OK].
- You can now drag the target computers and/or groups or queries to this task and start it at the desired time.