L.E.M.S.S. AntiVirus: New scan engine released

Version 1

    Details

    Lumension Endpoint Management and Security Suite (LEMSS) - AntiVirus module version 7.1 and later

    AV Scan Engine version 7.0 constitutes a significant update of our AntiVirus scan engine.  Customers will benefit from performance improvements at system start-up and several malware detection enhancements, including default use of the SandBox technology.

    ENHANCEMENTS

    The following is the full list of enhancements provided by AV Scan Engine version 7.0:

    • Improved performance
      • Improved scanning speed
      • Reduced time spent during initialization
    • Improved detection
    • Reduced memory usage, especially during initialization
    • Improved stability
    • New definition file format
      • Less time is used to apply increments during initialization
    • Improved scanning for several file formats
      • Flash
      • Support for several PE packers
      • Improved speed when scanning text files
    • SandBox is now an integral part of the scan engine; it is always turned on and used as part of regular detection
    • Support for new file formats
      • Windows x64 (PE32+)
      • Apple binaries (Mach-O)
      • .NET binaries

    SandBox

    As noted above, SandBox is now an integral part of AV Scan Engine version 7.0 and is always turned on.  This change provides better protection against new malware and malware variants.  On previous versions of the scan engine, SandBox was an optional setting in the AntiVirus policy wizard.  The performance improvements in AV Scan Engine version 7.0 allow SandBox to be always on without a noticeable performance impact on the user. 
    The SandBox controls in the AntiVirus policy wizards remain, but changing them no longer has any effect on scanning.  Existing AntiVirus policies that show SandBox as turned off in the UI will in fact have SandBox turned on once AV Scan Engine version 7.0 is loaded.  Until the SandBox UI settings are removed from the wizards in an upcoming release, the policy UI should not be relied on to tell whether SandBox is active on an endpoint; the loaded engine version determines that.

    Malware Type Reporting

    AV Scan Engine version 7.0 has simplified the reporting of malware types.  Previous versions of the AV scan engine reported a range of different malware types to add further information about the detected malware. This made sense many years ago, when the number of known malware types was relatively small.  However, the different categories reported by AV Scan Engine v6 are no longer meaningful.  With AV Scan Engine version 7.0, all detected malware is reported simply as “virus”.  Any reports or alert filters that rely on the previous type categories should be reviewed after the engine update, since only the “virus” type will be reported from then on.

    OTHER INFORMATION

    What versions of L.E.M.S.S. AntiVirus are affected?

    All versions of L.E.M.S.S. AntiVirus (7.1 or higher) will receive the updated AV Scan Engine version 7.0.  Updates to the AV engine are provided automatically through the L.E.M.S.S. AntiVirus content feed.

    How will AV Scan Engine version 7.0 become available?

    Scan engine updates are delivered using the same mechanism as the AntiVirus definition file updates.  Minor engine updates are currently released approximately once a quarter and are downloaded seamlessly.  Once the new engine is made available on GSS, it will automatically be downloaded by the LEMSS server at its next check for updates (determined by the AntiVirus polling frequency) and then made available to endpoints, which download and load the new engine along with the associated definitions.  The new scan engine is approximately 2.5MB in size, similar to previous updates.  As with any engine release, a full set of base definition files will be released at the same time. 

    AV Scan Engine v7.0 along with the full set of base definitions will be made available on Monday November 12th at 11am EST (4pm GMT).

    As the base definition file is large (approximately 250MB), customers may want to take steps to minimize the impact on their network bandwidth.  Customers can change the AV polling frequency (Tools > Subscription Updates) so that the “check for updates” occurs at a time that is more convenient for them.  The polling frequency defaults to 60 minutes, and the interval is measured from the time the setting is saved.  For example, if customers wanted the update to occur at 2pm EST, they could edit the Antivirus Subscription Service Configuration page at 10am EST (1 hour before the engine is released) and set the polling frequency to 240 minutes (4 hours).  Once this setting has been saved, the server will next check for updates 4 hours later, at 2pm EST.  Customers should remember to revert the polling frequency to 60 minutes, or their preferred frequency, once the new engine has been downloaded; otherwise subsequent checks will continue at the longer interval.