Lumension Endpoint Management and Security Suite (LEMSS) with the AntiVirus module actively deployed
What is the issue?
HEATsoftware has determined that the antivirus (AV) definition file released at approximately 4:30am EST / 9:30am GMT on Saturday, December 15th (AV Definition v7.0.1355548122) included a signature with a false positive detection. This false positive may cause excessive alerts of files misidentified as malware and, depending upon your AV policy settings, may result in more serious system issues.
Updated definition files have since been released, and it is imperative that you check that the AV definition file on your L.E.M.S.S. server and endpoints is v7.0.1355588168 or higher. If it is not, please contact HEATsoftware Support immediately using the toll-free numbers listed in the Customer Portal or by sending an email to support@HEATsoftware.com.
Who does this impact?
This technical issue could impact any HEATsoftware customer that has actively deployed L.E.M.S.S. AV policies.
Customers will know they have been impacted if their Virus and Malware Event Alerts include Heuristic_Anomaly.A virus. Customers can check for this in L.E.M.S.S. by navigating to Review > Virus and Malware Event Alerts. The view can be filtered by entering "Heuristic_Anomoly.A" into the Virus or malware name filter at the top of the page. If no alerts appear with this name, the customer has not been affected by this issue.
At 4:30am EST / 9:30am GMT on Saturday morning (December 15, 2012), an antivirus definition file (v7.0.1355548122) provided to HEATsoftware by our AV OEM partner started to falsely detect Windows systems and application files as malware. Depending on the customers Real-Time Monitoring or Recurring AV Scan policies, this caused system or application files to be either deleted or quarantined. This in turn caused impacted systems to become unstable.
New definition files have since been provided to HEATsoftware by our AV partner. These have been published on HEATsoftware’s content distribution network. These new AV definition files (v7.0.1355588168 or higher) will be pulled by the L.E.M.S.S. server based on the AV Subscription Service Configuration setting; by default, the L.E.M.S.S. server will look for and syndicate updated content every 60 minutes. These new AV definition files will then replace the faulty definition file automatically.
Depending on specific settings in your AV monitoring and scan policies, a system could still be impacted.
If Real-Time Monitoring polices were in place and the system was actively running at the time the faulty AV definition file was syndicated from the content distribution network, it is likely that the system will have been negatively affected by the faulty definition file and may be unstable. If the system only has Recurring AV Scan policies and a scheduled scan occurred using the faulty policy, the system would also be negatively affected.
Depending on monitoring and scanning policy settings, the affected system and application files may have been either quarantined or deleted. If the file was deleted then the customer must either restore from back up or reimage the machine. HEATsoftware’s Development team continues to work with Customer Support to explore additional possible solutions that may aid customers in restoration and remediation efforts.
If the system was not active during the time of syndication of the faulty AV definition file, or if a scheduled scan did not occur until after an updated AV definition file was in place, then the system should not be affected by this issue.
The HEATsoftware Support team is working 24x7 with customers whose systems have been adversely affected and assisting them to get back up and running.
What is HEATsoftware doing about this issue?
An updated AV definition file (v7.0.1355588168) was released at approximately 1:43pm EST / 6:43pm GMT on Saturday (December 15, 2012) by HEATsoftware’s OEM AV partner. This and subsequent definition files have been published on HEATsoftware’s content distribution network. These new AV definition files (v7.0.1355588168 or higher) will be pulled by the L.E.M.S.S. server based on the AV Subscription Service Configuration setting (by default, the L.E.M.S.S. server will look for and syndicate updated content every 60 minutes) and will automatically replace the faulty definition file.
HEATsoftware has informed all customers and partners with an active HEATsoftware AntiVirus entitlement on about this issue and what steps to take in order to remediate or validate that the issue has impacted their system environment. HEATsoftware is working with customers around the clock to remediate the issue and return systems back to full operations as quickly as possible. HEATsoftware is asking for any customer who thinks that their system may have been adversely impacted by this event to contact HEATsoftware Support immediately. Please see the HEATsoftware Customer Portal for contact information.
Is there any continued potential impact?
There is a small window of risk remaining under some very specific conditions:
- If an endpoint received a bad definition file and then was turned off and then turned back on without first connecting to the L.E.M.S.S. server to receive the new updated definition file.
- Alternatively, if the endpoint was left on and Real-Time Monitoring policies were in place and set to “delete” or “quarantine,” then that endpoint may not receive the new and updated definition file. If the system only has Recurring AV Scan policies and a scheduled scan occurred using the faulty policy, then the system would also experience the same negative effects.
What can HEATsoftware Customers do to minimize any potential impact?
- If the LEMSS AV endpoints were off at the time that this faulty definition file was sent and have remained off during the time that it took to send a new definition file, then you will not be affected by this issue as your endpoints will check in and receive the latest definition files.
- An updated definition file (v7.0.1355588168) has been released, and it is imperative that you check that the AV definition file on your L.E.M.S.S. server and endpoints is v7.0.1355588168 or higher. New definition files are released typically twice a day, so it is likely you will see a newer AV definition file on your L.E.M.S.S. server.
- Please check the AV definition file on your L.E.M.S.S. Server by selecting ‘Tools’ --> ‘Subscription Updates’ --> ‘Configure’ button --> ‘AntiVirus’ tab. Validate that the AV definition file is v7.0.1355588168 or higher. If it is not, click on the ‘Update Definitions’ button to receive the latest version. To check the AV definition file version on your endpoints, first go to ‘Manage’ --> ‘Endpoints’ and select the ‘AntiVirus’ tab; sort using the ‘AV Definition Version’ column, if necessary.
- HEATsoftware recommends that you disable ‘Real Time Scans’ and ‘Scheduled Scan’ until the AV definition files have been updated. HEATsoftware highly recommends that you select a setting of “Attempt to clean, then quarantine” or “Attempt to clean, then quarantine, then delete.” Once the latest AV definition file (v7.0.1355588168 or higher) is in place, it is safe to return to normal scanning mode(s).
- Notify any remote users that they must connect to your corporate network (L.E.M.S.S. server) to receive updated virus definitions.
- If you feel that you have been affected, please contact HEATsoftware support immediately.
What has HEATsoftware done to ensure that this will not happen again?
While we have traced the technical source of the issue, we have not determined the root cause of the faulty AV definition file. We are actively exploring that issue with our AV partner to determine the root cause and take measures to ensure that an incident like this does not happen again.
When will we find out more?
Customers can get the latest information by checking with HEATsoftware Support. We will make every attempt to provide accurate and relevant data as soon as it becomes available through our Customer Support Team, this KB article, the HEATsoftware Customer Portal and the HEATsoftware Community.