Recovering from a Bad AntiVirus Definitions File Update (Lumension EMSS 7.2.x)

Version 1

    Details

    Lumension Endpoint Management Security Suite 7.2.x
    Lumension AntiVirus 7.2.x



    In the event of a false positive, where AntiVirus identifies a non-malicious file as a virus, a system administrator can perform manual steps to stop the HEATsoftware EMSS Server from distributing the AntiVirus definition file containing the false positive to endpoints.

    Important: This procedure does not address how to recover endpoints that downloaded the bad AntiVirus definition file.

    STAGE 1: STOP COMMUNICATION BETWEEN THE HEATsoftware EMSS SERVER AND THE GLOBAL SUBSCRIPTION SERVER (GSS)

    1. Select Tools > Subscription Updates. The Subscription Updates page opens.
    2. Click the Configure button. The Subscription Service Configuration dialog opens.
    3. Select the AntiVirus tab. Subscription information and configuration options are displayed.

    [Image: BadAVSteps1-3.gif]


    Edit each content storage location currently set so that it becomes unreachable. Repeat Steps 4 through 6 for each location listed.

    4. Under the AntiVirus content storage location section, select a content storage location from the list. The content storage location URL appears in the AntiVirus/Content location (URL) field.
    5. Edit the content storage location URL by adding a '1' (one) to the end. For example, change http://cache.HEATsoftware.com/antivirus/avfilelist.xml to http://cache.HEATsoftware.com/antivirus/avfilelist.xml1
    6. Click Add. The URL is added to the list.
    7. Remove each original content storage location from the list by selecting it in the list and clicking Remove. Only the new AntiVirus content storage location URLs you entered remain in the list.
    8. Click Apply and then Save.

    [Image: BadAVSteps4-8-(2).gif]


    Result

    Communication between the HEATsoftware EMSS Server and the GSS is stopped, which prevents the server from downloading the same corrupt definition file again.
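    The Stage 1 edit only works if the modified URLs actually fail to serve content. The following PowerShell check is an added example, not part of the HEATsoftware article, and is run from the EMSS Server (which already needs outbound HTTP access to the GSS cache for subscription updates). It requests each original URL and its '1'-suffixed form and flags any edited URL that still returns a success response, such as a soft-404 page, which would not stop the download. The URL in $OriginalUrls is the one quoted in the article; replace it with the locations configured on your AntiVirus tab.

```powershell
# Added example: verify that the Stage 1 URL edit really makes each content
# storage location unreachable. Not part of the original KB article.
# Assumption: $OriginalUrls matches the locations shown on the AntiVirus tab.
$OriginalUrls = @(
    'http://cache.HEATsoftware.com/antivirus/avfilelist.xml'   # example URL from the article
)

function Test-ContentUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # In Windows PowerShell, Invoke-WebRequest throws on any non-success
        # status, so reaching the next line means the URL still serves content.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Status = $resp.StatusCode }
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $status }
    }
}

$results = foreach ($u in $OriginalUrls) {
    Test-ContentUrl -Url $u          # original: expected Reachable = True
    Test-ContentUrl -Url ($u + '1')  # Stage 1 edit: expected Reachable = False
}
$results | Format-Table -AutoSize

# An edited URL that still answers with 2xx (for example a soft-404 page)
# would not block the download, so call it out explicitly.
$stillServing = $results | Where-Object { $_.Url.EndsWith('1') -and $_.Reachable }
if ($stillServing) {
    Write-Warning 'These edited URLs still return content; the block is not effective:'
    $stillServing | ForEach-Object { Write-Warning "  $($_.Url) (HTTP $($_.Status))" }
}
```

Run it once after Step 8 of Stage 1. Every suffixed URL should report Reachable = False (typically HTTP 404), and every original URL should still report Reachable = True; if an original is also unreachable, the server cannot reach the GSS at all and the check tells you nothing about the edit.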


    STAGE 2: DELETE THE ANTIVIRUS ENGINE AND DEFINITION FILES FROM THE DOWNLOAD MANAGER FOLDER AND ANTIVIRUS FOLDER

    On the HEATsoftware EMSS Server, navigate to and delete the contents of the following folders:

    • C:\Program Files(x86)\HEATsoftware\EMSS\Content\DownloadManager\Files\Gold\AntiVirusEngineAndDefinitions
    • C:\Program Files(x86)\HEATsoftware\EMSS\Content\AntiVirus\Files\Gold
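    The following PowerShell script is an added example and not part of the HEATsoftware article. It performs the Stage 2 deletion but first records the name, size, timestamp and SHA-256 of every file in the two folders to a CSV log, so the suspect engine and definition files can still be identified in the support case raised in Stage 3 after they are gone. The folder paths are copied exactly as the article prints them; note that the default 64-bit Windows folder is "C:\Program Files (x86)" with a space, so verify them against the actual install location on your server before running. The log location under $env:TEMP is a constructed example.

```powershell
# Added example (not the article's own script): inventory, hash, then delete
# the contents of the two Stage 2 folders on the HEATsoftware EMSS Server.
# Assumption: paths are taken verbatim from the KB article; check them against
# the real install directory (standard Windows uses "Program Files (x86)").
$Folders = @(
    'C:\Program Files(x86)\HEATsoftware\EMSS\Content\DownloadManager\Files\Gold\AntiVirusEngineAndDefinitions',
    'C:\Program Files(x86)\HEATsoftware\EMSS\Content\AntiVirus\Files\Gold'
)
# Constructed example log location; point this at wherever you keep case evidence.
$LogPath = Join-Path $env:TEMP ("emss-av-cleanup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

function Clear-GoldFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$LogPath
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found, skipping: $Path"
        return
    }
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force)

    # Record what is about to be removed before touching anything.
    $files | ForEach-Object {
        [pscustomobject]@{
            Folder   = $Path
            File     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTimeUtc.ToString('o')
            Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Append

    # Delete the folder contents, not the folder itself. Honours -WhatIf.
    Get-ChildItem -LiteralPath $Path -Force | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove')) {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
        }
    }

    # Anything still present (e.g. a file held open by a service) shows up here.
    $remaining = @(Get-ChildItem -LiteralPath $Path -Recurse -Force).Count
    [pscustomobject]@{ Folder = $Path; FilesLogged = $files.Count; Remaining = $remaining }
}

foreach ($f in $Folders) { Clear-GoldFolder -Path $f -LogPath $LogPath }
Write-Host "Inventory written to $LogPath"
```

Add -WhatIf to the Clear-GoldFolder call to preview the removals (the inventory CSV is still written). A non-zero Remaining count means a file could not be deleted, most often because a process still has it open; resolve that before moving on to Stage 3, since a leftover engine or definition file defeats the point of the stage.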

    STAGE 3: CONTACT HEATsoftware ABOUT THE NEXT ANTIVIRUS DEFINITION FILE UPDATE

    Contact HEATsoftware Support (support@HEATsoftware.com) by e-mail or by phone using the toll-free numbers listed in the HEATsoftware Customer Portal (http://portal.HEATsoftware.com/) for information on when a good AntiVirus Definition File will be published and available for download.


    STAGE 4: START COMMUNICATION BETWEEN THE HEATsoftware EMSS SERVER AND THE GLOBAL SUBSCRIPTION SERVER (GSS)

    Prerequisite: A good AntiVirus definition file must be published by HEATsoftware and available for download from the GSS.

    1. Select Tools > Subscription Updates. The Subscription Updates page opens.
    2. Click the Configure button. The Subscription Service Configuration dialog opens.
    3. Select the AntiVirus tab. Subscription information and configuration options are displayed.

    Edit each content storage location currently set so that it becomes reachable again. Repeat Steps 4 through 6 for each location listed.

    4. Under the AntiVirus content storage location section, select a content storage location from the list. The content storage location URL appears in the AntiVirus/Content location (URL) field.
    5. Edit the content storage location URL by removing the '1' from the end. For example, change http://cache.HEATsoftware.com/antivirus/avfilelist.xml1 to http://cache.HEATsoftware.com/antivirus/avfilelist.xml
    6. Click Add. The URL is added to the list.
    7. Remove each content storage location that still ends in a '1' by selecting it in the list and clicking Remove. Only the new AntiVirus content storage location URLs you entered remain in the list.
    8. Click Apply.
    9. Click Update Now to get the latest AntiVirus engine and definition files available from the GSS.

    [Image: BadAVStage4Steps1-9.gif]


    Result

    Communication between the HEATsoftware EMSS Server and the GSS is restarted, so the good definition file can be downloaded and distributed to endpoints.


    After Completing This Procedure

    Use the Delay AV definition distribution by option when configuring an Agent Policy Set to set the interval (in hours, up to 72) by which the HEATsoftware EMSS Agent delays requesting a new AntiVirus definitions file from the Application Server. Setting a delay gives you time to test the new definitions file in an isolated environment before it is distributed to production agents.


    Important: Delaying the download of important updates can make your environment vulnerable to new viruses or malware.