Recovering from a Bad AntiVirus Definitions File Update (Lumension EMSS 7.3.x)

Version 1

    Details

    Lumension Endpoint Management Security Suite (LEMSS) 7.3.x
    Lumension AntiVirus (LAV) 7.3.x

    BACKGROUND

    If a definition file containing a false positive (AntiVirus identifies a non-malicious file as a virus) is downloaded from our Global Subscription Server (GSS), a system administrator can perform manual steps to stop the LEMSS Server from distributing the AntiVirus definition file containing the false positive to endpoints.

    Important: This procedure does not address how to recover endpoints that downloaded the bad AntiVirus definition file.

    Step 1: Stop Communication between the LEMSS server and GSS

    1.   Select Tools > Subscription Updates. The Subscription Updates page opens.
    2.   Click the Configure button. The Subscription Service Configuration dialog opens.
    3.   Select the AntiVirus tab. Subscription information and configuration options are displayed.

    Edit each content storage location currently set so that it becomes unreachable. Repeat Steps 4-6 for each location listed.

    4.   Under the AntiVirus content storage location section, select a content storage location from the list. The content storage location URL appears in the AntiVirus/Content location (URL) field.
    5.   Edit the content storage location URL by adding a '1' (one) to the end. For example, change http://cache.HEATsoftware.com/antivirus/avfilelist.xml to http://cache.HEATsoftware.com/antivirus/avfilelist.xml1
    6.   Click Add. The URL is added to the list.
    7.   Remove each original content storage location from the list by selecting it in the list and clicking Remove. Only the new AntiVirus content storage location URLs you entered remain in the list.
    8.   Click Apply and then Save.

    Result

    Communication between the LEMSS Server and the GSS is stopped, which prevents the server from downloading the same corrupt definition file again.

    Step 2:  Delete the AntiVirus engine and definition files from the download manager folder and AntiVirus folder

    On the LEMSS Server, navigate to and delete the contents of the following folders:

    •   C:\Program Files (x86)\HEATsoftware\EMSS\Content\DownloadManager\Files\Gold\AntiVirusEngineAndDefinitions
    •   C:\Program Files (x86)\HEATsoftware\EMSS\Content\AntiVirus
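
    To support Steps 1 and 2 from the command line, the following PowerShell is an added example; it is not part of the original article or the product. It assumes an elevated session on the LEMSS Server, uses the folder paths listed in Step 2, treats the archive root as a constructed path, and archives and hashes the folder contents instead of deleting them so the bad update can be examined later.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the LEMSS Server; the folder paths are those listed in Step 2 and
# $ArchiveRoot is a location you choose (a constructed value in the usage line).
$ErrorActionPreference = 'Stop'

$AvContentFolders = @(
    'C:\Program Files (x86)\HEATsoftware\EMSS\Content\DownloadManager\Files\Gold\AntiVirusEngineAndDefinitions',
    'C:\Program Files (x86)\HEATsoftware\EMSS\Content\AntiVirus'
)

# Step 1 check: an edited content location (original URL with '1' appended)
# must no longer be fetchable, otherwise the server can pull the bad file again.
function Test-AvContentLocationBlocked {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15
        Write-Warning "$Url still answers HTTP $($resp.StatusCode); Step 1 is not complete."
        return $false
    } catch {
        Write-Host "$Url is unreachable ($($_.Exception.Message)); Step 1 is effective."
        return $true
    }
}

# Step 2 with retention: move the current engine and definition files into a
# timestamped archive and record SHA-256 hashes, so the bad update can be
# examined later instead of being deleted outright. Use -WhatIf to preview.
function Move-AvContentToArchive {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ArchiveRoot)
    $archive = Join-Path $ArchiveRoot ("bad-av-update-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $manifest = foreach ($folder in $AvContentFolders) {
        if (-not (Test-Path $folder)) { Write-Warning "Folder not found: $folder"; continue }
        $dest = Join-Path $archive (Split-Path $folder -Leaf)
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Move-Item -Path (Join-Path $folder '*') -Destination $dest
        Get-ChildItem -Path $dest -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Archived = $_.FullName
                               SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
        }
    }
    if ($manifest) { $manifest | Export-Csv -Path (Join-Path $archive 'manifest.csv') -NoTypeInformation }
    return $manifest
}

# Usage (constructed values):
# Test-AvContentLocationBlocked 'http://cache.HEATsoftware.com/antivirus/avfilelist.xml1'
# Move-AvContentToArchive -ArchiveRoot 'D:\IR\LEMSS' -WhatIf
```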

    Step 3:  Contact HEATsoftware about the next AntiVirus definition file update

    Contact HEATsoftware Support (support@HEATsoftware.com) by e-mail or by phone using the toll-free numbers listed in the HEATsoftware Customer Portal for information on when a good AntiVirus Definition File will be published and available for download.

    Step 4:  Start communication between the LEMSS server and GSS

    Prerequisite: A good AntiVirus definition file must be published by HEATsoftware and available for download from the GSS.

    1.   Select Tools > Subscription Updates. The Subscription Updates page opens.
    2.   Click the Configure button. The Subscription Service Configuration dialog opens.
    3.   Select the AntiVirus tab. Subscription information and configuration options are displayed.

    Edit each content storage location currently set so that it becomes reachable again. Repeat Steps 4-6 for each location listed.

    4.   Under the AntiVirus content storage location section, select a content storage location from the list. The content storage location URL appears in the AntiVirus/Content location (URL) field.
    5.   Edit the content storage location URL by removing the '1' from the end. For example, change http://cache.HEATsoftware.com/antivirus/avfilelist.xml1 to http://cache.HEATsoftware.com/antivirus/avfilelist.xml
    6.   Click Add. The URL is added to the list.
    7.   Remove each content storage location that still has a '1' at the end by selecting it in the list and clicking Remove. Only the new AntiVirus content storage location URLs you entered remain in the list.
    8.   Click Apply.
    9.   Click Update Now to get the latest AntiVirus engine and definition files available from the GSS.

    Result

    Communication between the LEMSS Server and the GSS is restarted, so the good definition file can be downloaded and distributed to endpoints.

    After Completing This Procedure

    Use the Delay AV definition distribution by option when configuring an Agent Policy Set to set the time interval (in hours, up to 72 hours) that the LEMSS Agent is to delay requesting a new AntiVirus definitions file from the Application Server. Setting a delay gives you time to try the new definitions file in an isolated test environment before distributing it to real agents.

    Important: Delaying the download of important updates can make your environment vulnerable to new viruses or malware.