How to report and send files being incorrectly detected as a virus by LANDESK Antivirus

Version 16

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

     

    Description

     

    Sometimes new virus definitions will detect legitimate files as a virus. These are called "False Positives".
    For further information on how to recover if a false positive is causing issues in your environment, see this article.
    In order for the definition to be adjusted, the false positive must be reported and the affected file(s) sent to us immediately.

    How to report and send files being detected incorrectly as a virus.

     

    If one or more files are being identified as a false positive, before submitting them for analysis make sure that all affected computers are scanning with the latest definition files.
    Once all machines have been scanned with the latest definition files and the detection persists, follow the steps outlined below to have the flagged files analyzed.

    For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.

     

    Restore File for Reporting

     

    To submit the file for review as a false positive, it first needs to be restored from Quarantine. The following steps outline how to grant the user the permissions LDAV requires for this task.

    Disable Real-time protection first, so that the file is not immediately quarantined again, then restore the file to be submitted.

     

    LDMS 9.6/2016

     

    1. Open a Management Suite console

    2. Go to  Tools | Security and Compliance | Agent Settings

    3. Expand Agent Settings | Security | Landesk Antivirus

    4. Double click on the Antivirus settings the client is using.

    5. Click on Permissions

    6. Check the Allow user to disable Realtime scanning for up to ___ minutes option

    7. Check Allow user to restore objects

    8. Click Save

     


     

    1. On the client, click Start | Run

    2. Type Vulscan /changesettings /showui and press Enter. This downloads the setting changes you made in the console.

    3. Open the LANDESK Antivirus GUI

      • Start | Programs | LANDESK Management | LANDESK Antivirus

                 or

      • Click the LDAV icon in the system tray, if enabled

    4. Click Protection | File Anti-Virus | and click Stop

     

    Note: If prompted with a Warning! window, click Yes. The prompt reads:

     

    This action will impact your computer's protection. Do you want to continue?

    Application name: LANDESK Antivirus

    Manufacturer: "Kaspersky Lab"

    Action: Settings modification

     

    5. With File Anti-Virus disabled, click Quarantine

    6. Take note of the Folder path, as this is where the file will be restored to.

    7. Highlight the file and click Restore

     

    8. Take a screenshot of the false positive detection. Compile the "infected" file(s) and the screenshot into a password protected .ZIP file, with the password 'infected'. Name the file "FalsePositive(UniqueName).zip" (where "UniqueName" is a name of your choosing).

      *****Be very careful to name the zip file with a prefix of "FalsePositive"; otherwise Kaspersky will treat this as a false negative submission and your case will be significantly delayed*****

     

    Note: The file must be password protected with the password "infected". The compression type must be .ZIP; other compression types will not be accepted. The file must not be a self-extracting archive.
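    The following PowerShell function is an added example and is not part of this article or of the LANDESK product. It packages restored sample(s) and the screenshot into the ZIP described above (plain .zip container, password "infected", name prefixed "FalsePositive", not self-extracting) and then verifies the result before you upload it. It assumes 7-Zip is installed (the 7z.exe path is an assumed default), requires Windows PowerShell 4.0 or later for Get-FileHash, and the function name and sample paths are illustrative.

```powershell
# Added example, not from the LANDESK article: build and verify the
# false-positive submission archive. Assumes 7-Zip at the path below.

function New-FalsePositiveSubmission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SamplePath,  # file(s) restored from Quarantine
        [Parameter(Mandatory)] [string]   $Screenshot,  # screenshot of the detection
        [Parameter(Mandatory)] [string]   $UniqueName,  # your chosen suffix, e.g. a case number
        [string] $OutDir   = (Get-Location).Path,
        [string] $SevenZip = 'C:\Program Files\7-Zip\7z.exe'   # assumed install path
    )

    if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }

    # Enforce the naming rule the article warns about: anything not prefixed
    # "FalsePositive" is treated as a false-negative (missed malware) submission.
    if ($UniqueName -notmatch '^[A-Za-z0-9_-]+$') {
        throw 'UniqueName may only contain letters, digits, "_" or "-"'
    }
    $zipPath = Join-Path $OutDir "FalsePositive$UniqueName.zip"

    $inputs = @($SamplePath) + $Screenshot
    foreach ($f in $inputs) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Input not found: $f" }
    }

    # Record SHA-256 hashes now so the support incident can state exactly what was sent.
    $hashes = foreach ($f in $inputs) {
        $h = Get-FileHash -LiteralPath $f -Algorithm SHA256
        [pscustomobject]@{ File = (Split-Path -Leaf $f); SHA256 = $h.Hash }
    }

    # -tzip forces a plain ZIP container (not .7z and not an SFX .exe);
    # -pinfected sets the required password (7-Zip uses ZipCrypto for -tzip
    # by default, which is what AV vendors expect); -y suppresses prompts.
    & $SevenZip a -tzip -pinfected -y $zipPath $inputs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip returned exit code $LASTEXITCODE" }

    # Sanity check 1: the output really is a ZIP (starts with the "PK" signature),
    # so nobody accidentally produced a self-extracting .exe or a .7z.
    $fs = [System.IO.File]::OpenRead($zipPath)
    try { $hdr = New-Object byte[] 2; [void]$fs.Read($hdr, 0, 2) } finally { $fs.Dispose() }
    if ($hdr[0] -ne 0x50 -or $hdr[1] -ne 0x4B) { throw "$zipPath is not a ZIP archive" }

    # Sanity check 2: the archive opens and decrypts with the password "infected".
    & $SevenZip t -pinfected $zipPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Archive failed verification with password 'infected'" }

    [pscustomobject]@{
        ZipPath  = $zipPath
        ZipName  = (Split-Path -Leaf $zipPath)   # quote this, case sensitive, in the support incident
        Contents = $hashes
    }
}

# Usage (illustrative paths):
# New-FalsePositiveSubmission -SamplePath 'C:\Restored\tool.exe' `
#     -Screenshot 'C:\Restored\detection.png' -UniqueName 'Case12345'
```

    Run this with File Anti-Virus still stopped, otherwise the restored sample may be quarantined again before 7-Zip reads it. Keep the returned object: the ZipName is what Support asks for, and the hashes let you confirm later that the definition update cleared the exact files you submitted.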

     

    Submit the File

    1. Upload the file to LANDESK's drop site: http://avdrop.landesk.com/

    2. Contact LANDESK Support, open a Support Incident, and provide the exact name of the sample file you uploaded (the name is case sensitive).

    3. Revert the changes made to the agent settings: remove the permissions granted in the Antivirus settings and make sure File Anti-Virus is running again on the client.

    Current virus definition release activity can be viewed here: http://www.kaspersky.com/viruswatchlite?

    Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.

     

    LANDESK Support Contact information