Sometimes new Virus Definitions will detect legitimate files as a virus. These are called "False Positives".
For further information on how to recover if this false positive is causing issues in your environment, see this article.
In order for the definition to be adjusted, the "False Positive" must be reported and sent to us immediately.
How to report and send files being detected incorrectly as a virus
If there is a file(s) that are being identified as a False Positive, before submitting the file(s) for analysis make sure that all affected computers are scanning with the latest definition files.
Once all machines have been scanned with the latest definition files then follow the steps outlined below to have the infected files analyzed.
For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.
Restore File for Reporting
In order to submit the file for review as a False Positive, the file will need to be restored from Quarantine. The following steps outline how to provide LDAV the necessary permissions to perform this task.
Disable Real-time protection to prevent the file being immediately quarantined again, then restore the file to be submitted.
Open a Management Suite console
Go to Tools | Security and Compliance | Agent Settings
Expand Agent Settings | Security | Ivanti Antivirus
Double click on the Antivirus settings the client is using.
Click on Permissions
Check the Allow user to disable Realtime scanning for up to ___ minutes option
Check Allow user to restore objects
On the client Click Start | Run
Type Vulscan /changesettings /showui, this will download the setting changes you made.
Open the Ivanti Antivirus GUI
- Start | Programs | Ivanti Management | Ivanti Antivirus
- Click the LDAV Icon in the system tray if enabled
Click Protection | File Anti-Virus | and click Stop
Note: If prompted with a Warning! window, click Yes
This action will impact your computer's protection. Do you want to continue?
Application name: Ivanti Antivirus
Manufacturer: "Kaspersky Lab"
Action: Settings modification
With File Anti-Virus disabled, click Quarantine
Take note of the Folder path, as this is where the file will restore to.
Highlight the file and click Restore
- Take a screenshot of the false positive detection. Compile the "infected" file(s) and the screenshot into a password protected .ZIP file, with password 'infected'. Name the file "FalsePositive(UniqueName).zip". (Where "UniqueName" is a filename of your choosing).
*****Be very careful to name the zip file with a prefix of "FalsePositive" otherwise Kaspersky will treat this as a false negative submission and your case will be significantly delayed*****
Note: The file must be password protected with a password of "infected". The compression type must be a .ZIP. Other compression types will not be accepted. The file should not be a self-extracting zip file.
Submit the File
Place the file on Ivanti's site: http://avdrop.landesk.com/
Contact Ivanti Support and open a Support Incident and provide the name of the sample file uploaded to the ftp site. (Case sensitive)
Revert the changes made to the agents settings.
- Current virus definition release activity can be viewed here: http://www.kaspersky.com/viruswatchlite?
Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.