How to report and send files being incorrectly detected as a virus by Ivanti Antivirus

Version 17

    Verified Product Versions

    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x




    Sometimes new Virus Definitions will detect legitimate files as a virus.  These are called "False Positives".
    For further information on how to recover if this false positive is causing issues in your environment, see this article.
    In order for the definition to be adjusted, the "False Positive" must be reported and sent to us immediately.

    How to report and send files being detected incorrectly as a virus


    If one or more files are being identified as a False Positive, make sure that all affected computers are scanning with the latest definition files before submitting the file(s) for analysis.
    Once all machines have been scanned with the latest definition files, follow the steps outlined below to have the infected files analyzed.

    For further information on how to ensure your clients are using the latest Antivirus pattern files, see this article.


    Restore File for Reporting


    In order to submit the file for review as a False Positive, the file will need to be restored from Quarantine. The following steps outline how to provide LDAV the necessary permissions to perform this task.

    Disable Real-time protection to prevent the file being immediately quarantined again, then restore the file to be submitted.


    LDMS 9.6/2016


    1. Open a Management Suite console

    2. Go to  Tools | Security and Compliance | Agent Settings

    3. Expand Agent Settings | Security | Ivanti Antivirus

    4. Double click on the Antivirus settings the client is using.

    5. Click on Permissions

    6. Check the Allow user to disable Realtime scanning for up to ___ minutes option

    7. Check Allow user to restore objects

    8. Click Save




    1. On the client, click Start | Run

    2. Type Vulscan /changesettings /showui. This will download the setting changes you made.

    3. Open the Ivanti Antivirus GUI

      • Start | Programs | Ivanti Management | Ivanti Antivirus

      • Click the LDAV Icon in the system tray if enabled

    4. Click Protection | File Anti-Virus | and click Stop

    Note: If prompted with a Warning! window, click Yes

    This action will impact your computer's protection. Do you want to continue?

    Application name: Ivanti Antivirus

    Manufacturer: "Kaspersky Lab"

    Action: Settings modification

    5. With File Anti-Virus disabled, click Quarantine

    6. Take note of the Folder path, as this is where the file will restore to.

    7. Highlight the file and click Restore

    8. Take a screenshot of the false positive detection.  Compile the "infected" file(s) and the screenshot into a password-protected .ZIP file, with password 'infected'.  Name the file "FalsePositive(UniqueName).zip" (where "UniqueName" is a filename of your choosing).

      *****Be very careful to name the zip file with a prefix of "FalsePositive" otherwise Kaspersky will treat this as a false negative submission and your case will be significantly delayed*****


    Note: The file must be password protected with a password of "infected". The archive must be a .ZIP file.  Other compression types will not be accepted. The file should not be a self-extracting zip file.
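
    A pre-submission check for the naming and packaging rules above, as an added example that is not part of the original article or any Ivanti or Kaspersky tooling. It assumes Python 3 with only the standard library; `check_submission` and `sample_plain_zip` are hypothetical names, and because Python's `zipfile` can only test the password on legacy ZipCrypto entries, AES-encrypted entries are reported as unverified.

```python
import io
import zipfile
import zlib

PREFIX = "FalsePositive"   # required name prefix, from the article
PASSWORD = b"infected"     # required archive password, from the article


def check_submission(filename, data):
    """Return a list of problems; an empty list means the archive meets the rules."""
    problems = []
    if not filename.startswith(PREFIX):
        problems.append("name does not start with 'FalsePositive'")
    if not filename.lower().endswith(".zip"):
        problems.append("extension is not .zip")
    if data[:2] == b"MZ":
        # A self-extracting ZIP is an executable stub with the archive appended.
        problems.append("self-extracting archive")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return problems + ["not a ZIP archive"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                problems.append(f"{info.filename}: not password protected")
                continue
            try:
                with zf.open(info, pwd=PASSWORD) as member:
                    member.read()  # a full read also verifies the CRC-32
            except NotImplementedError:  # must precede RuntimeError (it is a subclass)
                problems.append(f"{info.filename}: encryption not readable here, password unverified")
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                problems.append(f"{info.filename}: password is not 'infected'")
    return problems


def sample_plain_zip():
    """Constructed sample: an unencrypted ZIP holding one dummy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"constructed sample bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("FalsePositive(tool).zip", "tool-sample.zip"):
        print(name, "->", check_submission(name, sample_plain_zip()) or "OK")
```

    To check a real archive, pass its file name and its bytes (read in binary mode) to `check_submission` before uploading.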


    Submit the File

    1. Place the file on Ivanti's site:

    2. Contact Ivanti Support, open a Support Incident, and provide the name of the sample file uploaded to the FTP site. (Case sensitive)

    3. Revert the changes made to the agent settings.

    4. Current virus definition release activity can be viewed here:

    Note: Once the antivirus pattern files are updated to correct the false positive, the files within quarantine will be restored to their original locations.


    Ivanti Support Contact information