About LANDESK Antivirus Alerts

Version 4

Verified Product Versions

- LANDESK Management Suite 9.5
- LANDESK Management Suite 9.6
- LANDESK Management Suite 2016.x

LANDESK Antivirus Alerts

LANDESK Antivirus Alerts must be configured within the Alerting tool in the Management Suite Console.

By default the following alerts are configured:

[Screenshot: AntivirusAlertsList.png]

LDMS Default Ruleset

The LDMS Default ruleset is the Alerting ruleset used by a client unless another ruleset is explicitly specified in the Agent Configuration.

The default actions can be modified for the rulesets.

For a complete overview of how to configure LANDESK Alerts, see this article.

LANDESK Antivirus integrates with the LANDESK Alert Handlers. If one of the alerting events takes place, it is handed off to the LANDESK Alerting handler and the action is logged in the ALERT.LOG located in Program Files\Shared Files on the client computer. This alert is also logged in the AVService.log file. Depending on the action defined in the Alert Ruleset, it may then log an event in the Alert Log on the core, run a program on the Core, run a program on the Client, send an e-mail (through a mail server as configured in the alert), or send an SNMP trap.

If the action is set to "Log handler configuration", this activity can be seen within the "Logs" tool in the LDMS console.

Note: If installing LANDESK Antivirus on a Server, the Default Server Ruleset does not contain LANDESK Antivirus alerts. These should be added to the Default Server Ruleset if desired.

     

Core Alert Ruleset

The "LANDESK Antivirus - virus outbreak detected" alert is used in conjunction with the Alert Settings as configured in Security and Patch Manager.

To configure this alert:

1. Open the Security and Patch Manager tool on the core server.

2. Select the third icon dropdown and then select "Alert Settings".

[Screenshot: AVAlertSettings.png]

3. Select the "Antivirus" tab.

[Screenshot: OutbreakAlert.png]

This panel sets the threshold at which a virus outbreak will trigger an alert. The threshold is calculated from the Antivirus Activity. With the default settings, if there are 50 Antivirus events within 10 hours, the "Virus Outbreak Alert" is triggered. The Core Server is the computer that processes this alert action. The Antivirus activity is sent through a separate mechanism from the LANDESK Alerts: it is gathered regularly in ActionHistory.XML and sent to the core server every few minutes. It is also sent every time the Vulnerability Scanner runs.
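The outbreak threshold above is a count of events inside a time window. The following Python is an added example, not LANDESK code, and it assumes nothing about how the core server actually implements the check or about the real ActionHistory.XML layout: it parses constructed "timestamp|detail" lines into event times and applies a sliding window of 10 hours with a threshold of 50, returning the time at which the threshold was first reached. The threshold and window are parameters so the same logic covers a tuned setting.

```python
from datetime import datetime, timedelta

# Defaults as described in the article: 50 events within 10 hours.
DEFAULT_THRESHOLD = 50
DEFAULT_WINDOW = timedelta(hours=10)

# Constructed sample format (an assumption, not the real ActionHistory.XML):
# "YYYY-MM-DD HH:MM:SS|free-text detail"
def make_events(start, count, step):
    """Build `count` constructed event lines spaced `step` apart."""
    return [
        f"{(start + i * step).strftime('%Y-%m-%d %H:%M:%S')}|constructed detection event {i}"
        for i in range(count)
    ]

# 50 events 10 minutes apart: all fall inside one 10-hour window.
BURST_EVENTS = make_events(datetime(2024, 1, 1, 8, 0, 0), 50, timedelta(minutes=10))
# 50 events 30 minutes apart: at most 21 of them share any 10-hour window.
TRICKLE_EVENTS = make_events(datetime(2024, 1, 1, 8, 0, 0), 50, timedelta(minutes=30))


def parse_event_times(lines):
    """Return the datetime of each constructed event line."""
    times = []
    for line in lines:
        stamp, _, _detail = line.partition("|")
        times.append(datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S"))
    return times


def first_trigger_time(event_times, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Sliding-window check: return the time of the event at which `threshold`
    events fell within the trailing `window`, or None if it never happens."""
    times = sorted(event_times)
    start = 0
    for end, current in enumerate(times):
        # Advance the window start past events older than `window` before `current`.
        while current - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return current
    return None


def outbreak_status(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Convenience wrapper: ISO-style timestamp string of the trigger, or None."""
    hit = first_trigger_time(parse_event_times(lines), threshold, window)
    return None if hit is None else hit.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print("burst:", outbreak_status(BURST_EVENTS))      # triggers on the 50th event
    print("trickle:", outbreak_status(TRICKLE_EVENTS))  # never reaches 50 in 10 hours
```

The two-pointer loop keeps the check linear in the number of events, which matters when the activity data is re-evaluated every few minutes as the article describes; lowering the threshold or shortening the window makes the rule fire earlier on a smaller burst.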

     

Antivirus Activity can be viewed within the Antivirus Activity tool.

[Screenshot: AntivirusActivityTool2.png]

Within the Antivirus Activity window, the section "Computers not recently reporting Antivirus Configuration and Status" is populated by data gathered during a Vulnerability scan, but only if the "Antivirus Updates" category is being scanned for. For more on this, see this article.