About Ivanti Antivirus Alerts

Version 6

    Verified Product Versions

    Endpoint Manager 9.6
    Endpoint Manager 2016.x
    Endpoint Manager 2017.x

    Ivanti Antivirus Alerts


    Ivanti Antivirus Alerts must be configured within the Alerting tool in the Management Suite Console.


    By default the following alerts are configured:


    LDMS Default Ruleset


    The LDMS Default ruleset is the Alerting ruleset a client uses unless a different ruleset is explicitly selected in its Agent Configuration.


    The default actions can be modified for the rulesets.


    For a complete overview of how to configure Ivanti Alerts, see this article.


    Ivanti Antivirus integrates with the Ivanti Alert Handlers. When one of the alerting events occurs, it is handed off to the Ivanti Alerting handler and logged in ALERT.LOG, located under Program Files\Shared Files on the client computer. The same alert is also logged in the AVService.log file. Depending on the action defined in the Alert Ruleset, the handler may then do one or more of the following:

    - Log an event in the Alert Log on the core
    - Run a program on the core
    - Run a program on the client
    - Send an e-mail (through the mail server configured in the alert)
    - Send an SNMP trap


    If the action is set to "Log handler configuration", this activity can be viewed in the "Logs" tool in the EPM console.


    Note: If Ivanti Antivirus is installed on a server, be aware that the Default Server Ruleset does not contain the Ivanti Antivirus alerts. Add them to the Default Server Ruleset if you want server-side antivirus alerting.


    Core Alert Ruleset


    The "Ivanti Antivirus - virus outbreak detected" alert is used in conjunction with the Alert Settings configured in Security and Patch Manager.


    To configure this alert:


    1. Open the Security and Compliance tool on the core server.
    2. Open the third icon's drop-down and select "Alert Settings".
    3. Select the "Antivirus" tab.


    This panel sets the threshold at which antivirus activity is treated as a virus outbreak and the alert is raised. The count is calculated from the Antivirus Activity reported by clients. With the default settings, 50 antivirus events within 10 hours trigger the "Virus Outbreak Alert". The core server is the computer that evaluates the threshold and processes this alert action. Note that antivirus activity reaches the core through a separate mechanism from the Ivanti Alerts: it is collected on the client in ActionHistory.XML and sent to the core server every few minutes, and again every time the Vulnerability Scanner runs. Because of this, the outbreak alert lags the underlying detections by up to the reporting interval, and a client that cannot reach the core contributes nothing to the count until it reconnects.
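    The paragraph above describes the outbreak threshold as "N antivirus events within H hours". The following is an added example (not Ivanti code, and not a description of how the core server's own implementation works) that models that rule as a sliding window over detection timestamps, so an administrator can reason about what a given threshold and window would have caught. The event timestamps are constructed sample data, not parsed from a real ActionHistory.XML, whose format this page does not document.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data (assumption: not taken from any real ActionHistory.XML):
# detection timestamps as the core might accumulate them from client reports.
_BASE = datetime(2024, 1, 1, 0, 0)
SAMPLE_EVENTS = (
    # burst of 30 detections in the first hour, one every two minutes
    [_BASE + timedelta(minutes=2 * i) for i in range(30)]
    # second burst of 25 detections starting 11 hours later
    + [_BASE + timedelta(hours=11, minutes=2 * i) for i in range(25)]
)


def first_outbreak(events, threshold=50, window_hours=10):
    """Return the timestamp at which `threshold` events first fall inside a
    trailing window of `window_hours`, or None if the rule never fires.

    Defaults mirror the page's stated defaults: 50 events within 10 hours.
    """
    window = timedelta(hours=window_hours)
    recent = deque()  # timestamps still inside the trailing window
    for ts in sorted(events):  # client reports can arrive out of order; sort first
        recent.append(ts)
        # Evict events older than the window relative to the newest event.
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return ts
    return None


def outbreak_triggered(events, threshold=50, window_hours=10):
    """Convenience wrapper: True if the outbreak rule fires at any point."""
    return first_outbreak(events, threshold, window_hours) is not None


if __name__ == "__main__":
    # With the defaults the two bursts never overlap inside one 10-hour window,
    # so 30 + 25 detections produce no outbreak alert at all.
    print("default 50/10h:", first_outbreak(SAMPLE_EVENTS))
    # A 12-hour window spans both bursts and fires during the second one.
    print("50/12h:", first_outbreak(SAMPLE_EVENTS, threshold=50, window_hours=12))
    # Lowering the count catches the first burst on its own.
    print("20/10h:", first_outbreak(SAMPLE_EVENTS, threshold=20))
```

    The sample shows the practical consequence of the two parameters: the same 55 detections are silent under the default 50-in-10-hours rule, because the window closes between the two bursts, but fire under either a wider window or a lower count. When tuning the Antivirus tab, pick the window with the reporting interval in mind, since events only reach the core every few minutes or on a vulnerability scan.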


    Antivirus Activity can be viewed within the Security Activity tool.





    Within the Security Activity window, the section "Computers not recently reporting Antivirus Configuration and Status" is populated from data gathered during a Vulnerability scan, but only when the "Antivirus Updates" category is included in the scan. If that category is not scanned, computers will appear here even though their antivirus is healthy. For more on this, see this article.