I guess I got it right. It is MS Windows Spyware.
Once it downloaded the new files, I deleted Malware.Genotype as per the recommendations in other threads. Is there a way to permanently avoid this one definition from being downloaded?
Lastly, is it possible to place all the spyware content in a custom group/folder and have the scheduled task and real-time spyware scan run against that folder? Or must all content remain in SCAN?
I have found the best way to handle Spyware (and Blocked Applications if using it) is to do the following:
Your LANDesk Agent has a "default scan and repair setting", it will use this for its daily scans.
In this setting I recommend that you do NOT select all or even most items to be scanned, but rather just the following:
- Antivirus (optional)
- LANDesk Updates
- Custom Definitions
These are the core items that should be scanned for on a regular basis and do not impact systems too greatly.
For other items I recommend that you set up a weekly scan and have it run as a policy. To do this, create a Scan & Repair setting named something like "Weekly Full Scan"
In the Scan options, choose the items you want. I would not choose options you are not going to deal with, such as Software Updates, Driver Updates and so on, again, unless you are going to work with those (and those two need to be handled very carefully!).
So if all you care about is Spyware add that. Now set the repair and reboot options to what you want them to use.
Now, in the Patching tool, click on the "Create a Scheduled Task" > Security Scan
Name it "Weekly Full Scan Policy" or something, check "Create a policy" and choose the new scan setting.
Now go to the scheduled task, right click, properties, delivery method, choose a Policy method that is set to NEVER reboot and is silent. Create one if you need to.
After you add your query of systems to be scanned, go into the properties, schedule task, set to start later, choose day and time, and select "repeat weekly".
Since these scans are more cpu impacting, I choose to do this after hours.
You can add the items you want into a Custom Group and set your Scan and Repair setting to scan the group instead of "Type", but you cannot move them out of the Scan group.
Good Morning James,
Many thanks for your response.
I believe our default LD agent has been set as you have mentioned in your reply - to scan against Vulnerabilities for Microsoft products.
As it happens I do have Blocking Applications enabled and all new definitions are immediately dropped into a Public Custom Folder named "Blocking Applications". A task had been created to scan against this custom folder but this is not something that is periodically scheduled; it is run manually every so often. Now that I think about it, perhaps I should automate this piece.
With regards to Spyware Scan, I have followed the PDF document attached to this message right down to the wire. As you can see, the instructions in the document are exactly the same as what you have suggested above.
The only changes I have made to the Scan and Repair settings for the weekly scan are 1) I have selected FULL Scan as opposed to default, smart etc. and 2) specified to scan files less than 100MB in size.
When I right click on the weekly task named 'Weekly Spyware Scan', my delivery method settings are as follows:
Delivery Type: Policy
Delivery Method: Patch and Compliance
Is that OK or do I need to change it?
For testing purposes, I have a scheduled task for the spyware scan to run daily (this will later change to weekly) and am finding a few problems. Of the 6 test machines, only 2 of them are running and reporting as a success (see attachment Fig. 1). The 4 remaining machines stay in 'PENDING' with a result status of 'Policy has been made available' (see attachment Fig. 2). These 4 machines simply do not become active.
The strange part is, when you navigate to the Softmon file in the Vulscan folder for one of the test machines, you can clearly see that some sort of spyware scan is going on. I assume the log is in reference to the REAL-TIME scan and NOT the weekly scan. Is there a separate log created on the client machine for the weekly scan? If so, where can I find this?
If required, I can attach one of the SOFTMON logs from one of the PENDING machines for your perusal.
Thanks again James.
As for your delivery method, you need to go to "Delivery Methods" and look at how this one is set up; this may be one of the default ones and it might have "Reboot if needed" checked.
Attached are some screenshots.
As for your systems that are waiting, that is how a policy works, when you make it available systems will go into "active" for a short time, then to pending. Now when one of those clients checks for policies, which if left "as is" the default is once every 24 hours, it will find the policy and run.
As I write this, I see that I did miss a point in the original post, and that is, if you set the policy to start later, and it is set for 7pm, systems may not check for that policy until 2pm the next day (an example), so systems could run the task at any time during the day. There are ways around this if need be.
Once your systems check in and run the policy they should then move to successful.
To manually test this, go to one of the systems and run the Desktop Manager (Software Portal), this will cause the system to look for policies.
Thank you again for your input bro.
Where do I find the "Delivery Methods" options as per your attached zipped screenshots? I cannot see these anywhere.
I had 8 test workstations today (2 of them were VM's) and I was informed by the users of those systems that they had really slowed down when the full scan was running. The scheduled scan I selected was FULL SCAN and in an attempt to weaken the performance impact on the end user machine, I selected the option to scan files less than 100mb. Unfortunately, this did not seem to help the performance.
The problem with my environment is that we have a mixture of models and specs. Some are Core2Duos with 4GB RAM and others are Pentium 3's with 256MB RAM and some even worse than that. What would be the best way to avoid causing the slowness during working hours? Maybe schedule the scan for Saturday and ask the users to leave their machines on (tricky for laptop users though)? Select a different scan type, e.g. Smart Scan instead of Full Scan? Perhaps I have overlooked an option to select how much CPU usage the system can dedicate when a scheduled scan is taking place? Any tips on this would be greatly appreciated.
I noticed in previous threads that people have mentioned problems with MALWARE.GENOTYPE. Is there a way to stop this specific definition from being downloaded? I suppose I could simply find it in the SCANS folder and set Autofix to NO.
One final question (a bit of a dumb one): our core is based in the USA. We have thousands of computers in many geographical locations all working from the one core and preferred server (if set up in their location). With reference to Spyware scheduled scans, say I have 1000 machines all set to run once per month. When that date passes and all 1000 machines start their scans, will there be any impact on bandwidth?
To create or modify delivery methods, at the top of your console, go to Tools > Distribution > Delivery Methods.
You will now see "My" and "Public" distribution methods, each containing Policy Supported Push, Policy and Push ones.
You can use a "Push" and have it run every Friday night late, or sometime on the weekend, repeating every week, this will lessen the impact on your users.
We are not currently using the Spyware component in v9. We had used it some in v8 and there is where I gained my experience with it. At this time our corporate tool for this is being handled by Symantec Endpoint Security, though I might re-enable it on one of my smaller cores to see how well SEP is doing.
Ok cool James appreciate the response once again.
So at the moment, I have my weekly scheduled scan set as a policy (see attachment). Setting this as a push for a Friday night seems a good option, but won't that cause any issues with the bandwidth?
Maybe I can have 2 scans - policy and push. Push the scan every week/month and place the failures in policy.
I have one absolutely final question. One of the test machines I had set up to scan completed with the following text at the end of the log:
Done. Found 151 items in 1 families.
Can you briefly explain the bit in the RED? Am I right in assuming the scan found AND resolved 151 infections?
**MALWARE.GENOTYPE is not set to autofix (due to the problems experienced in other threads), which is why I'm assuming it is listed as detected.
I have tried to search the log to see precisely what these 151 items were but I can't really see anything.
It has been too long since I have used the Spyware feature, so I cannot comment on the item in red...
On the "Push", this will not impact bandwidth much, if at all, because you are not really pushing any payload other than sending a command to start the scan. Yes, there will be some communications back and forth between the agent (client) and the core, but I cannot imagine it being too much. Not sure of your environment.
On one of our cores we have over 5,000 clients and the tech for that group will do a push of a month's baseline of patches (over 20 last month), and this has a lot of actual files (patches) in the payload and it did / does not overly impact our network.
If your systems are in the same location / network as your core, you should be fine.
The Malware.Genotype detection is rather heavy-handed and must be used with caution, as you have seen in other threads.
Typically the vulscan.log that was populated at the time of the spyware scan will contain details about the specific files that were seen as "infected".
A common file to be deleted is Internet tracking cookies.
In this case the vulscan log will show something like this:
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy Object
Infection found.
A newer version of CEAPI.DLL (part of the Spyware scanning engine) is included in the April Patch Manager MCP available here:
The newer CEAPI.DLL resolves issues with the Malware.Genotype definition incorrectly detecting innocuous files as being infected.
LANDesk Antispyware uses the Lavasoft engine.
Here is some detailed information about the Malware.Genotype definition and how it works.
I hope this helps.
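An added example (not from this thread and not LANDesk's own code) that reads the "Infection found" lines of a vulscan.log in the format quoted above and tallies items per family and per detection type, so the "Done. Found N items in M families." line asked about earlier can be reconciled with the detail lines and cookie-only Malware.Genotype hits can be told apart from file detections. The sample log is constructed, and the line regex is an assumption generalised from the single line quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed vulscan.log excerpt. The first line mirrors the one quoted in the post;
# the remaining lines are invented to show several items, types and families.
SAMPLE_LOG = """\
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy Object
Infection found of (family: Malware.Genotype) with family id 0, item id 408922. Reason - type-cookie, description-*doubleclick*, category-Privacy Object
Infection found of (family: Example.Family) with family id 7, item id 100. Reason - type-file, description-C:\\Temp\\sample.exe, category-Malware
Done. Found 3 items in 2 families.
"""

# Assumed layout of a detail line, derived from the quoted example.
LINE_RE = re.compile(
    r"Infection found of \(family: (?P<family>[^)]+)\) with family id (?P<fid>\d+), "
    r"item id (?P<iid>\d+)\. Reason - type-(?P<type>[^,]+), "
    r"description-(?P<desc>.*?), category-(?P<cat>.+)$"
)
DONE_RE = re.compile(r"Done\. Found (?P<items>\d+) items in (?P<families>\d+) families\.")

def parse_detections(log_text):
    """Return one dict per 'Infection found' detail line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["fid"], d["iid"] = int(d["fid"]), int(d["iid"])
            hits.append(d)
    return hits

def summarize(hits):
    """Count items per family and per detection type (cookie, file, ...)."""
    per_family = defaultdict(Counter)
    for h in hits:
        per_family[h["family"]][h["type"]] += 1
    return {"items": len(hits), "families": len(per_family),
            "by_family": {f: dict(c) for f, c in per_family.items()}}

def summary_matches_log(log_text):
    """True when the 'Done. Found ...' line agrees with the detail lines above it."""
    m = DONE_RE.search(log_text)
    s = summarize(parse_detections(log_text))
    return bool(m) and int(m["items"]) == s["items"] and int(m["families"]) == s["families"]

def cookie_only(hits, family):
    """True when every item of the given family is a tracking cookie, not a file."""
    fam = [h for h in hits if h["family"] == family]
    return bool(fam) and all(h["type"] == "cookie" for h in fam)
```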
I don't think the original person answered this, but if you want to make sure of / push out the latest Lavasoft definitions to a given machine, you need to create a scan definition to do this. In LD 9.6 go into Tools -> Security and Compliance -> Agent Settings, select the My/Public/Other agent settings you want to change and click the "+" icon to create a new one, then under scanning options make sure only "Spyware" is checked. In the spyware section, click the option you want; if all you want to do is force a download of the latest definitions, click download only. If you actually want to force a manual scan, this is also where you would define that. Now go to the task icon and select Security scan and select your distribution and scan setting, then drop in any of the machines or queries for machines you want to have update their definitions.