7 Replies Latest reply on Jun 11, 2014 8:55 AM by Fabian Schmidt

    AV Best Practices

    acopeland Apprentice

      I've tried scouring these forums and support articles, but haven't found what I am looking for.

       

      What are the recommended or best practice configs for AV/spyware scans on client machines?

       

      If there isn't official documentation, then what works and is consistent for you guys?

       

      We have a mixture of desktops, laptops and Citrix VMs all running Windows 7 in our environment. All physical machines are turned off at close of business, and WoL is hit or miss with MDRs it seems, but I can work with that. Don't care about server settings, we took LD off of them because it was so inconsistent.

       

      I have tried a couple of different configs in the past, but nothing is ever consistent. Heaven forbid we have a virus issue and have to start a catch-all task. That throws the local schedules completely off and we won't get scans ever back on a schedule without pushing the update to all of the agents. Oh man, don't get me started on trying to limit the CPU usage on the clients. I'm convinced that slider bar is just there for show.

       

      So what works best for you all? Local schedules? One task run from the core? Push or Policy? What settings do you use that give you the most consistent coverage? Screenshots of your configs are a plus.

       

      Thanks for any help you can offer!!

        • 1. Re: AV Best Practices
          LANDave SupportEmployee

          Here is what I recommend:

           

          • Set your critical areas scan to run daily.
          • Set your full scan to run weekly.
          • Set your Antivirus definitions to update every 4 hours on the core server.
          • Set your Antivirus definitions to update once a day on your clients.

           

          Here are the steps I would recommend:

           

          Within your LANDesk Antivirus settings, go to the "Scheduled Tasks" section.

           

          You will have 3 options for setting a schedule.

           

          1. Update - This updates the antivirus pattern files
            a. Set the time you want it to run
            b. Repeat after: 1 day
            c. Important: Set a time range you want it to run in. If you don't, and it misses its time, it will reschedule itself for the next time the computer logs in, and it will use that new time from there on.

          2. Critical Areas Scan—scans computer memory, startup objects and disk boot sectors
            Basically set this with the same settings as the pattern file update, but you want it to run AFTER the pattern file update (to take advantage of the very latest definitions)


          3. Full Scan—full scan of the computer, except for network drives and e-mail data files (the Computer scan scope)
          • 2. Re: AV Best Practices
            acopeland Apprentice

            I don't know if it is a difference in version number...I am on 9.0 SP3.

             

            But I don't see anything relating to those kind of specific options.

             

            Are the steps you are recommending on the agent config or the LD AV settings itself? Screenshots would be very helpful if you can provide them.

             

            I don't see options for being more specific with updating pattern files or differentiating between critical areas scan and full scan.

            • 3. Re: AV Best Practices
              Jonathan.JANVIER SupportEmployee

              Hello,

               

              David is talking about the Antivirus settings on your Core server. Then it will depend on your version; Dave is referring to 9.5 & 9.5 SP1, which work with Kaspersky Endpoint Security 8 and version 10.1/10.2.

               

              Regards,

              Jonathan

              • 4. Re: AV Best Practices
                acopeland Apprentice

                Appears that way. So any tips for us still on 9.0?

                • 5. Re: AV Best Practices
                  dsears Apprentice

                  What I've found best for your situation (I had the same issues) is to set the available options in 9.0 as close as possible to what LANDesk is recommending and to create queries and scheduled tasks for the rest of it.

                   

                  I have 5 different queries running hourly to pick up machines that fall under multiple categories. Below is an example of what I've set up for one of them.

                   

                   

                  Here's a screenshot of my query for machines that have definitions within the last 24 hours but missed their weekly scan (hasn't run within the last 7 days):

                  [Screenshot: landeskscreen.png]

                  Something you should remember is that you can use SQL query commands inside the queries to verify specific criteria.

                   

                  For this specific query, I have a task created to update definitions (using the current agent's configuration) and then run a scan (using the current agent's configuration). I have it targeting the above query.

                   

                  I have 3 separate copies of this scheduled task due to how long the scans take to run (on average). I have one set at 9am, 12pm, and 3pm. All of these tasks are scheduled to run daily at their specified time.

                   

                  To make sure my queries are up to date, I have a task scheduled to run an Inventory Scan on each machine in the queries every hour.
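                  As an added illustration of the "fresh definitions but missed weekly scan" query described in this post (example code, not from the original post or from LANDesk): an in-memory SQLite table with a hypothetical inventory schema (`av_status`, `av_definition_date`, `last_full_scan` are assumed column names, and the rows are constructed sample data), plus the complementary "stale definitions" query that a second category task would target.

```python
import sqlite3
from datetime import datetime

# Constructed sample data; the column names are a hypothetical inventory
# schema chosen for this example, not LANDesk's real database layout.
NOW = datetime(2014, 6, 10, 9, 0, 0)  # fixed "current time" so results are reproducible

SAMPLE_ROWS = [
    # (device_name, av_definition_date, last_full_scan)
    ("WS-001", "2014-06-10 06:00:00", "2014-06-01 02:00:00"),  # fresh defs, scan >7 days old
    ("WS-002", "2014-06-10 06:00:00", "2014-06-08 02:00:00"),  # fresh defs, scanned this week
    ("WS-003", "2014-06-05 06:00:00", "2014-05-20 02:00:00"),  # defs stale: needs update first
    ("WS-004", "2014-06-09 20:00:00", None),                   # fresh defs, never scanned
]

# Definitions updated within the last 24 hours, but no full scan in the last 7 days
# (a NULL last_full_scan counts as "never scanned" and must not be silently dropped).
FIND_MISSED_SCANS = """
SELECT device_name FROM av_status
WHERE datetime(av_definition_date) >= datetime(:now, '-1 day')
  AND (last_full_scan IS NULL
       OR datetime(last_full_scan) < datetime(:now, '-7 days'))
ORDER BY device_name
"""

# Definitions older than 24 hours: a separate category that needs an update task, not a scan.
FIND_STALE_DEFINITIONS = """
SELECT device_name FROM av_status
WHERE av_definition_date IS NULL
   OR datetime(av_definition_date) < datetime(:now, '-1 day')
ORDER BY device_name
"""

def build_inventory(rows):
    """Create the hypothetical av_status table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE av_status (device_name TEXT PRIMARY KEY,"
                 " av_definition_date TEXT, last_full_scan TEXT)")
    conn.executemany("INSERT INTO av_status VALUES (?, ?, ?)", rows)
    return conn

def _run(conn, sql, now):
    cur = conn.execute(sql, {"now": now.strftime("%Y-%m-%d %H:%M:%S")})
    return [row[0] for row in cur.fetchall()]

def missed_weekly_scan(conn, now=NOW):
    """Machines the 'update definitions then scan' task should target."""
    return _run(conn, FIND_MISSED_SCANS, now)

def stale_definitions(conn, now=NOW):
    """Machines whose pattern files are out of date."""
    return _run(conn, FIND_STALE_DEFINITIONS, now)
```

The `:now` parameter stands in for the time the scheduled task fires; because the query reads inventory data, it only stays accurate if the inventory scan refreshes those timestamps at least as often as the task runs, which is why the post pairs it with an hourly inventory scan.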

                  • 6. Re: AV Best Practices
                    GJepsen Rookie

                    I had similar issues on 9.0 and other issues on 9.5 base. It has been very stable on 9.5 SP2 except for a patchable issue on mcp0417. I recommend moving toward 9.5.

                    • 7. Re: AV Best Practices
                      Fabian Schmidt Expert

                      Just a quick info on this:

                      LANDESK changed the Kaspersky Engine with 9.5 SP1 from 8 to 10 and there were a lot of major changes!

                       

                      I would recommend that everybody who is using AV update to the latest version, as the KAV Engine is much more stable and configurable than the old one was.

                       

                      Regards

                      Fabian