3 Replies Latest reply on Jan 26, 2017 3:08 AM by phoffmann

    Landesk DLL ldavhlpr.dll reported as a virus

    Jie1.ZHANG Rookie
        • 1. Re: Landesk DLL ldavhlpr.dll reported as a virus
          phoffmann SupportEmployee

          Not sure - it's not like it's either the first time one of our DLL's were reported as such and/or that it'd be the first time that an AV vendor/product/www-site has false positives.


          If we're talking about *OUR* LDAVHLPR.DLL - that very much is neither a backdoor nor a Trojan. It's quite possible that there *IS* someone who tried/has made a backdoor/Trojan and named it LDAVHLPR.DLL so as to hide better, but that wouldn't be "from us" and wouldn't be signed "by us". Given that (based on the file version) this "seems" to be the release-version of LANDesk Management Suite 2016 / v10, I'm pretty sure we'd have heard by now if we had triggered some AV products as potential backdoors (since McAffee isn't exactly an outlandish AV-solution).


          As I'm working with some customers who use McAffee, I can say with some level of confidence that McAffee does NOT pick up legitimate versions of LDAVHLPR.DLL as a virus/threat. So the information is either out of date, or of somewhat questionable accuracy (again - it's not like "false positives" aren't a thing). The McAffee "hits" aside, I can't say I've ever heard of any of the other vendors / ran into them.


          I'll pass the information along to some folks & see what we can do to correct this (a lot of it depends on the processes involved with the relevant www-site).


          What does LDAVHLPR.DLL actually do?

          This is a "dedicated" DLL to help the inventory scanner (LDISCN32.exe) pick up details on whatever AV the client has running. Since there's no "single, straight forward" way to do this, we ended up creating a DLL "just for that job". So that DLL knows how to check the Symantec / McAffee / Sophos (and so on) AV-clients for information on "how up to date are your signatures" / "what version are you") ... all that stuff that shows up under the Security / AV tab is essentially unearthed by this DLL.


          If you are ever concerned, you can always submit the relevant file/DLL to your preferred AV vendor for analysis.


          Does that help?


          - Paul Hoffmann

          • 2. Re: Landesk DLL ldavhlpr.dll reported as a virus
            Maximov Apprentice

            Hi Paul.


            I noticed too that some antivirus apps (not market leaders) mark some LDMS files (especially ldavhlpr.dll) as BACKDOOR.Trojan.  For example Dr.Web www.drweb.com

            - Vladimir Maximov

            • 3. Re: Landesk DLL ldavhlpr.dll reported as a virus
              phoffmann SupportEmployee

              Not much we can do (though I've not heard about those guys) from our side.


              Pretty much the only way to address those things is to talk to them (as a customer) & ask them to validate the relevant (mis-)detected file, as it's likely to be a false positive.


              If they've got a sensible process around this sort of thing, it should be a fairly straight forward & quick affair (false positives are relatively common as well, sadly).


              Because LDAVHLPR.DLL tries to hunt down / access information for a bunch of AV solutions, I guess that some AV products may see the behaviour as suspicious (even though it's quite legitimate in our case - we're trying to gather information for the inventory scan about whatever supported AV solution is being used) as a mistaken "hey, that DLL is trying to find out stuff about me ... could be something naughty" type thinking.


              It'd make logical sense in that regard.