OK - so what you want to do first of all is to start quantifying things.
First of all, what is your idea of "lots of viruses still get through"? 1? 5? 10? 100? While even 1 getting through is arguably "too much", we do have a process for all of this. Please see here:
Process for submitting suspect or infected files:
How to send LANDesk an infected or suspicious file:
Please also read this:
Virus Bulletin: Kido / Conficker / Downadup Virus
These will require you to open tickets with support to track this, which is another reason why you should quantify things. If an AV (ours or anyone's) does not detect a virus, there are multiple possibilities behind it, which usually boil down to the following.
A - The AV has been configured to scan for / not scan for specific files. Configuration issues can be common.
B - The AV genuinely is not aware of the virus and does not detect it yet (see the process on how to get suspicious files to us, so we can get them scanned and if needed have the AV definitions updated). This process is pretty fast.
C - The problem is not so much with the AV itself, but rather an OS vulnerability (such as the Kido-bulletin I linked above).
D - It's a false positive. Every AV solution can be prone to this. If it's a false positive with our AV engine, then it should be taken up with us in a support case. If it's a false positive with another AV engine, please take it up with the respective software vendor.
You need to treat this calmly and rationally, else we will not be able to help you. It's the equivalent of telling a mechanic that "the car broke / doesn't work" - while a true statement, quite devoid of useful information to try and resolve the problem. And, at the end of the day, you have a problem which you'd like resolved, and we're trying to help you achieve that.
So - start documenting things. I've given you the most important processes to look at above, and then work with support through the rest.
LANDesk EMEA Technical Lead
Thanks for the reply to my post! Here is the attachment of the AV scan of one of my nodes! It shows that there are trojans and worms that the AV failed to quarantine! Anyway, I will update my antivirus definitions again and we will see if the worms and trojans will be quarantined or removed successfully.
172.16.24.51.JPG 89.8 K
OK - slow down...
... so - first of all, AV detected the virus. That's good - that means that an update of the definitions is not necessary, we "know" that there's a virus there. This isn't exactly a case of "virus getting past the AV" - the AV does detect it.
If we can't clean it, it's because of something like a file-lock or whatnot (another process keeps the file open). There are a lot of potential reasons for this, which would need to be looked at in your individual case. There's - for instance - a big, big problem trying to get to files that are part of Windows Restore Points (that's true of any AV though) -- the necessity here is to disable the restore points, run the AV scan, and then re-enable them (as one example of what could be causing this).
Again, your best move at this point is to open a ticket with support and provide us with detailed information on what the virus is, what the file is that we can't clean it out of, what kind of media it's on, and we'll go from there.
LANDesk EMEA Technical Lead.
Got the idea! The virus is now quarantined, thanks to your teaching! Now I love LANDesk! But 1 question: is there any other faster method to quarantine viruses? Because it takes 3 hrs for me to scan for viruses! But anyway, it works! Thanks!
Usually the Realtime scanner component is the first to check / find a virus, but that only checks the files you configure / directories you configure to scan for, and relies on file access. If the files are "there" but either not accessed or the real-time scanner is not configured to be scanning for them, it won't catch them.
Generally, you may want to have a careful look at the way you've configured your antivirus behaviour.
(NOTE - even the real-time AV-scanner won't be able to clean files from the restore points, as long as restore points are enabled. It's a frequent complaint from various AV solutions in regards to what is mostly a useful/helpful Microsoft feature).
LANDesk EMEA Technical Lead
OK! Thanks for your help! As a new admin of LANDesk, I'm confused why most of the people here in my office don't like AV! But what I have learned today is going to change their 1st impression of AV. I will work now for more than 500 nodes! But wait, I found another problem: does this attachment, the file named "Quarantine", have a relation with LD? Because it's very big for quarantine files and it's getting bigger every day! My question is, how can we make it erase automatically, if that is possible?
landesk big files.JPG 208.4 K
Using the HELP-file is a good start.
Otherwise, you'll also find this in the AV-behaviour you configure.
1 - Open 32-bit Console
2 - Go to TOOLS -> Security and Patch Manager
3 - Click on the 3rd icon (wrench) and select "LANDesk Antivirus settings..."
4 - Select the AV settings you want to modify (depends how many you have) and click on the EDIT button...
5 - Go to the "Quarantine/Backup"-tab.
6 - Here's your setting. By default this is NOT limited in size. Set it to what you want here.
7 - Click "OK" to save the changes and close the window.
8 - Click "CLOSE" to close the "Configure LANDesk Antivirus Settings" window when you're done with your AV-settings.
9 - In the "Security and Patch manager" tab, click on the second icon (stop watch with green arrow) from the left, and select "Install.Update LANDesk Antivirus..." ... and schedule the update of the AV-settings out to your devices.
Since you're new to this, and probably a bit out of the depth of your comfort zone, I would suggest that you talk to your management about getting some training. A tool like LANDesk is really too big to learn on the fly (it'd take years) - even with training it's a LOT to take in, but at least you'll have documentation and exercises to fall back on (and you can see if you can get it customized more towards your specific needs).
LANDesk is running regular (week-long'ish) training sessions itself, as are our partners (the people you bought LANDesk from). See what's available in your region of the world. It'll help you a lot in making the most of the software (and even with training, it often takes a good few months - it *IS* pretty darn BIG).
LANDesk EMEA Technical lead.