6 Replies Latest reply on Apr 21, 2009 8:48 AM by LANDave

    Query on AV using ldav.exe

    Rookie

      Hi

      I have run a query based on the LANDesk Antivirus package within LANDesk Management Suite, but the results returned did not make any sense.

      A lot of computers were reporting the LANDesk Antivirus package to be a different version from what the actual ldav.exe was. For example, a computer that has had the new AV applied is showing 8.88.0.249 in the query report, though the file version is 8.80.2.24 on the computer.

      My guess is that the computers haven't reported back to the server (even though it's been a few days now).

      How can I do a query based on C:\Program Files\LANDesk\LDClient\antivirus\ldav.exe and its file version?

      Thanks for all your help.

        • 1. Re: Query on AV using ldav.exe
          phoffmann SupportEmployee

          So - what value are you querying for this?

          Are you using SOFTWARE => APPLICATION SUITES => APPLICATION SUITE => "LANDesk(R) Antivirus" => Version ?

          If so, then the version 8.80.0.249 is 100% correct (since it's the LANDesk 8.8 version of AV). This is information on the PACKAGE, not the binary itself.

          ===

          If you want to monitor LDAV.EXE, you should be using something else.

          You should use either:

          SOFTWARE => PACKAGE => LANDesk Antivirus Client => Version || (this reports on LDAV.EXE)

          - or -

          SOFTWARE => PACKAGE => LANDesk AV Service => Version || (this reports on AVSERVICE.EXE)

          I'd also prefer moving this into the correct section ... it seems to me that this is more of a reporting issue than an AV issue per se - so I'll move this into the Reporting section (since you're trying to report on a single binary)...

          Paul Hoffmann

          LANDesk EMEA Technical Lead

          • 2. Re: Query on AV using ldav.exe
            Rookie

            Apologies for putting in the wrong area.

            I have run the report based on ldav.exe and the results are still weird.

            Some computers are showing 8.80.2.24 which is correct, and others are showing 8.80.2.4 which is wrong. I have browsed to the ldav.exe on several PCs and manually checked the ldav.exe, and the file version shows 8.80.2.24, though LANDesk isn't picking this up.

            What else can I try?

            Thanks.

            • 3. Re: Query on AV using ldav.exe
              phoffmann SupportEmployee

              Not sure how you're getting a problem about stuff being mis-reported; that to me sounds like you're having problems with inventory.

              What you CAN do is to create a custom vulnerability - checking simply that LDAV.EXE needs to be a version of 8.80.2.24 - and any devices that are "vulnerable" to that custom vulnerability would thus need to be patched up.

              This will give you a quick chance to check up on things, independent of inventory (and a vulscan for "just custom vulnerabilities" will be a lot lighter on the network than a re-run of inventory to synch up).

              That'll at least get you the result you need/want quickly.

              For information on how to create custom vulnerabilities (just in case you're not familiar) - it's pretty easy stuff and a walkthrough can be found here:

              Creating Custom Vulnerabilities LDMS 8.1:

              http://community.landesk.com/support/docs/DOC-1616

              Sample Custom Vulnerability XML exports:

              http://community.landesk.com/support/docs/DOC-2924

              and there are various other threads you can find by just searching for custom vulnerabilities.

              Paul Hoffmann

              LANDesk EMEA Technical Lead

              • 4. Re: Query on AV using ldav.exe
                LANDave SupportEmployee

                Ultimately what are you trying to accomplish with your query?

                If you are trying to see what clients have the old antivirus engine, and what clients have the new antivirus engine, here is a query you could try:

                Write your query to return "Computer"."Security"."Antivirus Software"."Antivirus"."Engine Version"

                If your query shows "5.0.1.95" you have the newer engine. If it shows "5.0.1.88" you have the older engine.
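The two checks proposed in the thread (reply 3's custom vulnerability on the LDAV.EXE file version, reply 4's Engine Version query) can be applied offline to an inventory export. Below is an added example, not LANDesk code and not part of the thread; the inventory rows are constructed, and the version strings are the ones quoted in the posts. It compares versions numerically, because a plain string comparison would rank 8.80.2.4 above 8.80.2.24.

```python
"""Classify constructed LANDesk inventory rows by LDAV.EXE file version and
AV engine version. Added example, not LANDesk code; rows are made up."""
from typing import Dict, Iterable, Tuple

# Version strings quoted in the thread.
REQUIRED_LDAV = "8.80.2.24"   # expected file version of LDAV.EXE
NEW_ENGINE = "5.0.1.95"       # newer AV engine per reply 4
OLD_ENGINE = "5.0.1.88"       # older AV engine per reply 4


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.80.2.24' into (8, 80, 2, 24) so ordering is numeric.
    A string comparison would put '8.80.2.4' after '8.80.2.24'."""
    return tuple(int(part) for part in text.strip().split("."))


def ldav_is_vulnerable(file_version: str) -> bool:
    """True when LDAV.EXE is older than the required build."""
    return parse_version(file_version) < parse_version(REQUIRED_LDAV)


def engine_state(engine_version: str) -> str:
    """Map the Engine Version value to new / old / unknown."""
    if engine_version == NEW_ENGINE:
        return "new"
    if engine_version == OLD_ENGINE:
        return "old"
    return "unknown"


def classify(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, Tuple[bool, str]]:
    """rows: (hostname, LDAV.EXE file version, engine version).
    Returns {hostname: (ldav_vulnerable, engine_state)}."""
    return {host: (ldav_is_vulnerable(ldav), engine_state(eng))
            for host, ldav, eng in rows}


# Constructed inventory rows; hostnames are placeholders, not real machines.
SAMPLE_ROWS = [
    ("pc-001", "8.80.2.24", "5.0.1.95"),
    ("pc-002", "8.80.2.4", "5.0.1.88"),
    ("pc-003", "8.80.2.24", "5.0.1.88"),
]

if __name__ == "__main__":
    for host, (vuln, eng) in classify(SAMPLE_ROWS).items():
        print(f"{host}: ldav {'OUTDATED' if vuln else 'ok'}, engine {eng}")
```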

                • 5. Re: Query on AV using ldav.exe
                  Rookie

                  David

                  Three words................... YOU THE MAN!!

                  That is perfect. It appears that only 30 PCs have 88, and the rest have 95.

                  Lovin' it.

                  Thanks.

                  • 6. Re: Query on AV using ldav.exe
                    LANDave SupportEmployee

                    I actually just remembered, I created this article a week or so ago:

                    http://community.landesk.com/support/docs/DOC-5645

                    Hopefully someone else will find this useful. I didn't think to post it in the reporting section.

                    I'm glad that worked for you.