Best Know Methods for LANDesk Anti-Virus and Spyware

Best Know Methods for 

LANDesk Anti-Virus and 

Spyware 

Interchange 2010 

Stewart Christensen 

Solutions Architect 

October 11, 2010 

LANDesk Software Confidential

LANDesk ® Solutions 

2 

Power & 

Infrastructure 

Management 

Virtualization 

Management 

Systems 

Lifecycle 

Management 

Management 

Automation 

Platform 

IT Service 

Management 

LANDesk Software Confidential 

Endpoint 

Security & 

Compliance 

Asset 

Lifecycle 

Management

New! LDAV SDK 8 Key Benefits 

State-of-the-Art Protection 

“Generic” malware detection 

› Detects “families” of malware with a single signature 

› Effective in detecting many new threats without an updated signature 

Advanced heuristics (behavioral) module 

› Emulates malware object’s execution in a secure virtual environment 

› Discovers and blocks suspicious actions, typical malware behavior 

Powerful Engine 

Updatable AV Engine – engine version is now concurrent with signature date 

DeepUnpack technology 

› Better handling of compressed objects (.zip, etc) 

› Largest number of Packer and Archive formats supported (~4000) 

› Multi-volume archive processing/detection 

› Increased processing speed 

Performance 

Optimized AV Database 

Native multi-threading support 

Scanning of Startup objects 


LANDesk Antivirus 9 – Supported OS 

Desktop Operating Systems Server Operating Systems 

Windows XP Professional SP2, SP3 

Windows XP Professional x64 Edition SP2 

Windows Vista Business/Ultimate/Enterprise 

SP2 (32-bit) 

Windows Vista Business/Ultimate/Enterprise 

SP2 (64-bit) (x64) 


Windows 2003 Server Standard, Enterprise 

SP2 (32-bit) (SP1 is not supported) 

Windows 2003 Server Standard, Enterprise 

SP2* (64-bit) (x64) (SP1 is not supported) 

Windows Server 2008 SP2 (32bit) 

Windows Server 2008 SP2 (64-bit) (x64) 

Windows 7 Business/Ultimate/Enterprise Windows Server 2008 R2 (32-bit) 

Windows 7 Business/Ultimate/Enterprise Windows Server 2008 R2 (64-bit) (x64) 

Note: LDMS 9 drops support for Windows 2000 and adds 

support for Windows 7 and Server 2008 R2 

http://community.landesk.com/support/docs/D 

OC-5685

LANDesk Antivirus – Pattern file updates 

“Get latest definitions” only 

available on core, not on 

remote consoles 

http://community.landesk.com/support/docs/DOC-6842 


Antivirus – Core Pattern File Updates 

Uses Kaspersky Updater SDK 8 

LDMS 9 definitions stored under LDLogon\Antivirus8\win\Bases8 

LDMS 8.x definitions stored under LDLogon\Antivirus\Bases 

Bases format on the core differs from the client format due to a 

restriction in the Updater SDK. LDDWNLD downloads the files 

from the core (or peer) from ldlogon\win\antivirus8\bases8\ to 

ldclient\antivirus\temp_bases8\landesk, then AVService will call the 

Updater SDK 8 to update the files from 

ldclient\antivirus\temp_bases8 to antivirus\bases8 

New utility: Getbases.exe 

› Compares files on the source and destination and downloads only the delta, 

which significantly decreases update time and saves traffic. If the update 

fails in the middle, it has the ability to roll back to the prior definitions. 

› Getbases.exe creates LDBasesInfo.xml which contains the definition 

date/time in Moscow time. 

› Getbases.exe logs to Getbases.exe.log under the ManagementSuite\Log 

directory 



An option is available to also update the virus 

definitions for LANDesk AV 8.x. This option is 

checked by default. UpdateVirusDefinitions.exe is 

still used to update the 8.x definitions. The 8.x 

definitions are not updated using the Kaspersky 

Updater SDK, so they are stored in the format the 

client uses in LDLogon\Antivirus\Bases. 

We do not provide backup, restore, or pilot options 

for 8.x definitions. We simply overwrite the files in 

LDLogon\Antivirus\Bases every time we run 

UpdateVirusDefinitions.exe. 



We do not ship with 8.x virus definitions files, so when the core 

is upgraded to 9.0, ldlogon\antivirus\bases folder does not 

exist. This way the existing LANDesk AV 8.x client can keep the 

current virus definitions. If the download option was set to 

download from the core then internet, the existing client will try 

to contact the core. It connects to the core, but because the 

core does not have the bases folder, the download fails, but the 

client can keep the existing definition set. (Because it can 

connect to the core, it will not try to download from the 

internet.) After the core downloads the virus definitions for 8.x, 

ldlogon\antivirus\bases folder will be created and the existing 

client can update the definitions from the core. 

Moral of the story: Update virus definitions immediately after 

installation. 


LANDesk Antivirus – Antivirus Settings 

LANDesk Antivirus settings have been moved from the Security 

and Patch Manager tool to the “Security Configurations” tool within 

the “Security and Compliance” group. 

These settings reside in the “My”, “Public”, and 

“All” Security Configurations containers. 


Antivirus Settings – Agent Configuration 

The next, as shown here is through the Agent 

Configuration tool, then right-clicking the desired 

agent configuration, going to properties, and then 

the LANDesk Antivirus section. 

From within the dropdown within the LANDesk 

Antivirus section of the Agent Configuration 

properties, you can then select the Antivirus 

settings you wish to use, or click Configure to 

modify the Antivirus settings. 


Agent Installation – Possible issues 

Agent install will not reboot initially in LDMS 9. For an Antivirus 

upgrade from an older version, a separate reboot task will be 

required. A fresh install may or may not require a reboot. 

After an upgrade installation, if the end user attempts to start 

realtime protection on a computer where a reboot has not taken 

place after installation, they will be presented with the message 

“Another Antivirus solution is installed. To avoid compatibility, 

LANDesk® Antivirus service will not start.” This is due to the prior 

LDMS 8.x Antivirus driver still being installed. 

Note: In instances where LANDesk Antivirus is uninstalled and the 

reinstalled without a reboot, a failure message may appear during 

the installation of the real-time driver. The message may read 

“Installation failed”. This is due to the real-time driver from the 

original installation being installed. A reboot must take place 

between an uninstallation and a reinstallation. 


Antivirus Settings – General tab 

A note regarding e-mail scanning. E-mails are scanned as 

they are selected, not as they are received. 


Use this tab to configure the basic antivirus scanner settings on 

target devices. 

This tab contains the following options: 

Show LANDesk Antivirus icon in system tray: Makes the 

LANDesk Antivirus icon appear in the device system tray. The 

icon's appearance depends on the status of antivirus protection, 

indicating whether real-time protection is enabled. If the arrow icon 

is yellow, real-time protection is enabled meaning the device is 

continuously being monitored for viruses. If the icon is gray, realtime 

protection is not enabled. 

End users can double-click the icon to open the LANDesk 

Antivirus client and perform tasks. They can also right-click the 

icon to access the shortcut menu and select to run a scan and update 

antivirus files. 

Enable email scanning: Enables real-time email scanning on 

target devices. Real-time email scanning continuously monitors 

incoming and outgoing messages (supported applications include: 

Microsoft Outlook), checking for viruses in both the body of the 

message and any attached files and messages. Any detected viruses 

are removed.

Antivirus Settings – General tab continued 


Enable right-click scanning: Provides an option on the LANDesk 

Antivirus client that allows end users to select a file, group of files, 

folder, or group of folders, and right click the selection to perform an 

antivirus scan. 

Scan for risky software in addition to viruses (extended database): 

Provides an option on the LANDesk Antivirus client that allows end users 

to scan for riskware (i.e., spyware, FTP, IRC, remote control utilities, 

etc.) using an extended database that is loaded on the managed device. 

Allow user to add files and folders to Trusted Items list: Provides an 

option on the LANDesk Antivirus client that lets users identify files and 

folders they don't want scanned for viruses. Files and folders in this list 

are ignored by an antivirus scan. Users should be made aware that they 

should move only safe files to their trusted items list. 

CPU utilization when scanning: Lets you control CPU usage on target 

machines when LANDesk Antivirus runs an antivirus scan. This setting 

will actually have less effect on CPU usage than overall I/O on the 

computer. You will feel a difference between having this set on low and 

this set on high, however the cpu usage will only change very minimally. 

It will take nearly twice as long to scan a system at the low setting vs. the 

high setting.

Antivirus settings – Right-click scanning 

The right-click scan menu option is added by AVScanShlExt.dll or 

AVScanShlExt64.dll. If this option does not show up, the .DLL likely 

failed to register correctly. It can be reregistered using REGSVR32. 

When right-clicking a drive or folder, Antivirus exceptions do not take 

effect. Files within a trusted (ie – excluded) folder are scanned. 

A right-click scan will spawn an additional AVService.exe process, 

and an additional Kavehost.exe process. 


LANDesk Antivirus – Risky Software 

What is "Risky Software"? Without this option set, LANDesk 

Antivirus will scan for viruses, but will not scan for other 

malware. Risky software is essentially client software whose 

installation presents a possible but not definite risk for the end 

user. For example: Adware, proxy-programs, pornware, remote 

admin utilities, IRC, dialers, activity monitors, password utilities, 

and Internet tools such as FTP, Web, Proxy and Telnet. 

Once enabled, if a program that is in this extended database of 

Risky Software is desired to be used, an exception will need to 

be made in the Real-time protection and Virus scan Exceptions 

section. 


Antivirus Settings – General tab continued 


Owner: Lets you specify an owner for the antivirus setting 

in order to prevent unauthorized modification. Only the 

owner and users with the LANDesk Administrator right can 

access and modify the setting. Other users can only view the 

setting. The public user option allows universal access to 

the setting. 

Set as default: Establishes this antivirus setting (including 

the option settings on all of the Antivirus setting dialog's 

tabs) as the default on target devices. Unless an antivirus 

scan task has a specific antivirus setting associated with it, 

the default settings are used during scan and definition file 

update tasks. If this setting is already the default, this will 

show a green checkmark with the words “Default setting”. 

Restore defaults: Restores the predefined default settings 

for all of the antivirus options on the dialog's tabs.

Antivirus Settings – Real time protection 

tab 


We now move on to the Realtime 

Protection Tab 

Use this tab to enable and configure 

real-time file protection, which files to 

protect and what to exclude, and end 

user notification. 

Real-time protection is an ongoing 

(background) scan of specified files, 

folders, and file types by extension. 

When real-time protection is running, 

files are scanned for viruses every 

time they are opened, closed, 

accessed, copied, or saved. 

When real-time protection is enabled, 

the LANDesk Antivirus system tray 

icon is yellow. The icon is gray when 

real-time protection is turned off. 

This tab contains the following options 

(Next slide)

Realtime protection tab continued… 

Enable real-time file protection: Turns on real-time file protection on target devices. Real-time file protection runs in the 

background and scans for known viruses according to the downloaded virus definition files. 

Also show real-time messages on client: Displays messages on target devices to notify users of certain LANDesk 

Antivirus activities. End users are notified when an infected file is detected, quarantined, deleted, skipped, or cleaned. 

Message dialogs show the path, file name, virus name, and a note telling the end user to contact their network 

administrator. 

Allow user to disable real-time scanning for up to: Provides an option on the LANDesk Antivirus client that allows the 

end user to turn off real-time file protection for a specified period of time. You should keep the amount of time to a 

minimum so that users can't disable real-time protection long term. 

Scan all file types: Specifies that files of all types on the target device are scanned by an antivirus scan. This may take 

a long time so it is a good idea to scan all file types with an on-demand scan rather than real-time protection. 

Scan infectable files only: Specifies that infectable files only are scanned. Infectable files are those types of files known 

to be vulnerable to virus infections. Scanning only infectable files is more efficient than scanning all files because some 

viruses affect only certain file types. However, you should make a habit of regularly scanning all the files with an ondemand 

scan in order to ensure devices are clean. 

Infectable file types are identified by their format identifier in the file header rather than by their file extension, ensuring 

that renamed files are scanned. Infectable files include: document files such as Word and Excel files; template files that 

are associated with document files; and program files such as Dynamic Link Libraries (.DLLs), communication files 

(.COM), Executable files (.EXEs), and other program files. A complete list of file extensions that are considered 

infectable files follow: 


Realtime protection tab continued… 

ACM ACV ADT AX BAT BIN BTM CLA COM CPL CSC CSH DLL DOC DOT DRV EXE HLP 

HTA HTM HTML HTT INF INI JS JSE JTD MDB MSO OBD OBT OCX PIF PL PM POT PPS 

PPT RTF SCR SH SHB SHS SMM SYS VBE VBS VSD VSS VST VXD WSF WSH, XLS 

Use heuristics to scan for suspicious files: Utilizes the scanner's heuristic analysis 

capability when scanning target devices. 

Heuristic scanning attempts to detect files suspected of being infected by a virus by looking 

for suspicious behavior such as a program that: modifies itself, immediately tries to find 

other executables, or is modified after terminating. Using heuristic scanning may negatively 

affect speed/performance on managed devices. 

Exclude the following files and folders 

› Add: Opens the Add excluded path dialog where you can create new exclusions to specify the files, 

folders, or file types (by extension) you want to exclude from an antivirus scan associated with this 

setting. 

› Edit: Opens the selected exclusion so you can modify a file path, file name, file extension, and 

variables. 

› Delete: Removes the selected exclusion from the antivirus setting. 

Note: When adding extensions, do not include the leading period, simply add the letters of 

the extension. 


Antivirus Settings – Virus scan tab 


This tab is almost identical to the 

Real-time Protection tab, however it 

only applies to manual scans. 

A manual scan can be initiated in the 

following ways. 

1. Double-clicking the shield icon in the 

system tray and selecting “Scan my 

computer” 

2. Right-clicking a file, folder, or drive and 

selecting “Scan for viruses” 

3. A scheduled scan that runs from the 

local scheduler on the client computer. 

4. Selecting “LANDesk Antivirus Scan” in 

the “Create a task” dropdown in the 

Security and Patch Manager tool. 

(This is the 2 nd icon).

Antivirus Settings – Scheduled scan tab 


Use this tab to enable and configure a recurring 

scheduled antivirus scan on target devices. 

LANDesk Antivirus scan types 

You can scan your managed devices for viruses with 

scheduled scans, on-demand scans, as well as realtime 

file and email protection. End users can also 

perform on-demand scans of their own computer. 

This tab contains the following options: 

Have LANDesk Antivirus scan devices for viruses 

at a scheduled time: Enables a recurring scheduled 

antivirus scan that runs on target devices according to 

the start time, frequency, time restriction, and 

bandwidth requirement you specify. 

Change settings: Opens the Schedule dialog where 

you can set the scheduling options. 

Allow user to schedule scans: Lets the end user 

create a local scheduled antivirus scan on their own 

machine. This is done by double-clicking the shield 

icon on the system tray, selecting “view details” next to 

the “Scheduled Scan” option, and then clicking “New”. 

If this option is not selected, the user will be able to 

view details of the scheduled scan, but will not be able 

to add their own scans.

Scheduled virus definitions updates dialog 


This controls the local scheduler task that is created on the client. 

This dialog is identical for both scheduled scans and definition 

updates. 

Start time: Specifies the time the virus definition update runs on 

target devices. By default, this field displays the current time. 

Repeat after: Schedules the virus definition update to recur 

periodically. Select the number of minutes, hours, and days to 

control how often the task repeats. If the time period is longer 

than one day, the update runs at the start time above. 

Restrictions: Allows you to disable the virus definition file update 

at certain times, days, 

and dates. 

Device must have enough bandwidth: Enforces a minimum 

bandwidth requirement for target devices in order for the virus 

definition update to run successfully. If this option is enabled and 

the target device's currently available bandwidth does not meet 

the requirement, the update doesn't run. 

Minimum bandwidth: Specifies the minimum network bandwidth 

required in order for the task to run. Select either RAS, WAN, or 

LAN. 

Computer name: Identifies the computer that is used to test the 

device bandwidth. The test transmission is between a target 

device and this computer.

Antivirus Settings – Virus Definitions Updates 


LDMS 9 includes a 

default definition 

update schedule of 

daily at 12:00pm.

Antivirus Settings – Quarantine/Backup tab 


Virus definition files 

Using the Download “pilot” versions of virus definition files option will allow any computer that has these settings applied to act 

as a pilot computer to test new definition files before they are released to other computers. 

Note: Pilot definitions are not available for LDMS 8.x clients reporting to an LDMS 9 server. 

Selecting the option “Users may download virus definition updates” adds the option “Update Now” to the LANDesk Antivirus dialog. 

Again, you get to this screen by double clicking the shield icon on the client system tray. 

As discussed in the last slide, the virus definition updates can and should be scheduled to run regularly. 

LANDesk pattern file updates take advantage of both peer download technology and preferred server technology. This 

helps greatly to save bandwidth back to the core server. LDDWNLD and Peer Download technology is much improved in LDMS 9. 

The Bases.cab compressed file no longer exists in LDMS 9. Definition files are downloaded 1 file at a time. 

Options are available to select the default behavior for downloading pattern files. 

The options listed as shown in the graphic on the right are: 

Core only – Only download pattern files directly from the core server. 

Core only. Fall back to internet if core is not available. 

Internet only. Only download from the internet. 

Internet first. Fall back to the core if internet is not available. 


LANDesk Antivirus Installation 

Four ways to install LANDesk 

Antivirus. 


“Standalone” Antivirus Installation 

New in LDMS 9: 

Run LDMAIN\AVStandaloneBuilder.exe 

This creates \LDLogon\AVStandalonesetup.exe 

Installation is logged in AVStandaloneSetup.exe.log, 

written to the location the installation is launched from. 

Alternative way to create a “Standalone” Antivirus installation: 



Scheduling an Antivirus scan task 

This dialog will create a new task, 

either a standard push task, or a policy 

task that will appear in the Scheduled 

Tasks tool. 

The option “Update virus definitions 

(including pilot) on the core will cause 

the definitions to be updated on the 

core server prior to updating the client 

definitions. This will ensure that the 

clients have the very latest definitions. 


Changing Antivirus Settings 

You can also change the current Antivirus Settings that the 

client uses, by creating a Change Settings task. 

This is done by selecting the “Create a Task” dropdown 

(Second icon in “Security Configurations”). You can then 

select different Antivirus settings for the client to use. 

This will change the default settings that the client will use. 

If you have simply made a change to the existing Antivirus 

settings, those changes will take place the next time the 

vulnerability scanner runs on the client. 


Antivirus Activity tool 


This screen displays the Antivirus Activity tool. This is 

opened by clicking the yellow shield icon with an 

exclamation mark in the Security and Patch Manager 

tool, as pictured. 

This screen displays recent activity in your environment 

for infections, quarantined infections, trusted items, 

computers that have not recently sent in status, etc. 

You can right-click each area and select “View as 

report”.

LANDesk Antivirus Reports 


LANDesk Antivirus Alerts 

By default, the following alerts are configured for LANDesk Antivirus. 

These alerts are configured by default to log to the event viewer on the core server. They can be modified to 

perform the following actions: 

Standard, Run on Core, Run on Client, Send e-mail, Send SNMP trap 

For further information about setting up LANDesk Alerts, please 

see the following Community Article: 



LANDesk Antivirus – Inventory Information 


This is the Antivirus information gathered by 

the Inventory Scanner. Antivirus information 

is gathered not only for LANDesk Antivirus, 

but for various other vendors. 

This information is gathered as part of the 

inventory scan by LDAVHLPR.DLL. If you 

are having issues gathering accurate data 

about your Antivirus solution, make sure you 

have the latest version of LDAVHLPR.DLL. 

It may be useful to create a custom column set 

or create a query showing the Last Virus Scan 

and Definition Publish dates to ensure that the 

computers are up to date with pattern files and 

are scanning regularly.

Antivirus – Security and Patch Definitions 

There are 12 Antivirus definitions that can be used to help control Antivirus 

programs in your environment. These definitions serve various purposes. 

The definitions that check the status of other Antivirus vendor products check the 

following products: 

Symantec Antivirus, Norton Antivirus, PCCillin, Trend Officescan, Trend 

ServerProtect, Sophos Enterprise, Sophos Small Business, Etrust, and Eset 

NOD32. 

AV-100 will of course check to see if there is a virus scanner installed. 

AV-101 will check to see if the realtime engine is enabled on various vendor 

products 

AV-103, AV-105, AV-106, AV-107, AV-111, and AV-112 will check to see if 

the particular vendor’s definition files are up to date. Note the days the pattern 

file can be out of date is set in the Custom Definitions tab of the definition. 

AV-104 checks the number of days since a last full system scan (default is 2 

days) 

AV-109 reports whether the last scan succeeded or failed 

AV-110 reports computers that had remediation errors during the last scan 

The vulnerability scan category “Antivirus Updates” must be enabled in the Scan 

tab of the Scan and Repair settings for these definitions to be scanned. 


Antivirus – Pattern file content 

Security and Patch Manager also includes definitions to download the latest 

pattern files from other Antivirus Vendors. 

As you can see pattern files can be downloaded for ESET NOD32, eTrust, 

LANDesk, McAfee, Sophos, Symantec, and Trend Micro. 

When you select other vendors Antivirus Updates category, you must accept 

an agreement that you own and are adequately licensed for the software you 

are downloading updates for. 


Server initiated scans and pattern file 

updates 

There are several ways to initiate 

an antivirus scan and pattern file 

update from the core. 

The first, pictured here is to go to 

the “Create a task” icon in the 

Security Configurations tool, and 

then select “LANDesk Antivirus 

task”. This can be set up as a 

scheduled push task or a policy, 

with the option to run the scan with 

different antivirus setting options, 

and also the option to update virus 


Important client side Antivirus program files 

C:\Documents and Settings\All Users\ 

Application Data\LANDeskAV (Windows 2000/XP/2003) 

or C:\ProgramData\LANDeskAV (Windows Vista/7/2008) 

File name Purpose 

AVBehavior_(Corename)[#].xml Antivirus behavior file 

(settings) 

C:\Program Files\LANDesk\LDClient 


Vulscan.exe Installs LDAV, downloads updated 

settings, etc 

The Current Antivirus Behavior in use on a client can be 

verified by viewing the following registry key: 

HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan 


C:\Program Files\LANDesk\LDClient\Antivirus 


AVService.exe Main Antivirus Engine 

LDAV.EXE LANDesk Antivirus GUI (Systray 

Icon and related dialogs) 

KaveHost.exe Processes that perform scanning 

functions 

Udinstaller32.exe 

Or Udinstaller64.exe 

AVScanShlExt.dll or 

AVScanShlExt64.dll 

32 and 64-bit versions of the realtime 

driver installer 

Windows Shell Plug-in. 

(Adds right-click “Scan for 

viruses”option) 

*.ppl Plug-in files to perform specific 

functions (such as scanning 

compressed files, etc) 

Av.key Product license file. Real-time 

service will not start with an expired 

key. (Also is in the LDClient\Bases 

directory)

Antivirus real-time driver 

The real-time driver is installed by udinstaller32.exe or udinstaller64.exe. This installation is logged in udinstaller.log. The 

registry key HKLM\System\CurrentControlSet\Services\KLIF should be checked to verify it points to the correct location, and the 

correct driver exists in that location. 

The realtime driver is installed from \LDClient\Antivirus\Install\Instdrivers\mklif and then a subdirectory depending on the major 

and minor version of Windows. This is controlled by Udinstaller.ini. 

The following table shows the Operating System, 

32-Bit Clients Installed From File Size Version 64-Bit Clients (x64 only) Installed From File Size Version 

Windows 7 fre_wlh_x86 299KB 8.4.0.76 Windows 7 x64 fre_wlh_amd64 344KB 8.4.0.76 

Server 2008 R2 fre_wlh_x86 299KB 8.4.0.76 Server 2008 R2 x64 fre_wlh_amd64 344KB 8.4.0.76 

Server 2008 fre_wlh_x86 299KB 8.4.0.76 Server 2008 x64 fre_wlh_amd64 344KB 8.4.0.76 

Windows Vista fre_wlh_x86 299KB 8.4.0.76 Windows Vista x64 fre_wlh_amd64 344KB 8.4.0.76 

Server 2003 R2 fre_wnet_x86 306KB 8.4.0.76 Server 2003 R2 x64 fre_wnet_amd64 319KB 8.4.0.76 

Server 2003 fre_wnet_x86 306KB 8.4.0.76 Server 2003 x64 fre_wnet_amd64 319KB 8.4.0.76 

Windows XP fre_wxp_x86 310KB 8.4.0.76 Windows XP x64 fre_wnet_amd64 319KB 8.4.0.76 

Note: 64-bit support is for the x64 platform only. Itanium (IA-64) is not supported 


Active LANDesk Antivirus processes 

AVService.exe LDAV.exe 

One instance active if LANDesk Antivirus 

Service is running. 

One instance if a pattern file 

update is running. 

Once instance for each active scan. 

One instance active if 

LANDesk Antivirus System Tray 

shield icon is running. 

One process for each open LDAV GUI 

Window (Active Scan, etc) 

(These will usually show as running 

under the SYSTEM account) 


KaveHost.exe 

One KaveHost process per CPU core 

(These will usually show as running 


One more KaveHost process if 

e-mail scanning is enabled and 

Outlook installed and running 

(This will show up as running 

under the logged in user) 

You will have a KaveHost process 

for each active scan 

(these will usually show as running 


By default, 1 KaveHost.exe is opened per CPU core on Desktop operating systems. 

On Server operating systems 2 cpu cores are used. 

To limit this behavior, see the following community article. 

http://community.landesk.com/support/docs/DOC-5714

Local Scheduler Antivirus Tasks 

Local scheduler tasks can be viewed by typing 

“Localsch /tasks | more” at a DOS prompt from the 

LDCLIENT directory. 

LDAV /scancomputer – Scheduled scan 

LDAV /update – virus definition update 


These can also be viewed within the 

Inventory for a client computer under 

Computer LANDesk Management 

Local Scheduler Scheduled Tasks. 

These will typically be somewhere around 

tasks #8 or #9.

Steps to enable verbose logging 

1. Stop the LANDesk antivirus service. 

2. Run AVSERVICE.EXE /LOG 

This will enable the logging level of 10. 

Antivirus – Verbose logging 

These settings are enabled in the KAVE.INI 

file. 

Here is what is written to the 

KAVE.INI file: 

[LOGGING] 

WriteLog=10 

WriteFileMonitorLog=10 

WriteScanningProcessLog=10 

Note: Logging will log a LOT of data and can use a large 

amount of disk space. To turn the logging back off, run 

AVService /RemoveLog and restart the LANDesk Antivirus 

Service. 

This will create several log files in the LDCLIENT\ANTIVIRUS 

directory that will be named KAVE_{PID}.log 

{PID} = the Process ID of the process being logged 

http://community.landesk.com/support/docs/D 

OC-6537 

Adding “Append=1” to the KAVE.INI will cause the logs to 

remain when the service starts and append the logging 

information to the existing log. 

To change the log location, add the following line in the 

KAVE.INI: LogsFolder=“C:\{directory}" 

You can also get valuable system information by running this 

utility: 

http://telecharger.kaspersky.fr/GSI/GetSystemInfo.exe 


Antivirus licensing issues 

Issues with the Antivirus license key can be caused by many factors. This is discussed in the 

following knowledgebase article. 


Two licenses exist. One for the Antivirus tools and one for the pattern file content. 

In the Core Server Activation tool, if you click “Licenses” the Antivirus licensing will show up like this: 

(Click on Product Name to sort alphabetically) 

In the above example, the product was originally licensed as LANDesk 8.7, and then was upgraded to LDMS 

8.8. A newly licensed 8.8 install would show “LANDesk Antivirus 8.8 License” and “LANDesk Antivirus 

8.8 Subscription”. 


Important Community Articles 


LANDesk Antivirus Recommended Patch List 


How to send LANDesk an infected or suspicious file 


NEW LANDesk Antivirus Engine 


LANDesk Antivirus Tool and/or Content not appearing in Management Console 


How to limit the number of active ScanningProcess.exe (KaveHost.exe) processes 


How to send LANDesk a valid file (Non-infected) that is being detected as a virus 


LANDesk Antivirus not detecting a suspected virus 


LANDesk Antivirus supported Operating Systems 


LANDesk Antivirus Logging Information 


44 

Thank You! 

The information herein is the confidential information and/or proprietary property of LANDesk Software, Inc. and its affiliates (referred to collectively as 

“LANDesk”), and may not be disclosed or copied without prior written consent of LANDesk. 

To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, 

relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or 

infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright. 

LANDesk retains the right to make changes to the information herein or related product specifications and descriptions, at any time, without notice. 

LANDesk makes no warranty for the use of the information herein and assumes no responsibility for any errors that can appear nor does it make a 

commitment to update the information contained herein. For the most current product information, please visit www.landesk.com. 

Copyright © 2010, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of 

LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of 

others.

Best Know Methods for LANDesk Anti-Virus and Spyware

Create successful ePaper yourself

Delete template?

Save as template?