Monday, March 1, 2010

Yet another update about LANDesk A/V problems

As you may or may not know, this morning was quite frustrating for most of us because of the LANDesk antivirus problem. Before I go any further, rest assured that I am working on the problem around the clock, and so is LANDesk, to help resolve our issues.

Here’s what we know so far. Please read this article in its entirety, as it contains information that may help you answer our users’ questions:

The issue that arose this morning was that KIDO.ih and KIDO.b were not being detected on the workstations. The good news is that this particular issue, as far as we can tell so far, is not related to LANDesk itself, but rather to the configuration of the A/V engine and to the KIDO virus, which keeps outsmarting us.

Here’s what was happening:

What WAS:

Prior to today, KIDO.ih was installing itself in c:\windows\system32 under a name like this: c:\windows\system32\qiteusk.dll. As far as we knew from reading about the virus, the string before the .dll was completely random, but the executable for that virus always used the .dll extension. For this reason, we had the LANDesk A/V engine scan only “Known Infectable Files”, which is a list of extensions that are known to be infectable. This included the .dll files that the KIDO virus consisted of. The main reason I had done this was to keep workstations from working harder than they should during a full scan and bogging down the machine’s CPU. Unfortunately, that backfired on us when the KIDO virus outsmarted us and, out of the blue, started putting unknown extensions on the executable file, e.g. c:\windows\rfypynq.fvm. Obviously, that file started falling under “non-infectable files” and therefore started slipping through the cracks of the LANDesk A/V engine.

What IS:

I have changed the behavior of the LANDesk Antivirus to scan ALL files, not just infectable ones. This immediately started catching the virus with the real-time scanner. When this setting takes effect, users will start seeing a message that looks similar to the following:

[Screenshot: LANDesk Antivirus real-time detection message, 2010-03-01 3:32 PM]

This is actually a good sign: it means that the virus has been detected and quarantined, even if not deleted. The user can safely click OK and continue their work. There is no need for the user to contact the helpdesk in this situation. Unfortunately, I do not know of a way to customize that message, but I will look into it.
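To show why the extension-based policy missed the renamed file and why scanning all files catches it, here is an added example (not part of the original post and not LANDesk’s code). It models the two scan policies described above and checks file content for the Windows executable header instead of trusting the extension; the extension list and the sample files are constructed assumptions.

```python
import os
import tempfile

# Assumed subset of a "Known Infectable Files" extension list; the real LANDesk
# list is not given in the post, so this is a constructed stand-in.
INFECTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}


def should_scan(path, scan_all_files):
    """Return True if the scan policy would examine this file at all."""
    if scan_all_files:
        return True
    return os.path.splitext(path)[1].lower() in INFECTABLE_EXTENSIONS


def looks_like_pe_image(path):
    """Content check: Windows EXE/DLL images start with the 'MZ' DOS header,
    no matter what extension the file was given."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_directory(directory, scan_all_files):
    """Return names of files the policy examined that carry a PE header."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if should_scan(path, scan_all_files) and looks_like_pe_image(path):
            hits.append(name)
    return hits


def build_sample_dir():
    """Constructed sample: two PE-looking stubs using the naming patterns from
    the post (random .dll name, then random extension) plus one text file."""
    d = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\x90" * 62  # header bytes only; not a real executable
    samples = [("qiteusk.dll", fake_pe), ("rfypynq.fvm", fake_pe), ("readme.txt", b"hello")]
    for name, data in samples:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    print("infectable-only:", scan_directory(d, scan_all_files=False))  # ['qiteusk.dll']
    print("all files:      ", scan_directory(d, scan_all_files=True))   # ['qiteusk.dll', 'rfypynq.fvm']
```

The extension policy never opens rfypynq.fvm, so no signature could have matched it; only the all-files policy gets far enough to look at its content.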

For machines that are suspected of having the virus and that the current LANDesk agent has not flagged, you can run a full scan on the machine; in all my attempts, the virus has been found and quarantined.

The other issue is related to some complaints about people’s machines slowing down at boot-up in the morning. This part, I have to admit, is due to my lack of knowledge of the LANDesk configuration, and could probably have been avoided had I done it right in the first place.

What WAS:

The A/V full scan was set up to run every day at 3:30 PM. If the workstation was turned off at that time, the missed scan would run at the next user logon, which happened to coincide with the full security scan scheduled for the morning. So, inadvertently, both the full A/V scan and the security scan started triggering around the same time on machines that had missed their scheduled A/V scan the prior day.

What IS:

To remediate that, I have forced the scheduled A/V scans to run between 3:00 and 4:00 PM, and if they are missed, they no longer run at the next logon. This should dramatically reduce the load on the machines when users log in in the morning.

The servers are another problem, because real-time scanning is not enabled on them for performance reasons. This is a bit of a double-edged sword, but we’re currently working on a special agent for the servers with an extensive list of exceptions for the real-time scanner, so that we can ultimately enable the real-time scanner on the servers as well.

Other Updates:

The A/V scanner problem for Windows 2000 workstations is still pending and is also high priority with LANDesk. I will send out an update as soon as I hear back from them. Because all of these topics are pretty hot right now, I’ve asked them to give me updates on their progress twice a day.

The issue with high CPU usage by tmcsvc.exe is still pending a patch, and the ETR is still sometime this week.

For any questions, please let me know,
