- LANDesk Management Suite 8.8 SP4 (Earlier Service Pack versions are not supported)
- LANDesk Management Suite 9
LANDesk has updated the Antispyware tool. With this update, LANDesk Antispyware utilizes SDK version 8.2. This has been integrated into the spyware scans and the real-time scanning. It resolves several issues and adds new functionality.
This patch can be applied to LANDesk Management Suite 9 and LANDesk Management Suite 8.8 SP4.
Service Pack 4 is REQUIRED to apply this patch to LDMS 8.8.
Getting the Patch
The patch can be downloaded from this article, or through the Patch Manager tool in the LANDesk console, where it has been made available as a LANDesk update.
Installing the Patch
- The patch needs to be installed on the Core server first using the primary patch. If you download the patch, run the self-extracting exe then run setup.exe from C:\LANDesk_Patches\PAT-45869xxxx.
If you downloaded the patch through the Patch Manager tool, you can extract the files from the .zip that is in your patches directory.
VERY IMPORTANT: The files in this patch are AUTOMATICALLY updated on the client when vulscan runs. This means that once the patch is installed on the core server, the next time a client runs a scheduled vulscan it will AUTOMATICALLY be updated with part of the new patch files. The remainder of the files will be downloaded to the client the next time it does a SPYWARE scan. That means that if you have a daily spyware scan, the client will update to the new spyware engine AUTOMATICALLY once the patch is installed on the core server.
Once the patch is installed on the core server, you must immediately update the spyware content. This can be done by opening the Download Updates dialog, making sure Microsoft Windows Spyware is checked and selecting Download Now.
Important Note: Updating the definition files is essential due to an internal validation that must occur to help ensure there are no incompatible versions of files. This update can only be run from ONE console. Updating the definitions from two consoles at the same time will break the validation/synchronization mechanism. Also, DO NOT cancel the download of the definitions after applying the patch. This will cause the validation to fail. The download may take a long time the first time. DO NOT CANCEL the content download.
The client machines will AUTOMATICALLY update to the new spyware engine the next time a SPYWARE scan is run. Parts of the patch (softmon.exe, vulscan.exe, vulscan.dll, etc.) will update the next time ANY security scan runs, but the full patch will not be applied to the machine until a spyware scan is run. When using this method, a reboot is NOT needed in order for the patched files to be in place and in use.
The update can be applied to the machines through a new agent deployment. All agent deployments that occur after the patch has been installed on the core server will already contain the updated spyware engine.
If you would like to manually apply the patch, you can use the setup.exe that is in the PAT-45869xxxx-client folder\zip. However, some of the files that are patched will be in use, so they will not be replaced until the client machine reboots. This is NOT the case when patched through an automatic update. Vulscan.exe will stop any needed processes, replace the file, and immediately use the updated file.
The patch can also be "manually" installed as a software deployment task. The primary file will be setup.exe from the client patch folder, and ALL of the files in that folder must be included as additional files. The silent install command for the patch is "/s". In the configuration of the package, placing a "/s" in the Install commands field will install the patch silently. However, because some of the files will be in use, the client must be rebooted for the patch to be completely installed.
Changes in new spyware engine
The new spyware engine contains a number of improvements to performance and detection, and resolves some previous problems. It also adds some new scanning functionality to allow greater control over spyware scans.
There are now four possible scan types to allow you to control the type and scope of the spyware scan. These options are configured in the Scan and Repair settings under the Scan section/tab. These options are: Default scan, Smart scan, Full scan, Download only. There is also an option to allow you to EXCLUDE files larger than a certain size. This can be set by checking the "Only scan files of size less than" box and setting the maximum file size to scan. This can improve performance of the scan.
The scan types behave in the following ways:
- Smart scan: A Smart scan will scan only critical locations of the computer, such as running processes, loading points, browser hijacks, LSPs, etc.
- Default scan: A Default scan will scan for all the items in a Smart scan. Additionally it will scan all files under the Windows directory, Program Files directories (including both C:\Program Files and C:\Program Files (x86) on x64 platforms) and the current user's personal folder(s). It will also scan all files on the root of the system drive.
- Full scan: A Full scan includes the Smart scan options and it will scan all the files on all of the drives on the computer.
- Download only: Download only mode will download the agent update, agent configurations, engine update and content update from the core server. No spyware scan will run in this mode.
Spyware scan commands
A spyware scan can be run manually through vulscan. The command to do so is: vulscan /scan=1. For more information on vulscan switches, please see: Vulscan Switches for Windows Agents.
When you run vulscan /scan=1, vulscan will run a Default scan. If you would like to specify the scan type, you can use the following commands which have been added.
- /spywarescanmode=default - This will perform a Default scan. It is the default behavior.
- /spywarescanmode=smart - This will perform a Smart scan.
- /spywarescanmode=full - This will perform a Full scan.
- /spywarescanmode=justdownload - This will do just the download. No spyware scan will be run.