|
New Spyware engine to reduce performance impact / system requirements.
Created on: Jun 12, 2009 2:45 PM by Tracy Hammond - Last Modified: Nov 11, 2009 12:05 PM by Tracy Hammond
This patch contains an upgrade for the LANDesk Spyware engine. There are some major CPU and memory enhancements in this new build.
- Uses up to 70% less memory than previous versions
- Only uses approximately 18% of the CPU during scans – nearly 60% less resources than the previous version.
- Scans 36 MB per second – faster than each competitor product tested.
*NEW* Boot Cleaner tool
Some malicious Spyware can be difficult or dangerous to remove while the OS is running because they inject themselves into system processes (for example: Winlogon.exe, Explorer.exe, etc.). The boot cleaner will remove this type of Spyware during the OS startup.
How The Boot Cleaner works.
When Spyware cannot be removed immediately by Vulscan (Spyware scanning) and Softmon (Real time blocking), the new Spyware engine will generate an encrypted file (aaw7boot.cmd) located in the root of the system drive (For example: C:\). Boot Cleaner will read the file aaw7boot.cmd and clean the Spyware files during the next client reboot.
- Supported Operating systems.
- Windows 2000.
- Windows XP.
- Windows Vista.
- Windows Vista 64.
- Landesk 8.7sp6, 8.8sp1, 8.8sp2 and 8.8sp3
Note: The new Spyware engine is currently not supported on Windows Servers or on XP 64 bit platforms. This is a change as the previous version would run on Windows 2003 Servers and XP 64bit. LANDesk is currently investigating options to return the Spyware function to these platforms.
Performance matrix:
Windows XP | Windows Vista | ||||||
P1.8GHz (Dual Core Processor) | P1.8GHz (Dual Core Processor) | P2.8GHz | P42.8GHz | P42.8GHz | P42.4GHz Hyper-Threading | ||
CPU Usage | Old SDK | 4%-58% | 4%-58% | 4%-100% | 2%-100% | 2%-100% | 2%-100% |
New SDK | 10%-58% | 10%-58% | 10%-58% | 8%-94% | 10%-96% | 10%-96% | |
Memory Usage | Old SDK | 22M-212M | 8M-210M | 29M-227M | 23M-223M | 24M-228M | 23M-217M |
New SDK | 25M-38M | 25M-35M | 25M-32M | 11M-68M | 10M-67M | 11M-68 | |
Reduced by - % | 82 | 83 | 86 | 69 | 71 | 71 | |
Scan Time | Old SDK | 9'14” | 10'49” | 9'02” | 16'8'' | 19'30'' | 19'7'' |
New SDK | 7'01” | 7'25” | 5'06” | 13'40'' | 12'50" | 20'30'' | |
Improvement | 25% | 25% | 45% | 20% | 35% | 5% | |
Install instructions
On the Core Server
Download the appropriate patch
Patch Download for LANDesk Management Suite 8.7 SP6 Users
Patch Download for LANDesk Management Suite 8.8 SP1 Users
Patch Download for LANDesk Management Suite 8.8 SP2 Users
Patch Download for LANDesk Management Suite 8.8 SP3 Users
Then run the patch on the core server. After installing the patch go to step 19.
-Or-
Download the patch using LANDesk Patch Manager. (This vulnerability was added to LANDesk patch content on 07/06/09)
- Open the LANDesk Management Suite Console on the Core Server.
- Go to Tools | Security | Security and Patch Manager
- Click on Download Updates.
- Make sure that the LANDesk 8.8(8.7) Software Updates is selected.
- Click Update Now.
- Wait for the Update to finish and close the window.
- Under All Types Click on All Items.
- From the Type drop down menu choose LANDesk Updates.
- Find the LD-Spyware-26577-88 (LD-Spyware-26577-876)
- Right click on the LD-Spyware-26577-88 (LD-Spyware-26577-876) and Select Download Associated Patches.
- Click on the Radio button "Show all associated patches"
- Highlight the file that appears and click download.
- After the download is complete click close.
- Browse to the patch folder. By default this is ....\LANDesk\ManagementSuite\LDlogon\patch folder.
- Locate LD-Spyware-26577-88.zip (LD-Spyware-26577-876.zip) and extract the files.
- Open the folder and run setup.exe.
- Run through Install.
- Let the Core Server restart if prompted.
- After the restarts browse to ...LANDesk\management suite\LDLogon\Spyware
- Delete all the files ending with .aawdef.
- Return to the Download Updates screen.
- Make sure the Windows Spyware option is selected.
- Click update now.
- Click close when the Update is complete.
Known issues with the client upgrade.
During the Update of the Windows Spyware vulnerabilites you may see the process take several hours to complete. During this process LANDesk is deleting every Spyware Vulnerability and then adding them again with the updated affected product information. Do not cancel this process once it has started.
On the Client Machines.
There is no manual update for the clients. During their normal Security Scans they will download the new files. It will require three Security Scans to run before the update is complete. So don't be surprised if you don't see your Security Scan information update for a few days.
How the update works.
- The first scan will download the new Vulscan.exe and associated files.
- The second scan will download the new Softmon.exe.
- The thrid scan will download the CEAPI.dll and the new content information. It will then complete the Security scan as normal. The CEAPI.dll will only update if it is running a spyware scan.
You can also manually schedule Security Scans to run so that your clients will upgrade sooner.
Right Clicking on a Client and choosing security/compliance scan will not update the clients. If you wish to force the client updates from the core You need to schedule a security scan. http://community.landesk.com/support/docs/DOC-6927
Known issues with the client upgrade.
We know that with Vista and Vista x64 platforms, Vulscan self-update has some issues and that it will not work in the "Show UI" mode. Please do not use "Show UI" mode and then push a Spyware scan since it will not work and may cause some compatibility issues.
Right Clicking on a computer from the Network View and choosing Security and Compliance Scan Will not update the Client Files.
Tracy Hammond
says
in response to djnilson@etmc.org:
Server support is coming soon. like in the next week or two
JonKeo
says:
Does the Vulscan we run need to have LANDESK UPDATES checked off with Autofix enabled? Our default Vulscan does not have this enabled.
Tracy Hammond
says
in response to JonKeo:
I'm not sure what you are asking. The procedure to update the Spyware engine for server support will most likely be the exact same steps as outlined for the performance update in the DOC above. We are determining this right now.
-Tracy
JonKeo
says
in response to Tracy Hammond:
Regarding the client steps, it says the security scans need to be run 3x but is that based on your security scan includes Landesk Updates with autofix? Our security scans do not include Landesk Updates with autofix. Let me know if I'm way off. Thanks
Tracy Hammond
says
in response to JonKeo:
Oh. I gotcha now. This will be the same. when Vulscan runs, it will check the core server and see that it needs an update. It will download the update and *may* relaunch on it's own (depending on previous operations). If it doesn't relaunch automatically you will need to launch it again. This time it will update softmon.exe and may need to be relaunced to perform actual scan.
It doesn't matter if you have things set to autofix. the vulscan / softmon will happen from simply running vulscan on the client device. You do not have to scan for a specific type, nor does anything have to be set to autofix.
-Tracy
Michael Baffoni
says
in response to JonKeo:
I'm pretty sure I read in the docs that if you don't have autofix enabled on the malware, proactive scanning will NOT block the malware. Talking with support, it is odd; I think there is some base-level of scanning that occurs, but without the autofix enabled on the malware definitions, you won't get updates to the definitions (and it isn't clear if that affects new as opposed to updated definitions). So if you do proactive scanning, malware needs to be set to autofix.
JonKeo
says
in response to Tracy Hammond:
Tracy, will I see an entry regarding the new spyware update under "Security and Patch information for Computername" under Installed Updates or Missing updates? Right now, I don't but when I perform an malware scan it does register as completed and records a date and time. We did update the server and pushed to our environment last WED. I also didn't notice a change in version number so I don't feel I have a clear way of distinguishing an updated computer from one that may not be.
Tracy Hammond
says
in response to JonKeo:
There won't be a change in the version number just yet. The new engine patch I mentioned earlier had a couple problems and was sent back to dev. Should be any time now.
As far as tracking which clients need the update... that is a bit tricky. You can look in inventory for the versions of softmon and vulscan, but other than that...
For example: When the new engine is made available, it will be added to patch content. As far as I know, the client machine will not show as vulnerable if the update has not been applied to the core server first. So now you apply the patch to the core and "re-scan" the client. when vulscan is launched, it will automatically get the new vulscan and softmon from the core before performing a scan. So "technically" your clent machines should never be vulnerable for the engine update (because they update before they can scan for the vulnerability).
-Tracy
JonKeo
says
in response to Tracy Hammond:
Ok, what versions of SOFTMON and VULSCAN would reveal that the malware is working?
Tracy Hammond
says
in response to JonKeo:
Depends on what you mean by "working". Any version you have should be "working", what will change in the new engine update (unless they have to pull the feature for now) is for machine doing real-time scanning will update spyware defs anytime vulscan is executed (instead of only updating on a spyware scan... which is how it works currently). The reason for this change is some customers ONLY use real-time and don't schedule regular spyware scans, which means the spyware defs never get updated. This enhancement wasn't actually supposed to be in this new build, but seems to be working anyway.... unless this feature is what is causing the random problems with the new engine patch, I would expect it to still be there when the patch is released.... hopefully soon..
-Tracy
Tracy Hammond
says
in response to Tracy Hammond:
I forgot to answer your other question about version info... I won't know the version # until the final patch is built. I will put all that info in the KB article when I release the patch.
Tracy
| ||||||
This really works well now - I'm phasing in the real time protecting again and I have not had any complaints. Memory usage in our environment is now between 10-13 MB, very reasonable compared to 120 MB previously. I'm on 8.8 Sp3 with all the required LD patches loaded. Thanks LANDesk now we can use it again