This being on autofix in LANDesk v9 SP2 deleted a valid program, "toad.exe", on 20 computers and we had to reinstall.
Since this issue has been reported in various forums - why doesn't LANDesk alert more of their customers on this potential issue?
Same here.... Just wanted to say thanks for posting this, it confirmed my suspicions. Removed toad from several machines here too. Guess I should be more careful in setting these malware definitions to autofix, though they should already be tested in my opinion to weed out most problems.
This spyware def has deleted our toad.exe and a lot of other .dll and .ocx files on all of our computers!!!
I removed it from scan but maybe too late!
I'm glad others are speaking up about this one!!!! I thought it was only our company, which seemed not likely to me!
For anyone experiencing problems with spyware detection, I would recommend the following:
From there we can work to improve the spyware detection in LANDesk.
Take a look at Process for submitting requests for Spyware Content:
Also, a special note for the Genotype definition:
This is a "catch-all" sort of definition. It is intended to analyze the file, its behaviors or other characteristics to determine if it is malicious. The primary purpose is to catch spyware early that doesn't yet have a specific definition. Because of this nature, it is usually where we occasionally see "false-positives" as you are describing here.
The recommendation for this definition is to not set it to Autofix. That way it can scan and notify you of potential concerns, but not act on them. You can review the report of detected files and take (or not take) appropriate action.
Have already done these, but the team didn't find anything.
Just happened to us for the 2nd time in 3 months. Since it's obviously a false-positive on toad.exe that has been reported previously, why is this still an issue?
The Malware.Genotype detection is rather heavy-handed and must be used with caution, as you have seen in other threads.
Typically the vulscan.log that was populated at the time of the spyware scan will contain details about the specific files that were seen as "infected".
Common files to be deleted are Internet tracking cookies.
In this case the vulscan log will show something like this:
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy ObjectInfection found.
A newer version of CEAPI.DLL (part of the Spyware scanning engine) is included in the April Patch Manager MCP available here:
The newer CEAPI.DLL resolves issues with the Malware.Genotype definition incorrectly detecting innocuous files as being infected.
LANDesk Antispyware uses the Lavasoft engine.
Here is some detailed information about the Malware.Genotype definition and how it works.
I hope this helps.
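An added example, not part of the thread or of LANDesk's tooling: a small Python parser for the "Infection found" line quoted above, which separates tracking-cookie hits from Malware.Genotype detections that should be reviewed by hand before any fix is applied. The field layout is inferred from that single quoted line, and the second sample line (including its `type-file` value, path and category) is constructed for illustration.

```python
import re

# Pattern built from the one vulscan.log line quoted in the thread; treat the
# field layout as an assumption and adjust it to what your own logs contain.
INFECTION_RE = re.compile(
    r"Infection found of \(family: (?P<family>[^)]+)\) "
    r"with family id (?P<family_id>\d+), item id (?P<item_id>\d+)\. "
    r"Reason - type-(?P<type>[^,]+), description-(?P<description>.*?), "
    r"category-(?P<category>.+?)\s*(?=Infection found|$)"
)

def parse_detections(lines, family="Malware.Genotype"):
    """Return one dict per detection of `family` found in the log lines."""
    hits = []
    for line in lines:
        # finditer: the quoted line shows trailing text run onto the record
        for m in INFECTION_RE.finditer(line):
            if m.group("family") == family:
                rec = m.groupdict()
                rec["family_id"] = int(rec["family_id"])
                rec["item_id"] = int(rec["item_id"])
                hits.append(rec)
    return hits

def needs_review(detections):
    """Detections that are not tracking cookies: check these before any fix."""
    return [d for d in detections if d["type"].lower() != "cookie"]

SAMPLE_LOG = [
    # Line as quoted in the thread
    "Infection found of (family: Malware.Genotype) with family id 0, "
    "item id 408921. Reason - type-cookie, description-*adserv*, "
    "category-Privacy ObjectInfection found.",
    # Constructed line: type, path, item id and category are placeholders
    r"Infection found of (family: Malware.Genotype) with family id 0, "
    r"item id 1. Reason - type-file, description-C:\Example\app.exe, "
    r"category-Example",
    "Scanning complete",  # constructed unrelated line
]

if __name__ == "__main__":
    for d in needs_review(parse_detections(SAMPLE_LOG)):
        print(d["item_id"], d["type"], d["description"], d["category"])
```

To use it on a real client, pass the lines of the vulscan.log written at the time of the spyware scan instead of `SAMPLE_LOG`.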