For anyone experiencing problems with spyware detection, I would recommend the following:
- Zip up the file that is having problems, either as a false positive or as one that is not getting detected
- Password protect the zip with the password 'infected'
- Upload the file to ftp.landesk.com/spyware
- Open a case with LANDesk. Let them know the name of the file and how the detection isn't working.
From there we can work to improve the spyware detection in LANDesk.
Take a look at Process for submitting requests for Spyware Content:
Also, a special note for the Genotype definition:
This is a "catch-all" sort of definition. It is intended to analyze the file, its behaviors or other characteristics to determine if it is malicious. The primary purpose is to catch spyware early that doesn't yet have a specific definition. Because of this nature, it is usually where we occasionally see "false positives" as you are describing here.
The recommendation for this definition is to not set it to Autofix. That way it can scan and notify you of potential concerns, but not act on them. You can review the report of detected files and take (or not take) appropriate action.
The Malware.Genotype detection is rather heavy-handed and must be used with caution, as you have seen in other threads.
Typically the vulscan.log that was populated at the time of the spyware scan will contain details about the specific files that were seen as "infected".
Common files to be deleted are Internet tracking cookies.
In this case the vulscan log will show something like this:
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy ObjectInfection found.
A newer version of CEAPI.DLL (part of the Spyware scanning engine) is included in the April Patch Manager MCP available here:
The newer CEAPI.DLL resolves issues with the Malware.Genotype definition incorrectly detecting innocuous files as being infected.
LANDesk Antispyware uses the Lavasoft engine.
Here is some detailed information about the Malware.Genotype definition and how it works.
I hope this helps.
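The advice above is to leave Malware.Genotype in notify-only mode and review the vulscan.log entries by hand, since most of the noise is tracking cookies. The following Python script is an added example (not LANDesk code or anything from the original post) that parses log lines of the shape quoted above and splits them into routine "Privacy Object" cookie hits and everything else that deserves a look before any action is taken. The sample log excerpt is constructed: its first line mirrors the one quoted in the post, the other lines follow the same layout with made-up item ids and descriptions, and the exact field layout beyond that quoted line is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample vulscan.log excerpt (not a real log). Line 1 mirrors the line
# quoted in the post; the rest are made up in the same layout.
SAMPLE_LOG = """\
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy Object
Infection found of (family: Malware.Genotype) with family id 0, item id 408922. Reason - type-cookie, description-*tracking*, category-Privacy Object
Infection found of (family: Malware.Genotype) with family id 0, item id 408930. Reason - type-file, description-C:\\Temp\\example.exe, category-Heuristic
Scan finished.
"""

# Field layout assumed from the quoted line. The optional trailing "Infection found."
# absorbs the run-together text seen at the end of the quoted example.
LINE_RE = re.compile(
    r"^Infection found of \(family: (?P<family>[^)]+)\) "
    r"with family id (?P<family_id>\d+), item id (?P<item_id>\d+)\. "
    r"Reason - type-(?P<kind>[^,]+), description-(?P<description>[^,]+), "
    r"category-(?P<category>.*?)(?:Infection found\.?)?\s*$"
)


@dataclass(frozen=True)
class Detection:
    family: str
    family_id: int
    item_id: int
    kind: str
    description: str
    category: str

    @property
    def is_tracking_cookie(self) -> bool:
        # Cookies flagged as Privacy Objects are the routine case the post describes;
        # anything else should be reviewed by a person before it is acted on.
        return self.kind == "cookie" and self.category == "Privacy Object"


def parse_detection(line: str) -> Optional[Detection]:
    """Return a Detection for an 'Infection found' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(
        family=m["family"],
        family_id=int(m["family_id"]),
        item_id=int(m["item_id"]),
        kind=m["kind"],
        description=m["description"],
        category=m["category"].strip(),
    )


def parse_log(text: str) -> List[Detection]:
    """Parse every detection line in a vulscan.log excerpt, skipping unrelated lines."""
    return [d for d in (parse_detection(line) for line in text.splitlines()) if d]


def triage(detections: Iterable[Detection]) -> dict:
    """Split hits into routine cookie noise and items that need a human review."""
    cookies: List[Detection] = []
    review: List[Detection] = []
    for d in detections:
        (cookies if d.is_tracking_cookie else review).append(d)
    return {
        "cookies": cookies,
        "review": review,
        "by_category": Counter(d.category for d in cookies + review),
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print(f"{len(result['cookies'])} tracking cookie(s), "
          f"{len(result['review'])} item(s) to review")
    for d in result["review"]:
        print(f"  item {d.item_id}: {d.kind} {d.description} ({d.category})")
```

Run it against a real vulscan.log by replacing SAMPLE_LOG with the file contents; the "review" list is what to look at before deciding whether to submit a sample as a false positive using the zip-and-upload steps above.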