Purpose
This document is meant to help understand why a threat may not have been detected by the Shavlik Protect agent and what actions to take in such a scenario as well as best practices for using/configuring threat protection with Shavlik Protect agents.
Description
Why didn’t Shavlik Protect agent catch 'xxx' threat?
While this sounds like a straight-forward question, the reality is there are so many variables that come into play when you try to protect a machine against malware that it is almost impossible to give any one reason.
The most likely cause is improper configuration or outdated threat definitions being used. We will go into how to ensure you've configured everything correctly and how to check the threat definitions version later. First, some background.
The Shavlik Protect agent's Threat Protection engine is based on the Vipre SDK engine and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). At this point there are over 13 million detections in the Vipre signature files. There are hundreds of generic detections that can catch some new malcode before the Vipre analysts even see it. Also the Vipre threat engine has the ability to detect and stop a great deal of virus-like behavior. However, it is worth noting that there may be as many as 50,000 new pieces of malcode arriving somewhere on the Internet EVERY day. The Vipre team see cases in which new malcode does make it through the threat protection defenses, but it is not a common occurrence.
Is there a place I can check if a certain threat should be detected?
Since the Shavlik Protect agent uses Vipre (ThreatTrack) threat definitions you can search the database, here:
http://sunbeltsecurity.com/BrowseCategories.aspx
How to verify your threat definitions are up-to-date
There are a few places you may need to check to verify the threat definitions in-use by Shavlik Protect agents in your environment are up-to-date.
1. Ensure that the threat definitions downloaded on the Protect console system are current. (This is especially important if you are using distribution servers.)
-Go to Help > About within Protect. If your definitions are current you should see a green check under 'Data versions' next to Threat definitions.
-If the threat definitions displays a red x you should run Help > Refresh Files to perform the update of definitions.
-When running Help > Refresh Files you will see that the 'Threat Definitions download will complete in the background.'
-Make sure to give it a few minutes to update. Then you should see a green check next to Threat definitions in Help > About.
2. You can use Machine View to see some threat definition information from your agents.
-Go to View > Machines.
-You can use the columns 'Threat Definition', 'Threat Definition Age', and 'Latest Threat Scan Date' to help in determining if your agents are current.
-Keep in mind that these columns only update when the agent reports back results of a threat scan. That's why 'Latest Threat Scan Date' is important.
-It is also worth noting that if the agent uses vendor-over-internet download settings the definition number may be slightly off from the console definition version from Help > About. It's nothing to worry about - just a difference in Major vs Minor versions.
-Some of these columns are not shown by default - you can add them by right-clicking on a column title and clicking 'Column Chooser'.
3. If necessary, you can check the definition version on the agent itself.
-Open the agent by double clicking the taskbar tray icon, or by going to Start > All Programs > Shavlik Protect > Shavlik Protect Agent.
-Go to the Overview tab if you are not brought there by default. Here you can see the threat definition version used during the last threat scan.
-If you have not recently run a threat scan this can be misleading. You can run a threat scan via the Threat tab, if configured.
-To update the threat definitions from the agent GUI or run a threat scan, use the tasks in the upper left when on the Threat tab.
-Note: Depending on the settings in the agent policy you may not be able to access the agent or access certain tabs. To change these settings go to the Protect console, and edit the agent policy. The settings are under General Settings > 'Allow the user to'.
*Note: For offline or disconnected environments refer to this document for instructions on manually updating threat definition files:
DOC-23162: Manually downloading threat definitions for Protect
Why does the console (Help > About) threat definition version differ from the latest threat definition version on an agent?
There can be a slight variation in the version numbers due to a minor and major version number system that the Vipre threat engine uses. The major, or 'Package Version' in the examples above is 27274 where the Minor or 'MinVersion' is 27270. Both versions are the current definition versions. These can be manually found by looking at the latest entry in the ThreatManifest.xml on the console sytem. Before checking this make sure the console threat definitions are up-to-date (step one above).
The ThreatManifest.xml can be found in the Datafiles folder, most commonly:
C:/ProgramData/LANDesk/Shavlik Protect/Console/ThreatData/ThreatManifest.xml
Generally the latest will be the last entry, but it's best to base it on highest version number found or newest date. The entry in the xml will look something like this:
<SpursPackage MinVersion="27270" PackageVersion="27274" URL="http://av.shavlik.com/av/CSE39-EN-27274-I.sbr.sgn" MD5="62FF771EAAE285B172A3A5EA2C8E7DB2" FileSize="103114" ReleaseDate="2014-03-10T16:12:48.250" IsIncrementalPackage="1"><SpursPackageType PackageType="ThreatDef" Language="EN" PackageTypeData=""/></SpursPackage>
Notice the MinVersion and PackageVersion numbers. Note the ReleaseDate value - this will help determine the latest entry in the ThreatManifest.xml.
Ensuring the Agent Policy, Distribution Server(s), and other settings are configured correctly
Here are the best practices for ensuring the threat protection is configured correctly. You may need to verify agent policy settings in each agent policy you are using.
1. Open the agent policy.
2. Go to the General Settings tab.
-Check on how your agent policy is set for the agent to obtain its definitions under 'Engines, data, and patch download location'.
-If this is set to vendor over internet the agent will attempt to obtain definitions directly from the vendor site, so you may need to ensure that the internet connection is working properly and that the vendor site(s) are not blocked.
-See this document for the URL exception list: DOC-2155: Shavlik Protect firewall and proxy exceptions URL list
-Additionally if the agent policy is set to use vendor over internet and you use a proxy in your environment, it is pertinent that you verify your proxy settins and provide any required proxy credentials to authenticate. This can be done under the 'Network' section of the General Settings tab.
3. Go to the Threat Tab
-In the tabs above go to 'Threat Tasks'
-Ensure that you have at least one threat task set up. There are options of quick or full scan.
-Note: Quick scan covers common locations and runs within a few minutes. Full scan will scan all files on the system and may take up to an hour.
4. Once you have your Threat Task(s) set up, go to the Active Protection tab.
-Ensure to have a check next to 'Enable Active Protect'
-Set the file access level that you would like active protection to use. Using the 'limit to high risk file types' or 'on execute' settings will increase performance but not all things will be checked by active protection.
5. Check your settings on all other Threat tabs - Threat Actions, Allowed Threats, Exceptions to ensure they are set correctly.
6. Save the changes to your policy.
Ensuring Distribution Servers are configured correctly and synchronizing
This section only applies if your agent policy is currently set to use a distribution server under 'Engine, data, and patch download location'.
1. Verify the distribution server settings in-use by your agent policy or policies. If you have multiple distribution servers in-use you may need to perform the following steps for each distribution server. If your agent systems have internet connectivity available it's recommended to allow the 'Use vendor as backup source' setting.
2. Go to Tools > Operations > Distribution Servers to verify the setup and sync of your distribution server(s).
3. Make sure to verify the paths to each distribution server is still valid, and verify there are valid credentials set on each distribution server.
4. Make sure that automatic synchronization is set up for each distribution server.
-You can add a scheduled sync by highlighting the distribution server, choose 'Threat engines/definitions' from the drop-down above, then click on the '+ Add scheduled sync' button.
-You will see the scheduled sync added to the list of 'Scheduled automatic synchronization' below.
5. Manually run the synchronization to make sure it completes successfully.
-To do this, highlight the scheduled sync for threat data, then click 'Run now' above it.
6. If you want to manually verify the files are synchronizing properly you can compare the files in your share to what exists on your Protect console.
-The ThreatData directory of the console is: C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData
-If the sync has worked correctly you should have a ThreatData folder on your distribution server share with the same files in it as the above directory.
For more information about configuring distribution servers, see this Protect Help article:
Configuring a New or Existing Distribution Server
Setting up automatic recurring download of threat definitions
Follow these steps if you would like to set up the automatic download of threat definitions. This will help to ensure your definitions are always at the latest.
1. Go to Tools > Operations > Downloads.
2. Under the 'Schedule automatic downloads' section choose 'Threat engines/definitions' from the drop-down, then click '+Add'.
3. You'll be brought to the Schedule Download screen where you can set up a recurring schedule to automatically download new definitions.
4. Once you have this set up how you like, click 'Save.'
5. You should now see a task for 'Download threat data' showing the next run time and recurrence. You can also highlight this and click 'Run now'.
Other Considerations
1. Use of Protect Cloud Agents
-If you are using the Protect Cloud agent functionality you may need to ensure that your Protect cloud account is set up correctly.
-Go to Tools > Operations > Protect Cloud Sync for these settings.
-Make sure the Protect Cloud account credentials are correct, and you may need to run a 'Force full update now'.
-You may also need to go into your agent policy or policies and ensure the policy is set to sync with Protect Cloud if using this feature.
-This setting is a checkbox found in agent policy > General Settings > Network > Sync with the Protect Cloud.
For more information about Protect Cloud Sync see the following Protect Help articles:
-Protect Cloud Sync Operations
What do I do if I have verified everything appears to be working properly and threat definitions are current, but a threat is still not detected by the Shavlik Protect Agent?
Here is what to do:
1. Obtain as much of the following information as possible to provide to support:
-Threat definition version currently used. (See above on how to find this)
-
-Any applicable screenshots, a link to threat download if from a website, or a zipped copy of files that are suspected to be infected.
-Logs from the agent. Make sure logging is set to 'All' in your agent policy. Follow steps for agent logging in DOC-22921.
2. Submit the information to support by creating a case at https://support.shavlik.com/.
3. The Shavlik support team will work with ThreatTrack (Vipre) to ensure the threat is assessed and added to future threat definitions.
Additional Information
More information about Shavlik Protect agents and threat protection can be found at the following resources:
-Creating and Configuring a Threat Task
-Configuring Active Protection
Affected Product(s)
Shavlik Protect 9.x