→ Celebrate SysAdmin Day 2024 with Lansweeper Enter our Giveaway here

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ProfessorNerdly
Engaged Sweeper II
Every day when my daily scan runs, I get at least a handful of PCs showing up on the AV disabled report. When I rescan them, I they almost always disappear from that report.

I know the AV is enabled because I have watched my AV server console to see if there was any loss in communication while the scan was running and none of them go offline.

We use Trend Micro OfficeScan on the latest version.

Does anyone have any ideas as to what is causing the bad reporting?
1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
It may well be that the anti-virus software isn't fully started yet when the scan takes place. Perhaps you could run a more frequent scheduled scan on the anti-virus reports with the Asset Collection Scanning method under Configuration\Scanning Methods. You'll need to change the wait time for anti-virus to 0 under Configuration\Item Wait Time as well, to ensure anti-virus is rescanned during every scan attempt. If you are scanning with the LsPush scanning agent, using a logon script instead of a startup script will likely resolve the issue too.

View solution in original post

8 REPLIES 8
Bruce_B
Lansweeper Alumni
I was going off the assumption that Windows Defender was actually disabled in your environment. If you're actively using Windows Defender and are seeing misreporting of its status, this will likely be caused by the anti-virus not being fully initialized yet at the moment of scanning as Susan indicated.

Susan's solution should be functional here and still allow you to use an email alert that can be accurate:
  • Go to Scanning\Scanned Item Interval and set the antivirus item to 0 (always rescanned).
  • Set up a scanning target under Scanning\Scanning Targets for your Antivirus disabled report and schedule it at a time that will allow the scans to complete before your scheduled email alert time hits. This will allow another rescan to occur just prior to when the email alert would be sent out.
rseiler
Engaged Sweeper III
As a follow-up, why is it then that minutes after receiving such an email alert, I can go to the LS admin console (which lists the AV status as "disabled" for that PC just like the email alert says), click the LS rescan button for that PC, and a minute later, when the rescan is done, see that it's no longer listed as disabled in LS?

Doesn't that suggest that there's some kind of timing issue in the automatic scan, or some other similar issue?

It's nice that the report can be modified to ignore Defender, but that's all that we use. At least just disabling the email report still allows me to see what might be listed as disabled when visiting LS admin.
rseiler
Engaged Sweeper III
Started happening with Defender on one W10 PC (using last couple versions of Lansweeper). I disabled the email alert that I had setup for it, since using the above workaround had no effect.

Hoping that something more solid can be added to the next LS maintenance release.
Bruce_B
Lansweeper Alumni
rseiler wrote:
Started happening with Defender on one W10 PC (using last couple versions of Lansweeper). I disabled the email alert that I had setup for it, since using the above workaround had no effect.

Hoping that something more solid can be added to the next LS maintenance release.


Lansweeper scans anti-virus status information from WMI on the local computer, more info on that can be found here. If Windows Defender being disabled is found while scanning, this can indeed make the anti-virus disabled report less reliable. Do note that this is not something that can be patched within Lansweeper, as Lansweeper is merely listing the information it finds, and there IS a disabled anti-virus program on the computer. To resolve this you can do one of the following:
  • Remove Windows Defender entirely from these computers.
  • Modify the anti-virus disabled report to ignore Windows Defender. Open the "Workstation: Anti-virus Disabled" report and click Edit Report. In the Criteria column for tblAntivirus.Displayname enter the following: Not Like '%Windows Defender%'


yossiz
Engaged Sweeper
HI All,

I encountered the same issue with TrendMicro Officescan XG.

Click on the Scanning menu options in Lansweeper -> Scanned Item Interval -> First Entry should the be antivirus settings.

Change from 1 to 0 to force scan every time.

(click on the 1 to make the change)

Everton_Almeida
Engaged Sweeper
Did not quite understand the procedure for solution , could explain how I , for me is happening the same with the AV Trend Micro OfficeScan
Susan_A
Lansweeper Alumni
It may well be that the anti-virus software isn't fully started yet when the scan takes place. Perhaps you could run a more frequent scheduled scan on the anti-virus reports with the Asset Collection Scanning method under Configuration\Scanning Methods. You'll need to change the wait time for anti-virus to 0 under Configuration\Item Wait Time as well, to ensure anti-virus is rescanned during every scan attempt. If you are scanning with the LsPush scanning agent, using a logon script instead of a startup script will likely resolve the issue too.
Lennart
Engaged Sweeper III
I have the same issue, but running Symantec Endpoint.
I think it has something to do that when the klient PC starts, lansweeper do a quick scan/check before antivirus program have had the chans to "get green", do its updates, check connection to antivirus manager and so on.

So i wonder if there is a delay you can set in lansweeper to hold its scan for say 2-3min?
What do you think?