Securepoint Antivirus Pro FAQ

This type of installer will be released soon.
Currently there is only the installer to the published version.

Yes, Securepoint Antivirus interacts with the Windows Security Center API and disables Windows Defender during installation.
In Windows Server up to and including version 2019 the Defender must be uninstalled manually!
The exact behavior depends on the Windows, or Windows version.

On the AD server in the group policies. Policy -> Administrative Template -> Windows Components -> Windows Defender -> Disable Windows Defender: Enabled
Alternatively still Real-Time Protection -> Disable Real-Time Protection: Enabled

Installation aborted with an error message ELAM in the log
Cause:
The installation under Windows Server 2022 requires Windows Defender to be installed so that the ELAM driver can be installed correctly.

The reason for this is that the Wizard installation is missing Windows permissions on "C:\Windows\Temp" and C:\Windows\Installer".
The Silent-Installation is not affected by this and can be used for installation.

Restarting after installation is not always necessary, but advisable and sometimes needed.

Yes. Services and drivers can only be removed from the operating system after a reboot.

A GUID is created for each device.

The AV-Remover can be found in the Reseller Portal under Downloads → Tools and removes all leftovers after uninstallation.

No, this is only to be used to remove the leftovers or in case of a failed uninstallation.

After the installation it may occur that no connection to the service can be established.
The cause of this is that the installation of the ELAM driver fails.
This can be forced by setting a registry entry.
Open Registry Editor:

\\HKLM\\System\\CurrentControlSet\\Services\\ntguard_svc\\
DWORD 
FPPIX = 0FD07

 

The installation of the AV aborts with the error message "Account already exists".
Uninstalling with AV Remover also does not bring any improvement.
Solution: Microsoft provides a tool that repairs the registry entries that prevent installation: https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed

This can happen when we distribute a new AV version.
The rollouts are spread over several days. Only when the regular rollout is finished, the new version is listed as Latest version in the database.

No, the client does not distinguish between systems.

See System requirements

Yes - but only as file antivirus, like on any Windows server.

Securepoint Antivirus Pro does not provide email protection within Exchange.
For this, we recommend using the Securepoint UTM firewall, which protects emails already at the gateway with a two-tier AV and a powerful spam filter.

Please use the documentation and information from Microsoft for the respective server.

Yes, the client is terminal server capable.

Exceptions can be created via the AV Portal and locally via the client.

The exclusions always apply, so even with a scan profile.

No, Securepoint Antivirus Pro is designed to monitor and secure endpoints.

To scan network drives, Securepoint Antivirus Pro can also be installed on file servers and perform regular scans there.

Yes, the default value for the maximum size is 128 MB.
This value can be adjusted up to 8 GB in the settings under Exclusions.

No. The search itself is an index of Windows, so the file is not yet scanned. The file is not scanned until something is done with it (open memory location, open file, etc...).

Yes. This provides access to the file itself.

Securepoint Antivirus Pro blocks files that contain threats.

In Thunderbird, the option Antivirus can be activated under Settings / Security / Antivirus.
This allows the AV Pro to block incoming messages separately if necessary.

Files can be sent for analysis via Quarantine → right-click on the virus and send to IKARUS.

Feedback usually follows within 24 hours.

Please send a mail with the infected file to probe(at)ikarus(dot)at. There the file will be analyzed.
A local or in the firewall integrated virus scanner can remove the file when sending.

Generally, Securepoint Antivirus Pro does not move files.
As soon as a contaminated file is found on a computer, Securepoint Antivirus Pro blocks it (copying and executing the file is then no longer possible) and displays it in the quarantine.

A special case is a corrected false alarm: the quarantine checks as soon as it is opened whether all entries can still be verified.
If an update of the virus database has taken place in the meantime and the entries are no longer verifiable with the current VDB, they are removed from the quarantine and the files are released again.

.

This feature can be configured via the AV Portal. See Configuration profiles.

The password is virus!

In Thunderbird, under "Settings -> Privacy and security -> Security -> Antivirus", you can activate the option to quarantine individual emails. If this option is not activated, the entire inbox file could be blocked.

The Securepoint Antivirus Client cannot perform NTLM authentication on the client.

As a workaround, an authentication exception can be set up in the HTTP proxy.
.*\.ikarus\.at
.*\.mailsecurity\.at
For more information, see the wiki article HTTP Proxy and Antivirus Pro

One license is required for one operating system instance (Windows). This applies to installations directly on the hardware (bare metal) as well as to virtual instances. The licensing is identical for client and server operating systems. There is no further distinction.

When uninstalling, the activation in the portal is removed.

The device can be moved to another group, which is assigned to another license.

Updating the license reloads the information about the license and the devices.

Yes, notifications for reaching a number of activations can be set up in the license.

The transfer of settings is cached in the backlog for up to 7 days and then transferred to the client.
After that, the job is considered failed and is not transferred to the client.

No, the management is only done via the Securepoint [av.securepoint.de AV-Portal].

USB ports cannot be locked, but can be checked when plugged in.

See Client Overview

If transparent mode is enabled in the HTTP proxy, these regexes must be entered as exceptions in the UTM virus scanner:
.

^[^:]*://[^\.]*\.ikarus\.at/
^[^:]*://[^\.]*\.mailsecurity\.at/

For more information, see the wiki article HTTP Proxy and Antivirus Pro

A process exclusion of the bRCT.exe avoids problems with the detection of Windows updates by Baramundi in interaction with Server-Eye.

In the device overview and in the device information, the information can be updated.

The logs are stored in the installation directory under /logs.

Securepoint Antivirus Pro takes the available power to adjust the speed of scans according to the workload.

Securepoint Antivirus Pro can be extensively monitored with many RMM and monitoring tools.
Monitoring is done locally on the end device.
The Antivirus Pro Portal currently does not provide an interface for monitoring
For details see our wiki article: Monitoring

It is possible to participate in the Reseller Preview as a verified reseller.

Activation in AV-Portal / menu cofiguration profiles / edit corresponding profile / tab client configuration / last entry: Participate in Reseller Preview / activate    and Save & Transfer

The abbreviation stands for Possible Unwanted Program (or Application).
This term is used to define programs and applications that are of no use to the user or are not desired by the user.

PUA and PUP applications are not removed from the virus database.

Here you can either set an exclusion for the file paths or disable the check for potentially unwanted applications in Guard.

See Save support information

The portal is hosted on our geo-redundant servers in Germany.

Yes, this is possible.

The client checks every 60 seconds if the status has changed, if there was a change this is reported to the portal.

Infections are transmitted immediately after detection.

If the client has not connected to the backend for 7 days, the jobs will be considered failed.
The status in the portal in the action log will then change from pending to failed.

There is no rescue CD of Securepoint Antivirus Pro.

The names can be renamed via the AV Portal.

If a user is to be deleted from the AV and Reseller Portal, an email must be sent to vertrieb(at)securepoint(dot)de for this purpose.

The cache limit for all operating systems under Windows 10 can be adjusted via the following script.
If you have any questions about this, please contact our support.

@echo off
echo Detecting installation...
for /f "tokens=2*" %%a in ('REG QUERY "HKEY_LOCAL_MACHINE\Software\Ikarus\guardx" /v MainPath') do set "AppPath=%%~b"  
echo SPAV found in %AppPath%
"%AppPath%\bin\guardxup" -cfgwrite  "%AppPath%\conf\guardx.conf" cache/limit 4000000
echo .
echo The Limit for the Cache has been updated.
 
pause.