Possible solutions for frequently asked questions
Last adaptation: 01.2024
This article refers to a Reseller Preview

Installation - Uninstallation

  • Why does the installer not always include the latest version?
  • This type of installer will be released soon.
    Currently there is only the installer for the published version.
  • Is Windows Defender disabled during installation?
  • Yes, Securepoint Antivirus interacts with the Windows Security Center API and disables Windows Defender during installation.
    In Windows Server up to and including version 2019 the Defender must be uninstalled manually!
    The exact behavior depends on the Windows version.
  • Is it possible to disable Windows Defender with a group policy?
  • On the AD server in the group policies: Policy -> Administrative Template -> Windows Components -> Windows Defender -> Disable Windows Defender: Enabled
    Alternatively: Real-Time Protection -> Disable Real-Time Protection: Enabled
  • Cancel and Rollback of Installation under Windows Server 2022
  • Installation aborted with an error message ELAM in the log
    Cause:
    The installation under Windows Server 2022 requires Windows Defender to be installed so that the ELAM driver can be installed correctly.
  • Error code 2502 or 2503 is displayed during installation
  • The reason for this is that the wizard installation lacks Windows permissions on "C:\Windows\Temp" and "C:\Windows\Installer".
    The Silent-Installation is not affected by this and can be used for installation.
  • Does the client need to be restarted after installation?
  • Restarting after installation is not always necessary, but advisable and sometimes needed.
  • Does the computer need to be restarted after an uninstallation?
  • Yes. Services and drivers can only be removed from the operating system after a reboot.
  • What is used as a clear reference for the recognition of a device?
  • A GUID is created for each device.
  • Is there a remover that removes all remnants from Antivirus Pro?
  • The AV-Remover can be found in the Reseller Portal under Downloads → Tools and removes all leftovers after uninstallation.
  • Can AV-Remover be used for uninstallation?
  • No, this is only to be used to remove the leftovers or in case of a failed uninstallation.
  • Error message: No connection to the service on Windows 8 / 8.1
  • After the installation it may occur that no connection to the service can be established.
    The cause of this is that the installation of the ELAM driver fails.
    This can be forced by setting a registry entry.
    Open Registry Editor:
    HKLM\System\CurrentControlSet\Services\ntguard_svc\
    DWORD FPPIX = 0FD07
    
  • Error message: Account Already Exists
  • The installation of the AV aborts with the error message "Account already exists".
    Uninstalling with AV Remover also does not bring any improvement.
    Solution: Microsoft provides a tool that repairs the registry entries that prevent installation: https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed



Updates

  • In the AV-Portal, the device information lists an older version under Latest (e.g. 3.2.20) than the one displayed in the Installed column (e.g. 3.2.32)
  • This can happen when we distribute a new AV version.
    The rollouts are spread over several days. Only once the regular rollout is finished is the new version listed as the Latest version in the database.



Platform / Compatibility


  • Is there a difference between workstation and server for the AV client?
  • No, the client does not distinguish between systems.
  • On which operating systems can the client be installed?
  • Can Securepoint Antivirus Pro be used on an Exchange Server?
  • Yes - but only as file antivirus, like on any Windows server.

  • Securepoint Antivirus Pro does not provide email protection within Exchange.
    For this, we recommend using the Securepoint UTM firewall, which protects emails already at the gateway with a two-tier AV and a powerful spam filter.
  • Are there any recommendations for AV on an Exchange server?
  • Please use the documentation and information from Microsoft for the respective server.
  • Is it possible to install Securepoint Antivirus Pro on a terminal server?
  • Yes, the client is terminal server capable.



Recognition

  • Is it possible to define exceptions for virus scans?
  • Exceptions can be created via the AV Portal and locally via the client.
  • Do file or folder exclusions apply to all scans or is this setting ignored for certain scans, e.g. "entire computer"?
  • The exclusions always apply, so even with a scan profile.
  • Are network drives scanned during a scan?
  • No, Securepoint Antivirus Pro is designed to monitor and secure endpoints.
  • To scan network drives, Securepoint Antivirus Pro can also be installed on file servers and perform regular scans there.
  • Is there a maximum size for files when scanning?
  • Yes, the default value for the maximum size is 128 MB.
    This value can be adjusted up to 8 GB in the settings under Exclusions.
  • If something is searched via Windows 10, is the respective file accessed so that the AV scans it?
  • No. The search itself uses a Windows index, so the file is not yet scanned. The file is not scanned until something is done with it (open storage location, open file, etc.).
  • Does opening the properties of a file already trigger a scan?
  • Yes. This provides access to the file itself.
  • Why is access to the Thunderbird inbox file blocked by Securepoint Antivirus Pro?
  • Securepoint Antivirus Pro blocks files that contain threats.

  • In Thunderbird, the option Antivirus can be activated under Settings / Security / Antivirus.
    This allows the AV Pro to block incoming messages separately if necessary.

Virus detection

  • A virus was detected as false positive, can the file be verified?
  • Files can be sent for analysis via Quarantine → right-click on the virus and send to IKARUS.
  • How long does it take for the laboratory to provide feedback on an analysis?
  • Feedback usually follows within 24 hours.
  • A virus was not detected, how can this be checked?
  • Please send a mail with the infected file to probe(at)ikarus(dot)at. There the file will be analyzed.
    A virus scanner running locally or integrated in the firewall can remove the file when it is sent.
  • Files in quarantine are always moved back to quarantine, even if they were detected incorrectly. When the corrected virus database update arrives, are the incorrectly detected files automatically restored?
  • Generally, Securepoint Antivirus Pro does not move files.
    As soon as a contaminated file is found on a computer, Securepoint Antivirus Pro blocks it (copying and executing the file is then no longer possible) and displays it in the quarantine.

    A special case is a corrected false alarm: the quarantine checks as soon as it is opened whether all entries can still be verified.
    If an update of the virus database has taken place in the meantime and the entries are no longer verifiable with the current VDB, they are removed from the quarantine and the files are released again.

  • Can information about virus detections be sent by mail?
  • This feature can be configured via the AV Portal. See Configuration profiles.
  • What is the password of the ZIP archive when a threat was saved?
  • The password is virus!
  • After the AV has found a virus for Thunderbird users, no more attachments can be opened or even all emails have disappeared. How can I ensure that only the virus emails are blocked?
  • In Thunderbird, under "Settings -> Privacy and security -> Security -> Antivirus", you can activate the option to quarantine individual emails. If this option is not activated, the entire inbox file could be blocked.

Authentication / Licensing

  • Proxy authentication with NTLM
  • The Securepoint Antivirus Client cannot perform NTLM authentication on the client.

  • As a workaround, an authentication exception can be set up in the HTTP proxy.
    .*\.ikarus\.at
    .*\.mailsecurity\.at
    For more information, see the wiki article HTTP Proxy and Antivirus Pro
  • How is the licensing done?
  • One license is required for one operating system instance (Windows). This applies to installations directly on the hardware (bare metal) as well as to virtual instances. The licensing is identical for client and server operating systems. There is no further distinction.
  • How can an activated license be released?
  • When uninstalling, the activation in the portal is removed.
  • How can the license of a device be exchanged?
  • The device can be moved to another group, which is assigned to another license.
  • What is the "Update license" action in the AV Portal for?
  • Updating the license reloads the information about the license and the devices.
  • Can notifications be created for activations?
  • Yes, notifications for reaching a number of activations can be set up in the license.



Configuration

  • What happens to the clients that are not online when the settings are transferred?
  • The transfer of settings is cached in the backlog for up to 7 days and then transferred to the client.
    After that, the job is considered failed and is not transferred to the client.
  • Can the AV be managed via a server?
  • No, the management is only done via the Securepoint AV-Portal (av.securepoint.de).
  • Can USB ports be locked?
  • USB ports cannot be locked, but can be checked when plugged in.
  • What is the update function for?
  • The client cannot download updates
  • If transparent mode is enabled in the HTTP proxy, these regexes must be entered as exceptions in the UTM virus scanner:

    ^[^:]*://[^\.]*\.ikarus\.at/
    ^[^:]*://[^\.]*\.mailsecurity\.at/


    For more information, see the wiki article HTTP Proxy and Antivirus Pro
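
    To see which update URLs the two transparent-mode exceptions above actually cover, the following added example (not part of the original article or of Securepoint's tooling) runs them against constructed sample URLs. It assumes the UTM matches the pattern from the start of the full URL, as the leading ^ and scheme part suggest, and that its regex dialect treats these constructs like Python's re module.

```python
import re

# Exception patterns exactly as listed above for the UTM virus scanner.
EXCEPTION_PATTERNS = (
    r"^[^:]*://[^\.]*\.ikarus\.at/",
    r"^[^:]*://[^\.]*\.mailsecurity\.at/",
)
_COMPILED = tuple(re.compile(p) for p in EXCEPTION_PATTERNS)

# Constructed sample URLs: host labels and paths are made up for this check.
SAMPLE_URLS = (
    "http://updates.ikarus.at/vdb/latest",      # one label below ikarus.at
    "https://mirror.mailsecurity.at/file.bin",  # one label below mailsecurity.at
    "http://ikarus.at/",                        # bare domain, no label in front
    "http://a.b.ikarus.at/file",                # two labels in front
    "http://updates.ikarus.at",                 # no slash after the host
    "http://updates.ikarus.at.example.net/x",   # domain is only a prefix of another host
)


def is_excepted(url):
    """Return True if the URL matches one of the exception patterns."""
    return any(rx.match(url) for rx in _COMPILED)


def coverage(urls=SAMPLE_URLS):
    """Map each URL to whether the virus scanner exception applies to it."""
    return {url: is_excepted(url) for url in urls}


if __name__ == "__main__":
    for url, hit in coverage().items():
        print(f"{'EXCEPTED' if hit else 'scanned':8}  {url}")
```

    Replacing SAMPLE_URLS with the URLs from the proxy log of a client that cannot update shows whether the exceptions apply to those requests.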



Miscellaneous

  • Server-Eye reports that the check for Windows updates by Baramundi fails
  • A process exclusion of the bRCT.exe avoids problems with the detection of Windows updates by Baramundi in interaction with Server-Eye.
  • How is the device information updated?
  • In the device overview and in the device information, the information can be updated.
  • Where are the logs of Securepoint Antivirus Pro?
  • The logs are stored in the installation directory under /logs.
  • Why is the load high on a computer that is hardly used?
  • Securepoint Antivirus Pro takes the available power to adjust the speed of scans according to the workload.
  • Is there an interface for monitoring?
  • Securepoint Antivirus Pro can be extensively monitored with many RMM and monitoring tools.
    Monitoring is done locally on the end device.
    The Antivirus Pro Portal currently does not provide an interface for monitoring.
    For details see our wiki article: Monitoring
  • How can I test the latest features in advance?
  • It is possible to participate in the Reseller Preview as a verified reseller.

  • Activation in AV-Portal / menu configuration profiles / edit corresponding profile / tab client configuration / last entry: Participate in Reseller Preview / activate and Save & Transfer
  • What are PUPs or PUAs?
  • The abbreviation stands for Potentially Unwanted Program (or Application).
    This term is used to define programs and applications that are of no use to the user or are not desired by the user.
  • How are PUA and PUPs removed from the virus database?
  • PUA and PUP applications are not removed from the virus database.

  • Here you can either set an exclusion for the file paths or disable the check for potentially unwanted applications in Guard.
  • Is there a way to store support information?
  • Where are the servers for the AV Portal located?
  • The portal is hosted on our geo-redundant servers in Germany.
  • Can Medical IT customers use the AV?
  • Yes, this is possible.
  • At what interval does the AV Client report the status to the portal?
  • The client checks every 60 seconds whether the status has changed; if there was a change, this is reported to the portal.

  • Infections are transmitted immediately after detection.
  • When are the jobs for transfer marked as failed?
  • If the client has not connected to the backend for 7 days, the jobs will be considered failed.
    The status in the portal in the action log will then change from pending to failed.
  • Is there a Rescue CD?
  • There is no rescue CD of Securepoint Antivirus Pro.
  • Can the name of devices, groups and licenses be customized?
  • The names can be renamed via the AV Portal.
  • Delete user
  • If a user is to be deleted from the AV and Reseller Portal, an email must be sent to vertrieb(at)securepoint(dot)de for this purpose.
  • How can the cache limit be adjusted?
  • The cache limit for all operating systems under Windows 10 can be adjusted via the following script.
    If you have any questions about this, please contact our support.

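    @echo off
    rem Read the installation path (value MainPath) from the registry.
    echo Detecting installation...
    set "AppPath="
    for /f "tokens=2*" %%a in ('REG QUERY "HKEY_LOCAL_MACHINE\Software\Ikarus\guardx" /v MainPath 2^>nul') do set "AppPath=%%~b"
    rem Stop if the registry value was not found.
    if not defined AppPath (
        echo Installation not found.
        pause
        exit /b 1
    )
    echo SPAV found in %AppPath%
    rem Write the new cache limit to guardx.conf.
    "%AppPath%\bin\guardxup" -cfgwrite "%AppPath%\conf\guardx.conf" cache/limit 4000000
    echo.
    echo The Limit for the Cache has been updated.
    pause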