FAQs about IKARUS anti.virus with cloud Interface

IKARUS anti.virus

1 Installation – Uninstallation

  • Is Windows Defender disabled during installation?

    Yes, IKARUS anti.virus interacts with the Windows Security Center API and disables Windows Defender during installation.

    The exact behavior depends on the Windows or Windows version.

  • How can I deactivate Windows Defender using Group Policy?

    On the AD server in Group Policy. Policy -> Administrative Template -> Windows Components -> Windows Defender -> Disable Windows Defender: Activates

    Alternatively, real-time protection -> Disable real-time protection: Enabled

  • Error code 2502 or 2503 is displayed during installation

    The reason for this is that during the wizard installation Windows permissions for “C:WindowsTemp” and C:WindowsInstaller” are missing.

    The silent installation is not affected by this and can be used for installation.

  • Does the client need to be restarted after the installation?

    No, a restart after the installation is not necessary.

  • What is used as a unique reference for the recognition of a device?

    A GUID is created for each device.

     

  • Does the client need to be restarted after uninstalling?

    Yes, a restart after uninstalling is mandatory.

  • Is there a remover that removes all remains of IKARUS anti.virus?

    The AV Remover can be found in the Reseller Portal under Downloads -> Tools and removes all remnants after uninstallation.

2 Updates

  • In the AV portal, an outdated version is entered as the newest version under Version (e.g. 2.14.98) and a more recent version (3.0.14) under Current.

    This can happen when we distribute a new AV version. The rollouts are spread over several days. Only when the regular rollout is finished, the new version will be kept as the latest version in the database.

3 Platform / Compatibility

  • Is there a difference between workstation and server for the AV client?

    No, the client does not differentiate between the systems.

  • On which operating systems can the client be installed?

    Recommended operating systems

    • Windows 10 or higher
    • Windows Server® 2016 or higher
  • Can IKARUS anti.virus also be used on an Exchange Server?

    Yes – but only as File Antivirus, as on any Windows server.

    IKARUS anti.virus does not provide email protection within Exchange.

  • Can IKARUS anti.virus be installed on a terminal server?

    The client is terminal server capable.

4 Detection

  • Can exceptions for virus scans be defined?

    Exceptions can be created via the AV portal and locally via the client.

  • Do file or folder exclusions apply to all scans or is this setting ignored for certain scans, e.g. "entire computer"?

    The exclusions always apply, even for a scan profile.

  • Are network drives scanned with a scan?

    No, IKARUS anti.virus was designed for monitoring and securing endpoints.

    To scan network drives, IKARUS anti.virus can also be installed on file servers and perform regular scans there.

  • Is there a maximum file size for scanning?

    The answer is yes, the size for on-access scans is the predefined 128 MB, this value cannot be changed.

    On-demand scans can limit the size of the files to be scanned. For example: Do not scan files larger than 1 MB. This limit can be adjusted to up to 8 GB in the settings under Exclusions. If no adjustments are made, the default size is 128 MB.

  • Are there recommendations for AV on an Exchange server?

    Please use Microsoft’s documentation and information on the respective server.

5 Virus detection

  • A virus was detected as a false positive. Can the file be scanned?

    Files can be sent to IKARUS for analysis via Quarantine -> Right-click on the virus and send to IKARUS.

  • A virus was not detected. How can this be checked?

    Please send an email with the infected file to probe(at)ikarus(dot)at. The file will be analyzed there.
    A local virus scanner or one integrated in the firewall can remove the file when sending it.

  • What does "delete list" mean in quarantine?

    This removes the entries from the quarantine list.
    Entries older than 7 days are automatically removed from the list.

  • Files in the quarantine are always moved back to the quarantine, even if they were detected by mistake. When the corrected virus database update is released, are the incorrectly detected files automatically restored?

    IKARUS anti.virus does not move any files.
    As soon as a contaminated file is found on a computer, IKARUS anti.virus blocks it (copying and executing the file is no longer possible) and displays it in quarantine.

    A special case is a corrected false alarm: The quarantine checks as soon as it is opened whether all entries are still verifiable.
    If the virus database has been updated in the meantime and the entries are no longer verifiable with the current VDB, they are removed from quarantine and the files are released again.

  • Is it possible to send out information about virus detections via email?

    This feature can be configured via the AV Portal. See also Configuration Profiles

6 Authentication / Licensing

  • Proxy authentication with NTLM

    IKARUS anti.virus Client cannot perform NTLM authentication on the client.
    As a workaround, an authentication exception can be set up in the HTTP proxy.
    .*.ikarus.at
    .*.mailsecurity.at
    For more information, see the Wiki article -> HTTP proxy and IKARUS anti.virus

  • How is it licensed?

    A license is required for one operating system instance (Windows). This applies to installations directly on the hardware (bare metal) as well as for virtual instances. The licensing is identical for client and server operating systems. A further distinction does not exist.

  • How can an activation be approved?

    When uninstalling, the activation is removed in the portal.

  • What is the action "Update license" in the AV portal for?

    Updating the license reloads the information about the license and devices.

  • Can notifications for activations be created?

    Yes, notifications can be set up in the license for reaching a number of activations.

7 Configuration

  • Where can the password protection be activated?

    Via the AV portal or under Extras -> Settings -> Extras in the client.

  • Can the AV be managed via a server?

    No, the administration is only possible via the AV portal in the reseller portal.

  • Can USB ports be blocked?

    USB ports cannot be blocked, but can be checked when plugged in.

  • What is the update function for?

    See Client Overview

  • The client cannot download updates

    If transparent mode is activated in the HTTP proxy, these rules must be entered as exceptions in the virus scanner.
    ^[^:]*://[^.]*.ikarus.at/
    ^[^:]*://[^.]*.mailsecurity.at/

8 Debugging

  • How do protocols and logs work?

    For the complete log, all for options under

    Extras -> Settings -> Protocols

    must be activated.

    • Protocols

    Extras -> Protocols

    • Each scan profile has its own protocol
    • Protocol for update
    • Protocol for system cleaning
    • Log

    C:Program FilesIKARUSanti.viruslog

    • log
  • Debugging - Logs in the Client: What do the supplied information mean?

    info [ 870](compattelrunne,2,s)[s] on-access scan of "c:Program Files (x86)Mozilla
    Thunderbirddistributionextensions{e2fda1a4-762b-4020-b5ad-a41df1933103}chrome.jar", size 1048196 B,
    CRC: 5188e7c97a1401c3 in 1.008 sec [B: 0.003 C1: 0.0000 C2: 0.0000 S: 1.005 A: 0.0000]

    1. [25.04.2019 08:08:27]
    2. info
    3. [ 870]
    4. (compattelrunne,2,s)
    5. „c:Program Files (x86)Mozilla
      Thunderbirddistributionextensions{e2fda1a4-762b-
      4020-b5ad-a41df1933103}chrome.jar„
    6. size 1048196 B
    7. CRC: 5188e7c97a1401c3
    8. in 1.008 sec
      [B: 0.003 C1: 0.0000 C2: 0.0000 S: 1.005 A: 0.0000]

    Description:

    1. Timestamp of the log entry
    2. Log level of the entry
    3. LogID, which log entries belong to a process
    4. Service that has accessed the following file
    5. File accessed by the service
    6. Size of the file in bytes
    7. Test value, checks if the file scanner is already known
    8. Time the scan took
      • B: Time before performing the scan (exclusions etc.)
      • C1:Time to get information about the file
      • C2: Time to process the information from C1
      • S: Time of the scan engine
      • A: Time to release data
  • Debugging – No connection

    AV_Registration: INFO: Using TID for registration: xxxx-xx-xx-xx-xxxxxx
    AV_Registration: INFO: No proxy will be used for connection.
    AV_Registration: INFO: Connecting to server: https://avitc.ikarus.at
    AV_Registration: ERROR: Could not establish connection to the server. Please check your internet connectivity.
    Cause: No connection to the backend servers.
    Solution: Check the Internet connection.

  • Debugging – New installation

    CAQuietExec: Entering CAQuietExec in C:WindowsInstallerMSIF3D9.tmp, version 3.11.2318.0
    CAQuietExec: ” C:Program FilesIKARUSanti.virusbinguardxservice_x64.exe” -install
    CAQuietExec: Service already installed, but stopped. Starting it.
    CAQuietExec: Error: Starting service ‘start service: :(2) The system cannot find the specified file. ‘
    CAQuietExec: Error 0xffffffff: Command line returned an error.
    CAQuietExec: Error 0xffffffff: QuietExec Failed
    CAQuietExec: Error 0xffffffff: Failed in ExecCommon method
    CustomAction InstallService64 returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Cause: Residuals present on the operating system after the AV could not be installed correctly.
    Solution: Remove the remains with AV Remover.

  • Error messages

    AV_Registration: INFO: Backend return code: 402
    AV_Registration: ERROR: An error occured while checking validity of License. Aborting!
    AV_Registration: ERROR: The server returned an error message: ‘License TID has reached usercount limit!‘
    Reason: No further activations available, the license is full.
    Solution: The license must be checked.

    AV_Registration: INFO: Connecting to server: https://avitc.ikarus.at
    AV_Registration: ERROR: Could not establish connection to the server. Please check your internet connectivity.
    Returncode: 400 BAD_REQUEST
    Response:

    400 Bad Request

     

    No required SSL certificate was sent

    Cause: SSL interception without exceptions.
    Solution: Exceptions for SSL interception must be entered in the firewall.

    Error: Starting service ‘start service starten : :(577) The digital signature of this file cannot be verified.
    A recent hardware or software change may have installed an incorrectly signed or corrupted file or a file that is malicious software from an unknown source.

    Cause 1:
    Operating system is Windows 7: The update KB3033929 is missing (support for SHA-2 certificates)

    Solution 1:
    Install KB3033929 and reboot the operating system.

    Cause 2:
    Operating system is not Windows 7: AV was already installed and there are still remnants of the service or driver.

    Solution 2:
    Remove the remnants of the installation with the remover and then perform installation.

9 Other

  • How can I test the latest features in advance?

    It is possible to participate as a verified reseller in the Reseller Preview.
    Activation in the AV Portal / menu Configuration Profiles / edit corresponding profile / tab Client Configuration / last entry: Participate in Reseller Preview / activate and save & transfer

  • What are PUPs or also called PUAs?

    The abbreviation stands for Possible Unwanted Program (or Application) and means translated a possibly unwanted program.
    This term is used to define programs and applications that are of no use to the user or are not desired by him.

  • How can PUA and PUPs be removed from the virus database?

    PUA and PUP applications are not removed from the virus database.
    Here you can either set an exclusion for the file paths or deactivate scanning for potentially unwanted applications in the Guard.

  • Where are the servers for the AV portal?

    The portal is hosted on our georedundant servers in Germany.

  • At what interval does the AV client report the status to the portal?

    The client checks every 60 seconds if the status has changed, if there has been a change it is reported to the portal.
    Infections are transmitted immediately after detection.

  • When are the transfer jobs marked as failed?

    If the client has not connected to the backend for 7 days, the job will be marked as failed.
    The status in the portal in the action log then changes from pending to failed.
    Is there a rescue CD?
    There is no IKARUS anti.virus Rescue CD.

  • Can the names of devices, groups, and licenses be customized?

    The names can be renamed using the AV Portal.

  • How can the cache limit be adjusted?

    The cache limit for all operating systems under Windows 10 can be adjusted using the following script. If you have any questions, please contact our support.
    @echo off
    echo Detecting installation…
    for /f “tokens=2*” %%a in (‘REG QUERY “HKEY_LOCAL_MACHINESoftwareIkarusguardx” /v MainPath’) do set “AppPath=%%~b”
    echo SPAV found in %AppPath%
    “%AppPath%binguardxup” -cfgwrite “%AppPath%confguardx.conf” cache/limit 4000000
    echo .
    echo The Limit for the Cache has been updated.

    pause.

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download