CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Simon Kissler <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Mon, 27 Feb 2006 17:03:40 -0600
Content-Type: TEXT/PLAIN

Yeah, wasn't using them ... am now but now I have other weird stuff:

I have people failing CCA on A/V install and A/V up-to-date and it says to
look at the Client AV info (which is very nice and I wish it would show on
successes as well as failures so we can better diagnose systematic
issues by confirming working cases vs. non-working cases), but it shows
A/V software and A/V up-to-date. I'm confused?


User: <username>      Operating System: Windows XP      Agent Version: 3.6.1.0

   1. AV_Def_Update (Mandatory)
          * Passed Checks:
          * Failed Checks:
            av_def_ANY, Antivirus Check [Any supported AV software up to date] see Client AV Info for details
          * Not executed Checks:
.....
   3. HAS_AV (Mandatory)
          * Passed Checks:
          * Failed Checks:
            av_inst_ANY_vendor, Antivirus Check [Any supported AV software installed] see Client AV Info for details
          * Not executed Checks:
......


Client AV Info
Product ID:	NortonAV
Product Name:	Symantec AntiVirus
Product Version:	10.0.1000.1
Virus Definition File Version:	2/26/2006 rev. 4
Virus Definition File Date:	2/26/2006

Thoughts ?

-S





On Mon, 27 Feb 2006, Rajesh Nair (rajnair) wrote:

>
> Sirs,
>
> The Clean Access Agent Report (CAM -> Clean Access -> Clean Access Agent
> -> Reports) will clearly show which checks passed and you should see the
> AV type checks only (not pc_ type checks).
>
> -Rajesh.
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Simon Kissler
> Sent: Monday, February 27, 2006 8:59 AM
> To: [log in to unmask]
> Subject: Re: problem with antivirus update checks
>
> Ok, I'm gonna ask the stupid question that's been lingering in my head
> and I've been wanting to do some reading on for a while but realities
> have not given me that luxury lately. I'm under the impression that
> we're using the AV Rules from what I'm seeing on the CCA Manager,
> however, we are seeing a similar problem to this on and off. How do I
> tell for sure which ones we're using ?  (yes I know this is probably
> somewhere in a manual that I should be reading, but I've done my fair
> share of Cisco reading in the last two days and would just appreciate an
> easy and clear answer to maybe get this taken care of)
>
> Thanks,
>
> -S
>
>
>
> On Mon, 27 Feb 2006, Rajesh Nair (rajnair) wrote:
>
> >
> > Brian,
> >
> > All the AV type rules use >= for virus definition versions and "later
> > than" for virus definition dates.
> >
> > Based on what you mentioned in your first email, you are most
> > certainly using the older pr_ type rules for checking virus definitions.
> >
> > If you are using an AV-rule for virus definition, you can see what
> > values it is checking for at the bottom of the page when you edit/view
> > the rule.
> >
> > Also, you mentioned that the student failed the requirement once.
> > Take a look at the user's report (Clean Access Agent report on the
> > CAM:  CAM -> Clean Access -> Clean Access Agent -> Reports and then
> > search for her report) and see which rule/check failed.  That will tell
> > you for sure whether you are using AV rules or pr_ rules.
> >
> > HTH,
> > -Rajesh.
> >
> > ________________________________
> >
> > From: Perfigo SecureSmart and CleanMachines Discussion List
> > [mailto:[log in to unmask]] On Behalf Of Brian Beausoleil
> > Sent: Monday, February 27, 2006 8:21 AM
> > To: [log in to unmask]
> > Subject: Re: problem with antivirus update checks
> >
> >
> >
> > I am using the AV rules, but looking in the check/rule section.  Are
> > the AV rules using their own set of checks?  Is there a way to verify
> > the values if they are?
> >
> >
> >
> > ________________________________
> >
> > From: Perfigo SecureSmart and CleanMachines Discussion List
> > [mailto:[log in to unmask]] On Behalf Of King, Michael
> > Sent: Monday, February 27, 2006 11:03 AM
> > To: [log in to unmask]
> > Subject: Re: problem with antivirus update checks
> >
> >
> >
> > Brian, are you using the AV rules, or are you using the actual
> > Check/Rule in the rule list?
> >
> >
> >
> >
> > ________________________________
> >
> >
> > 	From: Perfigo SecureSmart and CleanMachines Discussion List
> > [mailto:[log in to unmask]] On Behalf Of Brian Beausoleil
> > 	Sent: Monday, February 27, 2006 10:45 AM
> > 	To: [log in to unmask]
> > 	Subject: problem with antivirus update checks
> >
> > I have been battling with the Norton rules for a while now and found
> > something I am wondering about.  I have a student with Norton 2006 and
> > definitions of 2/26/2006.  Upon logging in, she fails.  I look at the
> > Norton Update rules and see it looks for a string ending in 2/22/2006.
> > Her definitions are newer, so in reality she should pass.  I created a
> > rule that looks for a version later than 2/22/2006 and she passes.  I
> > just checked a McAfee update rule and see it said a string contains
> > version.  Why don't these update rules use the version later than
> > feature?
> >
> > Is there a reason Cisco uses the current method (string ending in and
> > string contains) and not the version later than?  It seems to me this
> > would be more flexible since these companies produce def updates more
> > often than once a week.
> >
> >
> >
> > 	Thanks for any feedback.
> >
> >
> >
> > 	Brian
> >
> >
>
> -------------------------------------------------------------------------------
> Simon Kissler                                   [log in to unmask]
> UNIX Systems Administrator                      Phone: (219) 464 6773
> Electronic Information Services                 Fax  : (219) 464 5381
> Valparaiso University
> Kretzmann Hall B22
> Valparaiso, IN 46383
> -------------------------------------------------------------------------------
>
>               "There are two ways to write error-free programs.
>                 Only the third one works."
>                                                           -Anon.
>
> -------------------------------------------------------------------------------
>

-------------------------------------------------------------------------------
Simon Kissler                                   [log in to unmask]
UNIX Systems Administrator			Phone: (219) 464 6773
Electronic Information Services                 Fax  : (219) 464 5381
Valparaiso University
Kretzmann Hall B22
Valparaiso, IN 46383
-------------------------------------------------------------------------------

             "The moment you have in your heart
              this extraordinary thing called love
              and feel the depth, the delight, the ecstasy of it,
              you will discover that for you
              the world is transformed."
                                                 -J. Krishnamurti

-------------------------------------------------------------------------------
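
Added example (not part of the original messages and not Cisco's rule logic): a Python comparison of the "string ending in" style of definition check discussed in the thread against a parsed "later than or equal" check. It goes one step beyond the thread by also showing a raw string comparison. All function names and sample values are constructed for illustration.

```python
import re
from datetime import date

# Matches 'M/D/YYYY' with an optional ' rev. N' suffix, the shape shown in
# the Client AV Info block above ("2/26/2006 rev. 4").
_DEF_RE = re.compile(r"(\d{1,2})/(\d{1,2})/(\d{4})(?:\s+rev\.\s*(\d+))?")

def parse_defs(text):
    """Parse a definition string into a sortable (date, revision) tuple."""
    m = _DEF_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised definition string: {text!r}")
    month, day, year, rev = m.groups()
    return date(int(year), int(month), int(day)), int(rev or 0)

def ends_with_check(reported, baseline):
    """String-style rule: passes only when the value ends in the baseline text."""
    return reported.strip().endswith(baseline)

def lexical_check(reported, baseline):
    """Naive >= on raw strings; ordering follows characters, not dates."""
    return reported.strip() >= baseline

def later_or_equal_check(reported, baseline):
    """Ordered rule: parse both sides and fail closed on unparseable input."""
    try:
        return parse_defs(reported) >= parse_defs(baseline)
    except ValueError:
        return False

def evaluate(reported, baseline):
    """Run all three checks and return their verdicts side by side."""
    return {
        "ends_with": ends_with_check(reported, baseline),
        "lexical": lexical_check(reported, baseline),
        "later_or_equal": later_or_equal_check(reported, baseline),
    }

# Constructed sample values modelled on the thread (rule baseline 2/22/2006).
BASELINE = "2/22/2006"
SAMPLES = ["2/26/2006 rev. 4", "2/22/2006", "9/1/2005", "12/1/2006", "unknown"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:22} {evaluate(s, BASELINE)}")
```

The string-ending rule rejects the newer 2/26/2006 definitions, while the raw string comparison admits stale ("9/1/2005") and unparseable values; only the parsed comparison orders all five samples correctly.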
