CLEANACCESS Archives

July 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Homer Manila <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 26 Jul 2005 10:23:28 -0400

One should be able to construct a running check from scratch by finding
out what services are running for what AV function you want to check for
(use Process Explorer or something equivalent) and just create a new
service check for it.  At least that's how I understand it is supposed
to work.  I had trouble with it myself and just ended up making
application checks instead. It is encouraging to note that Georgia did
not see a lot of fails for a running check; now I don't feel so bad
about not including one :)

On the McAfee note, I have an open TAC with Cisco, and apparently a lot
of other schools do too.  The McAfee update function in the CCA agent
is tricky. It seems to have problems contacting certain servers and
loading the correct ActiveX stuff if the connection is restricted.

--Homer Manila
Network Security Administrator
e-Operations,
Network Security
American University



King, Michael wrote:

>> We used the old-fashioned style checks to construct a rule to make
>> sure the service is running (we just lower the priority of that one
>> such that none could fail it without having av software installed).
>
> Ok, but how about an AV-package like Grisoft (An example, there are 17
> AV vendors supported now, but only 4 AV running rules) that is allowed
> by both the installation and the Definitions rules, but does not have a
> rule pre-built that checks if it's running?
>
>> On the issue of subscriptions reporting that the software is
>> current, we view that as a "bug" with some av product vendors.
>
> I'd very much agree with you there, I would consider this a bug.  I have
> only tested the scenario with one vendor, McAfee, which I believe has
> one of the poorer implementations of AV.  (Any product that can be
> disabled by breaking Internet Explorer does not seem very robust to me,
> but this is my personal opinion)  I believe from memory that Symantec
> tells you your subscription has expired at every LiveUpdate session.
>
> One further caveat I've noticed, the win98/ME support is almost
> nonexistent, you might want to construct your rules accordingly on those
> platforms. (i.e. not even check)
