CLEANACCESS Archives

May 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "King, Michael"
Reply To: Perfigo SecureSmart and CleanMachines Discussion List
Date: Fri, 12 May 2006 15:37:39 -0400

Funny.

I just had a discussion similar to this with one of our support staff. 

> -----Original Message-----
> I don't have control over the servers, but I've heard it's 
> possible to copy the Cisco rules and then update the copy (or 
> recreate) the rules as Cisco updates them for new Windows 
> Updates, etc. 

Yes it is possible.  In fact it's actually our policy now, due to the
exact reasons you've outlined.

 
> Do you do this rule copy and update as needed and if so, what 
> rules do you do it with?  What's your experience been with 
> it? 

One of the rules is named pr_xphotfixes.  I click the copy button.
A new rule called copy of pr_xphotfixes is created.  I've edited my
requirements to use this rule.

My experience has been mixed.  We control exactly what is going on, so
we know the exact instant the rule changes. (While pr_xphotfixes is
still autoupdating, so I can use it for comparison)

However, when Microsoft releases patches, sometimes they supersede
existing ones.  IE updates almost ALWAYS supersede the previous one.
This means our now out-of-date rule is still requiring patches that are
no longer on the Windows Update site.  However, since everyone had them
installed at one point, the registry key is still there, so people that
passed the rule before still pass.  It's just fresh / unpatched
machines that fail the rule, and going to Windows Update doesn't fix
them.

Basically I try to look up the new updates, and see if they directly
supersede any.  (Usually it's listed in the TechNet article.)


> If you do AV checks based on the automatic Cisco rules, 
> have you heard any complaints or anything about it always 
> requiring updates?

The AV checks are a different animal, and are a little harder to do this
way.  Actually I can't think of a way to do this with the AV rules.

You could always create your own check/rule and add it to your
requirement so that if either the Cisco AV passes, or your AV passes,
the requirement is passed.  
> 
> It seems like there should be some kind of 'delay rule 
> updates from Cisco for x days/hours' option somewhere, is 
> there? 

Well, you could just turn autoupdates off, and do it manually.  But then
you run into issues with people having newer virus defs than Cisco is
aware of.  (I think, I don't have much experience with the AV / AS
rules) 
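
An added example, not part of the original message and not Cisco's rule format: one way to audit a pinned rule copy for the supersedence problem described above. It assumes a rule can be reduced to a set of patch identifiers and that a supersedence map is maintained by hand from the vendor's bulletins; the function names and all KB identifiers are constructed placeholders.

```python
"""Audit a pinned copy of a hotfix rule against the auto-updating original."""


def resolve(kb, superseded_by):
    """Follow the supersedence chain from kb to its newest replacement."""
    seen = {kb}
    while kb in superseded_by:
        kb = superseded_by[kb]
        if kb in seen:  # malformed hand-maintained data: a cycle in the map
            raise ValueError(f"supersedence cycle at {kb}")
        seen.add(kb)
    return kb


def audit_pinned_rule(pinned, live, superseded_by):
    """Return (stale, missing, proposed) for a pinned rule copy.

    stale:    pinned KB -> newest replacement. Machines that once installed
              the pinned KB still pass; fresh machines fail and cannot get
              the old patch from the update site.
    missing:  KBs the live rule requires that the pinned copy lacks even
              after its stale entries are replaced.
    proposed: the pinned set with every stale entry replaced.
    """
    stale = {kb: resolve(kb, superseded_by)
             for kb in pinned if kb in superseded_by}
    proposed = {resolve(kb, superseded_by) for kb in pinned}
    missing = set(live) - proposed
    return stale, missing, proposed


# Constructed sample data; these identifiers are placeholders, not real patches.
PINNED = {"KB-A1", "KB-IE1", "KB-B1"}            # the copied rule
LIVE = {"KB-A1", "KB-IE3", "KB-B1", "KB-C1"}     # the auto-updating rule
SUPERSEDED_BY = {"KB-IE1": "KB-IE2", "KB-IE2": "KB-IE3"}

if __name__ == "__main__":
    stale, missing, proposed = audit_pinned_rule(PINNED, LIVE, SUPERSEDED_BY)
    for old, new in sorted(stale.items()):
        print(f"stale requirement {old}: replace with {new}")
    for kb in sorted(missing):
        print(f"not yet in pinned copy: {kb}")
    print("proposed pinned rule:", ", ".join(sorted(proposed)))
```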
