CLEANACCESS Archives

July 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Deborah Hovey <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 26 Jul 2005 08:49:00 -0400

We've just done the upgrade on a test server - which rule is the rule in
question here?

>>> [log in to unmask] 7/26/2005 8:38:39 AM >>>
I'm here in the same boat as you. I've been playing with the AV checks
for a little while now and have mixed feelings. As you pointed out with
the new checks, there's no more running check which means if you want to
support other AV apps AND check to see if they're running, you've got to
construct a manual check for each new app. Otherwise, you're just
checking for installation and def's.

We were deployed over the summer with "Installed, Running and
Up-to-Date" requirements. We had ~250 users and for the most part, we
really didn't experience a lot of fails for the running check. For this
reason, I've excluded this requirement as I try to deploy the new
checks.

We too are trying to be open to AV apps and are allowing McAfee, Trend
and Symantec. However, as an institution, we provide Symantec freely to
all students so this is our "recommended" and supported application. If
you have problems with McAfee or Trend, we suggest uninstalling and
installing Symantec. This brings me to a slight problem however. I
noticed yesterday that the new AV rules DON'T work with Symantec Corp
10. I'm not sure why, I've looked in the registry and \Program
Files\Common Files\Symantec Shared\VirusDefs and the new version hasn't
changed any of those variables, so I'm not sure why this app fails. It
still passes using the pc_ checks but that kinda defeats the purpose now,
doesn't it? I wish we had more access to what/where the AV checks did. It
really makes troubleshooting issues with them more difficult.

I haven't experienced the McAfee issue but have noticed many users fail
the check. I didn't realize their def update didn't prompt the user to
notify them their subscription had expired. That's kinda weak.

Simon L. Bell
Network Support Specialist
Georgia Southern University
e: [log in to unmask] 
o: 912.681.5209
f:  912.681.0272

**Confidentiality Notice**
The documents accompanying this transmission contain confidential and
privileged information. The information is the property of the sender
and intended only for use by the individual or entity named above. The
recipient of this information is prohibited from disclosing the contents
of the information to another party. If you are neither the intended
recipient nor the employee or agent responsible for delivery to the
intended recipient, you are hereby notified that disclosure of contents
in any manner is strictly prohibited.

>>> [log in to unmask] 7/25/2005 4:34 PM >>>
So here I am on the new 3.5.x release, and I'm trying to decipher the
new AVRules.

Our intention here at BSC was to be as liberal as possible, and allow as
many clients as feasible.

From what I understand, CCAA, using some API, talks to the AV installed on
the client machine, and this is what drives the new rules.

The new AV rules only provide the test for installation, and for latest
definitions, it does not provide any rules for "Running".

So what are you guys doing?  Allowing anything that is installed, but
not checking if it's running?

Also, in our testing with the Update rule, we've noticed that if your
definitions subscription is expired, you cannot pass the rule.

For example, we tested with McAfee 9.0, which came with a 90-day license
(that you usually get with a new computer). After the license expired, it
would attempt the update, and McAfee would say all your products were
up to date.  Since your license is not valid, McAfee won't allow you an
update, but the updater doesn't return that error message, it just says
"All products are updated".  However, since your definitions are not
*really* updated, the rule won't allow you by.

I assume we can mitigate this two ways, by providing directions on how
to update, and reference a webpage in the text if you are having
problems (which would explain the problem, and would explain how to
remove your existing expired AV, and install the one that your
institution provides).  The second option is to not make it required,
and just have them ignore it. (Because if they figure out if they hit
the Next Button, they will just ignore it.)

So again, I ask what are your institutions doing?
