Date: | Tue, 26 Jul 2005 10:48:38 -0400 |
Just in case some of you are struggling in vain, the all-inclusive AV
rule was actually broken in 3.5.2; the 3.5.2.1 patch fixed it. I got
that straight from the horse's mouth!
>>> [log in to unmask] 7/26/2005 10:23:28 AM >>>
One should be able to construct a running check from scratch by finding
out what services are running for what AV function you want to check
for (use Process Explorer or something equivalent) and just create a new
service check for it. At least that's how I understand it is supposed
to work. I had trouble with it myself and just ended up making
application checks instead. It is encouraging to note that Georgia did
not see a lot of fails for a running check; now I don't feel so bad
about not including one :)
On the McAfee note, I have an open TAC with Cisco, and apparently a lot
of other schools do too. The McAfee update function in the CCA agent
is tricky. It seems to have problems contacting certain servers and
loading the correct ActiveX stuff if the connection is restricted.
--Homer Manila
Network Security Administrator
e-Operations,
Network Security
American University
King, Michael wrote:
>>We used the old-fashioned style
>>checks to construct a rule to make sure the service is
>>running (we just lower the priority of that one such that
>>none could fail it without having av software installed).
>>
>
>Ok, but how about an AV-package like Grisoft (An example, there are 17
>AV vendors supported now, but only 4 AV running rules) that is allowed
>by both the installation and the Definitions rules, but does not have a
>rule pre-built that checks if it's running?
>
>
>
>
>>On the issue of subscriptions reporting that the software is
>>current, we view that as a "bug" with some av product
>>vendors.
>>
>>
>
>I'd very much agree with you there, I would consider this a bug. I have
>only tested the scenario with one vendor, McAfee, which I believe has
>one of the poorer implementations of AV. (Any product that can be disabled
>by breaking Internet Explorer does not seem very robust to me, but this
>is my personal opinion) I believe from memory that Symantec tells you
>your subscription has expired at every LiveUpdate session.
>
>One further caveat I've noticed, the win98/ME support is almost
>nonexistent, you might want to construct your rules accordingly on those
>platforms. (i.e., not even check)
>
>