So here I am on the new 3.5.x release, and I'm trying to decipher the
new AVRules.

Our intention here at BSC was to be as liberal as possible, and allow as
many clients as feasible.

From what I understand, CCAA using some API talks to the AV installed on
the client machine, and this is what drives the new rules.

The new AV rules only provide the test for installation, and for latest
definitions, it does not provide any rules for "Running".  

So what are you guys doing?  Allowing anything that is installed, but
not check if it's running?

Also, in our testing with the Update rule, we've noticed that if your
definitions subscription is expired, you cannot pass the rule. \

For example, we tested with Mcaffee 9.0 which came with a 90 day license
(that you usually get with a new computer) after the license expired, it
would attempt the update, and McAffee would say all your products were
up to date.  Since your license is not valid, McAffee won't allow you an
update, but the updater doesn't return that error message, it just says
"All products are updated".  However, since your definitions are not
*really* updated, the rule won't allow you by.

I assume we can mitigate this two ways, by providing directions on how
to update, and reference a webpage in the text if you are having
problems (Which would explain the problem, and would explain on how to
remove your existing expired AV, and install the one that your
institution provides.)  The second option is to not make it required,
and just have them ignore it. (Because if they figure out if they hit
the Next Button, they will just ignore it)

So again, I ask what are your institutions doing?