CLEANACCESS Archives

May 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Michael Grinnell <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Fri, 12 May 2006 17:07:44 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (90 lines)
On May 12, 2006, at 3:37 PM, King, Michael wrote:

> Funny.
>
> I just had a discussion similar to this with one of our support staff.
>
>> -----Original Message-----
>> I don't have control over the servers, but I've heard it's
>> possible to copy the Cisco rules and then update the copy (or
>> recreate) the rules as Cisco updates them for new Windows
>> Updates, etc.
>
> Yes it is possible.  In fact it's actually our policy now, due to the
> exact reasons you've outlined.
>
>
>> Do you do this rule copy and update as needed and if so, what
>> rules do you do it with?  What's your experience been with
>> it?
>
> One of the rules is named pr_xphotfixes.  I click the copy button.
> A new rule called copy of pr_xphotfixes is created.  I've edited my
> requirements to use this rule.
>
> My experience has been mixed.  We control exactly what is going on, so
> we know the exact instant the rule changes. (While pr_xphotfixes is
> still autoupdating, so I can use it for comparison.)
>
> However, when Microsoft releases patches, sometimes they supersede
> existing ones.  IE updates almost ALWAYS supersede the previous one.
> This means our now out-of-date rule is still requiring patches that are
> no longer on the Windows Update site.  However, since everyone had them
> installed at one point, the registry key is still there, so people that
> passed the rule before still pass.  It's just fresh / unpatched
> machines that fail the rule, and going to Windows Update doesn't fix
> them.
>
> Basically I try to look up the new updates, and see if they directly
> supersede any.  (Usually it's listed in the TechNet article.)

This is why we've chosen not to track all Windows updates; it's too much
effort.  Instead, we track just the major ones, like SP2 and
occasionally critical fixes.  We check to make sure that Auto Updates
is on and set to the recommended SP2 setting (auto download and
install every day at 3 am) and rely on Auto Updates to manage the
other patches.

>
>> If you do AV checks based on the automatic Cisco rules,
>> have you heard any complaints or anything about it always
>> requiring updates?

Yes, even with our SAV CE centrally managed, occasionally CCA would  
get ahead of it for an hour or two.  AVG was a problem too.

>
> The AV checks are a different animal, and are a little harder to do this
> way.  Actually I can't think of a way to do this with the AV rules.
>
> You could always create your own check/rule and add it to your
> requirement so that if either the Cisco AV passes, or your AV passes,
> the requirement is passed.
>>
>> It seems like there should be some kind of 'delay rule
>> updates from Cisco for x days/hours' option somewhere, is
>> there?
>
> Well, you could just turn autoupdates off, and do it manually.  But then
> you run into issues with people having newer virus defs than Cisco is
> aware of.  (I think; I don't have much experience with the AV / AS
> rules.)

You can also set the CCA update period to be fairly long (Device
Management > Clean Access > Clean Access Agent > Updates).  We have
the update interval set to 168 hours (one week) and we manually
update it when we feel there are critical updates from Cisco that we
need to check for.  This way, it's usually looking for AV defs that
are the same as or newer than a few days ago (unless it just updated).
Haven't heard many complaints since we did this.

Hope that helps,

Michael Grinnell
Network Security Administrator
The American University
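The rule-copy problem discussed in this thread, as an added worked example (it is not Cisco Clean Access code and does not come from either poster). It models a frozen "copy of pr_xphotfixes"-style rule as a list of required KB numbers plus a hand-maintained supersedence map of the kind Michael King describes looking up on TechNet, and shows why a fresh machine that got only the newer fix from Windows Update fails the frozen copy while a machine patched months ago still passes, and how honouring supersedence fixes that. It also checks the Automatic Updates values that Michael Grinnell's policy relies on. The KB numbers and the per-machine installed-update sets are constructed sample data, not real bulletins or real hosts; the Auto Update value names (AUOptions, ScheduledInstallDay, ScheduledInstallTime) are the Windows XP SP2 ones, and reading them from a live registry is assumed to happen outside this example.

```python
"""Evaluate a frozen copy of a Clean Access hotfix rule, tolerating
superseded updates, plus the Automatic Updates setting check.

Added example, not Cisco Clean Access code. KB numbers and the
per-machine data below are constructed placeholders, not real bulletins.
"""
from dataclasses import dataclass, field


@dataclass
class HotfixRule:
    """A 'copy of pr_xphotfixes'-style rule: the KBs it demands, plus the
    supersedence facts the admin looked up by hand (newer KB -> older KB)."""
    name: str
    required: tuple
    supersedes: dict = field(default_factory=dict)

    def replacements(self, kb):
        """Every KB that directly or transitively supersedes `kb`."""
        newer_by_old = {}
        for new, old in self.supersedes.items():
            newer_by_old.setdefault(old, set()).add(new)
        found, frontier = set(), [kb]
        while frontier:
            for new in newer_by_old.get(frontier.pop(), ()):
                if new not in found:
                    found.add(new)
                    frontier.append(new)
        return found

    def evaluate(self, installed, honor_supersedence=True):
        """honor_supersedence=False reproduces the frozen copy's behaviour:
        only the exact registry key (KB) it was copied with counts."""
        missing, via = [], {}
        for kb in self.required:
            if kb in installed:
                continue
            newer = self.replacements(kb) & installed if honor_supersedence else set()
            if newer:
                via[kb] = min(newer)  # record which newer KB stood in for the old one
            else:
                missing.append(kb)
        return {"passed": not missing, "missing": missing, "satisfied_via": via}


# Automatic Updates values (XP SP2) under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update:
# AUOptions 4 = auto download and schedule install, ScheduledInstallDay 0 =
# every day, ScheduledInstallTime = hour of day. Reading them from a live
# registry (e.g. with winreg) is assumed to happen outside this example.
RECOMMENDED_AU = {"AUOptions": 4, "ScheduledInstallDay": 0, "ScheduledInstallTime": 3}


def evaluate_au_rule(au_values):
    """Pass only when every value matches the recommended SP2 setting."""
    problems = [f"{name}={au_values.get(name)!r}, want {want}"
                for name, want in RECOMMENDED_AU.items()
                if au_values.get(name) != want]
    return {"passed": not problems, "problems": problems}


# Constructed sample data. KB000104 replaced KB000102 and was itself replaced
# by KB000105, the IE-style chain the thread describes.
RULE = HotfixRule(
    name="copy of pr_xphotfixes",
    required=("KB000101", "KB000102", "KB000103"),
    supersedes={"KB000104": "KB000102", "KB000105": "KB000104"},
)
MACHINES = {
    # patched when the rule was copied: the old KB's registry key is still there
    "patched_last_month": {"KB000101", "KB000102", "KB000103"},
    # fresh install that went to Windows Update and only got the newest fix
    "fresh_from_windows_update": {"KB000101", "KB000105", "KB000103"},
    "unpatched": {"KB000101"},
}
AU_SETTINGS = {
    "recommended": {"AUOptions": 4, "ScheduledInstallDay": 0, "ScheduledInstallTime": 3},
    "notify_only": {"AUOptions": 2},
}


def run_demo():
    """Evaluate every sample machine both ways; returns the results table."""
    results = {}
    for host, installed in MACHINES.items():
        results[host] = {
            "frozen_copy": RULE.evaluate(installed, honor_supersedence=False),
            "with_supersedence": RULE.evaluate(installed),
        }
    results["au"] = {k: evaluate_au_rule(v) for k, v in AU_SETTINGS.items()}
    return results


if __name__ == "__main__":
    for host, outcome in run_demo().items():
        print(host, outcome)
```

The frozen copy reports KB000102 missing on the fresh machine even though the host carries the fix that replaced it, which is exactly the "going to Windows Update doesn't fix them" symptom; with the supersedence map consulted, the same host passes and the result records which newer KB satisfied the requirement, so the map can be audited as new TechNet articles are added to it.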
