Re: Checking for AV software on students' machines

[Mike Wiseman <mike.wiseman () UTORONTO CA>]

We also have implemented an endpoint security system on residence networks. It consists
of:

-a wizard-like wrapper utility for MBSA (built using the great NSIS open-source kit)
-a modified NetReg system. (the quarantine system uses no DNS restrictions, filtering HTTP
via Squid, and blocking all other network applications via firewall)

See: http://www.utoronto.ca/security/UTORprotect/ESP/index.htm for more info.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

> Here are the links to our control, test pages, source and server source:
>        http://141.166.174.241/TestMachineCheckServer.htm
>        http://is.richmond.edu/techsupport/security/Downloads.htm
>
> We redirect unregistered machines:
>        1. Lack of MAC address recognition places port into Neverland VLAN
>        2. Redirect all port 80 and 443 in Neverland vlan to the
> registration page
>
> OS / Patch detection:
>        We use a combination of Nmap and Nessus scans to determine machine
> type and test for patch compliance.
>
> Best,
> Chris Faigle
> IS Security
> University of Richmond
> security () richmond edu
>
>
> -----Original Message-----
> From: Michael Mills [mailto:mmills () RKON COM]
> Sent: Thursday, September 16, 2004 2:42 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> One way that this can be done (if you have Cisco gear), is to institute a
> Cisco NAS policy that check for the installation of a AV client, and if so
> also will check that the current AV pattern is installed BEFORE access to
> the network is given.
>
> If those tests fail, you can then force that user to only have outbound
> internet access (through firewall policy of course).  And if they need to
> access any of the colleges IT resources (email, Applications) they would
> have to go back in through the firewall.
>
>
>
> Michael Mills
> mmills () rkon com
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gibbs, Aaron M.
> Sent: Thursday, September 16, 2004 11:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> Are you forcing the foreign PC to the webpage once it is connected, if so
> how?
>
> Aaron M Gibbs
> Director
> Networking and Telecommunications
> St. Augustine's College
> Center for Information Technology
> 919-516-4237 (Office)
> 919-516-4382 (Fax)
> amgibbs () st-aug edu
> www.st-aug.edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Ariel Silverstone
> Sent: Wednesday, June 09, 2004 2:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
>
> We are doing it at Temple.  Firstly, we mandate our AV via policy, then when
> connects occur, they must go to a webpage that initiates a test.  The test
> is a combination of ActiveX and ports open.
>
> Thank you,
>
> Ariel Silverstone, CISSP
> Chief Information Security Officer
> Temple University
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rivers, Christopher R
> Sent: Wednesday, June 09, 2004 1:26 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> I would be interested any any responses to this as well.
>
> Many thanks,
> Chris Rivers - CEH, A+
> Technology Support Coordinator
> Indiana University Kokomo
> Department of Information Technologies
> http://www.iuk.edu/IT
>
> "He is no fool who gives what he cannot keep to gain what he cannot
> lose." -- Jim Elliot
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe
> > Sent: Wednesday, June 09, 2004 12:13 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Checking for AV software on students' machines
> >
> > Nathan-
> >
> > I unfortunately don't have an answer to your questions regarding
> > verification of AV software on client machines, but I was wondering if
> > you could provide some details on how you accomplished your first goal
> > - verifying for patches before a student machine is allowed on the
> > network.
> >
> > We are currently investigating ways to drop student machines into a
> > "quarantine" VLAN if they are not up to the latest Windows patches,
> > but so far have not found an effective way to do that check. Does your
> > solution require some kind of pre-installed client agent?
> >
> > I didn't see anything in a previous thread, but if you've already
> > answered that question my apologies. Any insight, advice, horror
> > stories you could provide would be greatly appreciated.
> >
> > Thanks,
> >
> > Jeff Giacobbe
> > Director of Systems, Security, and Networking Montclair State
> > University
> >
> >
> > Nathan Hall wrote:
> > > Now that we have found a way to check students' machines for missing
> > > patches before they are allowed on the network, we are
> > looking to expand
> > > to checking for the presence of updated anti-virus software. This
> > > requires access to the students' machines, so we are
> > looking at using a
> > > web page with a .NET component to perform the check. A few
> > questions:
> > >
> > > 1) Is anyone else doing something like this currently?
> > > 2) How have you implemented this (web page w/ ActiveX/.Net,
> > downloadable
> > > program...)?
> > > 3) What do you look for to determine if AV software is
> > present (registry
> > > entries, services, running processes...)?
> > > 4) How successful has it been?
> > > 5) Pitfalls?
> > >
> > > Any other input would be appreciated too. Thanks in advance.
> > >
> > > Nathan Hall
> > > System Administrator
> > > SUNY Oneonta
> > > Oneonta, NY 13820
> > > (607) 436-2708
> > >
> > > **********
> > > Participation and subscription information for this
> > EDUCAUSE Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion
> list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.