Educause Security Discussion mailing list archives
Re: Checking for AV software on students' machines
From: Nathan Hall <hallnk () ONEONTA EDU>
Date: Fri, 17 Sep 2004 15:06:27 -0400
As I started this thread on checking for AV software about four months ago, I thought I would give an update on what we have done in the meantime. When I started the thread we were using Nessus to scan machines before allowing them to register. This worked well, but could only check for a few updates.

Since that time my colleague Justin St. Onge has created a web-based scanner using .NET. Before running the scanner students must install a prerequisites package which installs any components which are not already installed (.NET 1.1, .Net J# package, MBSA, anti-virus installer). The installer also changes the .NET framework permissions so that our scanner has the access it needs. They then visit a web page which contains our scanner. As the scanner is a .NET web component we can update the code at any time without forcing students to download a new installer. The configuration files are XML files loaded by the scanner at scan time, so they can also be changed as needed.

The scanner uses MBSA to check for missing Windows patches, and our own definitions to search for current anti-virus from several vendors (McAfee, Norton, and the campus-provided Sophos). If patches are missing students are given a link to Windows Update and told to install updates. If they are missing an updated anti-virus they are given a link which executes our anti-virus installer. This installer searches for other anti-virus software, removes any it finds, and then installs and configures Sophos.

In addition to these new components we continue to use the pieces we had in place previously. These include a transparent Squid proxy with SquidGuard URL redirection, a homegrown NetReg-like system, background scanning for unpatched machines using Nessus, and Snort for detection of infected machines. We deployed the new scanner before students returned this Fall, and have been very pleased with the results.
The majority of the problems we encountered were with machines badly infected with Trojans, viruses, and spyware. In the week students returned, machines on our isolated network downloaded over 65 GB from Microsoft sites (an average of 30 MB per machine). Roughly 40% of this traffic was cached with Squid, significantly speeding up patch downloads for the students. We also saw many machines installing our campus anti-virus, but I don't have exact numbers for that yet. While we are only a few weeks into the semester, things look very promising so far. We have not had any significant issues with virus infections or network problems on our resnet, and only about 1% of student machines have been removed from the network for virus activity.

We do not have a more detailed write-up at this time, but you can download and try out our scanner at http://autoregadmin.oneonta.edu/test.htm (you must use IE to run the scanner; we check for this in the real process but not on the demo page).

Nathan Hall
IT Security Administrator
SUNY Oneonta

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Friday, September 17, 2004 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

We also have implemented an endpoint security system on residence networks. It consists of:
- a wizard-like wrapper utility for MBSA (built using the great NSIS open-source kit)
- a modified NetReg system (the quarantine system uses no DNS restrictions, filtering HTTP via Squid, and blocking all other network applications via firewall)

See: http://www.utoronto.ca/security/UTORprotect/ESP/index.htm for more info.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto
Here are the links to our control, test pages, source and server
source:
http://141.166.174.241/TestMachineCheckServer.htm
http://is.richmond.edu/techsupport/security/Downloads.htm

We redirect unregistered machines:
1. Lack of MAC address recognition places port into Neverland VLAN
2. Redirect all port 80 and 443 in Neverland VLAN to the registration page

OS / Patch detection: We use a combination of Nmap and Nessus scans to determine machine type and test for patch compliance.

Best,
Chris Faigle
IS Security
University of Richmond
security () richmond edu

-----Original Message-----
From: Michael Mills [mailto:mmills () RKON COM]
Sent: Thursday, September 16, 2004 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

One way that this can be done (if you have Cisco gear) is to institute a Cisco NAS policy that checks for the installation of an AV client, and if so also will check that the current AV pattern is installed BEFORE access to the network is given. If those tests fail, you can then force that user to only have outbound internet access (through firewall policy of course). And if they need to access any of the college's IT resources (email, applications) they would have to go back in through the firewall.

Michael Mills
mmills () rkon com

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gibbs, Aaron M.
Sent: Thursday, September 16, 2004 11:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Are you forcing the foreign PC to the webpage once it is connected, and if so, how?

Aaron M Gibbs
Director Networking and Telecommunications
St. Augustine's College
Center for Information Technology
919-516-4237 (Office)
919-516-4382 (Fax)
amgibbs () st-aug edu
www.st-aug.edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ariel Silverstone
Sent: Wednesday, June 09, 2004 2:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

We are doing it at Temple. Firstly, we mandate our AV via policy, then when connects occur, they must go to a webpage that initiates a test. The test is a combination of ActiveX and ports open.

Thank you,
Ariel Silverstone, CISSP
Chief Information Security Officer
Temple University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rivers, Christopher R
Sent: Wednesday, June 09, 2004 1:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

I would be interested in any responses to this as well.

Many thanks,
Chris Rivers - CEH, A+
Technology Support Coordinator
Indiana University Kokomo
Department of Information Technologies
http://www.iuk.edu/IT
"He is no fool who gives what he cannot keep to gain what he cannot lose." -- Jim Elliot

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe
Sent: Wednesday, June 09, 2004 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines
Nathan-

I unfortunately don't have an answer to your questions regarding verification of AV software on client machines, but I was wondering if you could provide some details on how you accomplished your first goal - verifying for patches before a student machine is allowed on the network. We are currently investigating ways to drop student machines into a "quarantine" VLAN if they are not up to the latest Windows patches, but so far have not found an effective way to do that check. Does your solution require some kind of pre-installed client agent? I didn't see anything in a previous thread, but if you've already answered that question my apologies. Any insight, advice, horror stories you could provide would be greatly appreciated.

Thanks,
Jeff Giacobbe
Director of Systems, Security, and Networking
Montclair State University

Nathan Hall wrote:
Now that we have found a way to check students' machines for missing patches before they are allowed on the network, we are looking to expand to checking for the presence of updated anti-virus software. This requires access to the students' machines, so we are looking at using a web page with a .NET component to perform the check. A few questions:
1) Is anyone else doing something like this currently?
2) How have you implemented this (web page w/ ActiveX/.Net, downloadable program...)?
3) What do you look for to determine if AV software is present (registry entries, services, running processes...)?
4) How successful has it been?
5) Pitfalls?
Any other input would be appreciated too. Thanks in advance.

Nathan Hall
System Administrator
SUNY Oneonta
Oneonta, NY 13820
(607) 436-2708

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
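Nathan Hall's update at the top of this page describes an AV check driven by vendor definitions in XML files loaded at scan time, answering his own earlier question of what to look for (registry entries, services, running processes). The following is an added example, not code from the SUNY Oneonta scanner: a small Python checker that loads constructed definitions in an assumed schema, evaluates them against a constructed host inventory, and fails a host whose anti-virus is installed and running but whose definitions are older than the allowed age. The registry paths, service and process names are placeholders, not the vendors' real ones.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed definition file in an assumed schema (not the Oneonta scanner's own).
# Registry paths, service and process names are placeholders, not the vendors' real ones.
AV_DEFINITIONS = """<av-definitions max-def-age-days="7">
  <product name="Sophos">
    <registry key="HKLM\\SOFTWARE\\Example\\Sophos" value="DefinitionDate"/>
    <service name="ExampleSophosSvc"/><process name="example_sophos.exe"/>
  </product>
  <product name="McAfee">
    <registry key="HKLM\\SOFTWARE\\Example\\McAfee" value="DatDate"/>
    <service name="ExampleMcAfeeSvc"/><process name="example_mcafee.exe"/>
  </product>
</av-definitions>"""

# Constructed host inventories, standing in for what the scanner reads from the machine.
SOPHOS_KEY = "HKLM\\SOFTWARE\\Example\\Sophos"
HOST_CURRENT = {"registry": {SOPHOS_KEY: {"DefinitionDate": "2004-09-15"}},
                "services": {"ExampleSophosSvc": "running"},
                "processes": {"example_sophos.exe"}}
HOST_STALE = {"registry": {SOPHOS_KEY: {"DefinitionDate": "2004-08-01"}},  # six weeks old
              "services": {"ExampleSophosSvc": "running"},
              "processes": {"example_sophos.exe"}}


def check_av(defs_xml, host, today_iso):
    """Evaluate every product definition against the host inventory as of today_iso."""
    today = date.fromisoformat(today_iso)
    root = ET.fromstring(defs_xml)
    max_age = timedelta(days=int(root.get("max-def-age-days")))
    results = []
    for prod in root.findall("product"):
        reg, svc, proc = (prod.find(t).attrib for t in ("registry", "service", "process"))
        def_date = host["registry"].get(reg["key"], {}).get(reg["value"])
        installed = def_date is not None and svc["name"] in host["services"]
        running = installed and host["services"][svc["name"]] == "running" \
            and proc["name"] in host["processes"]
        current = installed and today - date.fromisoformat(def_date) <= max_age
        results.append({"product": prod.get("name"), "installed": installed,
                        "running": running, "current": current})
    return results


def verdict(results):
    """Pass only if some product is installed, running and within the definition age limit.
    The evidence is self-reported by the host, so this complements rather than replaces
    the background Nessus and Snort scanning described in the message."""
    ok = [r["product"] for r in results if r["installed"] and r["running"] and r["current"]]
    return ("pass" if ok else "fail"), ok
```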
Current thread:
- Re: Checking for AV software on students' machines Gibbs, Aaron M. (Sep 16)
- <Possible follow-ups>
- Re: Checking for AV software on students' machines Michael Mills (Sep 16)
- Re: Checking for AV software on students' machines Faigle, Chris (Sep 16)
- Re: Checking for AV software on students' machines Mike Wiseman (Sep 17)
- Re: Checking for AV software on students' machines Paul Crittenden (Sep 17)
- Re: Checking for AV software on students' machines Christopher Misra (Sep 17)
- Re: Checking for AV software on students' machines Nathan Hall (Sep 17)