Educause Security Discussion mailing list archives

Re: Checking for AV software on students' machines


From: "Helms, Sandra" <SANDY () BUMAIL BRADLEY EDU>
Date: Wed, 9 Jun 2004 13:18:38 -0500

Thank you so much!  You might want to save what you sent me - I have a
feeling others will be asking as well...  I understand from our sys
admins that if the Windows XP firewall is turned on (which we want) the
Nessus scan will not then be able to scan the machine to see if NAV
exists, daily updates are set, Windows updates are current, etc.  Is
there a work-around for that?  I'm concerned kids will turn on the
firewall with a worm-infected machine and still be able to spread it to
others via their network port.

Thanks again.

Sandy

-----Original Message-----
From: Nathan Hall [mailto:hallnk () ONEONTA EDU] 
Sent: Wednesday, June 09, 2004 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines


Our system was based on descriptions I had heard of the system used at
other schools, mostly Brown. Josh Richard (U. of Minnesota Duluth) and
Nancy Magers (Brown) presented on this topic at the Educause Security
Professionals Workshop. You can view the slides from their presentation
at http://www.educause.edu/ir/library/pdf/SPC0404.pdf. The Brown system
integrates Nessus (www.nessus.org) with NetReg through the use of the
Perl Net::Nessus::ScanLite module. The presentation contains information
on the Brown system. For comparison I'll give a brief description of our
system.

Here at Oneonta we don't use NetReg, but we use a similar homegrown
system. Rather than integrating with the DHCP server our system
dynamically sets the vlan of a switch port when a NIC plugs in. The
first time a NIC is plugged in it is placed on an isolated vlan. 

Once on this vlan a user opens a web browser and all requests are
redirected to a registration page. This registration page is written in
Perl and uses the Net::Nessus::ScanLite module to request a Nessus scan
of the machine attempting to register. This Nessus scan only uses a
limited number of checks to keep the process fast enough. If the machine
passes they are allowed to continue, if it does not pass they are given
a link to windowsupdate.microsoft.com and told to apply all security
updates.

Access to windows update from the isolated vlan is accomplished through
the use of a transparent Squid proxy (www.squid-cache.org). The proxy
server is configured as the gateway for the isolated vlan. Only HTTP and
HTTPS traffic are allowed from the isolated vlan, and all HTTP requests
are checked using the SquidGuard (www.squidguard.org) redirector. If the
request is not for a windows update related page it is redirected to the
registration page described above. This Squid/SquidGuard configuration
was used to avoid the problems involved with maintaining local patches,
required Service Packs, and directions on how to use them. 

In addition to this scan of machines when they register on the network
there is a constant background scan of the network. When a machine
missing patches is found, an e-mail is generated and sent to the
student. The e-mail notifies them that they have 24 hours to patch their
machine. After 24 hours their machine is checked again. If it is still
missing patches it is moved to the isolated vlan, removing internet
access and forcing them to go through a modified registration process.

This system will not detect unpatched machines if they are protected by
a firewall, but these machines will also be protected from viruses/worms
which take advantage of the vulnerability, so we consider that
acceptable. 

I hope that helps. If you have further questions let me know and I will
try to answer them.

Nathan
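
As an added illustration (not Nathan's code and not the Oneonta configuration), here is what the SquidGuard side of the isolated-vlan setup described above looks like: an allow list for Windows Update, an allow list for the registration host itself, and a redirect for everything else. Paths, the registration host and the Squid 2.5 hook-in lines are assumptions.

```conf
# squidGuard.conf  (added example; paths and hosts are placeholders)
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

# Hosts Windows Update needs. The post names only
# windowsupdate.microsoft.com; any other hosts the update site contacts
# have to be added from the proxy's own access log. One domain per line in
# db/winupdate/domains, e.g.:
#     windowsupdate.microsoft.com
dest winupdate {
    domainlist winupdate/domains
}

# The registration page must itself be passable: otherwise the 302 that
# squidGuard returns would be rewritten again and the browser would loop.
# db/regpage/domains contains the (placeholder) host:
#     register.example.edu
dest regpage {
    domainlist regpage/domains
}

acl {
    default {
        # pass the two allow lists, then deny everything else ("none") ...
        pass winupdate regpage none
        # ... and send every denied request to the registration page
        redirect http://register.example.edu/cgi-bin/register.pl
    }
}

# squid.conf (Squid 2.5 era): hand each request to the redirector.
# redirect_program  /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
# redirect_children 5
```

squidGuard only sees the HTTP requests Squid hands it; the HTTPS the post also permits from the isolated vlan is not rewritten here, so the gateway's packet filter, not the proxy, has to limit port 443 to the update hosts.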

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Wednesday, June 09, 2004 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

I'd be interested to hear the details of your patch version checking
system. Our group is in the process of combining NetReg (www.netreg.org)
and Nessus for this purpose. In regards to your quest to obtain more
information from an unmanaged end station, I too am looking for this
next step and have begun to look at adapting open-source software
installer packages. The intention is for the end user to download/run
this application which would gather pertinent data and send it to the
admin host.

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

Now that we have found a way to check students' machines for missing
patches before they are allowed on the network, we are looking to expand
to checking for the presence of updated anti-virus software. This
requires access to the students' machines, so we are looking at using a
web page with a .NET component to perform the check. A few questions:

1) Is anyone else doing something like this currently?
2) How have you implemented this (web page w/ ActiveX/.Net, downloadable
program...)?
3) What do you look for to determine if AV software is present (registry
entries, services, running processes...)?
4) How successful has it been?
5) Pitfalls?


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
