Educause Security Discussion mailing list archives
Re: Checking for AV software on students' machines
From: "Helms, Sandra" <SANDY () BUMAIL BRADLEY EDU>
Date: Wed, 9 Jun 2004 13:18:38 -0500
Thank you so much! You might want to save what you sent me - I have a feeling others will be asking as well... I understand from our sys admins that if the Windows XP firewall is turned on (which we want) the Nessus scan will not then be able to scan the machine to see if NAV exists, daily updates are set, Windows updates are current, etc. Is there a work-around for that? I'm concerned kids will turn on the firewall with a worm-infected machine and still be able to spread it to others via their network port. Thanks again.

Sandy

-----Original Message-----
From: Nathan Hall [mailto:hallnk () ONEONTA EDU]
Sent: Wednesday, June 09, 2004 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Our system was based on descriptions I had heard of the system used at other schools, mostly Brown. Josh Richard (U. of Minnesota Duluth) and Nancy Magers (Brown) presented on this topic at the Educause Security Professionals Workshop. You can view the slides from their presentation at http://www.educause.edu/ir/library/pdf/SPC0404.pdf. The Brown system integrates Nessus (www.nessus.org) with NetReg through the use of the Perl Net::Nessus::ScanLite module. The presentation contains information on the Brown system.

For comparison I'll give a brief description of our system. Here at Oneonta we don't use NetReg, but we use a similar homegrown system. Rather than integrating with the DHCP server, our system dynamically sets the VLAN of a switch port when a NIC plugs in. The first time a NIC is plugged in it is placed on an isolated VLAN. Once on this VLAN a user opens a web browser and all requests are redirected to a registration page. This registration page is written in Perl and uses the Net::Nessus::ScanLite module to request a Nessus scan of the machine attempting to register. This Nessus scan only uses a limited number of checks to keep the process fast enough.
If the machine passes they are allowed to continue; if it does not pass they are given a link to windowsupdate.microsoft.com and told to apply all security updates. Access to Windows Update from the isolated VLAN is accomplished through the use of a transparent Squid proxy (www.squid-cache.org). The proxy server is configured as the gateway for the isolated VLAN. Only HTTP and HTTPS traffic are allowed from the isolated VLAN, and all HTTP requests are checked using the SquidGuard (www.squidguard.org) redirector. If the request is not for a Windows Update related page it is redirected to the registration page described above. This Squid/SquidGuard configuration was used to avoid the problems involved with maintaining local patches, required Service Packs, and directions on how to use them.

In addition to this scan of machines when they register on the network there is a constant background scan of the network. When a machine missing patches is found an e-mail is generated and sent to the student. The e-mail notifies them that they have 24 hours to patch their machine. After 24 hours their machine is checked again. If it is still missing patches it is moved to the isolated VLAN, removing internet access and forcing them to go through a modified registration process.

This system will not detect unpatched machines if they are protected by a firewall, but these machines will also be protected from viruses/worms which take advantage of the vulnerability, so we consider that acceptable.

I hope that helps. If you have further questions let me know and I will try to answer them.

Nathan

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Wednesday, June 09, 2004 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

I'd be interested to hear the details of your patch version checking system.
Our group is in the process of combining NetReg (www.netreg.org) and Nessus for this purpose. In regards to your quest to obtain more information from an unmanaged end station, I too am looking for this next step and have begun to look at adapting open-source software installer packages. The intention is for the end user to download/run this application which would gather pertinent data and send it to the admin host.

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

Now that we have found a way to check students' machines for missing patches before they are allowed on the network, we are looking to expand to checking for the presence of updated anti-virus software. This requires access to the students' machines, so we are looking at using a web page with a .NET component to perform the check. A few questions:

1) Is anyone else doing something like this currently?
2) How have you implemented this (web page w/ ActiveX/.Net, downloadable program...)?
3) What do you look for to determine if AV software is present (registry entries, services, running processes...)?
4) How successful has it been?
5) Pitfalls?
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
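The Squid/SquidGuard rule Nathan Hall describes for the isolated VLAN (a request for a Windows Update page passes, anything else is rewritten to the registration page) is shown below as an added example in the shape of a classic Squid redirector helper. This is editor-added code, not the Oneonta configuration or any poster's code; the allowed domain list and the registration URL are assumptions for illustration. The point the example makes beyond the thread is that the match must be done on the parsed hostname as whole labels, since a substring test over the raw URL would pass a request to a host such as windowsupdate.microsoft.com.evil.example or a URL with a userinfo trick.

```python
"""Allow-list decision for the isolated VLAN's HTTP proxy.

Added example, not the Oneonta Squid/SquidGuard configuration.  It implements
the rule from the thread (a Windows Update request passes; anything else is
rewritten to the registration page) as a classic Squid redirector helper: one
request per line on stdin, the replacement URL, or a blank line meaning "leave
it alone", on stdout.  The domain list and registration URL are assumptions.
"""
import sys
from typing import Iterable
from urllib.parse import urlsplit

REGISTRATION_URL = "http://register.example.edu/"     # placeholder, not a real portal
ALLOWED_DOMAINS = frozenset({                         # assumed Windows Update hosts
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
})


def host_allowed(host: str) -> bool:
    """Exact or subdomain match of the hostname against the allow-list.

    Comparing whole label sequences is what keeps
    'windowsupdate.microsoft.com.evil.example' out; a substring search over
    the raw URL would let it (and '?q=windowsupdate.microsoft.com') through.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def rewrite_url(url: str) -> str:
    """Return the URL the proxy should actually serve for this request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return REGISTRATION_URL
    # .hostname strips userinfo and port, so 'user@allowed.host@evil' resolves
    # to the real target ('evil'), which is then rejected.
    return url if host_allowed(parts.hostname or "") else REGISTRATION_URL


def redirector_line(line: str) -> str:
    """One line of the Squid redirector protocol: 'URL client/fqdn ident method'.

    Returns the replacement URL, or "" when the request may pass unchanged.
    """
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    new = rewrite_url(url)
    return "" if new == url else new


def run(lines: Iterable[str]) -> Iterable[str]:
    for line in lines:
        yield redirector_line(line)


if __name__ == "__main__":
    # Squid keeps the helper running and expects exactly one answer per request.
    for answer in run(sys.stdin):
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()
```

The helper only decides on the hostname; the thread's design also restricts the isolated VLAN to HTTP and HTTPS at the gateway, which is what stops a host from simply going around the proxy, and HTTPS requests through a transparent proxy cannot be inspected this way at all, so only HTTP is checked here as in the original description.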
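The enforcement policy in the thread (deny at registration until patched; in the background, e-mail the owner, wait 24 hours, recheck, then quarantine) and Sandra Helms's question about hosts the scanner cannot see are combined below in an added example. It is editor-added code, not the Oneonta or Brown system, and its scan report is a constructed stand-in rather than Nessus output. What it adds to the thread is a third verdict for a host whose ports all come back filtered, which is what a remote scan sees when the Windows XP firewall is on: such a host has neither passed nor failed, and whether it is admitted is made an explicit policy choice (Nathan's policy admits it; the default here does not).

```python
"""Decision logic for a scan-gated registration system.

Added example: not code from the Oneonta or Brown systems in the thread, and
the report format is a constructed stand-in, not Nessus output.  It models the
two policies described (deny at registration until patched; in the background,
notify, give 24 hours, then quarantine) and adds the verdict UNSCANNABLE for a
host that never answered, e.g. because a host firewall filters every port.
Whether such a host is admitted is a policy knob; the default fails closed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Set


class Verdict(Enum):
    PASS = "pass"                # host answered and no holes were found
    FAIL = "fail"                # at least one missing patch / hole reported
    UNSCANNABLE = "unscannable"  # host never answered: firewalled or absent


class Action(Enum):
    ADMIT = "admit"              # registration: production VLAN; background: leave in place
    DENY = "deny"                # stay on the isolated VLAN, show the update link
    NOTIFY = "notify"            # e-mail the owner; the 24-hour clock starts
    WAIT = "wait"                # clock still running, recheck later
    QUARANTINE = "quarantine"    # clock expired: back to the isolated VLAN


@dataclass
class ScanReport:
    """Constructed summary of one scan: port states plus any holes found."""
    host: str
    ports_open: Set[int] = field(default_factory=set)
    ports_closed: Set[int] = field(default_factory=set)
    ports_filtered: Set[int] = field(default_factory=set)
    holes: List[str] = field(default_factory=list)  # names of failed checks


@dataclass
class HostState:
    """Per-host bookkeeping for the background scan's grace period."""
    notified_at: Optional[datetime] = None


GRACE_PERIOD = timedelta(hours=24)


def classify(report: ScanReport) -> Verdict:
    """Turn a scan report into a verdict, separating 'clean' from 'silent'."""
    if report.holes:
        return Verdict.FAIL
    # A closed port is still an answer from the host; a filtered port is not.
    # With nothing but filtered ports the scan has learned nothing.
    if not (report.ports_open or report.ports_closed):
        return Verdict.UNSCANNABLE
    return Verdict.PASS


def decide_registration(report: ScanReport, admit_unscannable: bool = False) -> Action:
    """Registration-time gate: pass -> admit, fail -> deny, silent -> policy."""
    verdict = classify(report)
    if verdict is Verdict.PASS:
        return Action.ADMIT
    if verdict is Verdict.UNSCANNABLE and admit_unscannable:
        return Action.ADMIT
    return Action.DENY


def decide_background(report: ScanReport, state: HostState, now: datetime,
                      admit_unscannable: bool = False) -> Action:
    """Background-scan policy: notify, give 24 hours, then quarantine."""
    verdict = classify(report)
    if verdict is Verdict.PASS or (verdict is Verdict.UNSCANNABLE and admit_unscannable):
        state.notified_at = None      # clean (or invisible by policy): reset the clock
        return Action.ADMIT
    if state.notified_at is None:
        state.notified_at = now       # first sighting: send the e-mail
        return Action.NOTIFY
    if now - state.notified_at < GRACE_PERIOD:
        return Action.WAIT
    return Action.QUARANTINE


if __name__ == "__main__":
    # Walk one unpatched host through the background policy (constructed data).
    t0 = datetime(2004, 6, 9, 13, 0)
    unpatched = ScanReport("10.0.0.7", ports_open={135, 445}, holes=["missing-rpc-patch"])
    state = HostState()
    for hours in (0, 12, 24):
        print(hours, decide_background(unpatched, state, t0 + timedelta(hours=hours)).value)
    silent = ScanReport("10.0.0.8", ports_filtered={135, 139, 445})
    print("firewalled host at registration:", decide_registration(silent).value)
```

The knob `admit_unscannable` is the whole difference between the two positions in the thread: with it set, a host that filters every port is waved through, as Nathan describes; with it clear, that host is treated like a failed one and has to make itself scannable (or be checked another way) before it gets a production port.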
Current thread:
- Checking for AV software on students' machines Nathan Hall (Jun 09)
- <Possible follow-ups>
- Re: Checking for AV software on students' machines Mike Wiseman (Jun 09)
- Re: Checking for AV software on students' machines Jeff Giacobbe (Jun 09)
- Re: Checking for AV software on students' machines Rivers, Christopher R (Jun 09)
- Re: Checking for AV software on students' machines Craig Blaha (Jun 09)
- Re: Checking for AV software on students' machines Brian Eckman (Jun 09)
- Re: Checking for AV software on students' machines Ariel Silverstone (Jun 09)
- Re: Checking for AV software on students' machines Nathan Hall (Jun 09)
- Re: Checking for AV software on students' machines Jeff Bollinger (Jun 09)
- Re: Checking for AV software on students' machines Helms, Sandra (Jun 09)
- Re: Checking for AV software on students' machines Bill Frazier (Jun 09)
- Re: Checking for AV software on students' machines Gibbs, Aaron M. (Jun 09)
- Re: Checking for AV software on students' machines jack suess (Jun 09)
- Re: Checking for AV software on students' machines Ariel Silverstone (Jun 09)
- Re: Checking for AV software on students' machines Gary Flynn (Jun 09)
- Re: Checking for AV software on students' machines Robert Ono (Jun 09)
- Re: Checking for AV software on students' machines Stephen Bernard (Jun 09)
- Re: Checking for AV software on students' machines Bill Frazier (Jun 10)
- Re: Checking for AV software on students' machines Nathan Hall (Jun 10)
- Re: Checking for AV software on students' machines Dunker, Mary (Jun 10)
(Thread continues...)