Educause Security Discussion mailing list archives

Re: Checking for AV software on students' machines


From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 10 Jun 2004 08:35:14 -0500

Bill Frazier wrote:
I agree.  To amplify on what I said about our effort, we are
preparing an application which will run on the client system
to do tests.  A firewall may protect against intrusion, but it
says nothing about pre-existing state.  A well patched and AV
current system is less likely to be carrying infection.

Bill


I've mentioned a couple of things regarding this offlist to a few
people, and decided perhaps it's just time to mention it on the list.

Someone else is addressing this idea of looking for pre-infected
computers by checking for traffic originating from the scanned box going
to destinations other than the scanner, DHCP and DNS servers. I'm not
sure exactly how they made it work, but it seems smart to me. One
approach is to make the scanning machine also be the router for that
jailed environment, and have it looking for this kind of traffic.

The approach we are hoping to take is to have some form of IDS running
on the firewall that routes packets to/from our dorms, so even if the
machine passes the test, if it sets off IDS alarms, it can be taken back
offline promptly.

Just like another poster mentioned, perhaps others have different goals
than us. We're also mostly looking to slow the spread of worms to/from
these basically unmanaged computers. For the most part, a firewall does
that. The machines can still spread E-mail worms and such, and we have
methods of rapidly detecting that and dealing with it. At least the
backdoor ports these worms open up will not be accessible on the
firewalled computers.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
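The jail-router idea in the post (flag any traffic a quarantined host originates that is not bound for the scanner, the DHCP server or the DNS server) is easy to prototype offline against flow records. The following is an added example and is not code from the original post, from the list, or from the University of Minnesota: the jail subnet, the scanner/DHCP/DNS addresses, the `src dst proto dport` record format, the `SCAN_THRESHOLD` value and the sample flows are all assumptions made for the demonstration. It goes one step beyond the post by separating a host that merely talks where it should not ("suspicious") from one that fans out to many targets on a single port, which is what a worm looking for victims does ("worm-like").

```python
"""Egress monitor for a quarantine ('jail') network.

Added example, not code from the original post or from the University of
Minnesota. The addresses, thresholds and log format below are assumptions
made for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed jail layout: the scanner box is also the jail's router and DHCP
# server; one DNS resolver is reachable. Everything else is off-limits.
JAIL_NET = ip_network("10.99.0.0/24")
SCANNER = ip_address("10.99.0.1")
DHCP_SERVERS = {SCANNER}
DNS_SERVERS = {ip_address("10.99.0.2")}
BROADCAST = ip_address("255.255.255.255")

# A host touching this many distinct targets on one port looks like a
# worm hunting for victims rather than a stray background connection.
SCAN_THRESHOLD = 10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated 'src dst proto dport' record (assumed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_permitted(flow: Flow) -> bool:
    """Return True only for traffic a jailed host is allowed to originate."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in JAIL_NET:
        return True  # not a jailed host; out of scope for this monitor
    if dst == SCANNER:
        return True  # the scanner must be able to test the box
    if flow.proto == "udp" and flow.dport == 53 and dst in DNS_SERVERS:
        return True  # name resolution
    if flow.proto == "udp" and flow.dport == 67 and (dst == BROADCAST or dst in DHCP_SERVERS):
        return True  # DHCP discover/request
    return False


def classify(lines) -> dict:
    """Return a verdict per jailed host: 'clean', 'suspicious' or 'worm-like'."""
    violations = defaultdict(list)
    seen = set()
    for line in lines:
        flow = parse_flow(line)
        if ip_address(flow.src) not in JAIL_NET:
            continue
        seen.add(flow.src)
        if not is_permitted(flow):
            violations[flow.src].append(flow)
    verdicts = {}
    for host in seen:
        bad = violations.get(host, [])
        if not bad:
            verdicts[host] = "clean"
            continue
        # Count distinct targets per (proto, port): many targets on one
        # port is scanning behaviour, one or two is just "talked out of turn".
        targets = defaultdict(set)
        for f in bad:
            targets[(f.proto, f.dport)].add(f.dst)
        if any(len(t) >= SCAN_THRESHOLD for t in targets.values()):
            verdicts[host] = "worm-like"
        else:
            verdicts[host] = "suspicious"
    return verdicts


# Constructed sample flows (not real traffic) for three jailed hosts.
SAMPLE_FLOWS = [
    # .50 behaves: DHCP, DNS, and talks only to the scanner
    "10.99.0.50 255.255.255.255 udp 67",
    "10.99.0.50 10.99.0.2 udp 53",
    "10.99.0.50 10.99.0.1 tcp 80",
    # .51 probes SMB on twenty different hosts: classic worm behaviour
    "10.99.0.51 10.99.0.2 udp 53",
    *[f"10.99.0.51 10.20.1.{i} tcp 445" for i in range(1, 21)],
    # .52 makes one outbound HTTP connection: could be malware calling
    # home or a legitimate auto-updater, so it is flagged for a human
    "10.99.0.52 10.99.0.2 udp 53",
    "10.99.0.52 198.51.100.7 tcp 80",
]

if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{host}: {verdict}")
```

Two caveats a practitioner would want before putting something like this behind a jail router: a single unexpected outbound connection is not proof of infection (operating-system and antivirus auto-updaters will do exactly that the moment a machine gets an address), so the "suspicious" verdict is a cue for a second look rather than an automatic block; and a host that carries a dormant infection may produce no traffic at all during the scan window, which is why the post pairs this with a patch/AV check on the client and an IDS on the dorm firewall afterwards.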

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
