Re: Checking for AV software on students' machines

[Nathan Hall <hallnk () ONEONTA EDU>]

As I started this thread on checking for AV software about four months
ago, I thought I would give an update on what we have done in the
meantime. When I started the thread we were using Nessus to scan
machines before allowing them to register. This worked well, but could
only check for a few updates. Since that time my colleague Justin St.
Onge has created a web based scanner using .NET. Before running the
scanner students must install a prerequisites package which installs any
components which are not already installed (.NET 1.1, .Net J# package,
MBSA, anti-virus installer). The installer also changes the .NET
framework permissions so that our scanner has the access it needs. They
then visit a web page which contains our scanner. As the scanner is a
.NET web component we can update the code at any time without forcing
students to download a new installer. The configuration files are XML
files loaded by the scanner at scan time, so they can also be changed as
needed. The scanner uses MBSA to check for missing Windows patches, and
our own definitions to search for current anti-virus from several
vendors (McAfee, Norton, and the campus provided Sophos). If patches are
missing students are given a link to Windows Update and told to install
updates. If they are missing an updated anti-virus they are given a link
which executes our anti-virus installer. This installer searches for
other anti-virus software, removes any it finds, and then installs and
configures Sophos. 

In addition to these new components we continue to use the pieces we had
in place previously. These include a transparent Squid proxy with
SquidGuard url redirection, a homegrown NetReg-like system, background
scanning for unpatched machines using Nessus, and Snort for detection of
infected machines.

We deployed the new scanner before students returned this Fall, and have
been very pleased with the results. The majority of the problems we
encountered were with machines badly infected with Trojans, viruses, and
spyware. In the week students returned machines on our isolated network
downloaded over 65 GB from Microsoft sites (an average of 30 MB per
machine). Roughly 40% of this traffic was cached with Squid,
significantly speeding up patch downloads for the students. We also saw
many machines installing our campus anti-virus, but I don't have exact
numbers for that yet. While we are only a few weeks into the semester,
things look very promising so far. We have not had any significant
issues with virus infections or network problems on our resnet and only
about 1% of student machines have been removed from the network for
virus activity. We do not have a more detailed write-up at this time,
but you can download and try out our scanner at
http://autoregadmin.oneonta.edu/test.htm (you must use IE to run the
scanner, we check for this in the real process but not on the demo
page).  

Nathan Hall
IT Security Administrator
SUNY Oneonta

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Friday, September 17, 2004 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

We also have implemented an endpoint security system on residence
networks. It consists
of:

-a wizard-like wrapper utility for MBSA (built using the great NSIS
open-source kit)
-a modified NetReg system. (the quarantine system uses no DNS
restrictions, filtering HTTP
via Squid, and blocking all other network applications via firewall)

See: http://www.utoronto.ca/security/UTORprotect/ESP/index.htm for more
info.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

> Here are the links to our control, test pages, source and server
source:
>        http://141.166.174.241/TestMachineCheckServer.htm
>        http://is.richmond.edu/techsupport/security/Downloads.htm
>
> We redirect unregistered machines:
>        1. Lack of MAC address recognition places port into Neverland
VLAN
>        2. Redirect all port 80 and 443 in Neverland vlan to the
> registration page
>
> OS / Patch detection:
>        We use a combination of Nmap and Nessus scans to determine
machine
> type and test for patch compliance.
>
> Best,
> Chris Faigle
> IS Security
> University of Richmond
> security () richmond edu
>
>
> -----Original Message-----
> From: Michael Mills [mailto:mmills () RKON COM]
> Sent: Thursday, September 16, 2004 2:42 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> One way that this can be done (if you have Cisco gear), is to
institute a
> Cisco NAS policy that check for the installation of a AV client, and
if so
> also will check that the current AV pattern is installed BEFORE access
to
> the network is given.
>
> If those tests fail, you can then force that user to only have
outbound
> internet access (through firewall policy of course).  And if they need
to
> access any of the colleges IT resources (email, Applications) they
would
> have to go back in through the firewall.
>
>
>
> Michael Mills
> mmills () rkon com
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gibbs, Aaron M.
> Sent: Thursday, September 16, 2004 11:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> Are you forcing the foreign PC to the webpage once it is connected, if
so
> how?
>
> Aaron M Gibbs
> Director
> Networking and Telecommunications
> St. Augustine's College
> Center for Information Technology
> 919-516-4237 (Office)
> 919-516-4382 (Fax)
> amgibbs () st-aug edu
> www.st-aug.edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Ariel Silverstone
> Sent: Wednesday, June 09, 2004 2:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
>
> We are doing it at Temple.  Firstly, we mandate our AV via policy,
then when
> connects occur, they must go to a webpage that initiates a test.  The
test
> is a combination of ActiveX and ports open.
>
> Thank you,
>
> Ariel Silverstone, CISSP
> Chief Information Security Officer
> Temple University
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rivers,
Christopher R
> Sent: Wednesday, June 09, 2004 1:26 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Checking for AV software on students' machines
>
> I would be interested any any responses to this as well.
>
> Many thanks,
> Chris Rivers - CEH, A+
> Technology Support Coordinator
> Indiana University Kokomo
> Department of Information Technologies
> http://www.iuk.edu/IT
>
> "He is no fool who gives what he cannot keep to gain what he cannot
> lose." -- Jim Elliot
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe
> > Sent: Wednesday, June 09, 2004 12:13 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Checking for AV software on students'
machines
> > Nathan-
> >
> > I unfortunately don't have an answer to your questions regarding
> > verification of AV software on client machines, but I was wondering
if
> > you could provide some details on how you accomplished your first
goal
> > - verifying for patches before a student machine is allowed on the
> > network.
> >
> > We are currently investigating ways to drop student machines into a
> > "quarantine" VLAN if they are not up to the latest Windows patches,
> > but so far have not found an effective way to do that check. Does
your
> > solution require some kind of pre-installed client agent?
> >
> > I didn't see anything in a previous thread, but if you've already
> > answered that question my apologies. Any insight, advice, horror
> > stories you could provide would be greatly appreciated.
> >
> > Thanks,
> >
> > Jeff Giacobbe
> > Director of Systems, Security, and Networking Montclair State
> > University
> >
> >
> > Nathan Hall wrote:
> > > Now that we have found a way to check students' machines for
missing
> > > patches before they are allowed on the network, we are
> > looking to expand
> > > to checking for the presence of updated anti-virus software. This
> > > requires access to the students' machines, so we are
> > looking at using a
> > > web page with a .NET component to perform the check. A few
> > questions:
> > > 1) Is anyone else doing something like this currently?
> > > 2) How have you implemented this (web page w/ ActiveX/.Net,
> > downloadable
> > > program...)?
> > > 3) What do you look for to determine if AV software is
> > present (registry
> > > entries, services, running processes...)?
> > > 4) How successful has it been?
> > > 5) Pitfalls?
> > >
> > > Any other input would be appreciated too. Thanks in advance.
> > >
> > > Nathan Hall
> > > System Administrator
> > > SUNY Oneonta
> > > Oneonta, NY 13820
> > > (607) 436-2708
> > >
> > > **********
> > > Participation and subscription information for this
> > EDUCAUSE Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> This email and any files transmitted with it are confidential and
intended
> solely for the use of the individual or entity to whom they are
addressed.
> If you have received this email in error please notify the system
manager.
> This message contains confidential information and is intended only
for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion Group discussion
> list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.