Educause Security Discussion mailing list archives
Re: windows AV policy support
From: Randy Grimshaw <rgrimsha () SYR EDU>
Date: Wed, 10 Jan 2007 15:19:41 -0500
Mike: I have written a prototype that uses EICAR and the Security Center among other things. There are some observations that raise some red flags and I wondered how you handle these.

One is that the Security Center only knows a boolean up-to-date == non zero. The observation is that a machine off the network for a couple of days is zero. The red flag is that a student might pack their system days before arriving on campus to register their system. In your NAC would these students be prevented from registering/accessing the network?

Another is that testing the EICAR pattern triggers an ALERT from any active AV package. Based on the sense of humor or the skill of the dialog author this can be quite disconcerting. Think screeching monkeys. The managers that have seen the prototype so far think this may cause too many support calls despite my good efforts to warn the user in advance. How do you test the EICAR pattern and handle the alert issue?

McAfee pre 8.5 did not update the Security Center. Symantec ??? We are leaning towards becoming experts at many packages. Enough at least to know where to look for the virus definition file date. Can you please provide any other details that might be helpful such as apparent market share. (Which products are seen the most). You may see me post this to the list as well.

Much appreciated
<><Randy
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha () syr edu
mike.wiseman () UTORONTO CA 11/30/2006 4:15 PM >>>
There are two tests that I can suggest:

- to check for AV real time detection functionality, use a script to attempt to write the EICAR pattern to a file. An AV configured to do real time detection should block this attempt.
- to check for AV up-to-date status, this information is stored in the WMI database. There are tools available to retrieve this information.

I don't know of any AV products that don't support both of these so we have no AV product restrictions. We use these checks in our in-house NAC system.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto
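The two checks Mike describes, and the Security Center up-to-date flag Randy's prototype reads, as an added PowerShell example. This is not code from either poster's NAC system. It assumes a modern Windows client where the Security Center data lives in the root\SecurityCenter2 namespace as an undocumented productState bitmask (the middle byte 0x10 meaning real-time protection is on and the low byte 0x00 meaning definitions are current is the commonly used reading, not a documented contract), with a fallback to the older root\SecurityCenter class and its boolean productUptoDate / onAccessScanningEnabled fields. The temp file path and the two-second quarantine wait are arbitrary choices for illustration.

```powershell
# Added example, not part of the original thread.
# Two NAC-style checks: (1) read AV status from the Security Center WMI data,
# (2) attempt to write the EICAR test pattern and see whether on-access
# scanning blocks or removes it.

function Get-AvStatus {
    # Vista and later: root\SecurityCenter2, productState bitmask (undocumented).
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                                -ErrorAction SilentlyContinue
    if ($products) {
        foreach ($p in $products) {
            # Assumption: middle byte 0x10 = enabled, low byte 0x00 = up to date.
            $hex = '{0:X6}' -f [int]$p.productState
            [pscustomobject]@{
                Product  = $p.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                RawState = $hex
            }
        }
        return
    }
    # XP SP2 era fallback: root\SecurityCenter exposes plain booleans.
    Get-CimInstance -Namespace 'root\SecurityCenter' -ClassName AntiVirusProduct `
                    -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = [bool]$_.onAccessScanningEnabled
                UpToDate = [bool]$_.productUptoDate
                RawState = 'n/a'
            }
        }
}

function Test-AvRealTime {
    param([string]$Path = (Join-Path $env:TEMP 'eicar-nac-check.com'))

    # The pattern is assembled from two halves so this script is not itself
    # flagged while sitting on disk; joined, it is the standard EICAR test file.
    # Single quotes keep PowerShell from expanding $EICAR and $H.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'

    # Warn first: any working AV will raise its own alert when the file lands.
    Write-Warning 'Writing the EICAR test file now. Your antivirus is expected to alert; this is a harmless test, not an infection.'

    try {
        [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # Write refused outright: on-access scanning intercepted it.
        return $true
    }

    Start-Sleep -Seconds 2   # give the scanner a moment to quarantine or delete

    # Real-time protection passed only if the pattern did NOT survive on disk.
    $content  = Get-Content -Path $Path -Raw -ErrorAction SilentlyContinue
    $survived = (Test-Path $Path) -and ($content -eq $eicar)

    if (Test-Path $Path) { Remove-Item $Path -Force -ErrorAction SilentlyContinue }
    return (-not $survived)
}

# Usage: both conditions must hold for the machine to pass.
$status = Get-AvStatus
$status | Format-Table -AutoSize
$wmiOk  = [bool]($status | Where-Object { $_.Enabled -and $_.UpToDate })
$rtOk   = Test-AvRealTime
'NAC antivirus check: ' + $(if ($wmiOk -and $rtOk) { 'PASS' } else { 'FAIL' })
```

Note the two checks answer different questions: the WMI flag is whatever the vendor last reported to Security Center, so a product that does not register there (as Randy notes for older McAfee) shows nothing, while the EICAR write exercises the scanner itself regardless of vendor. The up-to-date bit is still a plain boolean, so the "laptop packed a week ago" case Randy raises has to be handled by policy (a grace period or a remediation network), not by this script.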
Background: we are considering a change to our AV policy. In the past we have required that one provided and supported product be used. We are thinking it might be better to let the students choose from a long list.

Question: how best to enforce that one of a long list is not only installed but functioning. Thank you.

<><Randy
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha () syr edu