Educause Security Discussion mailing list archives

Re: windows AV policy support


From: Randy Grimshaw <rgrimsha () SYR EDU>
Date: Wed, 10 Jan 2007 15:19:41 -0500

Mike:
   I have written a prototype that uses EICAR and the Security Center
among other things. There are some observations that raise some red flags,
and I wondered how you handle these.

   One is that the Security Center only knows a boolean up-to-date ==
non zero. The observation is that a machine off the network for a couple
of days is zero. The red flag is that a student might pack their system
days before arriving on campus to register their system. In your NAC
would these students be prevented from registering/accessing the
network?

   Another is that testing the EICAR pattern triggers an ALERT from any
active AV package. Based on the sense of humor or the skill of the
dialog author this can be quite disconcerting. Think screeching monkeys.
The managers that have seen the prototype so far think this may cause
too many support calls despite my good efforts to warn the user in
advance. How do you test the EICAR pattern and handle the alert issue?

  McAfee pre 8.5 did not update the Security Center. Symantec ???

  We are leaning towards becoming experts at many packages. Enough at
least to know where to look for the virus definition file date. Can you
please provide any other details that might be helpful, such as apparent
market share (which products are seen the most)? You may see me post
this to the list as well.

  Much appreciated

<><Randy





<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY   13244
315-443-5779
rgrimsha () syr edu

mike.wiseman () UTORONTO CA 11/30/2006 4:15 PM >>>
There are two tests that I can suggest:

-to check for AV real-time detection functionality, use a script to
attempt to write the EICAR pattern to a file. An AV configured to do
real-time detection should block this attempt.
-to check for AV up-to-date status, this information is stored in the
WMI database. There are tools available to retrieve this information.

I don't know of any AV products that don't support both of these so we
have no AV product restrictions. We use these checks in our in-house NAC
system.

Mike


Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto




Background: we are considering a change to our AV policy. In the past we
have required that one provided and supported product be used. We are
thinking it might be better to let the students choose from a long list.
Question: how best to enforce that one of a long list is not only
installed but functioning.
Thank you.
<><Randy



<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY   13244
315-443-5779
rgrimsha () syr edu
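The two checks Mike describes in his reply, written out as an added PowerShell example. This is not code from either poster or from either university's NAC system. It assumes Windows PowerShell 5.1 on a host whose AV product registers with the Security Center; the root\SecurityCenter2 namespace, its productState bitmask and the decoding used for it are assumptions about later Windows versions, not anything the thread states. The EICAR string is assembled from two halves at run time so the script file itself is not quarantined before it can run.

```powershell
# Added example, not code from the thread. Implements the two checks Mike
# describes: (1) write the EICAR test string and see whether the on-access
# scanner intervenes, (2) read AV status from the WMI Security Center.
# Assumes Windows PowerShell 5.1 on a host whose AV registers with the
# Security Center. The productState decoding below is the commonly used
# informal one, not a documented Microsoft interface.

function Test-RealTimeAV {
    # Prove TEMP is writable first, so a later failure on the EICAR file
    # can only mean the scanner acted, not that the directory is read-only.
    $control = Join-Path $env:TEMP 'eicar-nac-control.txt'
    [System.IO.File]::WriteAllText($control, 'control', [System.Text.Encoding]::ASCII)
    Remove-Item -LiteralPath $control -Force

    # Assemble the EICAR string at run time from two halves so that this
    # script file itself is not quarantined before it gets to run.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $path  = Join-Path $env:TEMP 'eicar-nac-probe.com'
    $blocked = $false
    try {
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
        Start-Sleep -Seconds 3          # give the on-access scanner time to react
        if (-not (Test-Path -LiteralPath $path)) {
            $blocked = $true            # scanner deleted or quarantined the file
        } elseif ([System.IO.File]::ReadAllText($path) -ne $eicar) {
            $blocked = $true            # scanner cleaned or truncated the file
        }
    } catch {
        $blocked = $true                # write or read denied: scanner intervened
    } finally {
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
    return $blocked
}

function Get-AVStatus {
    # Vista and later publish root\SecurityCenter2, where AntiVirusProduct
    # carries a productState bitmask; XP publishes root\SecurityCenter with
    # the explicit booleans (productUptoDate, onAccessScanningEnabled) that
    # Randy's prototype reads.
    $haveSC2 = Get-CimInstance -Namespace 'root' -ClassName '__NAMESPACE' `
                   -Filter "Name='SecurityCenter2'" -ErrorAction SilentlyContinue
    $ns = if ($haveSC2) { 'root\SecurityCenter2' } else { 'root\SecurityCenter' }

    Get-CimInstance -Namespace $ns -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object {
            if ($ns -eq 'root\SecurityCenter2') {
                $state    = [int]$_.productState
                $rtOn     = ($state -band 0x1000) -ne 0   # bit set: real-time protection on
                $upToDate = ($state -band 0x0010) -eq 0   # 0x10 set: definitions out of date
            } else {
                $rtOn     = [bool]$_.onAccessScanningEnabled
                $upToDate = [bool]$_.productUptoDate
            }
            [pscustomobject]@{
                Product  = $_.displayName
                RealTime = $rtOn
                UpToDate = $upToDate
            }
        }
}

# NAC-style verdict: at least one registered product that is both current
# and scanning on access, and the EICAR write was actually stopped.
$status  = @(Get-AVStatus)
$status | Format-Table -AutoSize
$healthy = @($status | Where-Object { $_.RealTime -and $_.UpToDate }).Count -gt 0
$stopped = Test-RealTimeAV
"AV registered and current: $healthy; EICAR write blocked: $stopped"
```

The WMI query is silent, but Test-RealTimeAV will raise the vendor's own detection alert on the machine, which is exactly the support-call problem Randy raises; the test cannot suppress that dialog because triggering the scanner is the point. The UpToDate value is only what the vendor last reported to the Security Center, so a machine that has been off the network for days reports stale even when its definitions are otherwise fine, matching Randy's first observation.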

