IAG antivirus / endpoint detection not working

  • Question

  • Hello,

    We are running the latest version of IAG (with all service packs and updates installed). This was previously set up by someone else.

    IAG used to be able to detect OfficeScan 8.0 and any other antivirus. After updating IAG, no antivirus endpoints are detected.

    We have tried everything we can think of. I have tried creating specific policies, using WMI antivirus expressions, and it still does not work.

    Does anyone know of a script I could use that detects WMI antivirus scanners? (Though I believe this was already written.) (See below.)

    Basically we can log in, and all applications work apart from RDP access (because we don't want people to be able to RDP into our network without having an antivirus). If we remove our current policy, which supposedly scans for AVs, and 'allow everyone access', it works fine, but we want to force people to have an up-to-date AV.

    Any ideas???

    (
      (
        ( ( AV_Norton_Installed AND AV_Norton_Running ) AND ( CInt(Left(AV_Norton_Version_Product,2))>=7 ) AND ( DateDiff("d",AV_Norton_LastUpdate,Now)<=7 OR AV_Norton_UptoDate ) )
        OR ( ( AV_OfficeScan_Installed AND AV_OfficeScan_Running ) AND ( CDbl(Left(AV_OfficeScan_Version_Product,3))>=8 ) AND ( DateDiff("d",AV_OfficeScan_LastUpdate,Now)<=7 OR AV_OfficeScan_UptoDate ) )
        OR ( ( AV_eTrustITM_Installed AND AV_eTrustITM_Running ) AND ( CInt(Left(AV_eTrustITM_Version_Product,2))>=8 ) AND ( DateDiff("d",AV_eTrustITM_LastUpdate,Now)<=7 OR AV_eTrustITM_UptoDate ) )
        OR ( ( AV_TrendMicroInternetSecurity_Installed AND AV_TrendMicroInternetSecurity_Running ) AND ( CInt(Left(AV_TrendMicroInternetSecurity_Version_Product,2))>=16 ) AND ( DateDiff("d",AV_TrendMicroInternetSecurity_LastUpdate,Now)<=7 OR AV_TrendMicroInternetSecurity_UptoDate ) )
        OR ( ( AV_TMServerProtect_Installed AND AV_TMServerProtect_Running ) AND ( CInt(Left(AV_TMServerProtect_Version_Product,2))>=5 ) AND ( DateDiff("d",AV_TMServerProtect_LastUpdate,Now)<=7 OR AV_TMServerProtect_UptoDate ) )
        OR ( ( AV_CoxAuthentium_Installed AND AV_CoxAuthentium_Running ) AND ( CInt(Left(AV_CoxAuthentium_Version_Product,1))>=1 ) AND ( DateDiff("d",AV_CoxAuthentium_LastUpdate,Now)<=7 OR AV_CoxAuthentium_UptoDate ) )
        OR ( ( AV_FSecure_Installed AND AV_FSecure_Running ) AND ( CInt(Left(AV_FSecure_Version_Product,2))>=5 ) AND ( DateDiff("d",AV_FSecure_LastUpdate,Now)<=7 OR AV_FSecure_UptoDate ) )
        OR ( ( AV_McAfeeTotalProtection_Installed AND AV_McAfeeTotalProtection_Running ) AND ( CInt(Left(AV_McAfeeTotalProtection_Version_Engine,2))>=4 ) AND ( DateDiff("d",AV_McAfeeTotalProtection_LastUpdate,Now)<=7 OR AV_McAfeeTotalProtection_UptoDate ) )
        OR ( ( AV_PandaCS_Installed AND AV_PandaCS_Running ) AND ( CInt(Left(AV_PandaCS_Version_Product,1))>=4 ) AND ( DateDiff("d",AV_PandaCS_LastUpdate,Now)<=7 OR AV_PandaCS_UptoDate ) )
        OR ( ( AV_Kaspersky_Installed AND AV_Kaspersky_Running ) AND ( CInt(Left(AV_Kaspersky_Version_Product,2))>=6 ) AND ( DateDiff("d",AV_Kaspersky_LastUpdate,Now)<=7 OR AV_Kaspersky_UptoDate ) )
        OR ( ( AV_Norton360_Installed AND AV_Norton360_Running ) AND ( CInt(Left(AV_Norton360_Version_Product,2))>=1 ) AND ( DateDiff("d",AV_Norton360_LastUpdate,Now)<=7 OR AV_Norton360_UptoDate ) )
        OR ( ( (AV_WMI_Installed_1 AND AV_WMI_Running_1) OR (AV_WMI_Installed_2 AND AV_WMI_Running_2) OR (AV_WMI_Installed_3 AND AV_WMI_Running_3) OR (AV_WMI_Installed_4 AND AV_WMI_Running_4) ) AND ( (AV_WMI_Installed_1 AND AV_WMI_Running_1 AND AV_WMI_UptoDate_1) OR (AV_WMI_Installed_2 AND AV_WMI_Running_2 AND AV_WMI_UptoDate_2) OR (AV_WMI_Installed_3 AND AV_WMI_Running_3 AND AV_WMI_UptoDate_3) OR (AV_WMI_Installed_4 AND AV_WMI_Running_4 AND AV_WMI_UptoDate_4) ) )
        OR ( ( AV_FProt_Installed AND AV_FProt_Running ) AND ( CInt(Left(AV_FProt_Version_Product,2))>=3 ) AND ( DateDiff("d",AV_FProt_LastUpdate,Now)<=7 OR AV_FProt_UptoDate ) )
        OR ( ( AV_Sophos_Installed AND AV_Sophos_Running ) AND ( CInt(Left(AV_Sophos_Version_Product,2))>=3 ) AND ( DateDiff("d",AV_Sophos_LastUpdate,Now)<=4 OR AV_Sophos_UptoDate ) )
        OR ( ( AV_SymantecEndpointProtection_Installed AND AV_SymantecEndpointProtection_Running ) AND ( CInt(Left(AV_SymantecEndpointProtection_Version_Product,2))>=11 ) AND ( DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<=7 OR AV_SymantecEndpointProtection_UptoDate ) )
        OR ( ( AV_HBEDVAntiVir_Installed AND AV_HBEDVAntiVir_Running ) AND ( CInt(Left(AV_HBEDVAntiVir_Version_Product,2))>=6 ) AND ( DateDiff("d",AV_HBEDVAntiVir_LastUpdate,Now)<=7 OR AV_HBEDVAntiVir_UptoDate ) )
        OR ( ( AV_McAfee_Installed AND AV_McAfee_Running ) AND ( CInt(Left(AV_McAfee_Version_Engine,2))>=4 ) AND ( DateDiff("d",AV_McAfee_LastUpdate,Now)<=7 OR AV_McAfee_UptoDate ) )
        OR ( ( AV_VComSS_Installed ) AND ( CInt(Left(AV_VComSS_Version_Product,2))>=5 ) AND ( DateDiff("d",AV_VComSS_LastUpdate,Now)<=10 OR AV_VComSS_UptoDate ) )
        OR ( ( AV_MSForefront_Installed AND AV_MSForefront_Running ) AND ( CInt(Left(AV_MSForefront_Version_Product,1))>=1 ) AND ( DateDiff("d",AV_MSForefront_LastUpdate,Now)<=7 OR AV_MSForefront_UptoDate ) )
        OR ( ( AV_MSOneCare_Installed AND AV_MSOneCare_Running ) AND ( CInt(Left(AV_MSOneCare_Version_Product,2))>=1 ) AND ( DateDiff("d",AV_MSOneCare_LastUpdate,Now)<=7 OR AV_MSOneCare_UptoDate ) )
        OR ( ( AV_McAfeeVirusScanASAP_Installed AND AV_McAfeeVirusScanASAP_Running ) AND ( CInt(Left(AV_McAfeeVirusScanASAP_Version_Engine,2))>=4 ) AND ( DateDiff("d",AV_McAfeeVirusScanASAP_LastUpdate,Now)<=7 OR AV_McAfeeVirusScanASAP_UptoDate ) )
        OR ( ( AV_ZoneAlarm_Installed AND AV_ZoneAlarm_Running ) AND ( CInt(Left(AV_ZoneAlarm_Version_Product,2))>=5 ) AND ( DateDiff("d",AV_ZoneAlarm_LastUpdate,Now)<=7 OR AV_ZoneAlarm_UptoDate ) )
        OR ( ( AV_eTrust_Installed AND AV_eTrust_Running ) AND ( CInt(Left(AV_eTrust_Version_Product,2))>=6 ) AND ( DateDiff("d",AV_eTrust_LastUpdate,Now)<=7 OR AV_eTrust_UptoDate ) )
        OR ( ( AV_CA_SCM_Installed AND AV_CA_SCM_Running ) AND ( CInt(Left(AV_CA_SCM_Version_Product,2))>=2 ) AND ( DateDiff("d",AV_CommandAuthentium_LastUpdate,Now)<=7 OR AV_CA_SCM_UptoDate ) )
        OR ( ( AV_CommandAuthentium_Installed AND AV_CommandAuthentium_Running ) AND ( CInt(Left(AV_CommandAuthentium_Version_Product,1))>=4 ) AND ( DateDiff("d",AV_CommandAuthentium_LastUpdate,Now)<=7 OR AV_CommandAuthentium_UptoDate ) )
        OR ( ( AV_NOD32_Installed AND AV_NOD32_Running ) AND ( CInt(Left(AV_NOD32_Version_Product,2))>=2 ) AND ( DateDiff("d",AV_NOD32_LastUpdate,Now)<=7 OR AV_NOD32_UptoDate ) )
        OR ( ( AV_PCCillin_Installed AND AV_PCCillin_Running ) AND ( CDbl(Left(AV_PCCillin_Version_Product,5))>=11 ) AND ( DateDiff("d",AV_PCCillin_LastUpdate,Now)<=7 OR AV_PCCillin_UptoDate ) )
        OR ( ( AV_AVG_Installed AND AV_AVG_Running ) AND ( CInt(Left(AV_AVG_Version_Product,2))>=7 ) AND ( DateDiff("d",AV_AVG_LastUpdate,Now)<=7 OR AV_AVG_UptoDate ) )
        OR ( ( AV_BitDefender_Installed AND AV_BitDefender_Running ) AND ( CInt(Left(AV_BitDefender_Version_Product,2))>=8 ) AND ( DateDiff("d",AV_BitDefender_LastUpdate,Now)<=7 OR AV_BitDefender_UptoDate ) )
      )
    )

    ( AV_WMI_Installed_1 ) AND ( AV_WMI_Running_1 ) AND ( AV_WMI_UptoDate_1 ) AND ( ( Instr(LCase(AV_WMI_Name_1),"avg") >= 1 ) )

    Wednesday, April 7, 2010 1:43 AM

Answers

  • Are you stating that this worked okay until you applied the update, or has it never worked?


    • Marked as answer by Erez Benari Wednesday, April 14, 2010 12:29 AM
    Monday, April 12, 2010 10:58 AM

All replies

  • Use Web Monitor to look at the session endpoint details and you will be able to see which of the above parameters are coming up as false.

    You also want to review the script logic to see if you can provide a better method of defining "any antivirus" than the current one...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, April 8, 2010 9:49 AM
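The question asks for a script that detects WMI antivirus scanners, and the reply above suggests finding out which of the policy's parameters come up as false. The PowerShell script below is an added example, not code from this thread, from IAG or from its endpoint detection components: it reads the Windows Security Center WMI classes that a WMI-based antivirus check of this kind is assumed to rely on, reports Installed/Running/UptoDate for every registered product, and then applies the same "any antivirus" rule as the AV_WMI_* clause in the policy above. The productState decoding and the namespace names are assumptions, stated again in the comments.

```powershell
# Added example, not part of this thread or of IAG. Queries the Windows
# Security Center WMI classes and reports, per antivirus product, the same
# three facts an IAG AV_WMI_* clause tests: Installed, Running, UptoDate.
# Assumption: productState is decoded as 0xAABBCC with BB=0x10 meaning
# real-time protection on (0x11, "snoozed", is deliberately treated as not
# running) and CC=0x00 meaning definitions current; Microsoft does not
# document that field. Server SKUs have no Security Center, so both queries
# return nothing there and every check evaluates to False.

function Get-AvStatus {
    $results = @()

    # Windows Vista and later register products in root\SecurityCenter2.
    $modern = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                            -ErrorAction SilentlyContinue
    foreach ($p in $modern) {
        $state = '{0:X6}' -f [int]$p.productState        # e.g. 2514944 -> "266000"
        $results += New-Object PSObject -Property @{
            Name      = $p.displayName
            Installed = $true
            Running   = ($state.Substring(2, 2) -eq '10')  # real-time scanning on
            UptoDate  = ($state.Substring(4, 2) -eq '00')  # signatures current
            Source    = 'root\SecurityCenter2'
        }
    }

    # Windows XP SP2/SP3 use root\SecurityCenter with explicit boolean properties.
    $legacy = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct `
                            -ErrorAction SilentlyContinue
    foreach ($p in $legacy) {
        $results += New-Object PSObject -Property @{
            Name      = $p.displayName
            Installed = $true
            Running   = [bool]$p.onAccessScanningEnabled
            UptoDate  = [bool]$p.productUptoDate
            Source    = 'root\SecurityCenter'
        }
    }
    return $results
}

$av = @(Get-AvStatus)
if ($av.Count -eq 0) {
    Write-Output 'No antivirus product is registered with Security Center; every AV_WMI_* value would be False.'
} else {
    $av | Format-Table Name, Installed, Running, UptoDate, Source -AutoSize
    # Same rule as the AV_WMI_* clause: at least one product installed, running and current.
    $ok = @($av | Where-Object { $_.Installed -and $_.Running -and $_.UptoDate }).Count -gt 0
    Write-Output "Installed AND Running AND UptoDate for at least one product: $ok"
}
```

Running this on the client that fails the policy shows which of the three values is false for each product, which is the same information Web Monitor exposes in the session endpoint details.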