IAG Policy Detection error

  • Question

  • Hi All
    I have been using a custom detection policy which checks for whether an antivirus is installed in the client computer or not. If the firewall is not installed then that system won't be able to access the IAG portal. It was working fine till recently but now it's not working. I am guessing this is happening due to the new version of the antivirus installed in the client PCs. Is there any way that policy could be updated to enable it to detect the new version of the antivirus? I have already updated the IAG to service pack 2 update 1.

    Cheers
    Bill 
    Thursday, July 30, 2009 6:06 PM

Answers

All replies

  • Hi Bill,
    SP2 U1 does indeed include some changes to the way the policy works, and includes some fixes for modern AV products, namely Symantec SEP11 and others based on SecurityCenter 2. My blog talks a bit about this, and may help you:
    http://blogs.technet.com/ben/archive/2009/04/04/hunt-a-virus.aspx

    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Thursday, July 30, 2009 10:16 PM
    Thursday, July 30, 2009 10:16 PM
  • Hello Ben,

    The service pack 2 update 1 won't detect AVG 8.5 as the whale detection script is written for AVG antivirus 75XX. I tried to change it but it takes values from the registry to check the antivirus installed and compares it with the antivirus configured in the policy detection.xml, and if you change the value in the policy detection.xml then it won't detect it, as the whaledetection.vbs script has to be updated for it.

    Cheers
    Bill
    Friday, July 31, 2009 12:19 PM
  • Hi Bill,

    In addition to whaledetection.vbs, IAG also runs WMI detection from Windows Security Centre as an additional check now. If your AV in Security Centre is reported as detected then IAG will also report it being there. You can verify in WSC in the control panel of your Win XP/SP2 or Vista desktop; it should show the green light. Then check the session parameters on the IAG web monitor for any Anti-Virus or any WMI AV detection; that could explain what in the policy is not being reported. The article Ben pointed out has an answer to the problem you are reporting.

    thanks,
    Faisal
    Faisal :>
    Friday, July 31, 2009 8:17 PM
  • Hi Amigo. I used the following piece of code for a policy checking AVG 8.5 (the version of IAG was SP1 Update 5 but I guess it is gonna be very similar for SP2 Update 1).

    ( AV_WMI_Installed_1 ) AND ( AV_WMI_Running_1 ) AND ( AV_WMI_UptoDate_1 ) AND ( (Instr(LCase(AV_WMI_Name_1), "avg") >= 1) )

    As commented in the previous posts by other colleagues, the vbs script checks for every single detail of the applications being detected so, a change in the version can alter the variables, registry...that the detection checks. The WMI can be more accurate as the vendor of the antimalware registers itself in WMI namespace so just checking some entries in that namespace the software can be detected. Notice that there can be more than one antivirus installed and IAG reports three or four entries (AV_WMI_Installed_2, AV_WMI_Installed_3...) so it would be a good practice to extend the code above in a loop.

    Hope it helps

    Nice weekend 
    // Raúl - I love this game
    Saturday, August 1, 2009 12:42 PM
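The policy expression above only inspects slot 1 of the AV_WMI_* session parameters, while Raúl notes that IAG reports several slots when more than one product is installed. The following is an added illustration of that "extend it in a loop" idea, written in Python rather than IAG's own policy syntax; it is not code from IAG or from any poster. The session parameter values are constructed, and whether IAG exposes them as booleans or strings is an assumption handled by the `_truthy` helper.

```python
"""Loop-based evaluation of the AVG detection policy quoted above.

IAG exposes one set of WMI antivirus parameters per product it finds
(AV_WMI_Installed_1, AV_WMI_Installed_2, ...). The single-slot expression
in the post only looks at slot 1; the helpers below walk every slot.
"""

# Constructed sample of session parameters (assumed shape; real IAG session
# parameters may arrive as strings rather than booleans, hence _truthy).
SAMPLE_SESSION = {
    "AV_WMI_Installed_1": "True",
    "AV_WMI_Running_1": "True",
    "AV_WMI_UptoDate_1": "False",
    "AV_WMI_Name_1": "Windows Defender",
    "AV_WMI_Installed_2": True,
    "AV_WMI_Running_2": True,
    "AV_WMI_UptoDate_2": True,
    "AV_WMI_Name_2": "AVG Anti-Virus Free Edition 8.5",
}


def _truthy(value):
    """Treat booleans, 1/0 and the strings 'true'/'1'/'yes' as truth values."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def av_slots(params):
    """Yield (index, installed, running, uptodate, name) for each slot present."""
    n = 1
    while f"AV_WMI_Installed_{n}" in params:
        yield (
            n,
            _truthy(params.get(f"AV_WMI_Installed_{n}")),
            _truthy(params.get(f"AV_WMI_Running_{n}")),
            _truthy(params.get(f"AV_WMI_UptoDate_{n}")),
            str(params.get(f"AV_WMI_Name_{n}") or ""),
        )
        n += 1


def _vendor_match(name, vendors):
    """Case-insensitive substring test, mirroring Instr(LCase(name), "avg") >= 1."""
    name_l = name.lower()
    return any(v.lower() in name_l for v in vendors)


def slot_matches(slot, vendors):
    """Same four conditions as the single-slot policy, applied to one slot."""
    _, installed, running, uptodate, name = slot
    return installed and running and uptodate and _vendor_match(name, vendors)


def policy_passes(params, vendors=("avg",)):
    """True if any reported AV product satisfies the policy."""
    return any(slot_matches(s, vendors) for s in av_slots(params))


def slot_report(params, vendors=("avg",)):
    """Per-slot list of failed conditions, for comparing against the session
    parameters shown in the IAG web monitor when a client is unexpectedly denied."""
    report = {}
    for n, installed, running, uptodate, name in av_slots(params):
        checks = (
            ("installed", installed),
            ("running", running),
            ("uptodate", uptodate),
            ("vendor", _vendor_match(name, vendors)),
        )
        report[n] = (name, [label for label, ok in checks if not ok])
    return report


if __name__ == "__main__":
    print("policy passes:", policy_passes(SAMPLE_SESSION))
    for n, (name, failed) in slot_report(SAMPLE_SESSION).items():
        status = "OK" if not failed else "fails " + ", ".join(failed)
        print(f"slot {n}: {name!r} -> {status}")
```

Two points worth keeping in mind when porting this back into a policy: the substring test is as loose as the original `Instr` check (any product whose name contains "avg" will satisfy it), so tighten the vendor string if several products are deployed; and `slot_report` is the piece to reach for first when a client is denied, because it names which of installed/running/up-to-date/vendor failed for each slot instead of collapsing everything into one boolean.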
  • Thanks all,

    I will try this for avg 8.5 version and hope that this works.....

    More on this after I test the input given by you all.

    Cheers
    Bill
    Monday, August 3, 2009 1:10 PM
  • Hello All,

    Yesterday I was reading www.forefrontsecurity.org, in which it was stated that Microsoft has released the IAG service 2 update 2. In the post it was stated that it will take care of the error in the policy detection with regards to AVG. I tried to find the link from where I could download it but failed to do so.

    Is anybody aware of any link from where we can download the IAG SP2 update 2?

    Cheers
    Bill
    Tuesday, August 18, 2009 12:59 PM
  • Hi Bill, we were able to get the update from our OEM (Celestix).

    Best regards,
    Dennis G.
    Tuesday, September 1, 2009 9:49 PM