How do I know if my AV will work with NAP, same goes for my anti-spyware??

  • Question

  • So I have been reading everything I can on NAP with DHCP and creating and using SHV's to either grant or deny access to the network.

    Seems to me that certain details are missing. For instance, while I check to make sure that AV is installed and up to date, where do I configure NAP to look for my AV vendor? And regarding if the AV is up to date, McAfee releases daily DAT updates. Can I configure a threshold of say being out of compliance if it's more than three or five DATs behind?

    Regarding anti-spyware, we do not use a traditional anti-spyware application but rather an application white listing program that will deny anything being installed if it's not first added to a white list. This application also incorporates device control. We've found it tremendously more effective than the range of anti-spyware tools out there. Since this is our current anti-spyware solution, can I use NAP to make sure that this app is installed and running? Can I use NAP to check for the presence of the program's process running?

    Finally, relating to patch and update status, I find it comical that my patch management company, Shavlik is listed on the page of NAP partners, yet no one there knows anything about integration with NAP. What the heck MS?

    Can a NAP team member please get back to me on my concerns?

    Thanks,

    Michael P
    SDSU
    Wednesday, April 9, 2008 6:28 PM

Answers

  • Michael,

     

    Your AV vendor should provide you with their plug-ins to our NAP platform.  These plug-ins are called System Health Agent (SHA), and System Health Validator (SHV).  McAfee is still developing their SHA/V.  You should sync up with them to see when they could release a stable version. 

     

    Regarding your anti-spyware application, the same plug-ins (SHA/V) have to be present.  In this case, your institute will have to develop your own SHA/V pair to plug in to the NAP platform.  For developing SHA/V, you could use our sample code in the NAP SDK.  You may download the Windows SDK from http://www.microsoft.com/downloads/details.aspx?FamilyID=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en  We've also announced updates at this page: http://blogs.technet.com/nap/archive/2006/10/17/nap-sdk-updates-for-sha-v-developers.aspx  After your SHA/V pair is plugged in to the NAP platform, NAP could be configured to make sure that your app is running properly before granting appropriate access to the client machine.  Regarding checking for the presence of the programs or processes running, as long as there is a SHA/V pair that does the checking, NAP could be configured to facilitate the enforcement. 

     

    I just found an article about Shavlik's announcement about their integration with NAP.  Please see http://goliath.ecnext.com/coms2/summary_0199-487791_ITM.  They are definitely aware of their integration with NAP.  Please double check with them.

    Sunday, April 13, 2008 7:50 AM

All replies

  •  

    As an alternative (or addition) to each AV or AS vendor providing a specific SHV/SHA plug-in, the AV or AS vendor may choose to integrate their software in such a way as to provide their status directly to the Vista built-in Security Center.

     

    If they choose to do this, then the checks performed by the built-in Windows Security Health Validator on Windows Server 2008 can be used to validate the health of clients.

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, April 22, 2008 6:44 PM
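
To see whether an AV or anti-spyware product reports to Security Center, as the last reply describes, a client can be queried over WMI. This is an added example, not part of the thread or the NAP SDK. It assumes the `root\SecurityCenter2` namespace (Vista SP1 and later clients) and the commonly observed, undocumented `productState` bit layout; `Get-SecurityCenterProduct` is a hypothetical helper name.

```powershell
# Added example: list products registered with Windows Security Center.
# Run in Windows PowerShell on a NAP client. The productState decoding is a
# community-observed convention, not a documented contract: treat the
# Enabled/UpToDate columns as a hint and confirm in the Security Center UI.

function Get-SecurityCenterProduct {
    param(
        [ValidateSet('AntiVirusProduct', 'AntiSpywareProduct')]
        [string[]]$Class = @('AntiVirusProduct', 'AntiSpywareProduct')
    )
    foreach ($c in $Class) {
        # Get-WmiObject is used so this also runs on PowerShell 2.0 hosts.
        $items = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $c `
                               -ErrorAction SilentlyContinue
        if (-not $items) {
            # Nothing registered: the built-in validator has no status from
            # Security Center to evaluate for this product class.
            New-Object PSObject -Property @{
                Class = $c; Name = '(none registered)'
                Enabled = $null; UpToDate = $null; StateHex = $null
            }
            continue
        }
        foreach ($p in $items) {
            $state = [int]$p.productState
            New-Object PSObject -Property @{
                Class    = $c
                Name     = $p.displayName
                # Assumed layout: 0x1000 set = real-time protection on,
                # 0x10 set = signatures out of date.
                Enabled  = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)
                StateHex = ('0x{0:X6}' -f $state)
            }
        }
    }
}

Get-SecurityCenterProduct |
    Select-Object Class, Name, Enabled, UpToDate, StateHex |
    Format-Table -AutoSize
```

A product that shows up as "(none registered)" here, such as an application white listing tool, is invisible to the built-in validator and would need its own SHA/SHV pair as described in the answer.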