Endpoint Compliance: Windows Update & AV

  • Question

  • Hi,

    Q1) Can UAG check for connecting clients' Patch Level status? Can it check if Microsoft Updates have been done in the past few weeks? (Without using NAP?)

    I found this for IAG: http://iag.elear.net/index.php/tag/endpoint-detection/ - isn't there an easier way of doing this?

    Q2) Can UAG check if 'Any antivirus is running AND has been updated in the past few weeks'?

    Q3) the obvious question follows here, if the above is true, how do we actually do it ;-)

    Thanks

    Wednesday, April 21, 2010 7:40 AM

Answers

  • Correct! Though you're missing a character:

    (DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<8)

    • Marked as answer by Erez Benari Tuesday, April 27, 2010 11:43 PM
    Friday, April 23, 2010 1:45 PM

All replies

  • A1: Not without custom scripts like you found. I think you already know that NAP is probably the best option ;)

    A2: Yes, the AV checks usually support different Installed and Updated assessments.

    A3: You should be able to build most of what you need using the GUI, but you may need to convert the policy to a script for more advanced needs. The script uses UAG endpoint variables combined with standard boolean logic.

    Here is an example script, but there should be some good tutorials around for IAG and the process is very similar for UAG.

    ( (  (  (  ( AV_VendorX_Installed AND AV_VendorX_Running )  AND (  CDbl(Left(AV_VendorX_Version_Product,3))>=8 )  AND  ( DateDiff("d",AV_VendorX_LastUpdate,Now)<=7 OR AV_VendorX_UptoDate )  )  )  AND  (  (  ( PFW_2K3_Running )  ) OR  (  ( PFW_Vista_Running )  ) OR  (  ( PFW_XPSP2_Running )  ) OR  (  ( PFW_Win7_Running )  )  )  ) AND (Network_Domains_NetBIOS = "CONTOSO") )

    This script looks for a particular AV vendor, checks it is installed and running, checks it is at least version 8, checks it was updated within the last 7 days, checks for the use of Windows Firewall across various client OS, and checks for a NETBIOS domain name setting.

    This hopefully shows you the approach, but the scripts tend to be very environmental and need your own design input :)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 21, 2010 8:24 AM
    Moderator
  • OK...so

    Q1 - The NAP solution will only work for people with the NAP Agent running though.

    Q2 - From what I can see this method will work per AV Vendor...so we'd need to stipulate all vendors (using whatever Vendor variable UAG understands)

    Pity there isn't a way to check for: "Is ANY AV Running AND is it up-to-date"

    Thanks for your continuous feedback :-)


    Wednesday, April 21, 2010 8:37 AM
  • There is, I just gave a specific example for VendorX ;)

    You also have 'Any Antivirus' and 'Any WMI Antivirus' expressions if these better suit your needs...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 21, 2010 8:44 AM
    Moderator
  • I saw the 'Any antivirus' but how do you check if 'any antivirus' is up to date?

    Would this work?

     (  ( Any_antivirus_Installed AND Any_antivirus_Running )  AND  ( DateDiff ("d",Any_antivirus_LastUpdate,Now)<=7))

    Or is this the only way to check (and even this is limited):

    Any_WMI_Anti_Virus or (AV_Norton_Installed And AV_Norton_Running And (DateDiff("d",AV_Norton_LastUpdate,Now)<8 OR AV_Norton_UptoDate) ) or (AV_McAfee_Installed And AV_McAfee_Running And (DateDiff("d",AV_McAfee_LastUpdate,Now)<8 OR AV_McAfee_UptoDate) ) or (AV_McAfeeVirusScanASAP_Installed And AV_McAfeeVirusScanASAP_Running And (DateDiff("d",AV_McAfeeVirusScanASAP_LastUpdate,Now)<8 OR AV_McAfeeVirusScanASAP_UptoDate) ) or (AV_OfficeScan_Installed And AV_OfficeScan_Running And (DateDiff("d",AV_OfficeScan_LastUpdate,Now)<8 OR AV_OfficeScan_UptoDate) ) or (AV_PCCillin_Installed And AV_PCCillin_Running And (DateDiff("d",AV_PCCillin_LastUpdate,Now)<8 OR AV_PCCillin_UptoDate) ) or (AV_Sophos_Installed And AV_Sophos_Running And (DateDiff("d",AV_Sophos_LastUpdate,Now)<8 OR AV_Sophos_UptoDate) ) or (AV_eTrust_Installed And AV_eTrust_Running And (DateDiff("d",AV_eTrust_LastUpdate,Now)<8 OR AV_eTrust_UptoDate) ) or (AV_CA_SCM_Installed And AV_CA_SCM_Running ) or (AV_TMServerProtect_Installed And AV_TMServerProtect_Running And (DateDiff("d",AV_TMServerProtect_LastUpdate,Now)<8 OR AV_TMServerProtect_UptoDate) ) or (AV_CommandAuthentium_Installed And AV_CommandAuthentium_Running And (DateDiff("d",AV_CommandAuthentium_LastUpdate,Now)<8 OR AV_CommandAuthentium_UptoDate) ) or (AV_CoxAuthentium_Installed And AV_CoxAuthentium_Running And (DateDiff("d",AV_CoxAuthentium_LastUpdate,Now)<8 OR AV_CoxAuthentium_UptoDate) ) or (AV_ZoneAlarm_Installed And AV_ZoneAlarm_Running And (DateDiff("d",AV_ZoneAlarm_LastUpdate,Now)<8 OR AV_ZoneAlarm_UptoDate) ) or (AV_VComSS_Installed And (DateDiff("d",AV_VComSS_LastUpdate,Now)<8 OR AV_VComSS_UptoDate) ) or (AV_FProt_Installed And AV_FProt_Running And (DateDiff("d",AV_FProt_LastUpdate,Now)<8 OR AV_FProt_UptoDate) ) or (AV_HBEDVAntiVir_Installed And AV_HBEDVAntiVir_Running And (DateDiff("d",AV_HBEDVAntiVir_LastUpdate,Now)<8 OR AV_HBEDVAntiVir_UptoDate) ) or (AV_NOD32_Installed And AV_NOD32_Running And (DateDiff("d",AV_NOD32_LastUpdate,Now)<8 OR AV_NOD32_UptoDate) ) or (AV_AVG_Installed And AV_AVG_Running And (DateDiff("d",AV_AVG_LastUpdate,Now)<8 OR AV_AVG_UptoDate) ) or (AV_FSecure_Installed And AV_FSecure_Running And (DateDiff("d",AV_FSecure_LastUpdate,Now)<8 OR AV_FSecure_UptoDate) ) or ((AV_MSOneCare_Installed And AV_MSOneCare_Running And (DateDiff("d",AV_MSOneCare_LastUpdate,Now)<8 OR AV_MSOneCare_UptoDate) And (not (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_MSOneCare_Installed And AV_MSOneCare_Running And (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_McAfeeTotalProtection_Installed And AV_McAfeeTotalProtection_Running And (DateDiff("d",AV_McAfeeTotalProtection_LastUpdate,Now)<8 OR AV_McAfeeTotalProtection_UptoDate) ) or (AV_PandaCS_Installed And AV_PandaCS_Running And (DateDiff("d",AV_PandaCS_LastUpdate,Now)<8 OR AV_PandaCS_UptoDate) ) or ((AV_MSForefront_Installed And AV_MSForefront_Running And (DateDiff("d",AV_MSForefront_LastUpdate,Now)<8 OR AV_MSForefront_UptoDate) And (not (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_MSForefront_Installed And AV_MSForefront_Running And (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_Norton360_Installed And AV_Norton360_Running And (DateDiff("d",AV_Norton360_LastUpdate,Now)<8 OR AV_Norton360_UptoDate) ) or (AV_eTrustITM_Installed And AV_eTrustITM_Running And (DateDiff("d",AV_eTrustITM_LastUpdate,Now)<8 OR AV_eTrustITM_UptoDate) ) or (AV_Kaspersky_Installed And AV_Kaspersky_Running And (DateDiff("d",AV_Kaspersky_LastUpdate,Now)<8 OR AV_Kaspersky_UptoDate) ) or (AV_BitDefender_Installed And AV_BitDefender_Running And (DateDiff("d",AV_BitDefender_LastUpdate,Now)<8 OR AV_BitDefender_UptoDate) ) or (AV_SymantecEndpointProtection_Installed And AV_SymantecEndpointProtection_Running And (DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<8 OR AV_SymantecEndpointProtection_UptoDate) ) or (AV_TrendMicroInternetSecurity_Installed And AV_TrendMicroInternetSecurity_Running And (DateDiff("d",AV_TrendMicroInternetSecurity_LastUpdate,Now)<8 OR AV_TrendMicroInternetSecurity_UptoDate) )


    Wednesday, April 21, 2010 9:02 AM
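    Every vendor clause in the long expression above, and Jason's VendorX script earlier in the thread, reduce to one pattern: Installed AND Running AND (signatures refreshed inside the day window OR the product reports itself UptoDate), OR-ed across vendors, then AND-ed with the firewall and NetBIOS-domain checks. The Python below is an added model of that evaluation written for this page; it is not UAG code and does not run on an endpoint. The variable names mirror the UAG endpoint variables quoted in the thread; the endpoint snapshots, the fixed evaluation time and the rule that an unset variable counts as false are constructed assumptions for the example.

```python
"""Added model of a UAG endpoint-detection expression (not UAG code).

Variable names mirror the UAG endpoint variables quoted in the thread
(AV_<Vendor>_Installed/_Running/_LastUpdate/_UptoDate/_Version_Product,
PFW_<OS>_Running, Network_Domains_NetBIOS). The endpoint snapshots, the
fixed NOW and the rule "an unset variable is false" are constructed
assumptions for this example.
"""
from datetime import datetime

SIGNATURE_WINDOW_DAYS = 8   # the thread's DateDiff("d", LastUpdate, Now) < 8
VENDORS = ("Norton", "McAfee", "Sophos", "SymantecEndpointProtection")
FIREWALL_VARS = ("PFW_2K3_Running", "PFW_Vista_Running",
                 "PFW_XPSP2_Running", "PFW_Win7_Running")
NOW = datetime(2010, 4, 21, 9, 0)  # constructed evaluation time


def date_diff_days(last_update, now):
    """Emulate VBScript DateDiff("d", d1, d2): whole calendar days from d1 to d2."""
    return (now.date() - last_update.date()).days


def vendor_compliant(ep, vendor, now, min_major=None):
    """One vendor clause from the thread:
    Installed AND Running AND [version >= min_major] AND (fresh OR UptoDate)."""
    p = f"AV_{vendor}_"
    if not (ep.get(p + "Installed") and ep.get(p + "Running")):
        return False
    if min_major is not None:
        # CDbl(Left(Version_Product, 3)) >= min_major; a non-numeric prefix fails closed
        try:
            if float(ep.get(p + "Version_Product", "")[:3]) < min_major:
                return False
        except ValueError:
            return False
    last = ep.get(p + "LastUpdate")
    fresh = last is not None and date_diff_days(last, now) < SIGNATURE_WINDOW_DAYS
    return fresh or bool(ep.get(p + "UptoDate"))


def any_vendor_compliant(ep, now, vendors=VENDORS):
    """The long OR chain from the thread: at least one vendor clause must hold."""
    return any(vendor_compliant(ep, v, now) for v in vendors)


def firewall_running(ep):
    """Windows Firewall running on whichever client OS the endpoint reports."""
    return any(ep.get(v) for v in FIREWALL_VARS)


def policy(ep, now=NOW, domain="CONTOSO"):
    """Overall shape of Jason's script: AV clause AND firewall clause AND domain match."""
    return (any_vendor_compliant(ep, now)
            and firewall_running(ep)
            and ep.get("Network_Domains_NetBIOS") == domain)


# Constructed endpoint snapshots standing in for what UAG detection would populate.
SAMPLE_ENDPOINTS = {
    # SEP signatures 6 days old, firewall up, right domain -> compliant
    "sep_fresh": {
        "AV_SymantecEndpointProtection_Installed": True,
        "AV_SymantecEndpointProtection_Running": True,
        "AV_SymantecEndpointProtection_LastUpdate": datetime(2010, 4, 15, 3, 0),
        "PFW_Win7_Running": True,
        "Network_Domains_NetBIOS": "CONTOSO",
    },
    # exactly 8 calendar days old and no UptoDate flag -> fails the "< 8" test
    "sep_stale_8_days": {
        "AV_SymantecEndpointProtection_Installed": True,
        "AV_SymantecEndpointProtection_Running": True,
        "AV_SymantecEndpointProtection_LastUpdate": datetime(2010, 4, 13, 23, 59),
        "PFW_Win7_Running": True,
        "Network_Domains_NetBIOS": "CONTOSO",
    },
    # stale date but the vendor reports UptoDate -> the OR branch accepts it
    "sophos_uptodate_flag": {
        "AV_Sophos_Installed": True,
        "AV_Sophos_Running": True,
        "AV_Sophos_LastUpdate": datetime(2010, 3, 1),
        "AV_Sophos_UptoDate": True,
        "PFW_XPSP2_Running": True,
        "Network_Domains_NetBIOS": "CONTOSO",
    },
    # AV fine but no PFW_* variable set -> fails the firewall clause
    "mcafee_no_firewall": {
        "AV_McAfee_Installed": True,
        "AV_McAfee_Running": True,
        "AV_McAfee_LastUpdate": datetime(2010, 4, 20),
        "Network_Domains_NetBIOS": "CONTOSO",
    },
    # installed but the service is stopped -> Installed alone is not enough
    "norton_not_running": {
        "AV_Norton_Installed": True,
        "AV_Norton_Running": False,
        "AV_Norton_LastUpdate": datetime(2010, 4, 20),
        "PFW_Vista_Running": True,
        "Network_Domains_NetBIOS": "CONTOSO",
    },
}


def evaluate_samples():
    """Evaluate the policy for every snapshot; returns {name: compliant?}."""
    return {name: policy(ep) for name, ep in SAMPLE_ENDPOINTS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY'}")
```

    Two points the model makes visible: DateDiff("d") counts calendar days, so the thread's `<8` and `<=7` are the same test, and a signature set refreshed exactly eight days earlier fails unless the product also reports UptoDate; and the OR with UptoDate is what keeps a vendor with its own freshness flag from being rejected by a coarse day count, which is also why the vendor-agnostic AV_WMI_UpToDate variable discussed below is attractive.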
  • The 'Any WMI Antivirus' and its associated 'UpToDate' expression query the Windows Security Center for its values.  Essentially if Windows thinks AV is installed and up to date, so will IAG/UAG.  Hope that makes sense.

    This is probably the simplest option as long as it fits with your security policies and what you are trying to accomplish.

    Wednesday, April 21, 2010 12:53 PM
  • Ah, I see these settings in UAG:

    AV_WMI_Installed, AV_WMI_Running, AV_WMI_UpToDate

    will try them, but if you say it checks Security Centre, then this should do the trick :-)

    Thanks

    Wednesday, April 21, 2010 1:18 PM
  • You can access it through the Policy GUI, or:

    (AV_WMI_Installed_1 AND AV_WMI_Running_1 AND AV_WMI_UptoDate_1)

    Wednesday, April 21, 2010 1:22 PM
  • So the Microsoft Update script as found on http://iag.elear.net/index.php/tag/endpoint-detection/

    How do I import this into UAG? Must I create a new Expression and paste the code in, then create a new Access Policy?

    This needs to run against both non-domain joined machines and domain joined.

    Wednesday, April 21, 2010 2:57 PM
  • http://www.ssl-vpn.de/wiki/(S(xsb1s3b522zo1z3bgpxadimj))/Default.aspx?Page=Custom%20endpoint%20detection%20scripts&AspxAutoDetectCookieSupport=1

    Between that site and the one you've found you should be able to create your custom detection script.

    Scripts will run against all computers accessing a trunk, as long as they have the client components installed (regardless of domain/non-domain).

    Wednesday, April 21, 2010 3:13 PM
  • ok...back to the dev table then...thanks
    Wednesday, April 21, 2010 5:29 PM
  • So if we look at this:

    (DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<8

    Does this mean Symantec Updates occurred less than 8 days ago?

    Friday, April 23, 2010 1:42 PM
  • The link pointed to in the original question has changed to:

    http://tech.familyofgoldsteins.com/?p=10



    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    Tuesday, March 22, 2011 7:31 PM