In the case of CA it might be needed to check for both, but that can be done in 2 checks too, don't you think?
 
As for the check of the engine/software version, that could be done.  BUT a lot of the AV makers don't list a valid version number of the signature versions, and for the engine/software version it's even worse.  We could do it for the few ones that have it listed, but I can assure you it's really not many... (1 or 2 maybe)
 

Dirk Bulinckx.

 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Michael Shook
Sent: Wednesday, August 16, 2006 3:31 PM
To: Servers Alive Discussion List
Subject: RE: [SA-list] Anti-virus signature checker

I'll send you what I see, because yes, it differs.
 
As for the checks, what I mean is, CA recommends using the InnoculateIT engine for realtime scanning and using the VET engine for the local scanner (full or file scans), or vice versa.
 
So, most people will need to know that BOTH sig files are up to date.
 
My other question then was (and this would apply for all AV software packages), should we be checking the version of the software itself? If so, how?
 
Michael D. Shook
Technical Analyst
Saddle Creek Corporation
Michael.Shook@saddlecrk.com
863 668 4477 (work)
863 860 4070 (cell)
863 665 1261 (fax)
www.saddlecrk.com
 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
Sent: Wednesday, August 16, 2006 8:41 AM
To: Servers Alive Discussion List
Subject: RE: [SA-list] Anti-virus signature checker

Not sure I understand.
 
When you enable the "local system must have AV product installed" option, then it will give an UP if the version on the web and on the local system are the same.  If the versions are different then it will show both versions (and give a down), if it can not find the local version it will give a down and tell what the webversion is (and say it can't find the local version).
When the option is disabled (not checked - and this is the default), then it will simply give the version that is on the web (as a number without extra text).
 
 
Are you seeing a different behaviour?
If so, please send me (offlist) a screenshot of how it's configured and one that also shows the "output" in the "response column" of the main interface of SA.
 
 
About the engine, do you mean that it should do both within the same check or have 2 entries for it (one for the AV signature version and one for the AV engine version)?
 

Dirk Bulinckx.
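
The check behaviour described in this thread (UP when web and local versions match, DOWN showing both versions when they differ, DOWN when the local version cannot be found, and both CA signature sets needing to be current), as an added Python example that is not part of the original messages or of the Servers Alive code. Function names, engine keys and version strings are constructed for illustration; reporting UP when the option is disabled is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigResult:
    status: str   # "UP" or "DOWN"
    message: str  # text for the response column / %e parameter


def check_signature(web: str, local: Optional[str], require_local: bool) -> SigResult:
    """Evaluate one signature set against the version published on the web."""
    if not require_local:
        # Option disabled (the default): report the web version only, no extra
        # text. Treating this as UP is an assumption of this example.
        return SigResult("UP", web)
    if local is None:
        # Option enabled and no local version found: fail closed.
        return SigResult("DOWN", f"web version {web}, local version not found")
    if local.strip() == web.strip():
        return SigResult("UP", web)
    return SigResult("DOWN", f"web version {web}, local version {local}")


def check_product(web_versions: dict, local_versions: dict,
                  require_local: bool = True) -> SigResult:
    """Aggregate several signature sets (e.g. two scan engines): DOWN if any is DOWN."""
    results = {name: check_signature(web, local_versions.get(name), require_local)
               for name, web in web_versions.items()}
    failed = [f"{n}: {r.message}" for n, r in results.items() if r.status == "DOWN"]
    if failed:
        return SigResult("DOWN", "; ".join(failed))
    return SigResult("UP", "; ".join(f"{n}: {r.message}" for n, r in results.items()))


# Constructed sample data: engine keys and version strings are made up.
WEB = {"vet": "30.3.3015", "inoculateit": "23.73.12"}
LOCAL_STALE = {"vet": "30.3.3015", "inoculateit": "23.73.10"}
LOCAL_MISSING = {"vet": "30.3.3015"}

if __name__ == "__main__":
    for local in (WEB, LOCAL_STALE, LOCAL_MISSING):
        print(check_product(WEB, local))
```
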

 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Michael Shook
Sent: Wednesday, August 16, 2006 2:26 PM
To: Servers Alive Discussion List
Subject: RE: [SA-list] Anti-virus signature checker

Ok, here's what I have:
CA eTrust
 
With the check looking for the software, it doesn't find the local info
With the check NOT looking for the software, it does find the info.
 
Also, since CA best practices call for the real time scan to use one engine and the full files scan to use the other engine, the check really needs to examine both signature files.
 
Also, shouldn't we be examining the engine version as well?
 
Great work!!!!!
 
Michael D. Shook
Technical Analyst
Saddle Creek Corporation
Michael.Shook@saddlecrk.com
863 668 4477 (work)
863 860 4070 (cell)
863 665 1261 (fax)
www.saddlecrk.com
 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
Sent: Wednesday, August 16, 2006 5:51 AM
To: Servers Alive Discussion List
Subject: RE: [SA-list] Anti-virus signature checker

Change was done.
There is an option in the GUI, where you can say "Local system must have AV product installed".  If that is enabled then it will give a down when the AV is not installed (the %e parameter will include the version from the web), with this option disabled (default) the %e parameter will only show the webserver (without any other text).
 
As for the McAfee version issue, that's also fixed in build 7 which can be downloaded from http://beta.woodstone.nu/soft/setup_avcom.exe
 
 
 

Dirk Bulinckx.

 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
Sent: Wednesday, August 16, 2006 11:26 AM
To: Servers Alive Discussion List
Subject: RE: [SA-list] Anti-virus signature checker

People will also use it, just to get the latest info.
Maybe I should add an option in the GUI for it.  That way the message (%e parameter) can also be different.
 
As for the version thing with McAfee....I'll remove the first digit from the web-version before doing the compare.
 
 
 
 
 

Dirk Bulinckx.

 


From: Servers Alive Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 16, 2006 9:57 AM
To: Servers Alive Discussion List
Subject: Re: [SA-list] Anti-virus signature checker


*Very* cool Dirk. One immediate problem, when I try it with McAfee: it finds version 4830 on the web, but version 830 on the machine (i.e. it's losing the initial digit).

What's the logic of giving an "up" if there's nothing in the registry? I would have thought that nothing in the reg implies that AV isn't installed, which would be a *bad* thing.

Ian


_________________________________
Ian K Gray
OEL IS - European Infrastructure Support
Tel: +44 1236 502661
Mob: +44 7881 518854



"Dirk Bulinckx" <[EMAIL PROTECTED]>
Sent by: Servers Alive Discussion List <salive@woodstone.nu>
Date: 15/08/2006 17:50
Please respond to: Servers Alive Discussion List <salive@woodstone.nu>
To: Servers Alive Discussion List <salive@woodstone.nu>
cc:
Subject: [SA-list] Anti-virus signature checker





A while ago (June) there were some talks about a COM check that would see if
your anti-virus product was up-to-date or not.

We have a little COM check that is already able to do a little.
    * Aladdin eSafe:
        get the version number from the internet (if they change the look of their website we have a problem)

    * Symantec AV:
        get the version number from the internet (if they change the look of their website we have a problem)

    * CA eTrust (both for the VET and the Innoculate engine)
        get the version number from a TXT file they have on the internet

    * McAfee (NAI)
        get the version number from an INI file they have on the internet
        compare that to the version that is in the registry of the system running SA.
            * versions are the same gives an up
            * versions are different gives a down
            * nothing in the registry gives an up too

All of them (except for CA eTrust which uses FTP) are using the HTTP
protocol to get the info from the internet.  This is via a direct connection
(NO proxy support!)


This is a FIRST version.  We would like to extend the possibilities to more
AV products (internet part) and also the local part (get the version numbers
on the local system too).
So if you have info on where we can find the info (internet & local) for a
specific product, then please let us know so we can extend/enhance this
check.


You can download it from http://beta.woodstone.nu/soft/setup_avcom.exe

               

Dirk Bulinckx.

To unsubscribe send a message with UNSUBSCRIBE as subject to salive@woodstone.nu
If you use auto-responders (like out-of-the-office messages), then make sure that they are not send to the list nor to the individual members of the list that send a message.  Doing this will get you removed from the list.




--------------------------------------
The information contained in this message is intended only for the use of the addressee. If the reader of this message is not the intended recipient or agent of the intended recipient, you are hereby notified that any dissemination, distribution, or copying of the message is strictly prohibited.
