
ESAP alternative options.

SOLVED
-red-_
Frequent Contributor

Based on a number of posts I've seen on this forum, along with having experienced it first hand, use of ESAP tends to be a bit tedious. I have been kicking around an idea of accomplishing some of the same goals, but without having to rely on it, and wanted to bounce it off this user group to see if this is viable.

I am looking to see if there is a way for us to query the state of the Windows Action Center/Windows Security Center. It seems Microsoft already provides us with the means to determine whether firewall and AV software is running on the machine by way of Windows Security Center and/or Action Center, so I am curious to see if there is a way to build a host checker policy to do nothing more than query those tools to determine compliance.

Granted this isn't as granular as the checks offered by ESAP, but it would be sufficient for some of my applications. Essentially, the main goal is to detect the presence of a running AV/firewall product without using ESAP. I am curious if this is possible.

Regards,


1 ACCEPTED SOLUTION

Accepted Solutions
zanyterp_
Respected Contributor

Re: ESAP alternative options.

It is not something Juniper supports directly (meaning we have no information on how to do this); however, if that information from security center is posted into the registry, you can use that.

To answer the question if that information can be called directly without ESAP, no, it cannot be done. If you have a custom IMV/IMC configure running and have that configured, it may work; but JTAC only has information on setting up the connection to/from the IVE/MAG/SA appliance.
Does that answer what you are looking for?

-red-_
Frequent Contributor

Re: ESAP alternative options.

Generally I'm not a fan of reviving old threads, but this seemed relevant.

I've loaded 8.0R1 on my test cluster. As I was going through the host checker policy I found an option for Statement of Health based evaluation, which seems in line with what I had envisioned earlier. IC specific references aside, I can't seem to find any documentation for this functionality on the IVE. Curious if anyone has seen it and gotten it to work.

jayLaiz_
Super Contributor

Re: ESAP alternative options.

Hi,

We can click on the help section in the admin UI and search for "Health based".

Regards,

Jay

zanyterp_
Respected Contributor

Re: ESAP alternative options.

You can use a process check to verify that the process is running.

There is nothing available, that I am aware of, that allows for querying the status of Security Center; but it may be possible it is in the registry or another option available within Host Checker custom checks.

kalagesan_
Super Contributor

Re: ESAP alternative options.

Hi Red,

 

I understand that you wanted to know the possibility of creating a policy to detect the presence of a running AV/firewall product without using ESAP in SA. Yes, this is possible. You can create a Host Checker policy based on process and registry checks. This will help you to detect the presence of the product and its associated process running.

Hope this clarifies your query.

Note: If I have answered your questions, you could mark this post as the accepted solution; that way it could help others as well. A kudo would be a bonus, thanks!

Regards,
Kannan


-red-_
Frequent Contributor

Re: ESAP alternative options.

Thanks for the input.

I do realize that a rule can be written to check for a registry entry. With that said, I am curious to see if there is a way to do this specifically looking for the status of the Microsoft Action/Security Center. The goal is not merely to bypass ESAP, but to actually leverage Microsoft's Security Center/Action Center status to get compliance information. Again, I realize it won't be as granular, at least not in terms of determining the age of the virus definition file, or the last time a scan was performed, but to simply find out whether the machine has AV/firewall software running, I would think it should be sufficient. The key is to determine whether status information can somehow be extracted from the registry, or if there is another means of obtaining it without using ESAP.

Regards,
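As an added illustration of what the poster is asking about (this is not code from the thread, from Juniper, or from Microsoft): on Windows client editions the Security Center state is exposed through the WMI/CIM namespace root\SecurityCenter2, whose AntiVirusProduct and FirewallProduct classes carry a productState value per registered product. Microsoft does not document the productState layout; the byte meanings decoded below are the commonly observed ones and should be validated against your own image. The second function mirrors the result into a registry key so that a Host Checker registry check (which the thread confirms exists) can read it; the key path and value names are assumptions chosen for the example.

```powershell
# Added example, not from the thread: query Security Center via CIM and decode productState.
# root/SecurityCenter2 exists on client SKUs (Vista and later); it is absent on Server editions.
function Get-SecurityCenterStatus {
    [CmdletBinding()]
    param(
        [ValidateSet('AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct')]
        [string[]]$Class = @('AntiVirusProduct', 'FirewallProduct')
    )
    foreach ($c in $Class) {
        try {
            $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $c -ErrorAction Stop
        } catch {
            # Server SKUs or a broken WMI repository land here; report rather than fail silently.
            Write-Warning "Cannot read $c from root/SecurityCenter2: $($_.Exception.Message)"
            continue
        }
        foreach ($p in $products) {
            # productState is a 24-bit value, e.g. 0x061000 -> "061000".
            # Middle byte (commonly observed): "10" = real-time protection on, "00" = off.
            # Low byte (commonly observed):    "00" = definitions current, "10" = out of date.
            $hex       = '{0:X6}' -f [int]$p.productState
            $stateByte = $hex.Substring(2, 2)
            $defByte   = $hex.Substring(4, 2)
            [pscustomobject]@{
                Class        = $c
                Product      = $p.displayName
                ProductState = $hex
                Enabled      = ($stateByte -eq '10')
                UpToDate     = ($defByte -eq '00')
            }
        }
    }
}

# Assumed key/value names: a Host Checker registry check would be pointed at these.
function Write-HostCheckerMarker {
    param(
        [Parameter(Mandatory)][object[]]$Status,
        [string]$KeyPath = 'HKLM:\SOFTWARE\Contoso\HostCheck'   # placeholder vendor/key name
    )
    $avOk = @($Status | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled }).Count -gt 0
    $fwOk = @($Status | Where-Object { $_.Class -eq 'FirewallProduct'  -and $_.Enabled }).Count -gt 0
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'AVRunning'       -Value ([int]$avOk) -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'FirewallRunning' -Value ([int]$fwOk) -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'LastChecked'     -Value (Get-Date -Format 'o') -PropertyType String -Force | Out-Null
}

# Usage (run elevated so the HKLM write succeeds):
$status = Get-SecurityCenterStatus
$status | Format-Table -AutoSize
Write-HostCheckerMarker -Status $status
```

The marker written this way is self-reported by the endpoint, so it only tells Host Checker what a local script claims at the time it last ran; it does not verify definition age or scan history, which is the granularity the poster already accepts giving up, and it is only as trustworthy as the machine writing it. Treat it as a coarse presence check alongside the process and registry checks the other replies describe, not as a substitute for an agent-based or attested posture assessment.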

kalagesan_
Super Contributor

Re: ESAP alternative options.

Hi red,

 

I believe that checking the status of the software running is possible through process and registry checks; however, this needs to be tested. You can check this by making a test configuration in a test setup.


Regards,

Kannan

-red-_
Frequent Contributor

Re: ESAP alternative options.

Not the answer I was hoping to find, but it does address my question. We have reached out to Microsoft for some ideas on this as well, but it sounds as if this may be a time to ping my account team with an enhancement request. Considering some of the feedback regarding ESAP, I think this would be well received.
Thanks for the info.

zanyterp_
Respected Contributor

Re: ESAP alternative options.

I'm sorry I had bad news to bear.

Which feedback are you referring to... that it has limitations?

It would be interesting to hear if Microsoft has feedback on how to check this information.