Based on a number of posts I've seen on this forum, along with having experienced it first hand, use of ESAP tends to be a bit tedious. I have been kicking around an idea of accomplishing some of the same goals, but without having to rely on it, and wanted to bounce it off this user group to see if this is viable.
I am looking to see if there is a way for us to query the state of the Windows Action Center/Windows Security Center. It seems Microsoft already provides us with the means to determine whether firewall and AV software is running on the machine by way of Windows Security Center and/or Action Center, so I am curious to see if there is a way to build a host checker policy to do nothing more than query those tools to determine compliance.
Granted this isn't as granular as the checks offered by ESAP, but it would be sufficient for some of my applications. Essentially, the main goal is to detect the presence of a running AV/firewall product without using ESAP. I am curious if this is possible.
Generally I'm not a fan of reviving old threads, but this seemed relevant.
I've loaded 8.0R1 on my test cluster. As I was going through the host checker policy I found an option for Statement of Health based evaluation, which seems in line with what I had envisioned earlier. IC specific references aside, I can't seem to find any documentation for this functionality on the IVE. Curious if anyone has seen it and gotten it to work.
We can click on the help section in the admin UI and search for "Health based".
You can use a process check to verify that the process is running.
There is nothing available, that I am aware of, that allows for querying the status of Security Center; but it may be possible that it is in the registry, or another option may be available within Host Checker custom checks.
I understand that you wanted to know the possibility of creating a policy to detect the presence of a running AV/firewall product without using ESAP in SA. Yes, this is possible. You can create a host checker policy based on a process and registry check. This will help you to detect the presence of the product and its associated process running.
Hope this clarifies your query.
Note: If I have answered your questions, you could mark this post as the accepted solution; that way it could help others as well. Kudos will be a bonus, thanks!
Thanks for the input.
I do realize that a rule can be written to check for a registry entry. With that said, I am curious to see if there is a way to do this specifically looking for the status of the Microsoft Action/Security Center. The goal is not merely to bypass ESAP, but to actually leverage Microsoft's Security Center/Action Center status to get compliance information. Again, I realize it won't be as granular, at least not in terms of determining the age of the virus definition file, or the last time a scan was performed, but to simply find out whether the machine has AV/firewall software running, I would think it should be sufficient. The key is to determine whether status information can somehow be extracted from the registry, or if there is another means of obtaining it without using ESAP.
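For reference on what Windows itself exposes, here is an added PowerShell example (not from this thread, and not Host Checker or ESAP configuration) that reads the AV and firewall registrations Security Center publishes through the root/SecurityCenter2 WMI namespace and reduces them to a simple compliance verdict. It assumes a Windows client SKU (that namespace is not present on Server editions), and the decoding of the productState value follows the commonly used community interpretation of its bit layout, which is not an official Microsoft contract; the function names and the compliance rule are this example's own choices. Whether Host Checker can consume such a result is exactly the open question in the thread; the script only shows that the status information is retrievable on the endpoint.

```powershell
# Added example: read Security Center (WSC) registrations and derive AV/firewall compliance.
# Assumptions: Windows client SKU; productState layout below is the community interpretation.

function ConvertFrom-WscProductState {
    # Interpret productState as three bytes 0xAABBCC (assumed, community-documented layout):
    #   BB (bits 8-15): product is enabled/on when bit 0x10 is set
    #   CC (bits 0-7):  definitions are current when 0x00, out of date when 0x10
    param([Parameter(Mandatory)][uint32]$ProductState)
    $stateByte = ($ProductState -shr 8) -band 0xFF
    $defByte   = $ProductState -band 0xFF
    [pscustomobject]@{
        Enabled       = (($stateByte -band 0x10) -ne 0)
        DefinitionsOk = ($defByte -eq 0)
        RawHex        = ('0x{0:X6}' -f $ProductState)
    }
}

function Get-WscRegisteredProducts {
    # Each class lists every product that registered with Security Center; the
    # built-in Windows Firewall may or may not appear under FirewallProduct,
    # which is why Get-WscSecurityStatus also consults the firewall profiles.
    param([Parameter(Mandatory)][ValidateSet('AntiVirusProduct','FirewallProduct')][string]$ClassName)
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $ClassName -ErrorAction Stop |
        ForEach-Object {
            $decoded = ConvertFrom-WscProductState -ProductState ([uint32]$_.productState)
            [pscustomobject]@{
                Kind          = $ClassName
                Name          = $_.displayName
                Enabled       = $decoded.Enabled
                DefinitionsOk = $decoded.DefinitionsOk
                ProductState  = $decoded.RawHex
            }
        }
}

function Get-WscSecurityStatus {
    # Verdict: at least one enabled AV product, and at least one enabled firewall
    # (third-party via WSC, or the built-in firewall enabled on every profile).
    $av = @(Get-WscRegisteredProducts -ClassName AntiVirusProduct)
    $fw = @(Get-WscRegisteredProducts -ClassName FirewallProduct)

    $builtInFirewallOn = $false
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        # Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later
        $profiles = Get-NetFirewallProfile
        $builtInFirewallOn = ($profiles | Where-Object { -not $_.Enabled }).Count -eq 0
    }

    $avOn = ($av | Where-Object Enabled).Count -gt 0
    $fwOn = $builtInFirewallOn -or (($fw | Where-Object Enabled).Count -gt 0)

    [pscustomobject]@{
        AntiVirusEnabled  = $avOn
        FirewallEnabled   = $fwOn
        Compliant         = ($avOn -and $fwOn)
        AntiVirusProducts = $av
        FirewallProducts  = $fw
    }
}

# Usage: print the verdict, then the per-product detail
$status = Get-WscSecurityStatus
$status | Select-Object AntiVirusEnabled, FirewallEnabled, Compliant | Format-List
$status.AntiVirusProducts + $status.FirewallProducts | Format-Table Kind, Name, Enabled, DefinitionsOk, ProductState
```

The script deliberately fails loudly (ErrorAction Stop) when the namespace is missing rather than reporting "no AV", since a silent empty result would look identical to a non-compliant host; if you wire something like this into a custom check, treat "could not query" as its own state rather than as a pass.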
I believe that checking the status of the software running is possible through a process and registry check; however, this needs to be tested. You can check this by making a test configuration in a test setup.
Not the answer I was hoping to find, but it does address my question. We have reached out to Microsoft for some ideas on this as well, but it sounds as if this may be a time to ping my account team with an enhancement request. Considering some of the feedback regarding ESAP, I think this would be well received.
Thanks for the info.
I'm sorry I had bad news to bear.
Which feedback are you referring to... that it has limitations?
It would be interesting to hear if Microsoft has feedback on how to check this information.