HC Changes upgrading 6.0 to 6.3

SOLVED
Contributor

HC Changes upgrading 6.0 to 6.3

I was prepared to fix HostCheck config issues after the upgrade due to the change from Sygate to Opswat for endpoint enforcement. I fixed the Optional: Virus Definition not older than 1 day, and reset to 10. This is much shorter than the old rule, so some users failed the new check even with 10.

My question is what else needs to be set for the Auto-Remediation of a supported AV? What I did is:

1. Require Specific Products (Which are supported)

2. Checked Optional: Virus Definition not older than 10 days.

3. Checked Optional: Monitor this rule for change in result.

I assumed that #3 must be checked, so that an updated AV would then be reclassified as passing the AV check. Is that what this does?

4. Checked "Download latest virus definition files"

At the policy level, I did the following:

5. UNChecked "Enable Custom Instructions"

I assumed this was not necessary since virus definition remediation was automatic.

6. Checked "Send Reason Strings" so the user knows there's an issue.

Do I need to check #3 and is unchecking #5 OK? This is a tricky thing to test. Wishlist: some kind of host check test mode setting.

A/P SA-4000 IVE 6.3.4

SA-4500 IVE 6.3.4

Lab SA-2000 IVE 6.3.4

Accepted Solutions
Regular Contributor

Re: HC Changes upgrading 6.0 to 6.3

"Do I need to check #3?" --- No, this setting is optional and should not influence Auto-Remediation.

is unchecking #5 OK? --- Yes this should be ok.

For 'auto-remediation of downloading latest virus definition' to function correctly one caveat is that the "Perform Check Every - XX minutes" should be a non-zero value.

Also make sure:

1. The AV you are testing with is supported for Auto-Remediation functionality.

2. Under Remediation you have checked the option "Download latest Virus definition Files"

Contributor

Re: HC Changes upgrading 6.0 to 6.3

Biggest HostCheck AV issue is that the new Opswat checker wants a newer McAfee virus scan engine. Users with an older engine are failing, and the upgrade requires a SuperDat engine upgrade instead of a regular dat install.

I think I'll need a "custom" remediation mechanism for this.

Contributor

Re: HC Changes upgrading 6.0 to 6.3

Ooh, I missed the perform check every xx minutes. I had this at zero. What's a reasonable value for this (assuming that I had it set to zero before)? How does this influence the remediation process?

Also, this updates the signature files only... No engine updates? McAfee has something they call a SuperDAT that does both.

-=Dan=-

Regular Contributor

Re: HC Changes upgrading 6.0 to 6.3

"I missed the perform check every xx minutes. I had this at zero. What's a reasonable value for this (assuming that I had it set to zero before)? How does this influence the remediation process?"

---- When this value is set to zero it means HC will do its checks only once (pre or post auth as configured) and then exit. Though this setting should not influence remediation activities, unfortunately there is a limitation currently and it does. When this value is set to zero, HC exits after the checks are done and this causes any unfinished remediation activity to terminate. So an activity like downloading virus defn files, which may take longer than displaying a remediation message, will also terminate abruptly.

"What's a reasonable value for this (assuming that I had it set to zero before)."

---- Ok if you had it set to zero before I assume you don't want the checks to be repeated frequently during the same user session (which makes sense when checking for stuff like Virus Definition, etc). In that case set this value to a value comparable to your max session timeout (configured under roles). This will ensure that the HC checks don't get repeated frequently.

"this updates the signature files only... No engine updates?"

----- I think it applies to signature files only. What it does is it just invokes the update mechanism of the AV solution. So what gets updated will depend on the AV solution I guess.

Hope it helps!
