Host Checker False Positive

MichelleA_
Occasional Contributor

Host Checker False Positive

Are we the only company attempting to use Host Checker to check for an installed Antivirus product, within 5 def updates and a complete system scan within the last 30 days? We do the Host Checking on non corporate owned devices and use the full list of "supported" AntiVirus applications from Juniper. We've been warning our users for the last 30 days that eventually we will enforce the Host Checker - if it fails, they cannot access through the IVE. Since we have begun the warning message, we have had so many false reports from the Host Checker that we are starting to think that this product is not very good. I've confirmed the false positives by reviewing each non corporate device and Antivirus product to ensure the issue was not user error.

Our production boxes are SA4500 6.2R2 (build 13525) with ESAP 1.5.4

Our test (lab) box is SA4500 6.5R1 with ESAP 1.5.4

On our prod system we've had false reports on:

- Trend Micro PC-cillin 2006 (14.x)

- Norton v 360, 15.0.0.58, 15.5.0.23, 16.7.2.11, 17.0.0.1 (results vary for Vista, XP and 32 bit vs 64 bit)

- Avast 4.8 (free and purchased product)

- AVG 8.5 (free and purchased product)

- Avir

On our test system, some of the issues with Trend Micro have gone away, but the other AV products still fail.

I've got an open case with JTAC, but they have been too supportive. Definitely not taking any ownership of the issue.

Is anybody else using Host Checker to test for installed AV clients? Any luck with the solution? Is there a trick to making it work successfully?

Help!!

Thanks!

Rainer_
Occasional Contributor

Re: Host Checker False Positive

Hi,

We also use the Host Checker to check our installed Antivirus products.

We check for definition updates and depending on the remote device for a complete scan.

Both checks work fine. We use McAfee AntiVirus-products.

What do you mean exactly with false positive? Does your Host Checker report that the AntiVirus applications are not up to date?

Don't forget: it is possible that 5 definition updates are released in one day, and then the remote device may not be up to date.

It is also possible with Host Checker to trigger the AntiVirus-update if the signatures are not up to date.

Then the user could log on after a short update period.

Best regards,

MichelleA_
Occasional Contributor

Re: Host Checker False Positive

We are checking for every AntiVirus product supported by Juniper. I think if we focused on only a few AV products, like McAfee, we'd be fine. However, since these are non corporate devices we cannot easily tell our users what type of AV product they should purchase and install on their personal PCs.

An example of a false positive is when the Host Checker fails with the report that the AV product has not had a complete system scan within the last 30 days. I've confirmed the scan has been completed (even ran a few myself), rebooted, waited a few minutes and then tried the scan again. The Host Checker continues to report that the scan was not completed. I've confirmed the product is on the list of applications that can be checked for system scans.

Rainer_
Occasional Contributor

Re: Host Checker False Positive

Your Host Checker rule needs a successfully performed system scan.

Maybe the scan does not complete successfully because the scanner detects some suspicious items (cookies, unwanted programs like a network scanner...).

Tessian_
Frequent Contributor

Re: Host Checker False Positive

Have you tried only detecting whether they have "Any supported AV" instead of also checking for the definitions and scan run?

Just because the product is listed as being supported doesn't mean that every function of Host Checker is available for it. There are many products for which HC can only confirm whether it's installed but doesn't have definitions listed, and even more for which it can't check last scan times... but at the least, if they're on the Supported Products list it'll be able to tell it's there.

It's not as good as what you want to do, but it'll work. It all depends on whether or not the company to which Juniper outsourced the HC definition / scanning checks integrates with each product. Very hit or miss.

jssf_
Occasional Contributor

Re: Host Checker False Positive

For a shortlist of the best supported products, you should check for products with OESIS OK certification at http://www.oesisok.com

(Application lists at http://www.oesisok.com/application-lists)

The criteria for manageability certification (http://www.oesisok.com/program-info/certification-criteria.html) were created after consultation with Juniper about the most important features that need to be enabled. From the OESIS OK homepage you can also download the Am I OESIS OK application, which will analyze the installed security applications on your system and let you know if they are OESIS OK Certified.

The goal is to have applications that interoperate as best as possible with Juniper's products and reduce everyone's need for support time.

Happy to answer any questions you might have on this subject.

aweise_
Contributor

Re: Host Checker False Positive

I'm running into the same problem... SA4500 running 6.5R, using ESAP version 1.5.8.

On a company-issued laptop with Symantec Endpoint Protection, I have no problems. On my home PC running McAfee, HC tells me it doesn't meet the requirements with the following message:

"Reason: 'McAfee VirusScan 13.15.116 does not comply with policy. Compliance requires successful complete system scan.'"

That McAfee version is definitely supported, yet I still get rejected. I had it kick off the scan this morning, so I'll check it tonight. I'm the second user that this has happened with, as well. The first user got the "rejection", ran a scan, then was rejected again. Does the scan need to find absolutely nothing? I'm wondering if there is an issue where HC will reject you, even if the scan remediated the potential virus/cookie/etc.

What's even more strange is that the logs in the IVE say that the HC policy passed on my host about 10 minutes later.

cbarcellos_
Regular Contributor

Re: Host Checker False Positive

What does the debuglog.log show on the client side? What does the access log on the IVE show for the rejection reason? This would help troubleshoot the issue.

Once you're sure that the full system scan has been completed you should test HC and then look at those logs. If the AV shows that the system scan was completed, and HC still fails, you should open a JTAC case.