Host Checker and AV sigs

pbh.mpc_
Not applicable

We're in the process of moving from a legacy VPN client to Netconnect. As use increases, I'm seeing an influx of Host Checker denies based on virus definitions detects. I've been considering this an artifact of increased usage from a platform that didn't do posture assessment and issues with the client system's AV update process. However, we recently experienced a short period where the support team's laptops were failing this very test. This has shaken my confidence in the environment.

There doesn't seem to be any way to see what exactly the current OESIS file loaded on the device says. And consequently, I can't quantify what Host Checker is looking for on the client system. Am I missing something? Is there a better information source / tool out there that lets me better quantify the environment / check being performed? Does anyone have hints and tips on troubleshooting these situations?

On a related note - I found this on one client log:

00185,09 xx/xx/xx xx:xx:xx.954 1 xx dsHostChecker.exe EPCheck.dll p2104 t158 DSUpdateVerify.cpp:173 - 'DSUpdateVerify::IsAvUpdateLatest' No XML received; unable to determine if AV is latest

Anyone ever see that before?

jayLaiz_
Super Contributor

Re: Host Checker and AV sigs

Hi,

Host Checker is checking that the virus definition files on the client PC are not older than the number of updates configured under "Virus definition files should not be older than ------ updates". You can set this value higher, i.e. a maximum of 10, so that even if clients are a few updates behind, they are allowed.

The SA downloads an XML file from https://download.juniper.net/software/av/uac/epupdate_hist.xml to update the virus signatures, and refreshes the XML file every 30 minutes by default.

Please make sure that the XML file on the SA is updated, check whether you notice any error in the event logs about not being able to download the XML file, and make sure download.juniper.net is resolvable by DNS and reachable from the internal port of the SA.

Under remediation there is a checkbox for "Download latest virus definition files"; you can check that so that the SA will force users to download the latest virus definition files in case they are behind on the updates.

Regards,

jay
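To make the "not older than N updates" rule and the "No XML received" failure mode concrete, here is an added example (not Host Checker's own code, and not from the original post). The XML shape below is a constructed stand-in: the real schema of epupdate_hist.xml is not shown on this page, so the element and attribute names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the per-product update history the SA pulls from
# epupdate_hist.xml. Newest release first. The real file's schema is not on
# the page; this layout is an assumption used only for the illustration.
SAMPLE_HISTORY_XML = """<history product="ExampleAV">
  <update version="2024.05.10.1"/>
  <update version="2024.05.09.1"/>
  <update version="2024.05.08.2"/>
  <update version="2024.05.08.1"/>
  <update version="2024.05.07.1"/>
</history>"""


def parse_history(xml_text):
    """Return definition versions newest-first, or None when there is no
    usable XML. None is the client-side equivalent of the log line
    'No XML received; unable to determine if AV is latest': an empty,
    missing or corrupt history file gives the check nothing to compare."""
    if not xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    versions = [u.get("version") for u in root.iter("update") if u.get("version")]
    return versions or None


def av_update_status(client_version, xml_text, max_updates_behind):
    """Mimic the 'virus definition files should not be older than N updates'
    rule. Returns 'pass', 'fail' or 'unknown' (unknown = no usable XML, which
    is a server-side delivery problem to fix, not a stale client)."""
    versions = parse_history(xml_text)
    if versions is None:
        return "unknown"
    try:
        behind = versions.index(client_version)   # 0 means the latest release
    except ValueError:
        return "fail"   # version not in the history window: treat as too old
    return "pass" if behind <= max_updates_behind else "fail"
```

When troubleshooting, an "unknown" result for many clients at once points at the SA's copy of the XML (download failures, DNS, a corrupt stored file) rather than at the clients' AV update process.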

zanyterp_
Respected Contributor

Re: Host Checker and AV sigs

That specific message means the data for OPSWAT to do its magic was not available to the client, as it was not sent from the server. I have seen this for the same reason as jai called out, AV updates are not being done, which would mean no XML file to deliver; I have also seen it due to a corrupt XML file stored on the IVE system.


What ESAP are you using?

What IVE OS?