Ben Ari's UAG and IAG Blog

Plenty of useful and fun info on UAG, Microsoft's remote access and reverse-proxy product.

Hunt a virus

One of the best features of IAG is its ability to detect a connecting client's anti-virus software and block access for clients that do not conform to the policy defined by the server administrator. This is an effective way to prevent a virus infection being introduced by connecting clients. The detection is performed by the IAG client components, which are installed on the client machine when the user connects to the IAG portal externally for the first time. The anti-virus detection is based on a policy that is pre-set on the IAG server. The IAG server ships with a pre-defined policy that contains definitions for many AV products, but like any other software product, AV software changes and evolves alongside the operating systems that host it, and so the IAG policy requires updates from time to time. With some IAG service packs and minor updates, the AV detection policy has been enhanced, but as some customers have discovered, installing the latest service pack and update doesn't necessarily update the policy. This is deliberate, to protect the customer's own changes: the policy is editable by the administrator, and the update engine cannot analyze the existing policy and apply an incremental or differential update, so the policy is left as it is.

A recent AV release that may cause problems for servers with outdated policies is Symantec's latest AV product, Symantec Endpoint Protection 11 (a.k.a. SEP11). Another product known to stir up problems is AVG 8.5. The symptom of such an issue is that client computers running one of these products see no applications upon entering the IAG portal, or see grayed-out applications. If this is the case, an administrator can diagnose it easily by opening the Web Monitor application on the IAG server. In Web Monitor, open the Session tab and click the session of the user who is experiencing the issue. On the session page, click the "Parameters" tab and look for a parameter named ANY_ANTI_VIRUS. If it is set to FALSE, the policy has failed to detect the AV and may require updating. Before making changes to the policy, the administrator should verify that the IAG server is fully updated to the latest version. Currently (April 2009), that version is IAG 3.7 SP2 Update 1, and it includes several required fixes to the detection components. For the latest update, contact Microsoft Technical Support.

To view or edit the current policy, follow these steps:

1) Open the policy editor on your IAG machine: open "Advanced Trunk Configuration", switch to the Session tab and click "Manage Policies"

2) Expand EXPRESSIONS (at the bottom of the list)

3) Double-click "any Antivirus"

4) Click "Manage Windows Expressions"

5) Expand EXPRESSIONS again (at the bottom of the list)

6) Double-click "any Antivirus(Windows)"

You should see a screen like this:

[Screenshot clip_image002: the "any Antivirus(Windows)" expression editor]

7) For safety's sake, copy and paste the current content on the right into a text file and save it somewhere.

8) REPLACE the content with the contents of the attached file.

9) Click OK back through all the screens, and activate the configuration.

It's important to be careful when editing the policy, as its Boolean syntax is unforgiving. Even a single line break could wreak havoc. In the policy editor the view is word-wrapped, but the policy is actually one long line built from many Boolean operators and parentheses, and those are what make it work.

Here is the current latest policy (April 2009), as one continuous line (the Norton360 clause's DateDiff/UptoDate test is parenthesised here like every other clause's, so that the Or cannot bypass the Installed and Running checks):

(AV_Norton_Installed And AV_Norton_Running And (DateDiff("d",AV_Norton_LastUpdate,Now)<8 OR AV_Norton_UptoDate)) or (AV_McAfee_Installed And AV_McAfee_Running And (DateDiff("d",AV_McAfee_LastUpdate,Now)<8 OR AV_McAfee_UptoDate)) or (AV_McAfeeVirusScanASAP_Installed And AV_McAfeeVirusScanASAP_Running And (DateDiff("d",AV_McAfeeVirusScanASAP_LastUpdate,Now)<8 OR AV_McAfeeVirusScanASAP_UptoDate)) or (AV_OfficeScan_Installed And AV_OfficeScan_Running And (DateDiff("d",AV_OfficeScan_LastUpdate,Now)<8 OR AV_OfficeScan_UptoDate)) or (AV_PCCillin_Installed And AV_PCCillin_Running And (DateDiff("d",AV_PCCillin_LastUpdate,Now)<8 OR AV_PCCillin_UptoDate)) or (AV_Sophos_Installed And AV_Sophos_Running And (DateDiff("d",AV_Sophos_LastUpdate,Now)<8 OR AV_Sophos_UptoDate)) or (AV_eTrust_Installed And AV_eTrust_Running And (DateDiff("d",AV_eTrust_LastUpdate,Now)<8 OR AV_eTrust_UptoDate)) or (AV_CA_SCM_Installed And AV_CA_SCM_Running) or (AV_TMServerProtect_Installed And AV_TMServerProtect_Running) or (AV_CommandAuthentium_Installed And AV_CommandAuthentium_Running And (DateDiff("d",AV_CommandAuthentium_LastUpdate,Now)<8 OR AV_CommandAuthentium_UptoDate)) or (AV_CoxAuthentium_Installed And AV_CoxAuthentium_Running And (DateDiff("d",AV_CoxAuthentium_LastUpdate,Now)<8 OR AV_CoxAuthentium_UptoDate)) or (AV_ZoneAlarm_Installed And AV_ZoneAlarm_Running And (DateDiff("d",AV_ZoneAlarm_LastUpdate,Now)<8 OR AV_ZoneAlarm_UptoDate)) or (AV_VComSS_Installed And (DateDiff("d",AV_VComSS_LastUpdate,Now)<8 OR AV_VComSS_UptoDate)) or (AV_FProt_Installed And AV_FProt_Running And (DateDiff("d",AV_FProt_LastUpdate,Now)<8 OR AV_VComSS_UptoDate)) or (AV_HBEDVAntiVir_Installed And AV_HBEDVAntiVir_Running And (DateDiff("d",AV_HBEDVAntiVir_LastUpdate,Now)<8 OR AV_HBEDVAntiVir_UptoDate)) or (AV_NOD32_Installed And AV_NOD32_Running And (DateDiff("d",AV_NOD32_LastUpdate,Now)<8 OR AV_NOD32_UptoDate)) or (AV_AVG_Installed And AV_AVG_Running And (DateDiff("d",AV_AVG_LastUpdate,Now)<8 OR AV_AVG_UptoDate)) or (AV_FSecure_Installed And AV_FSecure_Running And (DateDiff("d",AV_FSecure_LastUpdate,Now)<8 OR AV_FSecure_UptoDate)) or ((AV_MSOneCare_Installed And AV_MSOneCare_Running And (DateDiff("d",AV_MSOneCare_LastUpdate,Now)<8 OR AV_MSOneCare_UptoDate) And ( not (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_MSOneCare_Installed And AV_MSOneCare_Running And (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_McAfeeTotalProtection_Installed And AV_McAfeeTotalProtection_Running And (DateDiff("d",AV_McAfeeTotalProtection_LastUpdate,Now)<8 OR AV_McAfeeTotalProtection_UptoDate)) or (AV_PandaCS_Installed And AV_PandaCS_Running And (DateDiff("d",AV_PandaCS_LastUpdate,Now)<8 OR AV_PandaCS_UptoDate)) or ((AV_MSForefront_Installed And AV_MSForefront_Running And (DateDiff("d",AV_MSForefront_LastUpdate,Now)<8 OR AV_MSForefront_UptoDate) And (not (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_MSForefront_Installed And AV_MSForefront_Running And (System_OS_WinVistaPro or System_OS_WinVistaHome))) or (AV_Norton360_Installed And AV_Norton360_Running And (DateDiff("d",AV_Norton360_LastUpdate,Now)<8 OR AV_Norton360_UptoDate)) or (AV_eTrustITM_Installed And AV_eTrustITM_Running And (DateDiff("d",AV_eTrustITM_LastUpdate,Now)<8 OR AV_eTrustITM_UptoDate)) or (AV_Kaspersky_Installed And AV_Kaspersky_Running And (DateDiff("d",AV_Kaspersky_LastUpdate,Now)<8 OR AV_Kaspersky_UptoDate)) or (AV_BitDefender_Installed And AV_BitDefender_Running And (DateDiff("d",AV_BitDefender_LastUpdate,Now)<8 OR AV_BitDefender_UptoDate)) or (AV_SymantecEndpointProtection_Installed And AV_SymantecEndpointProtection_Running And (DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<8 OR AV_SymantecEndpointProtection_UptoDate)) or (AV_TrendMicroInternetSecurity_Installed And AV_TrendMicroInternetSecurity_Running And (DateDiff("d",AV_TrendMicroInternetSecurity_LastUpdate,Now)<8 OR AV_TrendMicroInternetSecurity_UptoDate))
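Because the policy is one long line of Boolean logic, a slip in it is easy to paste in and hard to spot afterwards. The Python script below is an added example (not IAG's policy engine, and not code from this blog): it tokenizes and parses an expression in the syntax shown above with VBScript precedence (Not binds tightest, then And, then Or), evaluates it against a dict of client parameters, and lints it for three things worth catching before activating the configuration: a line break, a clause that grants access on a single flag because an Or escaped its parentheses, and a clause that mixes two products' flags, as the F-Prot clause in the policy does when it tests AV_VComSS_UptoDate. The sample policy, the clock and the client parameter sets are constructed; treating a missing parameter as False and reading DateDiff("d", ...) as whole calendar days are assumptions, not documented IAG behaviour.

```python
"""Lint and evaluate an IAG-style "any Antivirus" policy expression. Added example, not
IAG's own engine: it assumes only the grammar visible on this page (identifiers, And/Or/Not
with VBScript precedence Not > And > Or, parentheses, DateDiff("d",<var>,Now)<<days>) and
reads client parameters from a plain dict, where a missing parameter counts as False."""
import re
from datetime import datetime, timedelta
TOKEN_RE = re.compile(r'\s*(?:(?P<recent>DateDiff\("d",(?P<var>\w+),Now\)<(?P<days>\d+))'
                      r"|(?P<paren>[()])|(?P<word>\w+))", re.IGNORECASE)
PRODUCT_RE = re.compile(r"^AV_(\w+?)_(Installed|Running|UptoDate|LastUpdate)$")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()   # anything the regex does not recognise is an error
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unexpected text at offset %d: %r" % (pos, expr[pos:pos + 20]))
        pos = m.end()
        if m.group("recent"):
            tokens.append(("recent", m.group("var"), int(m.group("days"))))
        elif m.group("paren"):
            tokens.append((m.group("paren"),))
        else:
            word = m.group("word")
            tokens.append((word.lower(),) if word.lower() in ("and", "or", "not") else ("var", word))
    return tokens

def parse(tokens):
    """Recursive descent; nodes are ('or'|'and', a, b), ('not', a), ('var', name), ('recent', name, days)."""
    toks = list(tokens)                          # consumed from the front
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0) if toks else None
    def chain(op, operand):                      # left-associative run of one operator
        node = operand()
        while peek() == (op,):
            take()
            node = (op, node, operand())
        return node
    parse_or = lambda: chain("or", lambda: chain("and", parse_not))   # Or binds loosest, then And
    def parse_not():
        if peek() == ("not",):
            take()
            return ("not", parse_not())
        tok = take()
        if tok == ("(",):
            node = parse_or()
            if take() != (")",):
                raise ValueError("missing ')'")
            return node
        if tok and tok[0] in ("var", "recent"):
            return tok
        raise ValueError("unexpected token %r" % (tok,))
    tree = parse_or()
    if toks:
        raise ValueError("unbalanced parentheses or trailing text")
    return tree

def evaluate(node, params, now):
    kind = node[0]
    if kind == "var":
        return bool(params.get(node[1], False))
    if kind == "recent":   # DateDiff("d", var, Now) < days, counted in whole calendar days
        return node[1] in params and (now.date() - params[node[1]].date()).days < node[2]
    if kind == "not":
        return not evaluate(node[1], params, now)
    return (all if kind == "and" else any)(evaluate(c, params, now) for c in node[1:])

def flatten_or(node):   # split the top-level Or chain into its per-product clauses
    return flatten_or(node[1]) + flatten_or(node[2]) if node[0] == "or" else [node]
def variables(node):
    return [node[1]] if node[0] in ("var", "recent") else [v for c in node[1:] for v in variables(c)]
def client_passes(policy, params, now):
    return evaluate(parse(tokenize(policy)), params, now)

def lint(policy):
    """Warnings to resolve before pasting the policy into the expression editor."""
    warnings = []
    if "\n" in policy.strip() or "\r" in policy.strip():
        warnings.append("line break inside the policy; it must be one continuous line")
    for clause in flatten_or(parse(tokenize(policy))):
        if clause[0] in ("var", "recent"):
            warnings.append("clause passes on the single flag %s; an Or escaped its parentheses" % clause[1])
            continue
        products = {PRODUCT_RE.match(v).group(1) for v in variables(clause) if PRODUCT_RE.match(v)}
        if len(products) > 1:
            warnings.append("clause mixes products %s; check for a copy-paste slip" % sorted(products))
    return warnings

# Constructed sample: a SEP11 clause, a Norton360 clause with its Or outside the parentheses, the F-Prot clause
SAMPLE_POLICY = (
    '(AV_SymantecEndpointProtection_Installed And AV_SymantecEndpointProtection_Running And '
    '(DateDiff("d",AV_SymantecEndpointProtection_LastUpdate,Now)<8 OR AV_SymantecEndpointProtection_UptoDate)) or '
    '(AV_Norton360_Installed And AV_Norton360_Running And DateDiff("d",AV_Norton360_LastUpdate,Now)<8 OR AV_Norton360_UptoDate) or '
    '(AV_FProt_Installed And AV_FProt_Running And (DateDiff("d",AV_FProt_LastUpdate,Now)<8 OR AV_VComSS_UptoDate))')
FIXED_NORTON = '(AV_Norton360_Installed And AV_Norton360_Running And (DateDiff("d",AV_Norton360_LastUpdate,Now)<8 OR AV_Norton360_UptoDate))'
NOW = datetime(2009, 4, 15)   # constructed clock, matching the post's date
SEP_FRESH = {"AV_SymantecEndpointProtection_Installed": True, "AV_SymantecEndpointProtection_Running": True,
             "AV_SymantecEndpointProtection_LastUpdate": NOW - timedelta(days=3)}
SEP_STALE = dict(SEP_FRESH, AV_SymantecEndpointProtection_LastUpdate=NOW - timedelta(days=10))
NORTON_STOPPED = {"AV_Norton360_Installed": True, "AV_Norton360_Running": False, "AV_Norton360_UptoDate": True}
```

Calling lint(SAMPLE_POLICY) yields two warnings, one for the bare AV_Norton360_UptoDate flag and one for the F-Prot clause mixing FProt and VComSS, and inserting a newline before any " or " adds a third. client_passes(SAMPLE_POLICY, SEP_FRESH, NOW) is True for a SEP11 client updated three days ago and False for SEP_STALE, whose update is ten days old with no UptoDate flag; NORTON_STOPPED, a Norton360 that is up to date but not running, passes the unparenthesised clause and fails FIXED_NORTON, which is exactly the difference a missing pair of parentheses makes.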
