https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007586#M79573 <HTML><HEAD></HEAD><BODY><P>If I'm not mistaken, the proxy <U>was</U> the issue. </P><P></P><P>No one was there to click 'yes' when it tried to get updates and when you took the proxy out of the mix it worked, correct? </P></BODY></HTML> Wed, 07 Jan 2009 05:45:49 GMT tsteger1 2009-01-07T05:45:49Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007575#M79557 <P>Hello!</P><P>Does anybody know how to detect security level changes made in Agent UI by the end user? I need some kind of the 'flag' which would indicate that security level was changed form High to Medium manually.</P><P>All that I'm tring to do is to add some kind of intelligence to CSA. When roaming user is connected to guest network security level must be automatically set to High. That was a pretty trivial task to do.</P><P>But CSA Agent must allow user to set less restrictive setting (Medium or Low, let's say for 12 hours). And this part is a real catch. I didn't find any ways to "explain" to CSA that user has changed settings.</P> Sun, 10 Mar 2019 11:10:55 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007575#M79557 asp13 2019-03-10T11:10:55Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007576#M79561 <HTML><HEAD></HEAD><BODY><P>It depends on which version you are using. Version 5.2 lists what security level agents currently are and you can change them back manually from the MC.</P><P></P><P>You can also set up an alert to notify you when someone changes the security level with the UI.</P><P></P><P>Tom</P></BODY></HTML> Tue, 08 Jul 2008 00:00:38 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007576#M79561 tsteger1 2008-07-08T00:00:38Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007577#M79562 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Can you tell me what's the method to create</P><P></P><P>1) Rule to make the security level to high by default </P><P>2) An alert for the security level change on the end user machines.</P></BODY></HTML> Wed, 17 Dec 2008 18:24:11 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007577#M79562 sampathsundararajan 2008-12-17T18:24:11Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007578#M79563 <HTML><HEAD></HEAD><BODY><P>1. You would need to have the security level set by a triggering rule. </P><P></P><P>Use a system state that is sure to fire like "Ethernet Active" and create a set rule to change the security level to high.</P><P></P><P>2. Create an event set with the severity of "Notice" for the rule module with your agent service control rule.</P><P></P><P>Create an alert that sends an email when the event set gets a new event.</P><P></P><P>If you don't want users to change the security level, create an Agent Control rule that denies it.</P><P></P><P>Tom</P></BODY></HTML> Thu, 18 Dec 2008 19:13:55 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007578#M79563 tsteger1 2008-12-18T19:13:55Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007579#M79564 <HTML><HEAD></HEAD><BODY><P>Thank you Tom,Also I would like to know, where and how I can set the proxy on the CSA MC for the CLAM AV.</P><P></P><P>I could not find any setting on the CSA MC, so that CSA MC can download updates from CLAM AV website.</P></BODY></HTML> Thu, 18 Dec 2008 19:26:33 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007579#M79564 sampathsundararajan 2008-12-18T19:26:33Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007580#M79566 <HTML><HEAD></HEAD><BODY><P>You are quite welcome.</P><P></P><P>You can either exempt the MC from the proxy server or allow http connections to db.local.clamav.net.</P><P></P><P>HTH, Tom</P></BODY></HTML> Sat, 20 Dec 2008 07:42:47 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007580#M79566 tsteger1 2008-12-20T07:42:47Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007581#M79567 <HTML><HEAD></HEAD><BODY><P>Hi Tom, </P><P></P><P>Is there any rule to do that or where should be say on the MC that it has go thru proxy server?</P><P></P><P>Sam</P></BODY></HTML> Sat, 20 Dec 2008 14:14:03 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007581#M79567 sampathsundararajan 2008-12-20T14:14:03Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007582#M79568 <HTML><HEAD></HEAD><BODY><P>Hi Sam,</P><P></P><P>CSA is not blocking signature updates, your proxy server is. My MC is able to obtain sigatures with no trouble.</P><P></P><P>From the online help:</P><P></P><P><B>In order for the CSA MC to obtain signature updates from ClamAV server (db.local.clamav.net) should be reachable over HTTP either directly or through proxy server.</B></P><P></P><P>This means you need to configure your proxy server to allow connections to that address or you need to exempt the MC from the proxy server.</P><P></P><P>Tom</P></BODY></HTML> Mon, 22 Dec 2008 18:35:34 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007582#M79568 tsteger1 2008-12-22T18:35:34Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007583#M79569 <HTML><HEAD></HEAD><BODY><P>hi tom</P><P></P><P> I was reading this topic, and I have a doubt, do you need configure to CSA MC to going to the db.local.clamav.net for the update, in this case where I can do this?</P></BODY></HTML> Mon, 05 Jan 2009 22:55:14 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007583#M79569 dflores83 2009-01-05T22:55:14Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007584#M79571 <HTML><HEAD></HEAD><BODY><P>Hi David, it is already configured to go there for updates. Your MC just needs to be able to reach it via HTTP.</P><P></P><P>Sam's MC was not able to reach it because of a proxy server issue. </P><P></P><P>Hopefully he will post back when he solves the problem.</P><P></P><P>Tom</P></BODY></HTML> Tue, 06 Jan 2009 06:37:42 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007584#M79571 tsteger1 2009-01-06T06:37:42Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007585#M79572 <HTML><HEAD></HEAD><BODY><P>Hey Tom, </P><P>I did not have any issue as such with the proxy. There was a query for me, whether it can go thru the proxy. Now we are not going through the proxy. It's direct connection. </P><P></P><P>Thanks for your suggesstion. </P><P></P><P>Sam</P></BODY></HTML> Tue, 06 Jan 2009 15:24:56 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007585#M79572 sampathsundararajan 2009-01-06T15:24:56Z https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007586#M79573 <HTML><HEAD></HEAD><BODY><P>If I'm not mistaken, the proxy <U>was</U> the issue. </P><P></P><P>No one was there to click 'yes' when it tried to get updates and when you took the proxy out of the mix it worked, correct? </P></BODY></HTML> Wed, 07 Jan 2009 05:45:49 GMT https://community.cisco.com/t5/network-security/csa-how-to-detect-security-level-changes/m-p/1007586#M79573 tsteger1 2009-01-07T05:45:49Z