I'm having a problem where a user is being denied access to the ASA because the host scan does not see his antivirus running. The user just upgraded his AVG antivirus to the latest version and this version is not in the endpoint assessment attributes list. I scan all AV listed on the ASA in the attributes table using a DAP expression. My question is how often does Cisco update the Antivirus vendor and version list and how can I update my ASA with this new list?
Basic support for the AVG 9 Free product was added in the October release of the support framework that is used by Cisco (OPSWAT's OESIS Framework). We try to get the software vendors to make sure that we are able to engage all of the management functions that administrators using Cisco products are looking for, but it sometimes takes their cooperation. Because a lot of AV products are included by us automatically, a lot of vendors never feel the sting of when they break support. It's important that they are made aware.
AVG is a member of our endpoint software certification program, OESIS OK; however, they have not submitted their recent products. Your reminder to them is certainly appreciated, as nothing gets a vendor’s attention as quickly as a customer concern. Sometimes vendors roll out products not realizing that some of the changes they made will break compatibility with a whole host of related solutions, which is why it’s important that they always get OPSWAT the updates prior to release.
As a diagnostic tool, I would like to draw your attention to our Am I OESIS OK? utility, posted on our website http://www.oesisok.com/
It will analyze a user’s system and let them know how well their installed security applications will interoperate with your Cisco product. (Applications are either Identified, Certified or Gold Certified.) If you have endpoint users having some trouble with compatibility, you could point them to the utility and have them analyze their systems for what might be causing the issue.
Our certified applications are always listed in our product browser here: http://www.oesisok.com/application-lists
If AVG is not working with a user's system, I would recommend switching to an OESIS OK approved product.
Please feel free to let me know if you have any additional questions. I’m happy to help.
Since I posted this, I opened a TAC case and was told the endpoint attributes are updated in the Cisco Secure Desktop software package that runs on the ASA. The last CSD release from Cisco was Jun 8th, 2009. There is a beta of the next version available, but I've had issues in the past with beta versions. The general release is scheduled to be available within the next month or so. Having to wait 6 months for endpoint attribute updates is unacceptable.
I understand where you are coming from in regards to having software vendors cooperate by notifying Cisco regarding software upgrades, etc. For now, I've created an additional endpoint attribute to be satisfied that only checks the Vendor name and not the version, along with sig files being updated in the last X amount of days. This seems to be working. I guess I'll have to make exceptions for newer software that cannot be scanned using the DAP expression that checks the entire list...
DJ, did you write a LUA expression? I am working on a deploy right now and ran into the same problem you did. The only thing is that my DAP expressions ARE only on vendor and last def update. AVG 9 just comes up in the debug log as generic WMI, same with Microsoft's new Security Essentials; the products don't actually detect with the actual vendor values.
If we have to wait over 6 months between Secure Desktop releases, DAP really isn't practical when our VPN users are home users.
At the moment I am giving the beta a try since I am not in production yet, however I agree with you that running BETA is a risk.
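
A sketch of the vendor-plus-signature-age check discussed in this thread, added here as an example (not code from either poster or from Cisco). It assumes Host Scan exposes `exists`, `description` and `lastupdate` (seconds since the last definition update) under `endpoint.av`; the `EVAL` stand-in, product keys and sample values are constructed so the logic can be run in a plain Lua interpreter.

```lua
-- Constructed stand-in for the ASA's EVAL so this runs offline.
-- On the ASA, EVAL and the endpoint table are supplied by DAP.
local function EVAL(attr, op, value, typ)
  if attr == nil then return false end
  if typ == "integer" then
    attr, value = tonumber(attr), tonumber(value)
    if attr == nil or value == nil then return false end
  end
  if op == "EQ" then return attr == value end
  if op == "LT" then return attr < value end
  if op == "GT" then return attr > value end
  return false
end

-- "X days" from the post, here 7 (assumed), expressed in seconds.
local MAX_AGE = tostring(7 * 24 * 3600)

-- True when any detected AV product matches the vendor string by name only
-- (no version check) and its definitions are newer than MAX_AGE.
local function av_ok(av, vendor)
  for _, v in pairs(av or {}) do
    if EVAL(v.exists, "EQ", "true", "string")
       and type(v.description) == "string"
       and string.find(v.description, vendor, 1, true)  -- plain substring match
       and EVAL(v.lastupdate, "LT", MAX_AGE, "integer") then
      return true
    end
  end
  return false
end

-- Constructed Host Scan results (keys and strings are sample values).
local recognised = { SampleAvgKey = {
  exists = "true", description = "AVG Anti-Virus Free", lastupdate = "86400" } }
local stale = { SampleAvgKey = {
  exists = "true", description = "AVG Anti-Virus Free", lastupdate = "2592000" } }
-- Product reported without its vendor name, as described for AVG 9 above.
local generic = { SampleWmiKey = {
  exists = "true", description = "Generic WMI product", lastupdate = "86400" } }

for name, av in pairs({ recognised = recognised, stale = stale, generic = generic }) do
  print(name, av_ok(av, "AVG"))
end
```

The `generic` case shows why a vendor-name match does not help when Host Scan reports the product under a generic entry: the check fails even though the definitions are current.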