Forum Discussion

RpM1TNkMcm
Dec 12, 2023

How does BIG-IP check if an antivirus is started?

Hi,

We recently switched from ESET antivirus to Palo Alto Cortex XDR.

We've noticed that if a connection via the BIG-IP VPN client is launched within two minutes of computer startup (not logon), the antivirus startup compliance check on the workstation doesn't work, as the client reports that no antivirus is currently running.
When the connection is retried, and the computer has been running for more than two minutes (since computer startup, not logon once again), the antivirus is detected without a hitch.


So my questions are:

- how is the check carried out?

- Is a specific process observed (we've noticed that the cyserver.exe process takes about 1:30 to start)?

- Have similar cases been observed with the Palo Alto Cortex antivirus? We had no such problems with ESET.

Here are some technical details about our F5 infra: BIG-IP v16.1.4.1 (Build 0.13.5), apmclients-7243.2023.718.858-6294.0.iso, OPSWAT Antimalware Integration SDK 4.3.3726.0 (for the compliance check we of course added Palo Alto Cortex XDR for all the versions, and as I said, it works when we wait for more than 2 minutes after computer startup).

Thanks in advance

Regards

  • Usually the Windows system-level startup is controlled via Task Scheduler (taskschd.msc).
    You might try to arrange the task order so that the F5 VPN agent is started after the Palo Alto antivirus.
    You can also try to change the service startup of the Palo Alto AV to "Automatic (delayed start)" in services.msc.

    • RpM1TNkMcm

      Thanks for your answer.

      F5 VPN client is not automatically launched on Windows startup, it's a user action. So the issue appears when the user opens the VPN client very quickly after computer startup.

      Do you know how the compliance check is done? I could give the info to Palo Alto so they can figure out the issue.


      • zamroni777

        Usually the VPN client has a dictionary of the process names.
        It also checks the signature, version, etc. of the AV executables.

        The VPN client usually has background components that run as background services.
        Correction to my previous comment: you can try to set the F5 VPN background service to "Automatic (delayed start)" while setting the Palo Alto AV to "Automatic".

    • RpM1TNkMcm

      I don't think that the OPSWAT check is the issue here; it works 1:30 to 2 minutes after computer startup. However, we've noticed that the cyserver.exe process (one of the main Cortex processes) also takes around 1 minute 30 to start up. Is it possible that this is the process being checked? Where can I find information on which process is verified by the client (and therefore OPSWAT) for Palo Alto Cortex XDR?
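To narrow down the startup race discussed in this thread (whether the AV process is up, how long after boot it appeared, and whether its binary carries the publisher signature and version an endpoint check would look at), here is an added PowerShell diagnostic to run on the workstation. It is not F5, OPSWAT or Palo Alto code and does not reproduce the OPSWAT SDK's actual logic; the process name cyserver.exe and the two-minute window are taken from the thread, and the service lookup by binary path is an assumption.

```powershell
# Added diagnostic for the thread above; not vendor code. Assumes the AV
# process name from the thread (cyserver.exe) and a ~2 minute grace window.
param(
    [string]$ProcessName = 'cyserver.exe',
    [int]$GraceSeconds   = 120
)

# Boot time and uptime from WMI/CIM (no process handle needed).
$os     = Get-CimInstance Win32_OperatingSystem
$boot   = $os.LastBootUpTime
$uptime = (Get-Date) - $boot

# Win32_Process exposes CreationDate and ExecutablePath without opening the
# process, which matters for protected AV processes.
$proc = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'" |
        Select-Object -First 1

$result = [ordered]@{
    BootTime       = $boot
    UptimeSeconds  = [int]$uptime.TotalSeconds
    ProcessRunning = [bool]$proc
}

if ($proc) {
    # Seconds between boot and the moment the AV process was created.
    $result.StartAfterBootSeconds = [int]($proc.CreationDate - $boot).TotalSeconds
    if ($proc.ExecutablePath) {
        # Signature and version are the kind of attributes a compliance
        # dictionary compares against (see zamroni777's comment).
        $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
        $result.Path           = $proc.ExecutablePath
        $result.SignatureValid = ($sig.Status -eq 'Valid')
        $result.Signer         = $sig.SignerCertificate.Subject
        $result.FileVersion    = (Get-Item $proc.ExecutablePath).VersionInfo.FileVersion
    } else {
        $result.Path = '(not readable; rerun elevated)'
    }
} elseif ($uptime.TotalSeconds -lt $GraceSeconds) {
    $result.Verdict = 'AV process not yet running inside the grace window (startup race)'
} else {
    $result.Verdict = 'AV process not running after the grace window; check the AV install'
}

# Services whose binary path mentions the process name, with their start mode,
# so "Automatic" vs "Automatic (delayed start)" can be compared as suggested.
$stem = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
$result.Services = Get-CimInstance Win32_Service -Filter "PathName LIKE '%$stem%'" |
    ForEach-Object { "{0}: {1} ({2})" -f $_.Name, $_.StartMode, $_.State }

[pscustomobject]$result | Format-List
```

Run it once shortly after boot and once after the two-minute mark; a StartAfterBootSeconds close to 90 would match the cyserver.exe delay reported in the thread.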