Forum Discussion
How does BIG-IP check if an antivirus is started?
Hi,
We recently switched from ESET antivirus to Palo Alto Cortex XDR.
We've noticed that if a connection via the BIG-IP VPN client is launched within two minutes of computer startup (not logon), the antivirus startup compliance check on the workstation doesn't work, as the client reports that no antivirus is currently running.
When the connection is retried, and the computer has been running for more than two minutes (since computer startup, not logon once again), the antivirus is detected without a hitch.
So my questions are:
- how is the check carried out?
- Is a specific process observed (we've noticed that the cyserver.exe process takes about 1:30 to start)?
- Have similar cases been observed with the Palo Alto Cortex antivirus? We had no such problems with ESET.
Here are some technical details about our F5 infra: BIG-IP v16.1.4.1 (Build 0.13.5), apmclients-7243.2023.718.858-6294.0.iso, OPSWAT Antimalware Integration SDK 4.3.3726.0 (for the compliance check we of course added Palo Alto Cortex XDR for all versions, and as I said, it works when we wait for more than 2 minutes after computer startup).
Thanks in advance
Regards
- zamroni777 (Nacreous)
Usually the Windows system-level startup is controlled via Task Scheduler (taskschd.msc).
You might try to arrange the task order so that the F5 VPN agent is started after the Palo Alto antivirus.
You can also try to change the service startup of the Palo Alto AV to "Automatic (delayed start)" in services.msc.
- RpM1TNkMcm (Nimbostratus)
Thanks for your answer.
The F5 VPN client is not automatically launched on Windows startup, it's a user action. So the issue appears when the user opens the VPN client very quickly after computer startup.
Do you know how the compliance check is done? I could give the info to Palo Alto so they can figure out the issue.
- zamroni777 (Nacreous)
Usually the VPN client has a dictionary of the process names.
It also checks the signature, version, etc. of the AV executables. The VPN client usually has background components that run as background services.
Correction to my previous comment: you can try to set the F5 VPN background service to "Automatic (delayed start)" while setting the Palo Alto AV to "Automatic".
The F5 agent uses the OPSWAT database, and you can upgrade it to try to solve the issue, as it is upgraded separately from the F5 Edge Client agent:
- RpM1TNkMcm (Nimbostratus)
I don't think that the OPSWAT check is the issue here: it works 1:30 to 2 minutes after computer startup. However, we've noticed that the cyserver.exe process (one of the main Cortex processes) also takes around 1 minute 30 to start up. Is it possible that this is the process being checked? Where can I find information on which process is verified by the client (and therefore OPSWAT) for Palo Alto Cortex XDR?
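Before handing the case to Palo Alto, it helps to replace the "about 1:30" estimate with measured numbers. The following PowerShell script is an added example (not from this thread, nor from F5 or Palo Alto): run at boot from a Scheduled Task, it records how many seconds after boot each named process first appears. Only cyserver is named in the thread; any other process names you pass, and the log path, are assumptions.

```powershell
# Added diagnostic example: log when AV processes first appear relative to boot.
# Run elevated (e.g. as a startup Scheduled Task) so StartTime of service processes is readable.
param(
    [string[]]$ProcessNames = @('cyserver'),   # cyserver.exe is the process named in the thread
    [int]$TimeoutSeconds = 300,               # stop waiting after 5 minutes
    [string]$LogPath = "$env:ProgramData\av-startup-timing.log"  # assumed location
)

$boot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$pending  = [System.Collections.Generic.List[string]]::new([string[]]$ProcessNames)
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)

function Write-Timing([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

Write-Timing ('boot time {0:u}; waiting for: {1}' -f $boot, ($pending -join ', '))

while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($name in @($pending)) {
        # Oldest instance is the one that matters if the process respawns.
        $p = Get-Process -Name $name -ErrorAction SilentlyContinue |
             Sort-Object StartTime | Select-Object -First 1
        if (-not $p) { continue }

        # StartTime may be inaccessible without elevation; fall back to the time we first saw it
        # (an upper bound on the real start time).
        $start = $null
        try { $start = $p.StartTime } catch { }
        if (-not $start) { $start = Get-Date }

        $secs = [int]($start - $boot).TotalSeconds
        Write-Timing ('{0}.exe running {1}s after boot (PID {2})' -f $name, $secs, $p.Id)
        [void]$pending.Remove($name)
    }
    Start-Sleep -Seconds 2
}

foreach ($name in $pending) {
    Write-Timing ('{0}.exe not seen within {1}s of boot' -f $name, $TimeoutSeconds)
}
```

Compare the logged offset with the earliest time a user can click the VPN client after logon; if the process consistently appears later than that, the delayed-start suggestions above (or a documented minimum startup delay for the endpoint check) are the mitigation to discuss with the vendor.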