Forum Discussion

SalishSeaSecurity
Dec 11, 2007

Prelogon AV check: database age

I'm trying to build a prelogon sequence that will not only look for running AV, but also check for the age of the signature database. I know this is easily done via properties in the Windows AV Checker, _if_ I specify _only_ 3 AV engines (or less). Unfortunately I've got to account for more than 3 AV engines. Naturally I'm looking at how best to use the session.av..database_age variable. Since I can't know in advance, ideally I'd like to do something like

session.av.%session.detected_av.av_1.name%.database_age<=7 (like $variable expansion in shell script)

FirePass won't take it; it gives an error message. My next step would be to try something like

session.av.ClamAV.database_age<=7 OR session.av.F-SecureAV.database_age<=7 or session.av.KasperskyAV.database_age<=7...and so on for a dozen possible AV products.

I'm hoping there is some easier way. Is there?

 

  • Why not use the endpoint inspector and set the A/V software to "any supported"? Set the Database to whatever you want.
  • I had your same problem but I couldn't use the inspector because that would have prevented access to the login page and I just wanted to use the item for a Protected Configuration.

    I ended up solving it with:

    session.detected_av.av_1.database_age <= 7

    That will cover all of the possible AVs without having to specify each one individually (although we are tempted to specify them individually so that we can state which ones we trust.)

    Hope it helps someone,

    Justinian
  • Posted By Justinian on 07/01/2008 2:27 PM

    I had your same problem but I couldn't use the inspector because that would have prevented access to the login page and I just wanted to use the item for a Protected Configuration.

    I ended up solving it with:

    session.detected_av.av_1.database_age <= 7

    That will cover all of the possible AVs without having to specify each one individually (although we are tempted to specify them individually so that we can state which ones we trust.)

    Hope it helps someone,

    Justinian

    I tried session.detected_av.av_1.database_age <= 7 at protected configuration but it still doesn't work...