While tuning an APM Access Policy I ran into some misunderstanding of how the OPSWAT OESIS framework is used by the F5 endpoint inspector. A client running 10.15.7 OSX was denied access to a web app due to a Patch Management OS check failure. Could somebody clarify a little how to understand what exactly the F5 endpoint inspector checks at the stage of checking the OS for patch management and antivirus? Does it query the embedded OS subsystem responsible for updates and receive a response from this subsystem on whether everything is OK or not, or does the F5 endpoint inspector check specific system files on the client machine to determine the current version number of the OS/AV running? It is also interesting where the F5 endpoint inspector gets the latest MacOS version from: are some OPSWAT servers engaged, etc., and from which host is the request issued in this case, the F5 or the node itself that is being checked? What if there is no access to the Internet from any of the devices? Really appreciate your help.
I have always understood it as the F5 endpoint inspector containing the OPSWAT code to check for such things. So it doesn't look at files or such for this. It is the OPSWAT inspection code that does this on the client.
You can update the OPSWAT information on the BIG-IP; do that here: System > Software Management > Antivirus Check Updates.
See also: https://support.f5.com/csp/article/K48955220