CSA: how to detect Security level changes?

Jul 6th, 2008

Does anybody know how to detect security level changes made in the Agent UI by the end user? I need some kind of 'flag' which would indicate that the security level was changed from High to Medium manually.

All that I'm trying to do is to add some kind of intelligence to CSA. When a roaming user is connected to a guest network, the security level must be automatically set to High. That was a pretty trivial task to do.

But the CSA Agent must allow the user to set a less restrictive setting (Medium or Low, let's say for 12 hours). And this part is a real catch. I didn't find any way to "explain" to CSA that the user has changed settings.

tsteger1 Mon, 07/07/2008 - 17:00

It depends on which version you are using. Version 5.2 lists what security level agents currently are and you can change them back manually from the MC.

You can also set up an alert to notify you when someone changes the security level with the UI.


sampathsundararajan Wed, 12/17/2008 - 10:24

Can you tell me what's the method to create

1) Rule to make the security level to high by default

2) An alert for the security level change on the end user machines.

tsteger1 Thu, 12/18/2008 - 11:13

1. You would need to have the security level set by a triggering rule.

Use a system state that is sure to fire like "Ethernet Active" and create a set rule to change the security level to high.

2. Create an event set with the severity of "Notice" for the rule module with your agent service control rule.

Create an alert that sends an email when the event set gets a new event.

If you don't want users to change the security level, create an Agent Control rule that denies it.


sampathsundararajan Thu, 12/18/2008 - 11:26

Thank you Tom. Also, I would like to know where and how I can set the proxy on the CSA MC for the CLAM AV.

I could not find any setting on the CSA MC, so that CSA MC can download updates from CLAM AV website.

tsteger1 Fri, 12/19/2008 - 23:42

You are quite welcome.

You can either exempt the MC from the proxy server or allow http connections to db.local.clamav.net.

HTH, Tom

sampathsundararajan Sat, 12/20/2008 - 06:14

Hi Tom,

Is there any rule to do that, or where should we say on the MC that it has to go through the proxy server?


tsteger1 Mon, 12/22/2008 - 10:35

Hi Sam,

CSA is not blocking signature updates, your proxy server is. My MC is able to obtain signatures with no trouble.

From the online help:

In order for the CSA MC to obtain signature updates from ClamAV server (db.local.clamav.net) should be reachable over HTTP either directly or through proxy server.

This means you need to configure your proxy server to allow connections to that address or you need to exempt the MC from the proxy server.


dflores83 Mon, 01/05/2009 - 14:55

Hi Tom,

I was reading this topic, and I have a doubt: do you need to configure the CSA MC to go to db.local.clamav.net for the update? In that case, where can I do this?

tsteger1 Mon, 01/05/2009 - 22:37

Hi David, it is already configured to go there for updates. Your MC just needs to be able to reach it via HTTP.

Sam's MC was not able to reach it because of a proxy server issue.

Hopefully he will post back when he solves the problem.


sampathsundararajan Tue, 01/06/2009 - 07:24

Hey Tom,

I did not have any issue as such with the proxy. There was a query for me, whether it can go through the proxy. Now we are not going through the proxy. It's a direct connection.

Thanks for your suggestion.


tsteger1 Tue, 01/06/2009 - 21:45

If I'm not mistaken, the proxy was the issue.

No one was there to click 'yes' when it tried to get updates and when you took the proxy out of the mix it worked, correct?

