CSA: how to detect Security level changes?

Unanswered Question
Jul 6th, 2008

Hello!

Does anybody know how to detect security level changes made in the Agent UI by the end user? I need some kind of 'flag' which would indicate that the security level was changed from High to Medium manually.

All that I'm trying to do is to add some kind of intelligence to CSA. When a roaming user is connected to a guest network, the security level must be automatically set to High. That was a pretty trivial task to do.

But the CSA Agent must allow the user to set a less restrictive setting (Medium or Low, let's say for 12 hours). And this part is a real catch. I didn't find any way to "explain" to CSA that the user has changed settings.

tsteger1 Mon, 07/07/2008 - 17:00

It depends on which version you are using. Version 5.2 lists what security level agents currently are and you can change them back manually from the MC.

You can also set up an alert to notify you when someone changes the security level with the UI.

Tom

sampathsundararajan Wed, 12/17/2008 - 10:24

Hi,

Can you tell me what's the method to create

1) Rule to make the security level to high by default

2) An alert for the security level change on the end user machines.

tsteger1 Thu, 12/18/2008 - 11:13

1. You would need to have the security level set by a triggering rule.

Use a system state that is sure to fire like "Ethernet Active" and create a set rule to change the security level to high.

2. Create an event set with the severity of "Notice" for the rule module with your agent service control rule.

Create an alert that sends an email when the event set gets a new event.

If you don't want users to change the security level, create an Agent Control rule that denies it.

Tom

sampathsundararajan Thu, 12/18/2008 - 11:26

Thank you Tom. Also, I would like to know where and how I can set the proxy on the CSA MC for ClamAV.

I could not find any setting on the CSA MC so that the CSA MC can download updates from the ClamAV website.

tsteger1 Fri, 12/19/2008 - 23:42

You are quite welcome.

You can either exempt the MC from the proxy server or allow http connections to db.local.clamav.net.

HTH, Tom

sampathsundararajan Sat, 12/20/2008 - 06:14

Hi Tom,

Is there any rule to do that, or where should I say on the MC that it has to go through the proxy server?

Sam

tsteger1 Mon, 12/22/2008 - 10:35

Hi Sam,

CSA is not blocking signature updates, your proxy server is. My MC is able to obtain signatures with no trouble.

From the online help:

In order for the CSA MC to obtain signature updates, the ClamAV server (db.local.clamav.net) should be reachable over HTTP either directly or through a proxy server.

This means you need to configure your proxy server to allow connections to that address or you need to exempt the MC from the proxy server.

Tom

dflores83 Mon, 01/05/2009 - 14:55

Hi Tom,

I was reading this topic, and I have a doubt: do you need to configure the CSA MC to go to db.local.clamav.net for the update? In that case, where can I do this?

tsteger1 Mon, 01/05/2009 - 22:37

Hi David, it is already configured to go there for updates. Your MC just needs to be able to reach it via HTTP.

Sam's MC was not able to reach it because of a proxy server issue.

Hopefully he will post back when he solves the problem.

Tom

sampathsundararajan Tue, 01/06/2009 - 07:24

Hey Tom,

I did not have any issue as such with the proxy. There was a query for me, whether it can go thru the proxy. Now we are not going through the proxy. It's direct connection.

Thanks for your suggestion.

Sam

tsteger1 Tue, 01/06/2009 - 21:45

If I'm not mistaken, the proxy was the issue.

No one was there to click 'yes' when it tried to get updates and when you took the proxy out of the mix it worked, correct?
