CSA 6.0 (Audit or Learn Modes turn off Clam AV)

erik.edwards · ‎01-28-2009

Hi All:

I was told that when a host is in Audit or Learn Mode, ClamAV is turned off as well. I was also told that I could not have a 3rd-party AV product installed on the same host as CSA (Cisco would not support it). This seems to make Audit/Learn Mode useless, as I need virus protection - yet I need to tune the host. Are there any workarounds that I can use just so I can tune hosts using Audit/Learn Mode and sleep @ night knowing a virus won't kill the host? Any feedback is greatly appreciated.

tsteger1 · ‎01-28-2009

Who told you that? CSA 6 has application classes built in for Trend, Norton and McAfee so it stands to reason at those are supported.

Use Policy Audit or Rule Module Audit Mode to keep some rules in protect mode while testing others in audit\learn mode.

If you use group audit\learn mode then all rules will be in audit\learn mode.

All new hosts are in learn mode for 72 hours by default then switch to protect mode.

Tom

erik.edwards · ‎02-05-2009

Thanks for the reply. Cisco TAC actually told me that. I even waited an extra day for them to consult some of the CSA developers about it. I was shocked to say the least.

tsteger1 · ‎02-05-2009

That's very interesting since I have CSA 6 and Trend Micro Officescan 8 running on the same machine.

It also has this rule module applied:

Security - 3rd Party AV Event Detection [W, V6.0 r220] Module to forward 3rd Party Anti-Virus Events to MC.

I would say based these observations that 3rd party AV is supported (for now).

You could still use policy or rule module audit mode for testiing and leave the AV in protect mode.

Tom