DJ Did you write a LUA expression? I am working on a deploy right now and ran into the same problem you did. The only thing is that my DAP expressions ARE only on vendor and last def update. AVG 9 just comes up in the debug log as generic WMI same with Microsofts new Security Essentials the products don't actually detect with the actual vendor values.

If we have to wait over 6 months between Secure Desktop releases DAP really isn't practical when our VPN users are home users.

At the moment I am giving the beta a try since I am not in production yet, however I agree with you that running BETA is a risk.

I have one LUA expression to check all AV and the AVG 9.0 is an additional endpoint attribute to check. Seems to be working for me...

Mind sharing your LUA script? LUA syntax is rather unususal to me, even after checking the guides.

assert(function()

     local block_connection = true

     local update_threshold = "604800"

     for k,v in pairs(endpoint.av) do

          if CheckAndMsg(EVAL(v.exists, "EQ", "true", "string"), nil, k.." is not enabled") then

               if CheckAndMsg((type(v.lastupdate) == "string" and

tonumber(v.lastupdate) ~= nil), nil, "No virus definition file information was received for "..k) then

                    if CheckAndMsg(EVAL(v.lastupdate, "LT", update_threshold, "integer"), nil,

                                   k.." is enabled.  The virus definition file was updated "..string.sub((tonumber(v.lastupdate)/86400), 1, 3).." days ago. Please update to current signatures.") then

                         block_connection = false

                    end

               end

          end

     end

     return block_connection

end)()

Is this close to what you are running? This was originally given to me by TAC, but I "tweaked" it a bit as the original wasn't working the way I wanted it to.

Hmm that is better than the ANY antivirus example they give in the manual however I really want to enforce a short list of vendors I trust. There are too many legitimate but ineffective antivirus packages out there.

At the moment I am using the ASDM gui and was limiting by Vendor, however the vendor value only exists if Cisco has updated their detection for the product.

I have noticed that the product / vendor name is returned by WMI in the debug log, maybe I can parse that....

P.S. Your example allows for virus definitions to be 7 days old!

Update: I did some testing on this script and it appears to be doing more than first meets the eye, .... still doesn't seem to work with microsoft security essentials.

Yes, 7 days reflects our current security policy as some machines go long periods of time before connecting to the Internet. Will probably drop this to 2...

Not surprised WRT the MS Security Essentials

Thanks for your script, I have modified it so that if the vendor returend is wmiAV (IE something new but registered in windows) I check the description for Vendor / product names. It isn't as secure but since Cisco does not have a rapid cycle to update Secure Desktop it will have to do.

7 days is way tool long for definitions to be out of date, do your av clients not update when off your network? Also if you are using Advanced Endpoint assessment and your primary av is supported then it will foce the update during the assesment.

dbgreekas : do you mind sharing your script now?  As has been commented before, waiting

for a full release of Cisco Secure Desktop in order to get an updated list of AV vendors is ridiculous.  Cisco, if

you're reading this, you really should get the list from an XML file that we can download from either Cisco or OESIS in order to keep ourselves

up to date with the latest vendor products.