Cisco Support Community

New Member

CSA 6.0 (Audit or Learn Modes turn off Clam AV)

Hi All:

I was told that when a host is in Audit or Learn Mode, ClamAV is turned off as well. I was also told that I could not have a 3rd-party AV product installed on the same host as CSA (Cisco would not support it). This seems to make Audit/Learn Mode useless, as I need virus protection - yet I need to tune the host. Are there any workarounds that I can use just so I can tune hosts using Audit/Learn Mode and sleep @ night knowing a virus won't kill the host? Any feedback is greatly appreciated.

3 REPLIES
Blue

Re: CSA 6.0 (Audit or Learn Modes turn off Clam AV)

Who told you that? CSA 6 has application classes built in for Trend, Norton and McAfee, so it stands to reason that those are supported.

Use Policy Audit or Rule Module Audit Mode to keep some rules in protect mode while testing others in audit\learn mode.

If you use group audit\learn mode then all rules will be in audit\learn mode.

All new hosts are in learn mode for 72 hours by default then switch to protect mode.

Tom

New Member

Re: CSA 6.0 (Audit or Learn Modes turn off Clam AV)

Thanks for the reply. Cisco TAC actually told me that. I even waited an extra day for them to consult some of the CSA developers about it. I was shocked to say the least.

Blue

Re: CSA 6.0 (Audit or Learn Modes turn off Clam AV)

That's very interesting since I have CSA 6 and Trend Micro Officescan 8 running on the same machine.

It also has this rule module applied:

Security - 3rd Party AV Event Detection [W, V6.0 r220] Module to forward 3rd Party Anti-Virus Events to MC.

I would say, based on these observations, that 3rd party AV is supported (for now).

You could still use policy or rule module audit mode for testing and leave the AV in protect mode.

Tom
