Cisco Support Community

New Member

CSA: how to detect Security level changes?

Hello!

Does anybody know how to detect security level changes made in the Agent UI by the end user? I need some kind of 'flag' which would indicate that the security level was changed from High to Medium manually.

All that I'm trying to do is add some kind of intelligence to CSA. When a roaming user is connected to a guest network, the security level must be automatically set to High. That was a pretty trivial task to do.

But the CSA Agent must allow the user to set a less restrictive setting (Medium or Low, let's say for 12 hours). And this part is a real catch. I didn't find any way to "explain" to CSA that the user has changed settings.

11 REPLIES
Blue

Re: CSA: how to detect Security level changes?

It depends on which version you are using. Version 5.2 lists what security level agents currently are and you can change them back manually from the MC.

You can also set up an alert to notify you when someone changes the security level with the UI.

Tom

Re: CSA: how to detect Security level changes?

Hi,

Can you tell me what's the method to create

1) Rule to make the security level to high by default

2) An alert for the security level change on the end user machines.

Blue

Re: CSA: how to detect Security level changes?

1. You would need to have the security level set by a triggering rule.

Use a system state that is sure to fire like "Ethernet Active" and create a set rule to change the security level to high.

2. Create an event set with the severity of "Notice" for the rule module with your agent service control rule.

Create an alert that sends an email when the event set gets a new event.

If you don't want users to change the security level, create an Agent Control rule that denies it.

Tom

Re: CSA: how to detect Security level changes?

Thank you Tom. Also, I would like to know where and how I can set the proxy on the CSA MC for the CLAM AV.

I could not find any setting on the CSA MC, so that CSA MC can download updates from CLAM AV website.

Blue

Re: CSA: how to detect Security level changes?

You are quite welcome.

You can either exempt the MC from the proxy server or allow http connections to db.local.clamav.net.

HTH, Tom

Re: CSA: how to detect Security level changes?

Hi Tom,

Is there any rule to do that, or where should we say on the MC that it has to go through the proxy server?

Sam

Blue

Re: CSA: how to detect Security level changes?

Hi Sam,

CSA is not blocking signature updates, your proxy server is. My MC is able to obtain signatures with no trouble.

From the online help:

In order for the CSA MC to obtain signature updates from ClamAV server (db.local.clamav.net) should be reachable over HTTP either directly or through proxy server.

This means you need to configure your proxy server to allow connections to that address or you need to exempt the MC from the proxy server.

Tom

New Member

Re: CSA: how to detect Security level changes?

Hi Tom,

I was reading this topic and I have a doubt: do you need to configure the CSA MC to go to db.local.clamav.net for the update, and in this case where can I do this?

Blue

Re: CSA: how to detect Security level changes?

Hi David, it is already configured to go there for updates. Your MC just needs to be able to reach it via HTTP.

Sam's MC was not able to reach it because of a proxy server issue.

Hopefully he will post back when he solves the problem.

Tom

Re: CSA: how to detect Security level changes?

Hey Tom,

I did not have any issue as such with the proxy. There was a query for me, whether it can go thru the proxy. Now we are not going through the proxy. It's direct connection.

Thanks for your suggestion.

Sam

Blue

Re: CSA: how to detect Security level changes?

If I'm not mistaken, the proxy was the issue.

No one was there to click 'yes' when it tried to get updates and when you took the proxy out of the mix it worked, correct?
