CSA 4.0.3 Blocking Trend AV from updating

kcherry
Level 1

I just started a new job and the company I work for wanted to implement the devices they purchased from Cisco for the "Self Defending Network". I have several years experience with Cisco gear and started with the CSA.

The problem I am having is that CSA 4.0.3 is using the trojan detection rules to stop the execution of Antivirus updates from Trend. I ran through the rules wizard to create an exception, but the CSA agent still prompts the user what they want to do. I don't want the user to be prompted when AV updates are installed, but I would like them to be prompted the rest of the time.

Any ideas?

Thanks

18 Replies

pmccubbin
Level 5

Do you have a service contract with Cisco? If so, please update to a later version of software and quit trying to make a 2 year-old version of software do what your bosses want. It's simply just not worth the time and effort. I would also purchase the Cisco Press books by Chad Sulivan on the subject of CSA. They are money well spent.

Hope this helps.

I will check on the service contract with Cisco, I wasn't sure if a valid contract would allow for upgrades of CSA but if it does that would be a great help. Thanks for the reply.

Do you know if the two books by Chad Sulivan cover CSA MC 5.1?

I have now installed 5.1 and need a little help configuring the agents.

Thanks

Kevin

It looks like he used 4.5.X for his book "Advance Host Intrusion Prevention with CSA" based on the images in Chapter 9 found here:

http://searchsecurity.techtarget.com/searchSecurity/downloads/1587052520content9.pdf

Tom

tsteger1
Level 8

We have a similar environment, Trend 7.3 and CSA 4.0.3-737.

4.5x and up already have Trend filesets so Paul is correct in suggesting a newer version (we're going to v5, just not yet...).

To address your immediate need...

You need to create a Virus scanner executables (Trend Micro) file set and add it to the Virus Scanner app classes.

There should already be Norton and McAfee variables in there so pattern it after that.

You'll also want to allow:

**\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe to download and execute files.

You'll also need to create a NAC exception for the Trend server contacting the clients.

This should get you going.

Tom

Thanks for the reply I will follow up with Cisco about getting a newer version.

Thanks for the information on what needs to be done for the "here and now". I did attempt to create the new APP class for Trend, but what keeps biting me is that the user gets prompted to allow or terminate the action when upgrade attempts to execute, and the default action is terminate. The rule that trips is the Trojan rule.

I'll poke around some more on this while I wait for Cisco.

Thanks

Kevin

Try adding C:\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe to the exceptions in the Trojan Detection rule of files that are allowed to download and invoke executables.

Tom

TradeSecrets
Level 1

You should be able to modify the rule so the server admin gets no message.

Go into the CSA-MC and find the rule blocking the update and modify the "Take the following action" from "Query user" to "Priority allow".

He is using 4.0.3 which does not have that ability in the Trojan Detection rule. It always queries the user.

To stop the queries you'd have to uncheck the box next to the behavior triggering the rule and that would allow all behavior of that type.

Tom

chickman
Level 1

KCherry,

Hopefully before making changes to the original rules, you cloned them. I know many will agree that you will be better off cloning any group, policy and rule before making any changes to them.

Now you want to stop the prompt window for the AV detect/upgrade. Find the rule that is firing this and change the "Query User" to the "Deny" option. This will stop the message as well as deny this behavior. Also, make sure that this rule is still selected to "log" because you want to know if what you are going to do next will work. This may seem to impede what you want.

Go to the rule module that houses this rule. What you should do here is create a new rule. Write whatever you want in the description and set the "Take the following action" to "Allow." You'll want to log this to see if it is firing correctly. Select the application class you made for the AV.exe and select "$ALL files" for the "on any of these files". Go ahead and save and generate.

What this should do is place the rule you create above the deny rule that was prompting your users for action. With that, it should allow due to priority. Keep in mind that if this does not work take a look at your application class to make sure it is setup correctly.

If this is redundant to what everyone else was saying, sorry!

Thanks for the information. I'll try what you recommended today or this week and let you know what happens.

Thanks

Kevin

After I opened the offending rule I do not have an option for "Query User" or "Deny". I believe this may be due to the version of CSA that is installed.

If not please let me know.

Thanks

Kevin

KCherry,

Tom had corrected the fact that the query option is not available for that type of rule. We are running 4.0 and 5.1 side by side, so I was mixing up systems.

I still do believe that creating the allow rule will assist in passing the traffic. It will sit in priority above the query user rule.

Also, within that "Trojan Detection" rule you can exclude the application class you created for Trend by selecting it within the "Injecting code into other applications --- Select any application classes to be excluded:" option.

I hope this helps
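Added illustration, not Cisco's code or anything posted in this thread: a toy rule resolver that shows why an Allow rule scoped to the Trend application class takes effect ahead of the Trojan Detection query rule, as the replies above describe. The action precedence order, class names, behaviour names and paths are assumptions made for the example.

```python
# Added illustration (not Cisco's code): a toy model of how CSA resolves
# overlapping rules by action precedence. Rule set, paths and class names
# are constructed for this example.
import fnmatch

# Assumed CSA action precedence, highest first (labelled as an assumption).
PRECEDENCE = ["priority_allow", "allow", "query_user_default_terminate",
              "query_user_default_allow", "deny"]

# Application classes map a class name to executable path patterns.
APP_CLASSES = {
    "Trend Micro AV": [r"*\Trend Micro\OfficeScan Client\Temp\upgrade.exe"],
    "All Applications": ["*"],
}

def in_class(process, class_name):
    """True if the process path matches any pattern of the application class."""
    return any(fnmatch.fnmatchcase(process.lower(), p.lower())
               for p in APP_CLASSES[class_name])

def resolve(rules, process, behaviour):
    """Return the winning action for (process, behaviour).

    Every rule whose application class and behaviour match is a candidate;
    the candidate with the highest-precedence action wins regardless of the
    order in which the rules were written.
    """
    matches = [r for r in rules
               if r["behaviour"] == behaviour and in_class(process, r["app_class"])]
    if not matches:
        return "default_allow"
    return min((r["action"] for r in matches), key=PRECEDENCE.index)

# Constructed rule set: the shipped Trojan Detection rule queries the user
# (default terminate); the admin-added Allow rule is scoped to the AV class.
RULES = [
    {"name": "Trojan Detection", "app_class": "All Applications",
     "behaviour": "download_and_invoke", "action": "query_user_default_terminate"},
    {"name": "Allow Trend updater", "app_class": "Trend Micro AV",
     "behaviour": "download_and_invoke", "action": "allow"},
]

if __name__ == "__main__":
    updater = r"C:\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe"
    other = r"C:\Users\kevin\Downloads\setup.exe"
    print(resolve(RULES, updater, "download_and_invoke"))  # allow
    print(resolve(RULES, other, "download_and_invoke"))    # query_user_default_terminate
```

Only the updater path is silenced; every other process still hits the query rule, which is the behaviour the original poster asked for.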

It sounds like you may need to add a file monitor rule to your policy. Basically, the file monitor looks for programs that are calling other programs. Sometimes you MUST add the calling process in addition to the target process for the exception to work. Steps to do this:

1. Create new file monitor rule

2. Wait until rule fires and check process

3. Add process to Trojan detection rule

Pls rate if this helps..

Cheers,

Jay
