I just started a new job and the company I work for wanted to implement the devices they purchased from Cisco for the "Self Defending Network". I have several years experience with Cisco gear and started with the CSA.
The problem I am having is that CSA 4.0.3 is using the trojan detection rules to stop the execution of Antivirus updates from Trend. I ran through the rules wizard to create an exception, but the CSA agent still prompts the user what they want to do. I don't want the user to be prompted when AV updates are installed, but I would like them to be prompted the rest of the time.
Do you have a service contract with Cisco? If so, please update to a later version of software and quit trying to make a 2-year-old version of software do what your bosses want. It's simply not worth the time and effort. I would also purchase the Cisco Press books by Chad Sullivan on the subject of CSA. They are money well spent.
Hope this helps.
I will check on the service contract with Cisco, I wasn't sure if a valid contract would allow for upgrades of CSA but if it does that would be a great help. Thanks for the reply.
Do you know if the two books by Chad Sullivan cover CSA MC 5.1?
I have now installed 5.1 and need a little help configuring the agents.
It looks like he used 4.5.x for his book "Advanced Host Intrusion Prevention with CSA" based on the images in Chapter 9 found here:
We have a similar environment, Trend 7.3 and CSA 4.0.3-737.
4.5x and up already have Trend filesets so Paul is correct in suggesting a newer version (we're going to v5, just not yet...).
To address your immediate need...
You need to create a Virus scanner executables (Trend Micro) file set and add it to the Virus Scanner application classes.
There should already be Norton and McAfee variables in there so pattern it after that.
You'll also want to allow:
**\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe to download and execute files.
You'll also need to create a NAC exception for the Trend server contacting the clients.
This should get you going.
Thanks for the reply. I will follow up with Cisco about getting a newer version.
Thanks for the information on what needs to be done for the "here and now". I did attempt to create the new application class for Trend, but what keeps biting me is that the user gets prompted to allow or terminate the action when upgrade.exe attempts to execute, and the default action is terminate. The rule that trips is the Trojan rule.
I'll poke around some more on this while I wait for Cisco.
Try adding C:\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe to the exceptions in the Trojan Detection rule of files that are allowed to download and invoke executables.
You should be able to modify the rule so the server admin gets no message.
Go into the CSA-MC, find the rule blocking the update, and modify the "Take the following action" from "Query user" to "Priority allow".
He is using 4.0.3 which does not have that ability in the Trojan Detection rule. It always queries the user.
To stop the queries you'd have to uncheck the box next to the behavior triggering the rule and that would allow all behavior of that type.
Hopefully before making changes to the original rules, you cloned them. I know many will agree that you will be better off cloning any group, policy and rule before making any changes to them.
Now you want to stop the prompt window for the AV detect/upgrade. Find the rule that is firing this and change the "Query User" to the "Deny" option. This will stop the message as well as deny this behavior. Also, make sure that this rule is still selected to "log" because you want to know if what you are going to do next will work. This may seem to impede what you want.
Go to the rule module that houses this rule. What you should do here is create a new rule. Write whatever you want in the description and set the "Take the following action" to "Allow." You'll want to log this to see if it is firing correctly. Select the application class you made for the AV .exe and select "$ALL files" for "on any of these files". Go ahead and save and generate.
What this should do is place the rule you create above the deny rule that was prompting your users for action. With that, it should allow due to priority. Keep in mind that if this does not work take a look at your application class to make sure it is setup correctly.
If this is redundant to what everyone else was saying, sorry!
After I opened the offending rule I do not have an option for "Query User" or "Deny". I believe this may be due to the version of CSA that is installed.
If not please let me know.
Tom had corrected the fact that the query option is not available for that type of rule. We are running 4.0 and 5.1 side by side, so I was mixing up systems.
I still do believe that creating the allow rule will assist in passing the traffic. It will sit in priority above the query user rule.
Also, within that "Trojan Detection" rule you can exclude the application class you created for Trend by selecting it within "Injecting code into other applications --- Select any application classes to be excluded:"
I hope this helps
It sounds like you may need to add a file monitor rule to your policy. Basically, the file monitor looks for programs that are calling other programs. Sometimes you MUST add the calling process in addition to the target process for the exception to work. Steps to do this:
1. Create new file monitor rule
2. Wait until rule fires and check process
3. Add process to Trojan detection rule
Please rate if this helps.
I was just informed by Cisco that I am eligible for an upgrade to 5.1, and the interface in 5.1 looks like it's much better than 4.0.3.
Thanks for everyone's help.
Good deal, glad to hear it. I'm testing 5.1 and it's a big improvement in a lot of areas.
I am waiting to see if they release 5.2 in February because it is supposed to have an upgrade path from 4.0.X where 5.1 does not.
If they don't then I'll upgrade to 5.1 in Feb or March.
I'm also aboard the 5.1 train. I've been extremely happy with the setup thus far. I'm piloting about 6-8 servers and several workstations right now. So far, things are going rather well. There are big improvements over 4.0 in many areas of 5.1. I hope you enjoy and have much success!
What does the log file look like, and the rule that is blocking it? Also, you may want to consider moving up to at least version 5.0018x