Author Topic: Juniper SA2500 doesnt recognize newest Avast software  (Read 33280 times)


wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #15 on: November 17, 2011, 12:07:46 AM »
thnx for the headsup

i can obtain the package if needed

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #16 on: November 21, 2011, 04:23:45 PM »
Hi wpn,

The problem is indeed caused by the fact that the Juniper Host Checker doesn't know about the Avast client.

We're in the process of talking to Juniper (or, more specifically, another company that's building this for Juniper), aiming to solve the problem on their end.

BTW a similar thing will happen with Cisco NAC, for example.


Thanks for bringing up this important topic though.

Vlk
If at first you don't succeed, then skydiving's not for you.

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #17 on: November 22, 2011, 12:42:55 AM »
no problem :)
thnx for the support

Hope to get it solved faster than the projected end of December though. At this moment my clients can't make a VPN connection, which they need for their updates and policies and quality management control.

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #18 on: December 06, 2011, 12:26:42 AM »
to update

Been busy with Juniper Support for a couple of days now. Today even had a conference call for about an hour with them (luckily they called me ;)).

OPSWAT is a third-party tool that Juniper is using for their so-called HOST CHECKER.
This host checker checks for different rules that I configure.
My rule is that there should be a valid AV product installed that is running realtime protection.
OPSWAT added support for detecting Avast Business Protection (Plus). KUDOS!
So far so good.

Now, what me and the engineer concluded out of our session today is the following:

The host checker (OPSWAT basically) DOES detect Avast is installed.
BUT
The host checker needs elevated rights to be able to detect if Avast has the realtime protection turned on.

- When I logged in as a regular user on the computer, host checker FAILED the check (and thus not giving the option to make VPN connection)
- When I logged in as a domain administrator (which is part of the local administrators group), host checker FAILED the check (and thus not giving the option to make VPN connection)
- When I logged in as the local administrator of the machine, host checker PASSED the check and showed the option to make VPN connection.
- When I disabled UAC and logged in as a domain administrator, host checker PASSED the check and showed the option to make VPN connection.
- When I disabled UAC and logged in as a regular user, host checker FAILED the check (and thus not giving the option to make VPN connection)

The Juniper engineer is in contact with Avast about this and I'm in the middle of all this of course.
Either OPSWAT has to change how the host checker checks, or Avast has to change the admin rights to check for realtime protection being turned on or not. Right now the shot is at the last option.

So far the update.

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #19 on: December 12, 2011, 12:48:06 AM »
UPDATE

Avast is correctly being detected by the OPSWAT tool, so the ticket for adding it is closed.
The engineer from Juniper opened another ticket though, to get the tool to detect Avast properly now. :)

Explanation:
The host checker tool requires admin rights to detect the real-time protection status from Avast Business Protection.
Not only that, but it only works out of the box with a local administrator account when UAC is turned on.
When UAC is turned on and you use a domain admin account which is a member of the local admin group on the machine, then the detection still fails.
When UAC is turned completely off, using that domain admin account with local admin rights, it is possible to detect the real-time protection status.

Now this is never going to happen in a business environment:
1) Turning off UAC
2) Giving normal users local admin rights
3) Points 1 and 2 together.....

Therefore the engineer opened another ticket for this issue. And now it is waiting for the solution for this new ticket.

studio_two

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #20 on: December 12, 2011, 10:33:21 AM »
Now this is never going to happen in a business environment:
1) Turning off UAC
2) Giving normal users local admin rights
3) Points 1 and 2 together.....

It's amazing how many business packages require this (yet they state that they "work" with Windows 7). "Sage Construct" would be one that immediately comes to mind.

I'm interested to know why Juniper can't check with Windows Security Center to see if AV software is installed and up to date.

Stephen

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #21 on: December 12, 2011, 04:15:48 PM »
Juniper uses third-party software for this and acquires it from OPSWAT. Why OPSWAT requires this for detection I do not know, maybe Lukas can explain this?


And yes, I know a lot of software still requires these privileges, but wherever I can I will kick out that kind of crap :)
(Unfortunately our payroll software runs on Windows 7, but it's completely not ready for it. It requires regular users to have write access in c:\program files\ to make updates to settings on the station, without the update the program doesn't run blablabla... so I'm not happy with that at all and I'm looking into the hosted package for that particular software to replace it asap :))


So actually, yes it is happening and yes I have 1 program (luckily) that does that too....
But this is because the program had a last major update before Win7 was released and we were already running it.
Now there is a possibility to run it "in the cloud" which does not have my preference, but the crap the program needs (I'm 1 hour actively busy installing it and configuring it on 1 desktop) to get it working enlightens me to make an exception for this program. (It also takes a database load off my DB server ;))
« Last Edit: December 12, 2011, 06:35:40 PM by wpn »

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #22 on: February 02, 2012, 08:41:50 PM »
At this time I'm still in support.

This week I received an update from Juniper, which in turn has been in contact with OPSWAT (the developer of the host checker).

This is (edited) what came out:

With the current implementation with OPSWAT, the check whether RTP is enabled is through Security Center, and Security Center requires admin access for any data inquiries. OPSWAT were checking some other way to achieve this (get the RTP status), however came to know that this is working as per the design and there is no other way to query "CheckRTP" for Avast! Business Protection apart from using Security Center.

So this is a limitation with OPSWAT. They will check for RTP status through Security Center.


Then I asked if there has been contact between Avast and OPSWAT or Juniper.
The answer to that was that OPSWAT made an enhancement (?) request to Avast about this, and basically based on the history they don't expect an update soon...


The only temporary solution for me right now is to disable the client AV RTP check on my security device and allow people without the RTP status to enter my network. Which I find a huge security risk, but it's the only way at this moment to get those users the really badly needed VPN connection.
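
The thread turns on whether Security Center's real-time protection status can be read without elevation. The script below is an added example (not from any poster, Juniper, OPSWAT or Avast) that queries the `root/SecurityCenter2` WMI namespace on a Windows client and reports the token's elevation next to the result, so the outcome can be compared across the account types tested earlier in the thread. The `productState` bit layout is the commonly published community interpretation rather than Microsoft documentation, and the helper name `ConvertFrom-ProductState` is hypothetical.

```powershell
# Added example. Run once as a standard user and once elevated, then compare.
# Applies to Windows client editions, where the root/SecurityCenter2 namespace exists.

# Under UAC, a member of the local Administrators group holds a filtered token
# unless the process was started elevated, so IsInRole() returns $false for it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

function ConvertFrom-ProductState {   # hypothetical helper name
    param([uint32]$State)
    # Assumption: community-published bit layout, not Microsoft documentation.
    $rtp = switch ($State -band 0xF000) {
        0x0000  { 'Off' }
        0x1000  { 'On' }
        0x2000  { 'Snoozed' }
        0x3000  { 'Expired' }
        default { 'Unknown' }
    }
    $sig = if (($State -band 0x00F0) -eq 0) { 'UpToDate' } else { 'OutOfDate' }
    [pscustomobject]@{ RealTimeProtection = $rtp; Signatures = $sig }
}

try {
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                  -ClassName AntiVirusProduct -ErrorAction Stop)
} catch {
    # An access-denied or missing-namespace error lands here; record it with the token state.
    Write-Warning "Query failed (user=$($identity.Name), elevated=$elevated): $($_.Exception.Message)"
    $products = @()
}

foreach ($p in $products) {
    $decoded = ConvertFrom-ProductState -State $p.productState
    [pscustomobject]@{
        User               = $identity.Name
        Elevated           = $elevated
        Product            = $p.displayName
        RawState           = '0x{0:X6}' -f $p.productState
        RealTimeProtection = $decoded.RealTimeProtection
        Signatures         = $decoded.Signatures
    }
}
```

Collecting this output per account type gives a record to attach to a vendor ticket, independent of what the host checker itself reports.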



wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #23 on: February 20, 2012, 08:18:50 PM »
@studio_two maybe a bit late but this is what OPSWAT says:

To read the real time protection from Security Center the user executing the check has to have administrative rights, which my users don't have and won't get.
So at this moment I have 2 evil choices:
1) gamble that administrative rights will work, and give my users a huge potential to install malicious shit or uninstall stuff and thus risk infection of my network since they hook up with VPN
2) disable the real time protection check on the SA2500 until this problem is fixed. Again risking massive infection when one of the devices is infected somehow. The devices that hook up with VPN are outside the office 100% of the time unless there is some sort of special maintenance that I need to do, so I do not control what is happening to the devices that much.

Tomorrow (20-02-2012) I will HAVE to start going for option 2 since option 1 is absolutely not going to happen, but the keys that would get refreshed by the VPN connection are going to expire and then I have to recall those devices again which means at least 1 day of not working for those users.

Right now (last week) I have given the contact details from an OPSWAT person that claimed Avast was not replying and stuff, and I'm waiting for VLK or Lukas to inform me with some sort of information about the situation to resolve it.
 

studio_two

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #24 on: March 14, 2012, 01:11:41 PM »
No, not too late. Thanks for the update.

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #25 on: March 20, 2012, 12:45:30 AM »
@avast team

I am waiting for answers here by mail since February??
I have sent the contact information in February, meanwhile Juniper asked me to temporarily close the case because it's stale without updates since they are also waiting for news from me from Avast.

Last week I asked one of the Avast team members to get me in contact again and haven't heard from it so far...


In the meantime I have a big security hole in my network now.
I have been forced to stop checking for AV products on my business laptops.
They are mainly outside the office so I have no insight on what exactly is attacking them, and since they need to make a VPN connection (which is possible only because I had to turn off the AV check) I'm opening my company network to potential infestation disaster....

VLK, I know that Avast became bronze partner with OPSWAT, but it's not enough like you said unfortunately.

Please give me an update here or in my mail.



@other evangelists: can someone report this to a mod so this can escalate into the Avast team again, thnx

Offline lukas.hasik

  • Moderator
  • Advanced Poster
  • *
  • Posts: 905
  • Product manager for Secure Internet in Avast One
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #26 on: March 21, 2012, 08:18:58 PM »
Hi wpn,
we are in direct contact with the Opswat guys. I'll let you know when the negotiations end.

best regards
Lukas.
Quality is also a feature.

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #27 on: March 24, 2012, 09:14:11 PM »
Sweet, thanks Lukas

Uxorious

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #28 on: March 31, 2012, 02:58:28 AM »
Not sure if you guys care, but ESET SmartSecurity 5.x has exactly the same problem.
So far, Juniper has been anything but helpful :-(

At any rate ... I managed to find a workaround with ESET - maybe it will work for Avast! as well.

Start Internet Explorer as administrator (Right-click, Run as administrator).
Navigate to your VPN login page and enter credentials.
Now HostChecker will succeed, and I will be logged in and have access to install NetworkConnect.
Install NetworkConnect.

Now on new VPN logins, I don't have to start anything as admin ... I can just click directly on the NetworkConnect icon, and it works!

wpn

  • Guest
Re: Juniper SA2500 doesnt recognize newest Avast software
« Reply #29 on: March 31, 2012, 09:22:47 PM »
@uxorious, interesting way to approach.
As said, I already changed the check to get things to work and unfortunately I have no time at this moment to test your workaround.

I hopefully receive some communication about this soon from VLK or Lukas.