HoneyFarms (United States of America) asked:

AVG Updates on DMZ

[Screenshot: identified network objects inside updates group]

The environment: Retail locations (PCI-DSS applicable). Point of Sale registers running Windows XP OS segmented onto a DMZ. Each register runs a Kaseya agent with End Point Security (AVG antivirus). Each location has a SonicWall TZ 215 appliance.

I am having issues updating the AVG installs on the registers. My DMZ rules allow HTTP access to predesignated websites only (2 commerce processing sites and AVG). I quickly discovered the initial AVG update site was inadequate, so I created an AVGUpdateSites network address object and then grouped various update sites (other network address objects) that the log files were showing AVG was trying to access.

I'm up to 15 different update sites now and have some fourth level domain transport companies (e.g. akamaitechnologies.com, nlayer.net, etc.) that seem to change daily. I need to allow access for all of these AVG update sites and block everything else.

I'm looking for ideas of how to better skin this cat. Still haven't spoken to anyone at AVG who even knew they were using these dynamic sites. Attached is a pic of the sites I've currently identified. It shows a few different attempts at 3rd and 4th level domains - none work.

Tags: Anti-Virus Apps, Hardware Firewalls, Security

Last Comment: btan
8/22/2022 - Mon
Carl Dula

Take a look at these two links. They pertain to the free version, but may help.

http://free.avg.com/faq.num-2416#faq_2416

http://free.avg.com/faq.num-2419#faq_2419
HoneyFarms

ASKER
Thanks, but no. I guess I'm really looking for how I can allow for akamai's and nlayer's dynamic third and fourth level domain name changes. SonicWall doesn't support wildcards at that level - won't resolve.
Carl Dula

This link contains a list of what is supposed to be "all" the sites you need to permit a connection to. Have you permitted all of these?

http://free.avg.com/us-en/faq.num-2446#faq_2446
btan

Just to add on, it looks like different AVG versions (below are the commercial versions) may have different lists to be put into the exceptions for SonicWall to allow:

2013 - http://www.avg.com/ww-en/faq.num-5229
2011 - http://www.avg.com/ww-en/faq.num-3487
Aaron Tomosky

For the Akamai ones you have to do each level with a star:
*.akamai.com
*.something.akamai.com
*.5.something.akamai.com

The * will do anything except a subdomain.
HoneyFarms

ASKER
Thanks for the responses, but the objects have to be IP host addresses, IP range, IP network or a resolvable FQDN, which rules out the wildcards. When you ping the URLs listed on the referenced pages, you end up with a list of IP addresses that represent less than 30% of the total addresses and ranges I've discovered through firewall logs today. Every time I force an update to the AVG agents I get new sites being blocked. I account for those sites, update again, and get new blocks. There has to be an inclusive list somewhere.

Any other ideas?  Thanks!
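The loop described above (force an update, pull the blocked destinations out of the firewall log, add them, repeat) can be turned into a repeatable audit of the allow list. The following is an added example and is not code from this thread, from SonicWall or from AVG. It parses constructed SonicWall-style key=value syslog lines, resolves the allow-list FQDNs through a pluggable resolver (a fixed table here so the demo runs offline; the system resolver via socket.getaddrinfo for real use), and reports which dropped destinations none of the listed FQDNs currently resolves to, grouped by /24 and by reverse-DNS domain so that candidate network objects and CDN domains stand out. The host names, serial-free log fields and addresses (RFC 5737 ranges) are all made up for the demo.

```python
"""Audit an egress allow list against firewall drop logs (added example)."""
import ipaddress
import re
import socket
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional, Set

# Constructed sample lines in the key=value style SonicOS sends to syslog.
# Only msg=, src= and dst= are used; addresses are documentation ranges.
SAMPLE_LOG = """\
id=firewall time="2013-05-01 10:02:11" pri=5 msg="TCP connection dropped" src=10.10.20.5:49152:X0 dst=198.51.100.7:80:X1 proto=tcp/http
id=firewall time="2013-05-01 10:02:12" pri=5 msg="TCP connection dropped" src=10.10.20.5:49153:X0 dst=198.51.100.9:80:X1 proto=tcp/http
id=firewall time="2013-05-01 10:02:13" pri=5 msg="TCP connection dropped" src=10.10.20.6:49201:X0 dst=192.0.2.44:80:X1 proto=tcp/http
id=firewall time="2013-05-01 10:02:14" pri=6 msg="Connection Opened" src=10.10.20.6:49202:X0 dst=198.51.100.7:80:X1 proto=tcp/http
id=firewall time="2013-05-01 10:02:15" pri=5 msg="TCP connection dropped" src=10.10.20.7:49300:X0 dst=192.0.2.44:443:X1 proto=tcp/https
"""

# Hypothetical allow-list FQDNs; substitute the vendor's published update hosts.
ALLOWLIST_FQDNS = ["update.av-vendor.example", "backup.av-vendor.example"]

MSG_RE = re.compile(r'msg="([^"]*)"')
DST_RE = re.compile(r'\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)')

Resolver = Callable[[str], Set[str]]
ReverseResolver = Callable[[str], Optional[str]]


def parse_dropped_destinations(log_text: str) -> Counter:
    """Count destination IPs on lines whose msg text says the connection was dropped."""
    dropped: Counter = Counter()
    for line in log_text.splitlines():
        msg, dst = MSG_RE.search(line), DST_RE.search(line)
        if msg and dst and "dropped" in msg.group(1).lower():
            dropped[dst.group(1)] += 1
    return dropped


def live_resolver(fqdn: str) -> Set[str]:
    """Forward-resolve with the system resolver (real use, not the offline demo)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup with the system resolver (real use, not the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Resolver backed by a fixed table so the audit can run offline and in tests."""
    return lambda fqdn: set(table.get(fqdn, set()))


def table_reverse(table: Dict[str, str]) -> ReverseResolver:
    return lambda ip: table.get(ip)


def registered_domain(hostname: str) -> str:
    """Last two labels of a PTR name, e.g. 'a1.deploy.cdn.example' -> 'cdn.example'."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def audit(log_text: str, fqdns: List[str], resolve: Resolver,
          reverse: ReverseResolver) -> dict:
    """Compare dropped destinations with the IPs the allow-list FQDNs resolve to."""
    dropped = parse_dropped_destinations(log_text)
    allowed_ips: Set[str] = set()
    for fqdn in fqdns:
        allowed_ips |= resolve(fqdn)
    # 'covered' means a listed FQDN resolves to the IP now; if it was still dropped,
    # the firewall's own resolution of that FQDN was stale or different from ours.
    covered = {ip for ip in dropped if ip in allowed_ips}
    uncovered = {ip for ip in dropped if ip not in allowed_ips}
    by_net: Dict[str, List[str]] = defaultdict(list)
    by_ptr_domain: Dict[str, List[str]] = defaultdict(list)
    for ip in sorted(uncovered, key=ipaddress.IPv4Address):
        by_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))].append(ip)
        ptr = reverse(ip)
        by_ptr_domain[registered_domain(ptr) if ptr else "(no PTR)"].append(ip)
    total = sum(dropped.values())
    covered_hits = sum(dropped[ip] for ip in covered)
    return {
        "dropped": dict(dropped),
        "covered": covered,
        "uncovered": uncovered,
        "coverage": covered_hits / total if total else 1.0,
        "by_net": dict(by_net),
        "by_ptr_domain": dict(by_ptr_domain),
    }


# Constructed DNS answers for the offline demo.
DEMO_FORWARD = {"update.av-vendor.example": {"198.51.100.7"},
                "backup.av-vendor.example": {"198.51.100.8"}}
DEMO_REVERSE = {"198.51.100.9": "a198-51-100-9.deploy.cdn-provider.example"}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ALLOWLIST_FQDNS,
                   table_resolver(DEMO_FORWARD), table_reverse(DEMO_REVERSE))
    print(f"allow-list coverage of dropped connections: {report['coverage']:.0%}")
    for net, ips in report["by_net"].items():
        print(f"candidate network object {net}: {', '.join(ips)}")
    for dom, ips in report["by_ptr_domain"].items():
        print(f"reverse-DNS domain {dom}: {', '.join(ips)}")
```

Run against a real export by replacing the table resolvers with `live_resolver` and `live_reverse` and feeding the firewall's syslog text in place of `SAMPLE_LOG`. The /24 grouping is only a hint for where an IP-network object might replace a pile of host objects; confirm the block actually belongs to the CDN (the reverse-DNS domain column and a whois check) before widening the rule, since an over-broad network object on a PCI DMZ defeats the point of the allow list.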
btan

See this https://www.experts-exchange.com/questions/23957383/Website-addresses-of-AVG-update-servers.html

Just curious, as I saw a SonicWall config guide on address objects accepting wildcards; maybe I am missing something.

http://help.sonicwall.com/help/sw/eng/6800/25/8/1/Network_netObjView.html

...If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field.

...FQDN Address Objects support wildcard entries, such as "*.somedomainname.com", by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall.
HoneyFarms

ASKER
Yeah, I thought the same thing. I opened a ticket with SonicWall and they confirmed that wildcards used in network address objects won't resolve. For poops and giggles I added it back to a store and forced an update. Attached is a pic from the log showing it won't resolve. Wish I could. I already added the referenced sites to the matrix and still got the same results.

[Attachment: fqdn.jpg]
btan

Looks like if the firewall cannot perform the DNS lookup, the IP cannot be resolved. Suspecting that browsing to that dynamic DNS site is not possible at all as well... most AV uses such so that the update server is always available. Minimally, nslookup or dig should return the IP address, though it changes subsequently... try robtex or Domain Dossier on the host to see the possible IP addresses.

Sigh - http://serverfault.com/questions/376794/i-need-to-create-a-special-rule-on-my-firewall-with-all-the-ip-addresses-from-fa

I did see some innovative ways, but it's tough:
http://michigantelephone.wordpress.com/2011/06/28/using-dyndns-to-solve-the-problem-of-keeping-a-firewall-open-to-remote-users-at-changeable-ip-addresses/
Aaron Tomosky

I personally use * in FQDN fields and it works just fine. However, I do have DNS set up so it can resolve them.
ASKER CERTIFIED SOLUTION
btan