common AV setup issues/vulnerabilities

Are there any particular issues or weaknesses you find when auditing companies' anti-virus defence deployment/maintenance installed on servers/desktops etc.? Please give some background on common errors/misconfigurations/issues to look out for in a review.
pma111Asked:

Hello There (System Administrator) commented:
I would go for software dedicated to antivirus audit.
I am talking about Nessus, for example. It's suitable for many antivirus solutions.
https://www.tenable.com/blog/auditing-anti-virus-configurations-and-installations

Manual check: http://searchitchannel.techtarget.com/tip/Checklist-Five-steps-to-assessing-a-customers-antivirus-protection
pma111 (Author) commented:
Do you know what Nessus audit policies are based on? Is it publicly accessible documents, e.g. vendor-supplied checklists, or devised by the providers themselves? It seems a bit funny if only a company has access to the audit configuration best practices and not the customers of the product themselves.
btan (Exec Consultant) commented:
Some generic requirements expected for compliance.

Client
- software version and the status of the AV signatures (latest vs actual install)
- state of agent policy syncing and regular updates (latest vs actual reporting, offline vs online)
- pointing to the nearest or central AV server (locality based on geolocation)
- signs of failure or policy changes (any report or log on this when such attempts happen)
- scheduled scan status (any misses and whether they are reported or alerted)
- positive and negative reporting of machines (any reporting and escalation of alerts)

Central management console
- track which systems have AV installed, AV not updated, AV not installed successfully
- track which systems went missing (offline state reported, non-existent for a long period)
- reporting to administrators on the systems' scheduled job status, summary of stats (dashboard reporting)
- number of credentialed scans and non-credentialed scans conducted
- surface outliers regularly for review - those without AV installed at all
- user account review report (admin, operator, etc. - role based, not only one superadmin)
- maintain all log settings to send over to a syslog server or equivalent
- maintain records of updated signatures and versions (with internet connection or out-of-band manual download)

For Nessus, I would say its check is more on the client's state of health. Not NAC but AV state. For example, Nessus local checks can be used to determine if the system is running with the latest available updates, or if the solution is installed but disabled or not running. It is also able to check the presence of specific AV types using the plugins below.
#24232 BitDefender Check
#20284 Kaspersky Anti-Virus Check
#12107 McAfee Anti Virus Check
#21608 NOD32 Antivirus System Check
#12106 Norton Anti Virus Check
#12215 Sophos Anti Virus Check
#20283 Panda Antivirus Check
#21725 Symantec Anti Virus Corporate Edition Check
#16192 Trend Micro Anti Virus Check
#24344 Windows Live OneCare AntiVirus Check
#16193, which aggregates the results from the above plugin checks
https://www.tenable.com/blog/auditing-anti-virus-products-with-nessus
And also check if it is able to do a sort of threat hunting for affected machines (or non-compliant ones that have not been patched ..)
https://www.tenable.com/plugins/nessus/11329

Ultimately for compliance, I see the main checks as:
a) meeting the SLA, e.g. not older than 7 days for AV signatures
b) meeting the latest working version, e.g. the AV patch version & signature will be correlated with its availability or announcement from the AV vendor
c) meeting with the AV agent running live, e.g. not uninstalled, agent failure errors, etc.
d) meeting the inventory count of machines (server and client) against the AV agents deployed
e) visibility of shadow machines introduced, e.g. using agentless scanning to surface unknown machines discovered..
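As an added example (not code from any of the posts above), the compliance checks a) to e) applied to a constructed AV console export and a constructed asset inventory; the CSV column names, the 7-day signature SLA and the 30-day "gone missing" threshold are assumptions for the illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export from an AV management console (not real data).
CONSOLE_EXPORT = """hostname,agent_state,signature_date,last_seen
srv-db01,running,2023-03-01,2023-03-02
srv-web01,running,2023-02-18,2023-03-02
wks-0042,disabled,2023-03-01,2023-03-02
wks-0077,running,2023-01-20,2023-01-22
lab-test01,running,2023-03-02,2023-03-02
"""

# Constructed asset inventory (CMDB or agentless scan result). wks-0099 is the
# "shadow machine": known to the inventory but never seen by the AV console.
INVENTORY = ["srv-db01", "srv-web01", "wks-0042", "wks-0077", "wks-0099"]


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def audit_av_coverage(console_csv, inventory, today, sla_days=7, missing_days=30):
    """Return finding -> sorted hostnames for checks a) to e):
    stale_signature (a), agent_not_running (c), gone_missing (console list),
    not_in_inventory / no_agent (d and e: reconcile inventory against console)."""
    findings = {"stale_signature": [], "agent_not_running": [],
                "gone_missing": [], "not_in_inventory": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(console_csv)):
        host = row["hostname"]
        seen.add(host)
        if (today - _day(row["signature_date"])).days > sla_days:
            findings["stale_signature"].append(host)
        if row["agent_state"] != "running":
            findings["agent_not_running"].append(host)
        if (today - _day(row["last_seen"])).days > missing_days:
            findings["gone_missing"].append(host)
        if host not in inventory:          # console knows a machine the CMDB does not
            findings["not_in_inventory"].append(host)
    # Inventory machines with no AV agent reporting at all: the shadow machines.
    findings["no_agent"] = list(set(inventory) - seen)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample(today=date(2023, 3, 3)):
    return audit_av_coverage(CONSOLE_EXPORT, INVENTORY, today)


if __name__ == "__main__":
    for finding, hosts in run_sample().items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```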
