We have been using Bigfix Antivirus for some time now with several exclusions entered locally via the Realtime Monitor Options with some success. However, we were trying to use the Policy Wizard to apply a more global policy for AV. In doing so, the Policy appears to have disabled the OK button of the Realtime Monitor Options and I cannot find a way to turn it back on. As a result I can no longer save local realtime option changes. I have deleted the policy tasks/fixlets, uninstalled the AV and then reinstalled, cleared the Program Files folders, and cleared some registry entries, all to no avail. The effect is that once you apply a global policy you cannot go back and do a local policy. It would be nice to apply global policies that are truly global and still be able to apply local changes in addition. I was able to create a new policy to overwrite the test policy regarding 2 process exclusions and 1 directory exclusion, but they do not seem to function as well as the same exclusions when done locally.
It's not really functional the way it is now. I tried Tech support but they referred me here. Any thoughts or ideas would be appreciated.
We refer to the local realtime monitor settings as ‘Client Controls’. Within the BigFix AntiVirus site there are tasks that allow you to modify the local realtime settings:
29 BigFix AntiVirus - Enable Client Controls
36 BigFix AntiVirus - Disable Client Controls
The two tasks are complements of each other and you can use the first or third actions of each to modify the client controls - to enable/disable local realtime monitor settings.
By default, using the deploy task to install BigFix AV, the client controls are disabled. That is why re-installing AV would not affect this behavior.
As for creating global realtime scan policies via the AV policy wizard, the resulting fixlets generated should not have any effect on the enabling/disabling of the client controls. If you look at any of the actions of the policies created, there should not be any setting of “RPCThreadContext”. If you do notice such behavior, please copy an example action script from the policy created from the wizard. We can try to examine it.
Additionally, make sure there is not a policy action created for task 36: Disable client controls, that might be disabling the local realtime settings automatically.
… I was able to create a new policy to overwrite the test policy regarding 2 process exclusions and 1 directory exclusion, but they do not seem to function as well as the same exclusions when done locally. …
Additionally, can you please elaborate on the difference in behavior between global and local exclusions? Specifically, in what quantitative way does the local exclusion function better?
The realtime settings created by the AV policy wizard should mirror the local settings on the client. If you notice inconsistencies, we would like to investigate and fix any issues.
Thanks everyone, that worked great! I was just looking in the wrong places, I guess.
I am still trying to understand what is happening with the policy issue. I will hopefully let you know more before too long.
Is there a Best Practice document for how to handle infections for both Bigfix AV and AP products? I have had quite a time finding all of the detailed log information, like ongoing log files with infected file/path machine names, virus names, and complete remediation results in a historical log file. I think I have found ways now with AV, but it would be nice if it was spelled out and maybe easier. And so far not much for the AP stuff. After that 98kill.exe issue it would be nice to have all that info for AP as well.
And is it possible to do a boot sector scan with the memory and file scans? When I turn boot sector on, it turns off the other two.
I am still trying to get through the eTrust AV admin manual.