Using WMI to diagnose UAG Endpoint Detection

Sometimes, UAG refuses to admit a client machine, saying that the endpoint doesn’t meet the access policy set for the trunk (or for an application). If the trunk/application policy does indeed enforce certain compliance, and other computers seem to work just fine, then this detection problem may stem from a local problem on the affected client.

The first step in troubleshooting this situation is checking which part of the security check fails. The check depends on the requirements set in the policy, of course, and the failure could be that a certain product is missing (as in, hasn't been installed), that it's simply not running, or that it hasn't been updated recently. To check this, use UAG's web monitor, and find the user's session in the Session Monitor/Active Sessions. For example, to observe the details for the user Marc, click on session no. 1, as shown below:

[Screenshot: Web Monitor Active Sessions list, session no. 1 selected]

On the session window, switch to the Parameters tab, which shows the information detected by the endpoint detection components. In the resulting table, you can see info about the three security product categories: AV (Anti Virus), AS (Anti Spyware) and PFW (Personal Firewall). For example, in the two screenshots below, you can see that the computer is running an AVAST Anti Virus and an eTrust Personal Firewall:

[Screenshots: Parameters tab showing the detected AV and PFW products]

When looking at the detection results, don't forget to confirm that all parameters are satisfied. For example, an AV product has to have the parameters Installed, Running and UpToDate all set to TRUE for the client to pass the check; it is enough that one of them is False to fail the detection. If the check shows the required products, and the appropriate parameters are detected and set correctly, then the problem is probably with the policy itself. For example, perhaps the version check in the policy is failing, or the Boolean logic in the policy isn't set correctly (this is not unusual for custom policies, where the administrator has to build the policy string out of many conditions and nested parentheses).

If the detection shows the expected product or one of its parameters as False, even though the computer has it installed, then one possibility is that the product version is different from the one that's supported. Makers of security software, just like any software house, come up with new versions and features regularly, and a minor change to the design of the software may make it undetectable to UAG's endpoint detection mechanism. One way around this is to use the Any WMI option. With this, instead of trying to detect the products directly, UAG queries WMI (Windows Management Instrumentation) to see which products are there. Starting from Windows XP SP2, the operating system includes a security center (also known as Action Center in Windows 7 and later), which tracks the status of security products to keep the system safer, and UAG can query it to see what's available. This is good, because security software manufacturers want their products to be compatible with Windows, and UAG can rely on that rather than require an update to UAG any time some new AV version or product comes out. To configure a policy to rely on WMI for the detection, simply enable it in the policy:

[Screenshot: the Any WMI option enabled in the policy]

Sometimes, even the WMI based detection might appear to not work, which would show a False in the Any WMI parameters:

[Screenshot: Parameters tab with the Any WMI parameters showing False]

This could happen if the security software is old and not compliant with the way the WMI Security Center works. This should be pretty rare, as security products have supported it for nearly a decade. Another option is that the security center itself is not working correctly. For example, the service might be having a problem or be turned off:

[Screenshot: the Security Center service stopped in the Services console]

In such a situation, perhaps starting the service is all it would take to get you going. However, if the service appears to be started but still isn't working right, you can try to query it directly with a script. For example, here's a script that queries the security center for the various products; save it as a .vbs file and run it with cscript so the output goes to the console. Note that it scans both "SecurityCenter" and "SecurityCenter2". The former was part of the older operating systems (XP and Vista), while the latter is part of Windows 7. If the script returns errors instead of lists of products, then something is wrong with WMI, and it might require some deeper client-specific troubleshooting.

' Lists the security products registered with the Windows Security Center,
' which is what UAG's Any WMI detection relies on.
' Run with: cscript SecurityCenterProducts.vbs
' A runtime error on GetObject or ExecQuery means the namespace is missing
' or WMI / Security Center itself is not working on this client.
Option Explicit

Dim oWMI, colAntiVirus, AScolItems, colFirewall
Dim objAntiVirus, objAntiSW, objFirewall
Dim CountAV, CountASW, CountFw
CountAV = 0 : CountASW = 0 : CountFw = 0

' --- root\SecurityCenter: Windows XP SP2 / Vista ---
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter")

Set colAntiVirus = oWMI.ExecQuery("Select * from AntiVirusProduct")
If colAntiVirus.Count > 0 Then
    WScript.Echo "Security Center Anti Virus products:"
    For Each objAntiVirus In colAntiVirus
        CountAV = CountAV + 1
        WScript.Echo "AV" & CountAV & ") " & objAntiVirus.displayName & " Company: " & objAntiVirus.companyName
    Next
Else
    WScript.Echo "No AV products found in Security Center"
End If
WScript.Echo "----------------------------------------------"

Set AScolItems = oWMI.ExecQuery("Select * from AntiSpywareProduct")
If AScolItems.Count > 0 Then
    WScript.Echo "Security Center Anti Spyware products:"
    For Each objAntiSW In AScolItems
        CountASW = CountASW + 1
        WScript.Echo "AS" & CountASW & ") " & objAntiSW.displayName & " productState: " & objAntiSW.productState
    Next
Else
    WScript.Echo "No Anti Spyware products found in Security Center"
End If
WScript.Echo "----------------------------------------------"

Set colFirewall = oWMI.ExecQuery("Select * from FirewallProduct")
If colFirewall.Count > 0 Then
    WScript.Echo "Security Center Personal Firewall products:"
    For Each objFirewall In colFirewall
        CountFw = CountFw + 1
        WScript.Echo "FW" & CountFw & ") " & objFirewall.displayName
    Next
Else
    WScript.Echo "No Personal Firewall products found in Security Center"
End If
WScript.Echo "----------------------------------------------"

' --- root\SecurityCenter2: Windows 7 ---
' (the property set differs from the older namespace, so only displayName is printed)
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")

Set colAntiVirus = oWMI.ExecQuery("Select * from AntiVirusProduct")
If colAntiVirus.Count > 0 Then
    WScript.Echo "Security Center 2 Anti Virus products:"
    For Each objAntiVirus In colAntiVirus
        CountAV = CountAV + 1
        WScript.Echo "AV" & CountAV & ") " & objAntiVirus.displayName
    Next
Else
    WScript.Echo "No AV products found in Security Center 2"
End If
WScript.Echo "----------------------------------------------"

Set AScolItems = oWMI.ExecQuery("Select * from AntiSpywareProduct")
If AScolItems.Count > 0 Then
    WScript.Echo "Security Center 2 Anti Spyware products:"
    For Each objAntiSW In AScolItems
        CountASW = CountASW + 1
        WScript.Echo "AS" & CountASW & ") " & objAntiSW.displayName
    Next
Else
    WScript.Echo "No Anti Spyware products found in Security Center 2"
End If
WScript.Echo "----------------------------------------------"

Set colFirewall = oWMI.ExecQuery("Select * from FirewallProduct")
If colFirewall.Count > 0 Then
    WScript.Echo "Security Center 2 Personal Firewall products:"
    For Each objFirewall In colFirewall
        CountFw = CountFw + 1
        WScript.Echo "FW" & CountFw & ") " & objFirewall.displayName
    Next
Else
    WScript.Echo "No Personal Firewall products found in Security Center 2"
End If
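As an added example (not part of the original post), here is a PowerShell counterpart to the script above that also decodes productState from root\SecurityCenter2 into the Running and UpToDate values that the Installed/Running/UpToDate check on the Parameters tab depends on. The productState bit layout used here is the widely used community decoding rather than an officially documented format, and the function names are my own.

```powershell
# Added example, not from the original post. Decodes the Security Center 2
# productState value (community decoding, not officially documented).
function ConvertFrom-ProductState {
    param([uint32]$State)
    # Read the 24-bit value as three bytes: provider | enabled | signature status
    $hex      = '{0:x6}' -f $State
    $enabled  = $hex.Substring(2, 2)   # '10' or '11' = product switched on
    $sigState = $hex.Substring(4, 2)   # '00' = up to date, '10' = out of date
    [pscustomobject]@{
        Running  = ($enabled -eq '10' -or $enabled -eq '11')
        UpToDate = ($sigState -eq '00')
    }
}

function Get-SecurityCenterStatus {
    param([string]$Namespace = 'root\SecurityCenter2')
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        try {
            # Get-WmiObject is used because it exists on Windows 7's PowerShell 2.0
            $items = Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction Stop
        } catch {
            # This is the "script returns errors" case: WMI / Security Center is broken
            Write-Warning "$Namespace\$class : $($_.Exception.Message)"
            continue
        }
        foreach ($p in $items) {
            $decoded = ConvertFrom-ProductState -State $p.productState
            [pscustomobject]@{
                Class        = $class
                Product      = $p.displayName
                Installed    = $true            # registered in Security Center at all
                Running      = $decoded.Running
                UpToDate     = $decoded.UpToDate   # only meaningful for AV / AS
                # All three must be true for an AV product to pass the policy check
                PassesPolicy = ($decoded.Running -and $decoded.UpToDate)
            }
        }
    }
}

Get-SecurityCenterStatus | Format-Table -AutoSize
```

A product that is listed but shows Running or UpToDate as False here will fail the policy in exactly the same way the Parameters tab shows, which separates a Security Center problem from a policy-logic problem.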