Contributor
NatashaW
Posts: 40
Registered: ‎06-13-2012
0

Question about AV and ESAP

Hi Guys,

I'm hoping someone can explain the difference/mechanism surrounding the Juniper download for AV from download.juniper.net and the ESAP update we do every month or so. My understanding was that the ESAP was cumulative and once applied to the device, it will be the list the host checker refers to. The ESAP is then updated by the hourly downloads from download.juniper.net under the AV monitoring section.

However, I have just noticed that my pre-prod Juniper has had 'SSL failed-unable to download from download.juniper.net' for the past 3 months, but this has not affected any clients who are connecting to the pre-prod box... Any ideas as to how the two talk to each other, if in fact they do at all?

Thanks

Natasha

Contributor
braker
Posts: 63
Registered: ‎03-07-2013
0

Re: Question about AV and ESAP

ESAP provides the functionality to assess the client system, including detecting the presence and status of anti-virus software.

The epupdate.xml file is a list of the virus definition versions and release dates for the various AV products. It is used by Host Checker to determine if a client's definitions are up-to-date.

Moderator
zanyterp
Posts: 2,274
Registered: ‎11-19-2007
0

Re: Question about AV and ESAP

ESAP: the plugin component to check the endpoint integrity. This utilizes the OPSWAT library.

download.juniper.net: the list of definitions for the virus signatures

Contributor
NatashaW
Posts: 40
Registered: ‎06-13-2012
0

Re: Question about AV and ESAP

Thank you Braker and Zanyterp,

Another question then. If download.juniper.net keeps the virus definitions up to date, and it has not successfully connected for the last 3 months, then how are my users able to pass hostchecker and log in to the VPN to work as normal? Is the error from my virus definition update just a red herring?

Thanks

Natasha

Contributor
braker
Posts: 63
Registered: ‎03-07-2013
0

Re: Question about AV and ESAP

The epupdate file only comes into play if you have virus signature monitoring enabled. It is possible to have Host Checker validate the presence of anti-virus software but not validate the version of virus definition running on that software.

If you do have version monitoring enabled but your epupdate file is not updating, my understanding is that virus definitions newer than those listed in the last successful download of epupdate (by date or version number, depending on your settings) will qualify.

Contributor
braker
Posts: 63
Registered: ‎03-07-2013
0

Re: Question about AV and ESAP

More correctly said, the setting "Check for the Virus Definition files" determines if the client's virus definitions are evaluated against those listed in the epupdate file. Again, anything newer than what is listed in epupdate automatically qualifies.

Moderator
zanyterp
Posts: 2,274
Registered: ‎11-19-2007
0

Re: Question about AV and ESAP

What braker said.
It is not required to use the AV definition files; there are plenty of sites that do not. Not downloading the file is not a red herring as a problem by itself as it should download; but it is a red herring for concern associated with the context of this discussion on what the definition files do and ESAP.