Feature Request: Automatic containment of compromised machines

SOLVED
PhilipDAth
Kind of a big deal

Currently when running Systems Manager on a PC you can add a column to the dashboard to display whether the machine is compromised or not.  This is retrieved from the Windows Security Centre.  This can be updated by the built in Windows Defender, or about a million different antivirus vendors (maybe even Cisco AMP for Endpoints ....).

Compromised_column.png

Currently you can create a policy to make sure antivirus is running and that antimalware is installed - but not whether a machine is compromised.  Adding this "tick box" (for information already being collected) would allow a Meraki network to automatically respond to compromised machines using group policy (such as "chop the machine off", or perhaps limit it to only talk to an antivirus server for updates, or maybe only talk to a server that contains a "cleaning" system).

Policy.png

This one extra "tick box" would simplify the handling of compromised computers automatically using really powerful security technology that already exists, which would free companies to focus on their mission instead of compromised computers (there might be some plagiarism there).

1 ACCEPTED SOLUTION
Melissa
Meraki Alumni (Retired)

@PhilipDAth - also, if you set a Policy that scans for "Antivirus" and call it "Antivirus", you will see the option for "Antivirus Compliant" in your main clients page! (like below)

Screen Shot 2018-03-16 at 12.15.54 PM.png

This will also be a dynamic tag you can search by/reference in your Tags management page (if you have this turned on). (like this below)

Screen Shot 2018-03-16 at 12.16.48 PM.png

11 REPLIES
PhilipDAth
Kind of a big deal

In fact, a tick box for "Antivirus Compliant" would also be good!

Melissa
Meraki Alumni (Retired)

@PhilipDAth - thanks for posting this!! The "Compromised" check currently available in SM Policies scans for rooted or jailbroken mobile devices. That's what we mean by "Compromised" - it's specific to those device types.

What were you thinking "Compromised" would entail/mean for Windows devices?

I wonder if there is another way to do this.
PhilipDAth
Kind of a big deal

Thank you so much!  This is exactly what I want.

Do you know this does not appear in any Meraki documentation anywhere?

I am going to give this a test during the upcoming week.

Melissa
Meraki Alumni (Retired)

That's a good point - I'll talk to the team about updating this!

This is the current page - https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager

I agree it's missing some common uses and basic explanations on how to use this feature. Thanks for flagging this!!
PhilipDAth
Kind of a big deal

I thought I would start testing this out by trying to detect if Windows 10 firewall was running.

I set up three Windows 10 machines (screenshot attached). All running the latest Windows Update. All have been rebooted numerous times. I have also used the option to reset the firewall back to its default settings.  They are all running Meraki Systems Agent 1.0.95.

Two of the machines (MONITOR and ROBERT-PC) report "FW not installed, FW not enabled". The Windows Security Centre does show that the built in Windows firewall is enabled and running.
The third machine (RECEPTION02) always shows that Windows Firewall is running, even when I disable it (have tried rebooting numerous times as well).  Frequently on this machine the Meraki Systems Agent stops checking in till I enable the firewall again.

Any thoughts?

Screenshot from 2018-03-20 10-59-19.png
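As an added example (not from this thread, and not Meraki's agent code), a PowerShell check that reads the antivirus and firewall state Windows Security Center exposes locally, so the machine's own view can be compared with what the SM dashboard reports. It assumes a Windows 10 client (the root/SecurityCenter2 namespace is not present on Windows Server), and the productState bit decoding is a community-documented convention rather than an official API.

```powershell
# Added example: local view of the Security Center data the SM agent relies on.
# Assumes Windows 10 client; root/SecurityCenter2 does not exist on Windows Server.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    # Assumption: community-documented layout of productState as 6 hex digits "WWXXYY":
    #   XX = 10 or 11 -> product enabled, 00 or 01 -> disabled
    #   YY = 00 -> definitions current, 10 -> definitions out of date
    $hex = '{0:X6}' -f $ProductState
    [pscustomobject]@{
        Enabled  = $hex.Substring(2, 2) -in '10', '11'
        UpToDate = $hex.Substring(4, 2) -eq '00'
        Raw      = "0x$hex"
    }
}

function Get-SecurityCenterStatus {
    $ns = 'root/SecurityCenter2'

    # Antivirus products registered with Security Center (Defender or third party).
    $av = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = ConvertFrom-ProductState $_.productState
            [pscustomobject]@{ Kind = 'Antivirus'; Name = $_.displayName; Enabled = $s.Enabled; UpToDate = $s.UpToDate; Raw = $s.Raw }
        }

    # Third-party firewalls register here; the built-in Windows Defender Firewall
    # often does not, so its per-profile state is read directly below as well.
    $fw = Get-CimInstance -Namespace $ns -ClassName FirewallProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = ConvertFrom-ProductState $_.productState
            [pscustomobject]@{ Kind = 'Firewall'; Name = $_.displayName; Enabled = $s.Enabled; UpToDate = $null; Raw = $s.Raw }
        }

    $builtin = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Kind = 'Firewall'; Name = "Windows Defender Firewall ($($_.Name))"; Enabled = ($_.Enabled -eq 'True'); UpToDate = $null; Raw = $null }
    }

    @($av) + @($fw) + @($builtin)
}

# Run on each test machine and compare against the dashboard's antivirus / firewall columns.
Get-SecurityCenterStatus | Format-Table -AutoSize
```

If a machine shows the built-in firewall enabled in all three profiles here but no FirewallProduct row, the two data sources disagree, which is the kind of discrepancy worth attaching to a support case.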

Melissa
Meraki Alumni (Retired)

@PhilipDAth Thank you for sharing this!!! The team is currently looking into it - it's not expected behavior.

I'll let you know when I have more info!

Again - thanks for letting me/us know 🙂

PhilipDAth
Kind of a big deal

I have opened up a case with support (#02498814) as well now to allow it to be explored more easily.

@Melissa I am making very slow progress testing this.  Perhaps you could help me with some questions.

When does the Windows agent test the antivirus and firewall status?

Does it communicate dynamic changes (as notified by the Windows security centre) with the dashboard, or does it simply re-check every so often?  If it re-checks, how often does it re-check?

How often does the dashboard update to reflect the current state?

I'm having issues like stopping antivirus on a machine, and it taking a very long time to show up in the dashboard (like it doesn't show up till the next day).  Restarting the service on Windows doesn't seem to make any difference, or rebooting the entire machine.

Melissa
Meraki Alumni (Retired)

@PhilipDAth - I had thought this was resolved - so sorry there are still issues!

This is probably best handled directly with support though - they will have more information about the process and expected behavior. I'm sorry I can't be more helpful!!
PhilipDAth
Kind of a big deal

No worries. Thanks anyway.

I have a support ticket open.  I have it on "low" priority, so it is ticking along slowly.
