Feature Request: Automatic containment of compromised machines
Currently when running Systems Manager on a PC you can add a column to the dashboard to display whether the machine is compromised or not. This is retrieved from the Windows Security Centre. This can be updated by the built-in Windows Defender, or about a million different antivirus vendors (maybe even Cisco AMP for Endpoints ....).
Currently you can create a policy to make sure antivirus is running and that antimalware is installed - but not whether a machine is compromised. Adding this "tick box" (for information already being collected) would allow a Meraki network to automatically respond to compromised machines using group policy (such as "chop the machine off", or perhaps limit it to only talk to an antivirus server for updates, or maybe only talk to a server that contains a "cleaning" system).
This one extra "tick box" would simplify the handling of compromised computers automatically using really powerful security technology that already exists, which would free companies to focus on their mission instead of compromised computers (there might be some plagiarism there).
@PhilipDAth - also, if you set a Policy that scans for "Antivirus" and call it "Antivirus", you will see the option for "Antivirus Compliant" in your main clients page! (like below)
This will also be a dynamic tag you can search by/reference in your Tags management page (if you have this turned on). (like this below)
In fact, a tick box for "Antivirus Compliant" would also be good!
@PhilipDAth - thanks for posting this!! The "Compromised" check currently available in SM Policies scans for rooted or jailbroken mobile devices. That's what we mean by "Compromised" - it's specific to those device types.
What were you thinking "Compromised" would entail/mean for Windows devices?
I wonder if there is another way to do this.
Thank you so much! This is exactly what I want.
Do you know this does not appear in any Meraki documentation anywhere?
I am going to give this a test during the upcoming week.
That's a good point - I'll talk to the team about updating this!
This is the current page - https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager
I agree it's missing some common uses and basic explanations on how to use this feature. Thanks for flagging this!!
I thought I would start testing this out by trying to detect if Windows 10 firewall was running.
I set up three Windows 10 machines (screenshot attached). All running the latest Windows Update. All have been rebooted numerous times. I have also used the option to reset the firewall back to its default settings. They are all running Meraki Systems Agent 1.0.95.
Two of the machines (MONITOR and ROBERT-PC) report "FW not installed, FW not enabled". The Windows Security Centre does show that the built in Windows firewall is enabled and running.
The third machine (RECEPTION02) always shows that Windows Firewall is running, even when I disable it (have tried rebooting numerous times as well). Frequently on this machine the Meraki Systems Agent stops checking in till I enable the firewall again.
Any thoughts?
@PhilipDAth Thank you for sharing this!!! The team is currently looking into it - it's not expected behavior.
I'll let you know when I have more info!
Again - thanks for letting me/us know 🙂
I have opened up a case with support (#02498814) as well now to allow it to be explored more easily.
@Melissa I am making very slow progress testing this. Perhaps you could help me with some questions.
When does the Windows agent test the antivirus and firewall status?
Does it communicate dynamic changes (as notified by the Windows security centre) with the dashboard, or does it simply re-check every so often? If it re-checks, how often does it re-check?
How often does the dashboard update to reflect the current state?
I'm having issues like stopping antivirus on a machine, and it taking a very long time to show up in the dashboard (like it doesn't show up till the next day). Restarting the service on Windows doesn't seem to make any difference, or rebooting the entire machine.
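An added example, not part of this thread and not Meraki's agent code: when the dashboard disagrees with what a machine shows (the "FW not installed, FW not enabled" results above, or antivirus being stopped and the change taking a day to appear), the first thing to check is what Windows Security Center itself is reporting locally, since that is the source the agent reads. The PowerShell below reads the Security Center WMI namespace directly and decodes the product state. It assumes Windows 10 and an elevated session; the layout of the undocumented `productState` bit field is the commonly used interpretation (hex digits 3-4 for enabled, 5-6 for definitions current), not something Microsoft publishes.

```powershell
# Added example: read what Windows Security Center reports on this machine so it
# can be compared with what Systems Manager shows for the same client.
# Assumptions: Windows 10, elevated PowerShell; the productState decoding is the
# commonly used (undocumented) layout, so treat RawState as the authoritative value.

function Get-SecurityCenterProducts {
    param([string]$Class)   # 'AntiVirusProduct' or 'FirewallProduct'
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $Class |
        ForEach-Object {
            # productState as six hex digits, e.g. 266240 -> "041000":
            # digits 3-4 = 10/11 when the product is enabled, 00/01 when disabled;
            # digits 5-6 = 00 when definitions are current, 10 when out of date.
            $hex = ('{0:x6}' -f [int]$_.productState)
            [pscustomobject]@{
                Class       = $Class
                Product     = $_.displayName
                Enabled     = ($hex.Substring(2, 2) -in '10', '11')
                DefsCurrent = ($hex.Substring(4, 2) -eq '00')
                RawState    = $hex
                # Security Center's own last-update time for this entry; a stale
                # value here explains a dashboard that lags behind reality.
                Timestamp   = $_.timestamp
            }
        }
}

# Products registered with Security Center (built-in Defender AV and any third party)
Get-SecurityCenterProducts -Class 'AntiVirusProduct'
Get-SecurityCenterProducts -Class 'FirewallProduct'

# The built-in Windows Defender Firewall is not listed under FirewallProduct on
# Windows 10 even when it is on; check it per network profile instead. A tool
# that only reads FirewallProduct will report "no firewall" on such a machine.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Microsoft Defender Antivirus status taken from the engine itself, independent
# of the Security Center cache, for comparison with the AntiVirusProduct rows.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

Run it on a machine before and a few minutes after stopping antivirus or disabling the firewall. If `RawState` and `Timestamp` change promptly but the dashboard does not, the delay is in the agent's polling or reporting rather than in Windows; if Security Center itself does not update, the agent cannot see the change either.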
@PhilipDAth - I had thought this was resolved - so sorry there are still issues!
This is probably best handled directly with support though - they will have more information about the process and expected behavior. I'm sorry I can't be more helpful!!
No worries. Thanks anyway.
I have a support ticket open. I have it on "low" priority, so it is ticking along slowly.