6 Replies Latest reply on Jul 27, 2009 11:11 AM by rmoffitt

    Using System Defense

    Apprentice

      Hello,


      Over the past few weeks I've been setting up vPro here at my company. Thus far, I have a test group of machines that have been Provisioned using the Enterprise Mode. I can power up machines, power them off, reboot, etc. What I'm looking at getting into now are both the System Defense and Wireless Profiles. The more important of the two is System Defense. What I would like to do is kill all communication on a device so I right click one of my test subjects and select the Intel vPro System Defense Policies. Once the SD Policies box pops up I choose LDCBKillNics and click Set Policy. A Setting Policy task bar comes up and completes. From there, I thought I could check to see if this machine had properly received the policy by selecting Configure -> Intel vPro options - SD Remediation to see if it was located in there. When I checked nothing appeared and I was able to access websites and things from the test device. Does anyone have any suggestions of what to do to troubleshoot this?

        • 1. Re: Using System Defense
          Expert

          With the LDCBKillNics in place you can still talk to the vPro part of the computer even if it is the web site.  You can look at the inventory of the machine; under the AMT Information there is a Current Policy Name that would list what System Defense you have in place.  You can also try and ping the IP address of the machine that you are working on.

          • 2. Re: Using System Defense
            Apprentice

            This is great information. I have checked and on the machine Current Policy Name is LDCBKillNics. It now looks like communication has been killed. However, the device still isn't showing up in the System Defense Remediation.


            Also, I've set the default Policy to be LDCBSYNFlood. I've checked other machines that have been provisioned and there are no entries for Current Policy Name. I set this yesterday from a remote console and checked to see if the core had held the settings and it did. I'm not sure why the other machines aren't seeing the policy.


            Any suggestions into these problems?

            • 3. Re: Using System Defense
              Expert

              The LDCBKillNics is not a system defense that can be remediated (it is on or off), so it would not move a machine into that.  The items that can be remediated are items that have to be triggered by an event.  The LDCBKillNics is a way for an admin to lock down a machine's NICs manually.


              As far as setting the default, it should only apply to new machines that get provisioned after applying the change.  The changes that get made here do not get pushed out to a machine that has already been provisioned.  You can multi-select machines in the inventory, then right-click and apply a system defense policy to multiple machines at the same time.


              I have set a default defense profile and in my lab it does not look to apply this on a newly provisioned machine like I think it should.  Let me address engineering about this and I will get back to you on it.

              • 4. Re: Using System Defense
                Apprentice

                Rex,


                Thank you for looking into this. I really appreciate your guys' efforts. In regards to the KillNic process I was using, I think I pulled that information from an Intel document that was for vPro using LANDesk. I will try to locate the article and confirm what it said. Also, I've sent a list of 7 items to Kevin. I'm not sure if he passed it on to you. The list is more of issues I've come across that I would like to see if you have answers to or have simply come across. Again, thank you for everything.

                • 5. Re: Using System Defense
                  Apprentice

                  About the LDCBKillNics, I read that it is part of the four pre-defined SD policies. The article stated:

                  Once SD triggers an alert, the alert is displayed in the LSM log. LANDesk and Intel AMT limit network access by replacing the current client policy with the Kill All NICs policy when SD is triggered. The client machine is also placed in the Remediation queue, which can be found in Configure | Intel vPro Options | System Defense | Remediation. Once the machine is remediated, the Kill All NICs policy is removed and the previous policy is re-applied. The administrator must manually perform the actual remediation of removing the virus or spyware, or fixing whatever caused the SD to be triggered.

                  I suppose because I thought this snippet was referring to all four of the pre-defined SD policies (UDP flood, SYN flood, FTP access, and Kill All NICs), no matter which one it was they would go to remediation.


                  What is the suggested method to remove the KillAllNic Policy? Simply to just send another policy such as UDP, SYN, or FTP to the machine?

                  • 6. Re: Using System Defense
                    Expert

                    Yes, the way to remove the KillNics is to put a different one on the machine or the remove all