Examples of Using Agent Presence with System Defense

The following examples demonstrate the capabilities of the Agent Presence and System Defense features when used together.

Example 1

In this example, an Anti-Virus application running on the local host determines that its signature file is out of date and that the host needs to be quarantined.

1.  The management console defines a QUARANTINE System Defense policy in which the only network traffic allowed is traffic from the management console to the host using the TCP port assigned to the Anti-Virus application for updating the signature file. All other network traffic is blocked (dropped).

2.  The management console creates an agent watchdog for the local agent that is configured to activate the QUARANTINE System Defense policy for any agent state change to "stopped".

3.  The management console also specifies that Agent Presence should deactivate the QUARANTINE System Defense policy for any agent state change to "running".

4.  During host operation, the local Anti-Virus agent determines that its policy signature is out-of-date.

5.  The local agent signals to Intel AMT that it is going to shut down.

6.  Intel AMT automatically applies the QUARANTINE System Defense policy to the network interface.

7.  The local agent begins remediation activities with the management console to update its signature file.

8.  When the local agent completes its remediation activities, it registers again with the Intel AMT device and starts sending heartbeat signals.

9.  Intel AMT Agent Presence detects that the agent state has changed to running and reopens the network by deactivating the QUARANTINE System Defense policy.

Example 2

This example demonstrates how to prepare for and detect that the local Anti-Virus application has stopped running (because it crashed or was disabled by the local user).

1.  The management console creates a BLOCKING System Defense policy, with a precedence set to 9, using one of the following default System Defense filters:

   - A filter blocking all Receive traffic to the host

   - A filter blocking all Transmit traffic from the host

2.  The management console creates an agent watchdog for the Anti-Virus agent with the following defined actions:

a.  If the agent’s state changes to Running:

   - Write an event to the event log

   - Send a PET to the management console

   - Disable the BLOCKING System Defense policy

b.  If the agent’s state changes to NotStarted, Expired, or Stopped:

   - Write an event to the event log

   - Send a PET to the management console

   - Enable the BLOCKING System Defense policy

3.  The host Anti-Virus agent starts and registers to the Intel AMT device. This causes the agent’s state to change from NotStarted to Running and the actions described in step 2a are performed.

4.  The host Anti-Virus agent crashes or is disabled (stops sending heartbeat signals). This causes the agent’s state to change from Running to Expired (because the TimeoutInterval timer reaches 0) and the actions described in step 2b are performed.

5.  The BLOCKING System Defense policy isolates the host from the network.

6.  The management console detects the PET alert indicating that the Agent Presence watchdog timer expired. The management console does the following:

   - If the Anti-Virus crashed:

a.  Reboots the host using Intel AMT Remote Control and Storage Redirection.

b.  Runs virus “Clean” tools remotely.

c.  Reboots the host from local disk using Intel AMT Remote Control.

   - If the Anti-Virus was disabled:

a.  Establishes a Terminal Emulation session to the host.

b.  Enables the Anti-Virus agent.

c.  Sends an e-mail to the user saying: Do not disable the Anti-Virus agent application.

7.  The Anti-Virus agent on the host starts and registers to the Intel AMT device. This causes the agent’s state to change to Running and the actions described in step 2a are performed.

8.  The management console detects the PET alert indicating that the agent is running.
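
The watchdog logic of Example 2 can be modelled as a small state machine. The following is an added illustration, not Intel AMT code or SDK code: the state names, the BLOCKING policy and TimeoutInterval come from this page, while every class, method and field name is hypothetical, and the model assumes that a heartbeat from an agent that is not Running is ignored until the agent registers again.

```python
# Simplified model of the Example 2 watchdog; not Intel AMT code. State names,
# BLOCKING and TimeoutInterval come from the page; all other names are hypothetical.
class AgentWatchdog:
    ENABLE_ON = {"NotStarted", "Expired", "Stopped"}   # step 2b states

    def __init__(self, timeout_interval):
        self.timeout_interval = timeout_interval  # TimeoutInterval, in ticks
        self.state = "NotStarted"
        self.remaining = None          # countdown, armed only while Running
        self.blocking_enabled = False  # actions fire on state changes only
        self.event_log = []            # "Write an event to the event log"
        self.pets = []                 # "Send a PET to the management console"

    def _transition(self, new_state):
        if new_state == self.state:
            return
        old, self.state = self.state, new_state
        self.event_log.append((old, new_state))
        self.pets.append(f"{old}->{new_state}")
        # Step 2b enables BLOCKING; step 2a (Running) disables it.
        self.blocking_enabled = new_state in self.ENABLE_ON

    def register(self):                # agent starts and registers
        self.remaining = self.timeout_interval
        self._transition("Running")

    def heartbeat(self):               # assumed: ignored unless Running
        if self.state == "Running":
            self.remaining = self.timeout_interval

    def tick(self):                    # one unit of time passes
        if self.state == "Running":
            self.remaining -= 1
            if self.remaining <= 0:    # TimeoutInterval timer reaches 0
                self._transition("Expired")

def run_example_2(timeout_interval=3):
    """Replay steps 3-7; return the watchdog and (state, blocking) per phase."""
    wd, trace = AgentWatchdog(timeout_interval), []
    snap = lambda: trace.append((wd.state, wd.blocking_enabled))
    wd.register(); snap()              # step 3: NotStarted -> Running
    for _ in range(5):                 # healthy agent keeps resetting the timer
        wd.tick(); wd.heartbeat()
    snap()
    for _ in range(timeout_interval):  # step 4: crash, heartbeats stop
        wd.tick()
    snap()                             # step 5: host isolated
    wd.heartbeat(); snap()             # late heartbeat does not lift the block
    wd.register(); snap()              # step 7: agent registers again
    return wd, trace
```

In this model the host stays isolated until the agent registers again, and each of the three state changes produces one event log entry and one PET.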

See Also:

   - Set an Agent Watchdog’s System Defense Policy

   - Remove an Agent Watchdog’s System Defense Policy

   - System Defense Feature

Copyright © 2006-2022, Intel Corporation. All rights reserved.