Intel® Active Management Technology Use Case #6: Software Version Compliance (Protect)



Last Modified On :   September 2, 2008 10:05 AM PDT
Intel® Active Management Technology (Intel® AMT) helps to ensure that all platforms in an enterprise are compliant with corporate requirements related to having up-to-date software versions, virus signatures, etc. Out-of-band (OOB) polling helps to address the issue that 15% to 20% of all platforms are typically not visible on an in-band, down-the-wire basis, which traditionally complicates efforts to avoid risks associated with outdated software such as runtime errors, viruses, malware attacks, etc.

Intel AMT also helps to remove issues associated with user non-compliance (e.g., user removal of software agents). In this use case example, platforms that are powered off can be audited OOB and turned on using Intel AMT to install virus signature files and anti-virus engine updates. To address user non-compliance (e.g., missing software agents), software updates can be installed onto platforms during off-hours to eliminate user interruption and to decrease daily network traffic.

Conventional Software Version Compliance Limitations

Conventional tools that have traditionally been available for identifying and updating software work on an in-band basis only; that is, they require the target system to be operational, and they fail if the system is powered off or the operating system is non-functional. As a result, many platforms typically remain vulnerable to runtime errors, viruses, malware attacks, etc., between boot-time and when updates are installed.

Using Intel® AMT to Overcome Limitations

Third-party anti-virus applications that support Intel AMT can scan platforms down-the-wire, regardless of operating system health or power state, to discover virus signature versions and other software status and to conduct updates as needed. Third-party applications can also determine whether other updates are needed by accessing Intel AMT software logs, regardless of OS state.

Intel AMT functionality can boot a platform remotely, enabling third-party applications to deliver and install the updates. Intel AMT can then return the platform to its original state: hibernate, shut-down, standby, on, etc.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature | Functionality
Out-of-band (OOB) access | Enables gathering of software version information while the OS is unavailable or the machine is turned off
Third-Party Data Store (3PDS) | Allows a third-party agent on the managed platform to use dedicated flash memory space to store current anti-virus software version information

The following functionality is performed by third-party management applications:

  • The software list is updated in the NVStore by the third-party management application.
  • A tamper-resistant agent allows for access to the anti-virus software version information, with little risk of agent tampering by a user.

The Advantage of Intel AMT

Intel AMT enables support organizations to significantly improve accuracy, speed, and efficiency of software updates (e.g., anti-virus signatures) by auditing regardless of operating system health or power state. Downtime, data loss, platform instability and repair hours are reduced by updating platform software during periods of low usage, which prevents infection of otherwise-unprotected systems.

Business Value of the Intel AMT Solution

This use case enables IT organizations to save on support and productivity costs:

  • Savings from Eliminating Support Issues: By reducing the number of systems that are affected by malware, support costs are reduced.
  • Savings in End-user Productivity: By decreasing the number of end-users who are affected by malware, organizations can realize savings in terms of avoided end-user downtime.

Software Version Compliance Usage Model Implementation

The following steps are implemented in the case where a local anti-virus application determines that the anti-virus signature file is out-of-date and the host needs to be quarantined:

  1. The Management Console (MC) defines a QUARANTINE System Defense policy in which the only network traffic allowed is traffic from the MC to the host on the TCP port assigned to the anti-virus application for updating the signature file. All other network traffic is blocked (dropped).
  2. The MC creates an agent watchdog for the local agent that is configured to activate the QUARANTINE System Defense policy on any agent state change to “stopped.”
  3. The MC also specifies that Agent Presence should deactivate the QUARANTINE System Defense (CB) policy on any agent state change to “running.”
  4. During host operation, the local anti-virus agent determines that its signature file is out-of-date.
  5. The local agent signals Intel AMT that it is going down by calling AgentWatchdogShutdown().
  6. Intel AMT automatically applies the QUARANTINE System Defense policy to the network interface.
  7. The local agent begins remediation activities with the MC to update its signature file.
  8. When the local agent completes its remediation activities, it registers again with Intel AMT Agent Presence and starts sending heartbeats.
  9. Intel AMT Agent Presence detects that the agent state has changed to “running” and reopens the network by deactivating the QUARANTINE System Defense policy.

The following table provides high-level instructions on how to create, disable and remove System Defense policies.

Action | System Defense API/Steps
Create a System Defense Policy:
  1. Call CbQueryCapabilities() to get the HardwareID
  2. Call CbFilterCreate() for each filter and save the FilterHandle
  3. Call CbPolicyCreate() using all the saved FilterHandles and save the PolicyCreationHandle
  4. Call CbPolicyEnable() using the HardwareID and PolicyCreationHandle
Disable a System Defense Policy that was enabled by a Management Console for a specific HardwareID:
  1. Call CbPolicyDisable() using the HardwareID. If no HardwareID is specified, this command disables the MC System Defense policy on all interfaces.
Remove a System Defense Policy:
  1. Call CbPolicyEnumerate(). Examine the returned CircuitBreakerPolicy structures to identify the desired policy, and save its PolicyCreationHandle.
  2. Call CbPolicyDelete() using the selected PolicyCreationHandle

Note: See the “System Defense Feature and Agent Presence Overview.pdf” [PDF 335KB] or the “Intel® AMT Network Interface Guide.pdf” [PDF 2.45MB] documents located in the Intel AMT SDK for further details.
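As an added illustration of the quarantine flow (steps 1 to 9) and of the filter-then-policy ordering in the table above, the following Python model is constructed for this page and is not Intel AMT SDK code: the SystemDefense class and its policy_create, watchdog_register, agent_state_change and allow methods are hypothetical stand-ins for the Cb* and Agent Presence calls, and the MC address and anti-virus update port are made-up values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    # One System Defense filter: match on source, protocol and destination port
    src: str
    proto: str
    dst_port: int
    action: str                       # "pass" or "drop"

@dataclass
class Policy:
    name: str
    filters: list
    default_action: str = "drop"      # anything unmatched is dropped (step 1)
    def evaluate(self, pkt):
        for f in self.filters:
            if (f.src, f.proto, f.dst_port) == (pkt["src"], pkt["proto"], pkt["dst_port"]):
                return f.action
        return self.default_action

class SystemDefense:
    """Hypothetical stand-in for the platform filter engine plus Agent Presence."""
    def __init__(self):
        self.policies, self.watchdogs, self.active = {}, {}, None
    def policy_create(self, name, filters):           # mirrors CbPolicyCreate()
        self.policies[name] = Policy(name, list(filters))
    def watchdog_register(self, agent, policy_name):  # step 2: watchdog -> policy
        self.watchdogs[agent] = policy_name
    def agent_state_change(self, agent, state):       # steps 6 and 9
        if state == "stopped":                        # activate the watchdog's policy
            self.active = self.watchdogs.get(agent)
        elif state == "running" and self.active == self.watchdogs.get(agent):
            self.active = None                        # agent is back: reopen network
    def allow(self, pkt):
        if self.active is None:
            return True                               # no policy active: interface open
        return self.policies[self.active].evaluate(pkt) == "pass"

def quarantine_scenario():
    """Runs steps 1-9; returns (update_ok, other_ok) before, during and after."""
    sd, mc, av_port = SystemDefense(), "10.0.0.5", 5000   # constructed MC address/port
    sd.policy_create("QUARANTINE", [Filter(mc, "tcp", av_port, "pass")])
    sd.watchdog_register("av-agent", "QUARANTINE")
    update = {"src": mc, "proto": "tcp", "dst_port": av_port}
    other = {"src": "203.0.113.9", "proto": "tcp", "dst_port": 443}
    before = (sd.allow(update), sd.allow(other))
    sd.agent_state_change("av-agent", "stopped")      # agent called AgentWatchdogShutdown()
    during = (sd.allow(update), sd.allow(other))
    sd.agent_state_change("av-agent", "running")      # agent re-registered, sends heartbeats
    return before, during, (sd.allow(update), sd.allow(other))
```

While the agent is stopped, only the MC-to-host update traffic passes and everything else, including the host's own outbound connections, falls through to the policy's drop default; a real deployment must make sure the filter set covers every flow the remediation itself needs.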

The following assumptions underlie the analysis in this use case:

  1. The IT organization is struggling to keep anti-virus software up to date on all platforms.
  2. This use case analysis does not include prevention of the loss of productivity or data.
  3. All research data was gathered from global US-based IT organizations.
  4. Platforms being managed using Intel AMT are connected to a power source (electrical outlet, battery, etc.), but the platform does not have to be powered on.
  5. Platforms are physically connected through a working Ethernet connection to the corporate LAN for OOB access.
  6. This use case analysis assumes a mostly wired infrastructure.
