Intel vPro/AMT or hardware antivirus
Around two years ago we published an article on our site describing the Adder IPEPS as a hardware solution that helps system administrators run antivirus checks and even reinstall the operating system. We’d like to specifically point out that we talked about antivirus checks and BIOS configuration when the operating system is partially unresponsive and standard means of remote access like RDP, RAdmin and RealVNC cannot be used. Today we’re presenting to our readers one more means of managing workstations, this time without any external device.
The Intel AMT technology of remote workstation management has existed for quite a while; however, hardware support of this technology is implemented in far from all modern motherboards and CPUs. Before using the method of connecting to a remote node we’re about to describe in this article, make sure that the CPU supports the vPro technology and the motherboard is built on a Q series chipset, for instance, Q67 or Q77. We’re not going to scrutinize the implementation of vPro and AMT and system requirements, but will rather give examples of perhaps not quite standard use of the remote access methods at hand.
So, we had a PC based on an ASUS P8Q77-M motherboard (BIOS version 0303) and an Intel i7 3770 CPU, which we consider an ordinary PC for home or office use by the man in the street. The problem of remote server access has a whole range of successful solutions, among them IPMI, iLO and other technologies; however, such methods can’t be applied to standard PCs. Solutions based on Adder IPEPS can’t be called hitch-free, as connecting such a device to each node requires buying a large number of additional devices and also occupies one extra port on the network equipment. Temporarily connecting an IP KVM to the malfunctioning PC demands the presence of technical staff at the remote computer; moreover, Adder IPEPS doesn’t help when the remote PC has hung or displayed a BSOD. We once mentioned remote power control; however, it can turn out to be rather costly. Using the Intel AMT technology doesn’t result in extra expenses for equipment, as its support is implemented in several widespread hardware components.
When the article was being written, there were two utilities supporting connection to remote nodes with the help of Intel AMT: RAdmin and VNC. Unfortunately, we were unable to connect to the test PC with the help of the RAdmin utility; moreover, this utility supports only connection to nodes working in the text video mode. We readily turned the computer on and off and rebooted it, but weren’t able to access the BIOS or the operating system due to a number of various errors. This certainly solves the problem of remotely switching on a PC for home users whose router doesn’t support the WOL (Wake on LAN) function (it only requires port redirection); however, in our case it’s far from sufficient. When using VNC Viewer Plus, the administrator has to specify the IP address of the managing AMT module, which is certainly different from the node’s own address, specify the encryption type and choose the connection mode. Here we’re leaving out the settings of the workstation itself necessary for permitting remote connections.
After successful connection the administrator has to enter the login and password specified in the AMT settings on the remote PC.
We’d like to specifically point out that it’s impossible to change the parameters of access via the Intel AMT technology on the remote PC with the help of VNC Viewer Plus.
As we claimed in the title, we’re going to use the Intel AMT technology for antivirus checks of remote nodes. Certainly such a check makes sense only when the operating system and the antivirus software can’t cope by themselves. Just like with local checks, we’ll need a boot disc image containing its own operating system and antivirus. Such images are offered by different antivirus software vendors like Kaspersky Lab and Dr. Web. The latter suggests downloading a full image from the site, whereas a disc for Kaspersky can be created with the help of a program installed on the administrator’s computer.
The downloaded or previously prepared image has to be mounted in the VNC Viewer Plus program.
After the disc has been mounted, one can turn the remote PC on and choose boot from disc.
Further management runs exactly as if the administrator were right in front of the problematic computer and booted from this disc.
However, we have to mention that we weren’t able to run a remote antivirus check with the help of Dr. Web because of “the lack” of the boot device. The Kaspersky Lab antivirus check went without a hitch.
If the operating system on the remote PC is completely damaged and cannot be recovered, the administrator can reinstall it over the same Intel AMT connection. The time needed for this operation is really bewildering, though, because in this mode our network connection ran only at 10 Mbps, whereas modern operating system packages hardly fit on DVD discs. After reinstalling the system the administrator can come across another problem: the lack of several drivers necessary for establishing a network connection. Luckily, this problem can be easily solved by adding the necessary files to the image. We mean simply adding files to the ISO file, not integrating drivers into the package itself. For example, this addition can be performed with the help of a utility such as UltraISO.
Here we’re finishing our short insight into the issue of antivirus checks of remote nodes.
Summing up, we’d like to note that Intel offers administrators an extremely powerful tool for remotely solving problems with an operating system, removing viruses and configuring the BIOS without having to buy expensive equipment, as all the functionality is within the chipset and the CPU. The node can be accessed when it is on or off. It’s also worth noting that to perform a number of simple functions (switching on and off, monitoring status and getting information about the device) no specialized software is required: it’s enough to have a modern browser that can connect to the administered node via HTTP on port 16992.
Although Intel AMT is an unusually useful technology for administrators, for an ordinary user it may become another back door to the system that developers left for convenient administration.
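One way to watch for the back-door concern raised above is to flag allowed connections to AMT ports that do not originate from administrator workstations. The sketch below is an added example, not part of the original article: the log format, the sample lines and the admin subnet 10.0.50.0/24 are constructed assumptions, and ports other than 16992 are the standard AMT companion ports, which the article does not list.

```python
import ipaddress
import re

# Intel AMT service ports. 16992 is the HTTP port named in the article; the
# others are the standard AMT companion ports, added from general knowledge.
AMT_PORTS = {
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (TLS)",
    16994: "AMT redirection: SOL, IDE-R, KVM",
    16995: "AMT redirection (TLS)",
}

# Assumption: only this subnet holds administrator workstations.
ADMIN_NETS = [ipaddress.ip_network("10.0.50.0/24")]

# Constructed log format: "<timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample firewall log, not taken from a real network.
SAMPLE_LOG = """\
2013-04-02T09:14:01Z ALLOW TCP 10.0.50.12:51544 -> 10.0.20.31:16992
2013-04-02T09:15:40Z ALLOW TCP 10.0.20.77:49822 -> 10.0.20.31:16994
2013-04-02T09:16:02Z DENY TCP 203.0.113.9:40110 -> 10.0.20.31:16992
2013-04-02T09:17:15Z ALLOW TCP 10.0.20.77:49900 -> 10.0.20.31:443
2013-04-02T09:18:30Z ALLOW TCP 203.0.113.9:40155 -> 10.0.20.45:16993
"""

def find_unexpected_amt_access(log_text, admin_nets=ADMIN_NETS):
    """Return allowed connections to AMT ports whose source is not an admin host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # skip unparsable lines and traffic the firewall dropped
        dport = int(m["dport"])
        if dport not in AMT_PORTS:
            continue  # not an AMT service
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in admin_nets):
            continue  # expected: management from the admin subnet
        findings.append((m["ts"], m["src"], m["dst"], dport, AMT_PORTS[dport]))
    return findings

if __name__ == "__main__":
    for ts, src, dst, dport, service in find_unexpected_amt_access(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport} ({service})")
```
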