03-14-2024 08:57 AM
Starting to learn about some of the automatic remediation capabilities that come with ISE and the modules. In my Posture policy I have it configured to automatically remediate any AM product that it finds should the definition files be 5 days or older (using the default remediation called "AnyAMDefRemediationWin").
On my test computer the AM product "Windows Defender" had a definition that was 7 days old. When the system scan ran, it looks like it attempted to remediate the out of date definitions but failed. My question is what is the AnyConnect client with the system scan module actually doing to attempt to automatically remediate the Windows Defender out of date definitions?
03-14-2024 02:23 PM
Good question. I've always wondered the same and assumed it is handled via some system level command/API call from the OPSWAT APIs. That being said, when I have seen the auto remediations not work it was typically due to a permissions issue.
03-14-2024 03:29 PM
In this instance, how would the posture client perform definition updates? Might it get them from ISE via the Posture update service, might it run some PowerShell command that informs Defender to go update... We need to know this stuff so we can ensure the access is there to actually get updates. For example, if it runs some PowerShell command that tells the Defender client to update, then that means the DACL that we push out as part of posture permits access to the internet / some on-prem update services. Hopefully someone from Cisco will chime in and help out. I've enabled debugging and got DART logs but am having difficulty sorting through the noise.
03-14-2024 04:37 PM
It has been explained here: Solved: ISE automatic posture remediation of anti-malware - Cisco Community
Note that: Some of the Anti-Malware endpoint security solutions (such as FireEye, Cisco AMP, Sophos, and so on) require network access to their respective centralized service for functioning. For such products, AnyConnect ISE posture module (or OESIS library) expects the endpoints to have internet connectivity. It is recommended that internet access is allowed for such endpoints during pre-posture for these online agents (if offline detection is not enabled). Signature Definition condition might not be applicable in such cases.
If you find this useful, please mark it helpful and accept the solution.
03-15-2024 04:26 AM
Thanks for the link. It's still unclear to me if the compliance module is telling Defender (in this case) to go update or if the automatic remediation is simply to let Defender phone back to some update server by itself. In my case the posture settings allow for 5 minutes before marking an endpoint as non-compliant.
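An added example, not from this thread or from Cisco's posture module, that an administrator can run on a test endpoint placed in the pre-posture VLAN: it reproduces the "definitions 5 days or older" condition from the thread using the built-in Defender cmdlets, then times a manual definition update against the 5-minute window mentioned above. It only shows whether the endpoint itself can reach an update source through the posture DACL; it does not show what the compliance module does internally, which the thread leaves open.

```powershell
# Added example: reproduce the posture condition locally and test whether a
# definition update succeeds from the pre-posture network segment.
# Thresholds are taken from the thread; the cmdlets are the Windows Defender
# PowerShell module (Get-MpComputerStatus / Update-MpSignature), not ISE.
$MaxAgeDays   = 5      # posture condition: definitions 5 days or older fail
$GraceSeconds = 300    # posture setting: 5 minutes before non-compliance

$status = Get-MpComputerStatus
$age    = $status.AntivirusSignatureAge   # days since the last AV definition update
Write-Host ("Defender AV definitions: version {0}, last updated {1}, age {2} day(s)" -f
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $age)

if ($age -lt $MaxAgeDays) {
    Write-Host "Would pass the posture condition; no remediation needed."
    return
}

Write-Host "Would fail the posture condition; attempting a manual update..."
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    # Run this once from the pre-posture VLAN and once from a fully trusted
    # segment; a failure only in the former points at the DACL, not at Defender.
    Update-MpSignature -ErrorAction Stop
    $sw.Stop()
    $after = (Get-MpComputerStatus).AntivirusSignatureAge
    Write-Host ("Update finished in {0:N0}s; definitions are now {1} day(s) old" -f
        $sw.Elapsed.TotalSeconds, $after)
    if ($sw.Elapsed.TotalSeconds -gt $GraceSeconds) {
        Write-Warning "Update took longer than the posture grace period; the endpoint would already be marked non-compliant."
    }
} catch {
    $sw.Stop()
    Write-Warning ("Update failed after {0:N0}s: {1}" -f $sw.Elapsed.TotalSeconds, $_.Exception.Message)
}
```

Run it from an elevated PowerShell session on the test machine, since Update-MpSignature needs administrative rights.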