Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3412
Views
15
Helpful
5
Replies

Antivirus Antimalware ISE posture check status enable/disable with anyconnect agent 4.X

Juan Marilaf Millahual
Level 1
Level 1

‎06-28-2020 03:33 AM

Hi

 

I need to know how I can deploy check status "enable/active" of Antivirus/Antimalware

 

the current posture ISE version (2.6, 2.7) and anyconnect agent 4.X only check installation and definition but no check estatus enable or disable of software Antivirus/Antimalware

 

please help me

 

 

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-28-2020 05:02 AM

When a given AV/AM product is running it will have an associated process on the host computer. We typically check for that process to be running and use that as the AV/AM check for active state.

Juan Marilaf Millahual
Level 1
Level 1
In response to Marvin Rhoads

‎06-28-2020 05:08 AM

Hi

But the process is not sense for the status of AM/AV. process can be UP while AV/AM is down
0 Helpful

tyoung008
Level 1
Level 1
In response to Marvin Rhoads

‎11-27-2020 10:25 AM

Hi Marvin!

 

Thanks for your response.  Yes, we can check if a specific process is running, but the fact that ISE only checks for installation and not running is a huge oversight IMHO.  I am doing an install now where the customer wants to verify the AM is running for 3rd party VPN connections where the AM is not dictated.

 

We can create an application condition (Policy > Policy Elements > Conditions > Application Condition > Add > ... Running > Provision by Category > Anti-Malware) that checks to see if the AM is running, but the screen says "It does not return a posture status."  This condition only provides information.  If you go to Context Visibility > Endpoints you can actually see if the process is running.  So, ISE Posture is able to identify if AM is running, it just cannot use the info for posture.

 

The workaround I have found is that if you also enable the definition check, it fails if the process is not running.  The auto-remediation fails also, but I have changed that to a text message.  So now, ISE Posture can check to see if any generic AM is running.  I haven't completed my testing yet, but it looks positive.

 

fedor.solovev
Spotlight
Spotlight
In response to tyoung008

‎01-07-2021 05:15 PM

Hello,
did you manage to finish the task with Antivirus verification ?
I am dealing with the same question - to check if ANY Antivirus exists and the signatures are updated.
It looks like ISE Posture module cannot determine if the AV is disabled (for example, you can temporary stop shields to check posturing).
Service verification will not help, because we don't know which AV will be used by external users.

0 Helpful

tyoung008
Level 1
Level 1
In response to fedor.solovev

‎01-07-2021 06:37 PM

I did complete my testing.  Thanks for asking.

 

The AM installation check will find every AM software that is installed, regardless if it is active or not.  The AM definition check will verify the AM is running the latest (as you define) updates.  The nice thing about the AM definition check is that it fails if the AM is disabled.  So, it verifies that the AM is running.

 

The last issue I ran into is that some AM programs disable Windows defender.  The solution to that problem was a compound condition described here -> https://community.cisco.com/t5/network-access-control/ise-posture-anti-malware-definitions-and-windows-defender/td-p/4053170.

 

0 Helpful
Customers Also Viewed These Support Documents