3739 Views | 15 Helpful | 5 Replies

Antivirus Antimalware ISE posture check status enable/disable with anyconnect agent 4.X

Hi

I need to know how I can deploy a check for the "enabled/active" status of Antivirus/Antimalware.

The current ISE posture version (2.6, 2.7) and AnyConnect agent 4.X only check installation and definitions, but do not check whether the Antivirus/Antimalware software is enabled or disabled.

Please help me.

5 Replies

Marvin Rhoads (Hall of Fame)

When a given AV/AM product is running it will have an associated process on the host computer. We typically check for that process to be running and use that as the AV/AM check for active state.

Hi

But the process does not reflect the status of AM/AV. The process can be up while AV/AM is down.

Hi Marvin!

Thanks for your response. Yes, we can check if a specific process is running, but the fact that ISE only checks for installation and not running is a huge oversight IMHO. I am doing an install now where the customer wants to verify the AM is running for 3rd party VPN connections where the AM is not dictated.

We can create an application condition (Policy > Policy Elements > Conditions > Application Condition > Add > ... Running > Provision by Category > Anti-Malware) that checks to see if the AM is running, but the screen says "It does not return a posture status." This condition only provides information. If you go to Context Visibility > Endpoints you can actually see if the process is running. So, ISE Posture is able to identify if AM is running, it just cannot use the info for posture.

The workaround I have found is that if you also enable the definition check, it fails if the process is not running. The auto-remediation fails also, but I have changed that to a text message. So now, ISE Posture can check to see if any generic AM is running. I haven't completed my testing yet, but it looks positive.

 

Hello,
did you manage to finish the task with Antivirus verification?
I am dealing with the same question - to check if ANY Antivirus exists and the signatures are updated.
It looks like the ISE Posture module cannot determine if the AV is disabled (for example, you can temporarily stop shields to check posturing).
Service verification will not help, because we don't know which AV will be used by external users.

I did complete my testing. Thanks for asking.

The AM installation check will find every AM software that is installed, regardless of whether it is active or not. The AM definition check will verify the AM is running the latest (as you define) updates. The nice thing about the AM definition check is that it fails if the AM is disabled. So, it verifies that the AM is running.

The last issue I ran into is that some AM programs disable Windows Defender. The solution to that problem was a compound condition described here -> https://community.cisco.com/t5/network-access-control/ise-posture-anti-malware-definitions-and-windows-defender/td-p/4053170.
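Added example, not code from any poster in this thread: the distinction raised above between an AV/AM process being present and the product actually being enabled is something a Windows client exposes directly through Security Center. Each registered product reports a productState value that encodes whether real-time protection is on and whether definitions are current, which is exactly the information a process-running check cannot give. The script below decodes that value and cross-checks it against the product's reporting process, the same process check discussed earlier in the thread. Assumptions: the bit layout of productState follows the commonly documented convention (Microsoft does not document the field), the root/SecurityCenter2 namespace exists only on Windows client editions, and the two sample values at the end are constructed for illustration. The script does not plug into an ISE posture condition; it shows what state data is available on the endpoint.

```powershell
# Added example (not from the thread): decode the Windows Security Center
# productState value that each registered AV/AM product reports.
# Assumption: the byte layout below is the commonly documented convention
# (provider / status / signatures); Microsoft does not publish it.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$ProductState)

    # productState is a 24-bit value read as three bytes: provider, status, signatures
    $hex           = $ProductState.ToString('X6')
    $statusByte    = [Convert]::ToInt32($hex.Substring(2, 2), 16)
    $signatureByte = [Convert]::ToInt32($hex.Substring(4, 2), 16)

    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = "0x$hex"
        Enabled      = ($statusByte -band 0x10) -eq 0x10   # 0x10 / 0x11 = real-time protection on
        UpToDate     = ($signatureByte -band 0x10) -eq 0    # 0x10 = definitions out of date
    }
}

function Get-AvPostureState {
    # Assumption: root/SecurityCenter2 is present on Windows client editions only;
    # on Windows Server this call fails and nothing is returned.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        $state = ConvertFrom-ProductState -ProductState $p.productState

        # Cross-check against the reporting executable, the way a process-based
        # posture condition would; note that this can be running while Enabled is false.
        $exe = if ($p.pathToSignedReportingExe) {
            [IO.Path]::GetFileNameWithoutExtension($p.pathToSignedReportingExe)
        } else { $null }
        $running = if ($exe) { [bool](Get-Process -Name $exe -ErrorAction SilentlyContinue) } else { $null }

        [pscustomobject]@{
            Product             = $p.displayName
            Enabled             = $state.Enabled
            UpToDate            = $state.UpToDate
            ReportingExeRunning = $running
        }
    }
}

# Constructed sample values (not read from a host). Both decode to the same provider
# byte (0x06) with current definitions; only the first has protection enabled.
# 397568 = 0x061100 -> Enabled, UpToDate;  393472 = 0x060100 -> disabled, UpToDate
397568, 393472 | ForEach-Object { ConvertFrom-ProductState -ProductState $_ } | Format-Table
```

Run Get-AvPostureState on a Windows client to see every registered product with its decoded state next to whether its reporting process is running; the two constructed values at the end illustrate the case the thread describes, where the process check and the enabled state disagree.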