cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2291
Views
0
Helpful
5
Replies

AnyConnect 4 ISE Posture unable to update Symantec Endpoint Protection AV Definitions

Ben.Levin
Level 1
Level 1

Before I open a TAC case on this issue, I figured I'd ask here in case anyone has seen this before.  I'm running ISE 2.0 patch 2 with AnyConnect 4.1/ISE Posture on our Windows clients.  If a client has out of date antivirus definitions (SEP 12.1.6), ISE posture reports this but if I click the start button to update the definitions, AnyConnect/ISE Posture comes back with an error saying that the AV/AS update has failed.  I'm thinking it's a Windows permissions issue but I'm not sure how I would solve this.

Has anyone seen this before?

Thanks.

5 Replies 5

jan.nielsen
Level 7
Level 7

Are you logged in as a regular user or an administrator ? Also is SEP running in a GUP config, or are you using liveupdate to update the AV client ?

I'm logged in as a regular user and I believe we're using LiveUpdate.

nspasov
Cisco Employee
Cisco Employee

Yes, as you have already mentioned, if admin rights are required for the update then the remediation would fail. This is why I usually don't recommend posture assessment on internal/domain joined endpoints. And if you do want to posture those, I usually recommend that you allow access to the network wether the posture assessment fails or passes. Then administrators can use ISE to generate reports and see which workstations are not up to date on patches, AV, etc. 

Thank you for rating helpful posts!

I somewhat agree, however in this specific case, i have practical experience with SEP >12.1.5, where the option to force the av client to update using a cli command is configurable (liveupdate), and the posture agent will trigger a fail dialog because it is trying to run a cli command to remediate, that actually does not exist anymore. Also my experience is that when you login as a regular non-admin user in windows, ise posture will execute remediation commands as SYSTEM, which actually makes it work most of the time, only if you login as an administrator will it run commands as the logged-in user.

Any idea how ISE posture is trying to initiate the AV update process?  We are logging in as a regular admin user.  However, I am going to try logging in as an admin user to see if it makes any difference.  Thanks!