Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2223
Views
0
Helpful
5
Replies

AnyConnect 4 ISE Posture unable to update Symantec Endpoint Protection AV Definitions

Ben.Levin
Level 1
Level 1

‎05-04-2016 08:51 AM - edited ‎03-10-2019 11:44 PM

Before I open a TAC case on this issue, I figured I'd ask here in case anyone has seen this before.  I'm running ISE 2.0 patch 2 with AnyConnect 4.1/ISE Posture on our Windows clients.  If a client has out of date antivirus definitions (SEP 12.1.6), ISE posture reports this but if I click the start button to update the definitions, AnyConnect/ISE Posture comes back with an error saying that the AV/AS update has failed.  I'm thinking it's a Windows permissions issue but I'm not sure how I would solve this.

Has anyone seen this before?

Thanks.

Labels:
0 Helpful
5 Replies 5

jan.nielsen
Level 7
Level 7

‎05-04-2016 10:41 AM

Are you logged in as a regular user or an administrator ? Also is SEP running in a GUP config, or are you using liveupdate to update the AV client ?

0 Helpful

Ben.Levin
Level 1
Level 1
In response to jan.nielsen

‎05-06-2016 07:14 AM

I'm logged in as a regular user and I believe we're using LiveUpdate.

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎05-04-2016 02:53 PM

Yes, as you have already mentioned, if admin rights are required for the update then the remediation would fail. This is why I usually don't recommend posture assessment on internal/domain joined endpoints. And if you do want to posture those, I usually recommend that you allow access to the network wether the posture assessment fails or passes. Then administrators can use ISE to generate reports and see which workstations are not up to date on patches, AV, etc. 

Thank you for rating helpful posts!

0 Helpful

jan.nielsen
Level 7
Level 7
In response to nspasov

‎05-04-2016 03:13 PM

I somewhat agree, however in this specific case, i have practical experience with SEP >12.1.5, where the option to force the av client to update using a cli command is configurable (liveupdate), and the posture agent will trigger a fail dialog because it is trying to run a cli command to remediate, that actually does not exist anymore. Also my experience is that when you login as a regular non-admin user in windows, ise posture will execute remediation commands as SYSTEM, which actually makes it work most of the time, only if you login as an administrator will it run commands as the logged-in user.

0 Helpful

Ben.Levin
Level 1
Level 1
In response to jan.nielsen

‎05-06-2016 07:17 AM

Any idea how ISE posture is trying to initiate the AV update process?  We are logging in as a regular admin user.  However, I am going to try logging in as an admin user to see if it makes any difference.  Thanks!

0 Helpful
Customers Also Viewed These Support Documents