Application Condition - Anti-Malware

ryanbess
Level 1

I'm trying to understand the purpose of the "Application Condition" as part of the posture process. In this case I want to ensure that anti-malware is installed and running before passing posture and releasing the endpoint into the network. To mock this up in a lab, I downloaded Avast and set up ISE to do a check to see if Avast is installed and running (see attached avast1). When I do that I get the attached (avast2). Can someone help me understand what I'm doing wrong?

6 Replies

The Application condition is to check if an application is running or not.

One thing to keep in mind when using the Application condition is that it works the other way around compared to the Process condition. For example, if you create a condition for a process that is installed/running and that condition is met, the posture status will be considered compliant. However, if you do the same with an Application condition, the posture status will be considered non-compliant; its logic is basically inverted, and if the application is not installed/running the status will be considered compliant.

I would use the anti-malware check and not the application check for this use case, as for anti-malware you want to be sure it's running and that it has the latest updates, etc.

https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273


That makes me wonder about the following hypothetical scenario: I want machines to be running an antivirus, so in my posture policy, I put in an application check for Avast.  A machine with Avast installed and running connects to the network, and because it is installed and running, that check is non-compliant and therefore posture is non-compliant, so the machine doesn't get network access, or gets whatever quarantined/restricted access I've associated with a posture non-compliant machine (even though I do want machines to be running Avast).  

Alternatively: I don't want people connecting laptops running CheatEngine to my network, so I put in an application check for CheatEngine.  A machine with CheatEngine installed and running connects to the network, and that check returns non-compliant, so that machine doesn't get network access or gets quarantined/restricted access as it should, because I don't want machines with CheatEngine installed connecting to my network.

Based on what you described, it sounds like the Application condition can only be used for the second scenario, verifying that an undesired piece of software is not present, and it cannot be used for the first scenario, verifying that a desired piece of software is present.  Is that accurate?

Thanks much!

So the use case for the Application condition is to prevent an endpoint from getting on the network if some unwanted piece of software is installed and running? Still trying to wrap my head around how to use this part of the posture flow.

How would using an anti-malware check validate that said AM product is running? When I have Avast installed it disables Microsoft Defender's service. However, if I use the AM check, it just sees that it's installed and what the DAT version is, EVEN THOUGH the service is stopped.

TAC confirmed. The intended purpose of the Application check is only to check for unwanted software and to have ISE take action on endpoints with unwanted software. It is also used to get software inventory. To check if AM is installed, use the AM module. To check if AM is running, use Process. The downside of using Process is that if the exe changes, you will fail posture.

You are right; for the most part it is in line with what I thought and was saying.

https://community.cisco.com/t5/network-access-control/antivirus-antimalware-ise-posture-check-status-enable-disable/td-p/4110448

Look at the last paragraph:

I did complete my testing. Thanks for asking.

The AM installation check will find every AM software that is installed, regardless of whether it is active or not. The AM definition check will verify the AM is running the latest (as you define) updates. The nice thing about the AM definition check is that it fails if the AM is disabled. So, it verifies that the AM is running.

==============

A process running may not mean much, as sometimes the process is running but the AM could be disabled to protect... try the definition check and see if that works for you?
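As an added illustration, not part of the original thread or any Cisco code: a small Python model of how the posture condition types discussed above evaluate, following the semantics the replies state (inverted Application condition, Process compliant when running, AM installation check blind to the enabled state, AM definition check failing when the engine is disabled or definitions are stale). Product names, process names and version numbers are constructed placeholders.

```python
"""Toy model of the ISE posture condition types discussed in this thread.
Semantics follow the replies: Application is inverted (compliant when the
software is absent), Process is compliant when the process runs, the AM
installation check matches any installed AM product even if disabled, and
the AM definition check fails when the engine is disabled or out of date."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    installed: set            # product names found on the endpoint
    running: set              # process image names currently running
    am_enabled: bool = True   # whether the AM engine is enabled
    am_def_version: int = 0   # installed definition version (constructed)


def evaluate(kind, arg, ep):
    """Return True when the endpoint is COMPLIANT for one condition."""
    if kind == "application":
        # Inverted logic: compliant only if the application is NOT present
        return arg not in ep.installed and arg not in ep.running
    if kind == "process":
        return arg in ep.running
    if kind == "am_installed":
        # Sees any installed AM product regardless of its enabled state
        return arg in ep.installed
    if kind == "am_definition":
        product, min_version = arg
        return (product in ep.installed and ep.am_enabled
                and ep.am_def_version >= min_version)
    raise ValueError(f"unknown condition kind: {kind}")


def posture(conditions, ep):
    """Endpoint is compliant only when every condition in the policy passes."""
    failed = [c for c in conditions if not evaluate(c[0], c[1], ep)]
    return ("compliant" if not failed else "non-compliant", failed)


# Constructed sample endpoints (placeholder names, not real inventory data)
AVAST_RUNNING = Endpoint({"Avast"}, {"avast.exe"}, True, 42)
AVAST_DISABLED = Endpoint({"Avast"}, set(), False, 42)
CHEAT_ENGINE = Endpoint({"Avast", "CheatEngine"}, {"avast.exe", "cheat.exe"}, True, 42)

# Scenario 1 from the thread: Application check for a DESIRED product
WRONG_POLICY = [("application", "Avast")]
# Scenario 2: Application check to keep an UNWANTED product off the network
BLOCK_POLICY = [("application", "CheatEngine")]
# TAC guidance: AM definition check (fails if disabled) plus a Process check
RECOMMENDED = [("am_definition", ("Avast", 40)), ("process", "avast.exe")]
```

Running the three policies against the sample endpoints reproduces the thread's observations: the Application check marks the Avast machine non-compliant, while the definition check catches the disabled engine that the installation check alone would miss.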