09-27-2016 05:06 AM - edited 03-11-2019 12:06 AM
Hi
I have enabled the host scan on the ASA and created a dynamic access policy to check that the host machine has a valid AV that is active and not more than 15 days old. The script in the DAP policy is:
(assert(function()
    local update_days = 15 -- maximum age of the AV update, in days
    local av_lastupdate = update_days * 86400 -- converted to seconds for the lastupdate comparison
    -- loop over every AV product reported by the host scan
    for k, v in pairs(endpoint.av) do
        -- match (and terminate) on the first product whose scan is not active
        -- or whose last update is older than the allowed window
        if (EVAL(v.activescan, "NE", "ok", "string") or EVAL(v.lastupdate, "GT", av_lastupdate, "integer")) then
            return true
        end
    end
    return false
end)())
Action: terminate
One of the hosts, which has AV active and running, fails the check. I have the DAP debug as below:
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE: endpoint.os.version = "Windows 10"
DAP_TRACE: endpoint.os.architecture = "x64"
DAP_TRACE: endpoint.os.processor_level = "unknown"
DAP_TRACE: endpoint.device.protection = "none"
DAP_TRACE: endpoint.device.protection_version = "4.3.02039"
DAP_TRACE: endpoint.device.hostname = "LP-EC8EB5449591"
DAP_TRACE: endpoint.fw["MSWindowsFW"].exists = "false"
DAP_TRACE: endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall"
DAP_TRACE: endpoint.fw["MSWindowsFW"].version = "10.0"
DAP_TRACE: endpoint.fw["MSWindowsFW"].enabled = "failed"
DAP_TRACE: endpoint.fw["NortonFW"] = {}
DAP_TRACE: endpoint.fw["NortonFW"].exists = "true"
DAP_TRACE: endpoint.fw["NortonFW"].description = "Symantec Endpoint Protection [Firewall]"
DAP_TRACE: endpoint.fw["NortonFW"].version = "12.1.7004.6500"
DAP_TRACE: endpoint.fw["NortonFW"].enabled = "ok"
DAP_TRACE: endpoint.av["MicrosoftAV"] = {}
DAP_TRACE: endpoint.av["MicrosoftAV"].exists = "true"
DAP_TRACE: endpoint.av["MicrosoftAV"].description = "Windows Defender"
DAP_TRACE: endpoint.av["MicrosoftAV"].version = "4.9.10586.589"
DAP_TRACE: endpoint.av["MicrosoftAV"].activescan = "failed"
DAP_TRACE: endpoint.av["MicrosoftAV"].lastupdate = "25513378"
DAP_TRACE: endpoint.av["MicrosoftAV"].timestamp = "1449439469"
DAP_TRACE: endpoint.as["MicrosoftAS"] = {}
DAP_TRACE: endpoint.as["MicrosoftAS"].exists = "true"
DAP_TRACE: endpoint.as["MicrosoftAS"].description = "Windows Defender"
DAP_TRACE: endpoint.as["MicrosoftAS"].version = "4.9.10586.589"
DAP_TRACE: endpoint.as["MicrosoftAS"].activescan = "failed"
DAP_TRACE: endpoint.as["MicrosoftAS"].lastupdate = "25513378"
DAP_TRACE: endpoint.as["MicrosoftAS"].timestamp = "1449439469"
DAP_TRACE: endpoint.as["MicrosoftAS"] = {}
DAP_TRACE: endpoint.as["MicrosoftAS"].exists = "true"
DAP_TRACE: endpoint.as["MicrosoftAS"].description = "Windows Defender"
DAP_TRACE: endpoint.as["MicrosoftAS"].activescan = "failed"
DAP_TRACE: endpoint.as["MicrosoftAS"].lastupdate = "25513378"
DAP_TRACE: endpoint.as["MicrosoftAS"].timestamp = "1449439469"
DAP_TRACE: endpoint.av["NortonAV"] = {}
DAP_TRACE: endpoint.av["NortonAV"].exists = "true"
DAP_TRACE: endpoint.av["NortonAV"].description = "Symantec Endpoint Protection"
DAP_TRACE: endpoint.av["NortonAV"].version = "12.1.7004.6500"
DAP_TRACE: endpoint.av["NortonAV"].activescan = "ok"
DAP_TRACE: endpoint.av["NortonAV"].lastupdate = "124647"
DAP_TRACE: endpoint.av["NortonAV"].timestamp = "1474828200"
DAP_TRACE: endpoint.as["NortonAV"] = {}
DAP_TRACE: endpoint.as["NortonAV"].exists = "true"
DAP_TRACE: endpoint.as["NortonAV"].description = "Symantec Endpoint Protection"
DAP_TRACE: endpoint.as["NortonAV"].version = "12.1.7004.6500"
DAP_TRACE: endpoint.as["NortonAV"].activescan = "ok"
DAP_TRACE: endpoint.as["NortonAV"].lastupdate = "124647"
DAP_TRACE: endpoint.as["NortonAV"].timestamp = "1474828200"
It detects both the Windows and the Symantec AV but considers only the Windows AV. How can I make this host pass the AV check?
Thanks in advance for your input.
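The loop above returns true (record matched, action terminate) on the first product that fails, and in this trace Windows Defender reports activescan "failed" with a lastupdate of 25513378 seconds (about 295 days), so the healthy Symantec entry is never enough. The following is an added example, not the poster's script or Cisco code, with the logic inverted so the record matches only when no AV product is compliant; EVAL and the endpoint table are stubs assumed from the trace so the check runs in plain Lua.

```lua
-- Stub of the DAP EVAL helper, assumed here so the script runs outside the ASA.
-- On the appliance the DAP engine supplies EVAL and the endpoint table.
local function EVAL(lhs, op, rhs, kind)
  if kind == "integer" then lhs, rhs = tonumber(lhs), tonumber(rhs) end
  if op == "EQ" then return lhs == rhs end
  if op == "NE" then return lhs ~= rhs end
  if op == "GT" then return lhs > rhs end
  if op == "LT" then return lhs < rhs end
  error("unsupported operator " .. tostring(op))
end

-- Constructed from the DAP_TRACE above: Defender inactive and stale,
-- Symantec Endpoint Protection active and updated about a day ago.
local endpoint = {
  av = {
    MicrosoftAV = { activescan = "failed", lastupdate = "25513378" },
    NortonAV    = { activescan = "ok",     lastupdate = "124647" },
  },
}

-- Returns true (DAP record matches, Action: terminate) only when every AV
-- product fails; returns false as soon as one product is both active and
-- updated within update_days. This is the body to put inside the original
-- (assert(function() ... end)()) wrapper.
local function av_check_fails(update_days)
  local max_age = update_days * 86400 -- allowed age of the last update, seconds
  for _, v in pairs(endpoint.av) do
    local active  = EVAL(v.activescan, "EQ", "ok", "string")
    local current = not EVAL(v.lastupdate, "GT", max_age, "integer")
    if active and current then
      return false -- at least one compliant AV: do not terminate
    end
  end
  return true -- no compliant AV found: terminate
end

print("terminate session:", av_check_fails(15))
```

For the host in the trace the function returns false, so the session is not terminated; a host whose only AV is the stale Defender entry still matches the record and is terminated.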
02-23-2018 01:55 PM
Has anyone found a solution to this? Can I modify the DAP profile to ignore Microsoft AV? If so, how would that look?
02-23-2018 10:42 PM
Hi,
Why don't you just check for Symantec? (I don't remember if you can specify an AV product directly.)
The thing is that Cisco develops ISE posture, not ASA posture, and probably few people still use the old AC posture.
Thanks,
Octavian