Automatic Antivirus Remediation in Posture

adityaM1234
Level 1

Hi All,

I have configured ISE (1.2) to check Antivirus Installation on endpoints and it is working flawlessly.

Now, the client wants:

1) If the antivirus on an endpoint has not been updated for more than 5 days, it should be considered "non-compliant", and as a remediation action the updates should be downloaded automatically.

--> I configured an AV Remediation action.

Now, the problem is that when the endpoint gets categorized as non-compliant, ideally the AV updates should get downloaded on the endpoint as a remediation action. But the AV updates are not getting downloaded.

Please help me in solving this problem.

Thanks in advance,

Aditya

3 Replies

mohanak
Cisco Employee

Adding an Antivirus Remediation

You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.

The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.


Step 1 Choose Policy > Policy Elements > Results > Posture.

Step 2 Click Remediation Actions.

Step 3 Click AV Remediation.

Step 4 Click Add.

Step 5 Modify the values in the New AV Remediation page.

Step 6 Click Submit.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html#pgfId-1924006

Antivirus Remediation

The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739

Table C-23 Antivirus Remediation (Fields and Usage Guidelines)

Name: Enter a name for the antivirus remediation.

Description: Enter a description for the antivirus remediation.

Remediation Type: Choose one of the following:
  • Automatic: when selected, you should enter values for the Interval and Retry Count.
  • Manual: when selected, the Retry Count and Interval fields are not editable.

Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count: Enter the number of attempts that clients can try to update an antivirus definition.

Operating System: Choose one of the following:
  • Windows
  • Macintosh: when selected, the Remediation Type, Interval, and Retry Count fields are not editable.

AV Vendor Name: Choose the antivirus vendor.

Hi mohanak,

Thank you for the reply.

I configured the remediation action in ISE.

When the endpoint is categorized as non-compliant, as a remediation action the antivirus should be automatically updated (updates should be fetched from the internet automatically).

But at present the antivirus is not getting updated, and as soon as the remediation timer expires, the endpoint's network access gets blocked and it remains in the non-compliant state.

Do we need to open any specific IP/URL (e.g. http://symantic.com/update) in the ACL on the WLC in order to allow updates from the internet?

Regards,

Aditya

Yes. You should put the IP/port of the antivirus server on your remediation ACL.

It will allow the antivirus client to reach the server and download the update.

Regards.
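The point of the last reply, as an added example that is not code from Cisco or from anyone in this thread: a toy model of the posture flow, with the remediation ACL evaluated first-match-wins and an implicit deny at the end, showing that an Automatic AV remediation (Interval and Retry Count from Table C-23) burns through all its retries and leaves the endpoint non-compliant when the ACL has no permit for the antivirus update server, and succeeds on the first attempt once that permit is added. The 5-day staleness rule is the client's requirement from the first post; the AV server address 203.0.113.10:443, the PSN address 192.0.2.5, and the simplified ACL semantics (no protocol field, no source matching) are constructed assumptions for the example.

```python
"""Added example (not Cisco's code): toy model of ISE-style posture with
Automatic AV remediation, showing why a missing ACL permit for the AV
update server leaves the endpoint non-compliant after the retries run out.

Constructed assumptions: first-match ACL with implicit deny, one AV update
server at 203.0.113.10:443 (documentation address), PSN at 192.0.2.5, and
a remediation attempt that succeeds as soon as the ACL permits the flow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

STALE_AFTER_DAYS = 5               # client's rule from the thread: > 5 days old = non-compliant
AV_SERVER = ("203.0.113.10", 443)  # constructed placeholder for the vendor update host
ISE_PSN = "192.0.2.5"              # constructed placeholder for the ISE policy service node


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    dst: str                     # destination network in CIDR form, or "any"
    port: Optional[int] = None   # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.port is None or self.port == dst_port


def acl_permits(acl: List[AclEntry], dst_ip: str, dst_port: int) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for entry in acl:
        if entry.matches(dst_ip, dst_port):
            return entry.action == "permit"
    return False


# Typical posture ACL that forgot the AV update server: DNS and the PSN are
# reachable, everything else is dropped, so the definitions can never download.
REMEDIATION_ACL_BROKEN = [
    AclEntry("permit", "any", 53),
    AclEntry("permit", ISE_PSN + "/32"),
    AclEntry("deny", "any"),
]

# Same ACL with the fix from the last reply: an explicit permit for the
# antivirus server's IP and port, placed before the final deny.
REMEDIATION_ACL_FIXED = [
    AclEntry("permit", "any", 53),
    AclEntry("permit", ISE_PSN + "/32"),
    AclEntry("permit", AV_SERVER[0] + "/32", AV_SERVER[1]),
    AclEntry("deny", "any"),
]


@dataclass
class Endpoint:
    definitions_age_days: int


def is_compliant(endpoint: Endpoint) -> bool:
    """Posture check: AV definitions older than the limit are non-compliant."""
    return endpoint.definitions_age_days <= STALE_AFTER_DAYS


def remediate(endpoint: Endpoint, acl: List[AclEntry], av_server: Tuple[str, int],
              interval_s: int, retry_count: int) -> dict:
    """Model the Automatic remediation type: up to retry_count attempts,
    interval_s seconds apart.  An attempt refreshes the definitions only if
    the ACL permits the flow to the AV server.  When every attempt fails the
    remediation timer has run out and the endpoint stays non-compliant,
    which is the symptom reported in the thread."""
    ip, port = av_server
    elapsed_s = 0
    for attempt in range(1, retry_count + 1):
        if acl_permits(acl, ip, port):
            endpoint.definitions_age_days = 0
            return {"compliant": True, "attempts": attempt, "elapsed_s": elapsed_s}
        elapsed_s += interval_s  # wait out the interval before the next retry
    return {"compliant": False, "attempts": retry_count, "elapsed_s": elapsed_s}


if __name__ == "__main__":
    for label, acl in (("broken", REMEDIATION_ACL_BROKEN), ("fixed", REMEDIATION_ACL_FIXED)):
        ep = Endpoint(definitions_age_days=7)  # constructed: definitions 7 days old
        print(label, remediate(ep, acl, AV_SERVER, interval_s=60, retry_count=3))
```

The order of entries matters in the same way it does on a real WLC or switch ACL: the permit for the AV server has to sit above the catch-all deny, and any DNS the client needs to resolve the vendor's update hostname has to be allowed as well, or the first attempt fails before the ACL for the server is ever consulted.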