Solved: Cisco ISE 2.3 POSTURE on process *.exe files

MS-JK · ‎11-08-2018

When you setup posture element and condition is application and you select to check on specific process name using file.exe - can you actually check / validate the file itself is valid valid HASH? So that user can not just start file.exe and pass posture. What protective mechanism do you have for this type of posture IF application isn't part of the CIsco's build in options.

Thanks for feedback!

kthiruve · ‎11-11-2018

I think you are looking for a way to do a file check.

Please see what are the posture conditions available in this doc for existence of a file.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0100101.html#concept_46207D0DFA4341D9981898C668C2C737

View solution in original post

Surendra · ‎11-09-2018

As of now, ISE does not check the validity of the file. It is for the administrators to take care of what applications that user can put on and run on the machine. ISE only checks the process that the administrator desires is installed/running by name. However, you can leverage the registry check option in this case where you can check a specific registry that the application would modify and set a value to. All applications may not modify registries but I’m talking about most known vendor applications.

kthiruve · ‎11-11-2018

I think you are looking for a way to do a file check.

Please see what are the posture conditions available in this doc for existence of a file.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0100101.html#concept_46207D0DFA4341D9981898C668C2C737