03-26-2020 01:16 PM
Hi all,
I have done some googling and searching of the forums and the only thing I have found that is similar is this community post from 2017.
We are attempting to implement posturing for end-users' personal devices so they can access the AnyConnect VPN. One of the requirements we have is to check for up-to-date anti-malware definitions on the end-user's device.
However, in our testing we have found that some devices have their own anti-malware such as Avast installed; this stops the Windows Defender definitions from being updated and causes the problem that the posture module reports it as being out of date.
Has anyone else had to deal with this or worked around it in any way? Would automatic remediation force the update of the signatures for Windows Defender?
For info we are using ISE version 2.4 patch 5,11
Thanks for any assistance you can provide.
12-09-2020 09:40 AM
That works! Thank you.
Cylance disables Windows Defender, and the definition check fails for it. I created a new AM condition (Policy > Policy Elements > Conditions > Posture > Anti-Malware Condition) for vendor Cylance, ANY, ANY, Yes. I then added a second condition to my Any_AM_Definition_Win requirement (Policy > Policy Elements > Results > Posture > Requirements) with "any selected condition succeeds" and the user is now compliant.
03-26-2020 01:54 PM
Hi,
You could choose to kill the Windows process or to uninstall the software completely, in which case Windows Defender should be able to get updated. Check this guide for more information.
Regards,
Cristian Matei.
03-27-2020 12:54 PM
Why not use the pre-built conditions?
ANY_am_mac_def  | Any AM definition check on Mac
ANY_am_mac_inst | Any AM installation check on Mac
                | Any AM definition check on Windows
ANY_am_win_inst | Any AM installation check on Windows
03-27-2020 02:15 PM
Thanks for the responses
@Cristian Matei, I cannot kill the Windows Defender processes as it is not running on my machine, but it is installed and as far as I am aware there is no way to remove it without a lot of effort. The whole idea of the solution as we envisaged it would be to make sure there is an anti-malware product installed and up to date, with no care for the vendor that is being used.
@hslai, we are using these pre-built conditions; the problem is that the posture assessment detects both Windows Defender and the user's own installed anti-malware software such as Avast, Symantec, etc. However, when these are installed they disable updates for Windows Defender somehow, and this stops the updates being applied and leaves the definitions out of date.
Because of this, ISE receives the posture report from the client saying it has 2 anti-malware products installed: one is installed, enabled and up to date, and the other is installed and not up to date.
I guess I need a way to be able to tell ISE to be happy that there is at least one anti-malware product that is up to date, rather than failing when 1 of the products it has found is not up to date.
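To confirm what the endpoint is actually reporting before touching the ISE policy, the following PowerShell (an added diagnostic, not from this thread or from Cisco) lists the anti-malware products registered with Windows Security Center and then shows Defender's own signature state. It assumes a Windows 10 or later client with the Defender cmdlets present and an elevated prompt; the productState decoding is the widely used but undocumented one.

```powershell
# Added diagnostic, not part of the original thread or of ISE.
# Run in an elevated PowerShell prompt on the Windows client.

# productState is an undocumented bit field. The decoding below is the one
# commonly used: middle byte 0x10/0x11 = product enabled,
# low byte 0x00 = definitions current, 0x10 = definitions out of date.
function ConvertFrom-ProductState {
    param([int]$State)
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Enabled  = ($hex.Substring(2, 2) -in '10', '11')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

# 1. Products registered in SecurityCenter2. This is the inventory a posture
#    agent sees, so Defender and a third-party AV (Avast, Cylance, ...) both
#    appear here, each with its own enabled / definition state.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $decoded = ConvertFrom-ProductState -State $_.productState
        [pscustomobject]@{
            Product   = $_.displayName
            Enabled   = $decoded.Enabled
            UpToDate  = $decoded.UpToDate
            RawState  = ('0x{0:X6}' -f $_.productState)
        }
    } | Format-Table -AutoSize

# 2. Defender's own view. When another AV registers itself, Defender drops to
#    passive mode or disables itself and stops pulling signature updates,
#    which is what the posture module then reports as "out of date".
Get-MpComputerStatus |
    Select-Object AMRunningMode, AntivirusEnabled,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated,
                  AntivirusSignatureAge |
    Format-List
```

If the first table shows the third-party product enabled and current while Defender is disabled and stale, the endpoint is healthy and the fix belongs in the ISE requirement (an any-condition-succeeds rule), not in remediation.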
03-28-2020 07:04 PM
Try Compound Posture Conditions, then.