ISE posture - Anti Malware definitions and windows defender

Northy
Level 1

Hi all,

I have done some googling and searching of the forums and the only thing I have found that is similar is this community post from 2017.

We are attempting to implement posturing for end users' personal devices so they can access the AnyConnect VPN. One of the requirements we have is to check for up-to-date anti-malware definitions on the end user's device.

However, in our testing we have found that some devices have their own anti-malware, such as Avast, installed; this stops the Windows Defender definitions from being updated and causes the posture module to report them as being out of date.

Has anyone else had to deal with this or worked around it in any way? Would automatic remediation force the update of the signatures for Windows Defender?

For info, we are using ISE version 2.4 patch 5,11.

Thanks for any assistance you can provide.

Accepted Solution

That works! Thank you.

Cylance disables Windows Defender, and the definition check fails for it. I created a new AM condition (Policy > Policy Elements > Conditions > Posture > Anti-Malware Condition) for vendor Cylance, ANY, ANY, Yes. I then added a second condition to my Any_AM_Definition_Win requirement (Policy > Policy Elements > Results > Posture > Requirements) with "any selected condition succeeds" and the user is now compliant.


Cristian Matei
VIP Alumni

Hi,

You could choose to kill the Windows process or to uninstall the software completely, in which case Windows Defender should be able to get updated. Check this guide for more information.

Regards,

Cristian Matei.

hslai
Cisco Employee

Why not use the pre-built conditions?

ANY_am_mac_def Any AM definition check on Mac
ANY_am_mac_inst Any AM installation check on Mac
Any AM definition check on Windows
ANY_am_win_inst Any AM installation check on Windows
 

Thanks for the responses.

@Cristian Matei, I cannot kill the Windows Defender processes as it is not running on my machine, but it is installed, and as far as I am aware there is no way to remove it without a lot of effort. The whole idea of the solution as we envisaged it would be to make sure there is an anti-malware product installed and up to date, with no care for the vendor that is being used.

@hslai, we are using these pre-built conditions; the problem is that the posture assessment detects both Windows Defender and the user's own installed anti-malware software such as Avast, Symantec, etc. However, when these are installed they disable updates for Windows Defender somehow, and this stops the updates being applied and leaves the definitions out of date.

Because of this, ISE receives the posture report from the client saying it has 2 anti-malware products installed: one is installed, enabled and up to date, and the other is installed and not up to date.

I guess I need a way to be able to tell ISE to be happy that there is at least one anti-malware product that is up to date, rather than failing when 1 of the products it has found is not up to date.
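An added endpoint-side check, not code from this thread or from Cisco, that shows the "two products, one stale" situation described above as Windows itself reports it: it lists the anti-malware products registered in Windows Security Center next to Defender's own signature status. It assumes a Windows 10/11 client (the root/SecurityCenter2 namespace is not present on Server editions), an elevated session with the Defender module available, and the commonly used but unofficial decoding of the productState bit field noted in the comments.

```powershell
# Added diagnostic (not from the thread or from Cisco): enumerate registered AV products and
# compare them with Defender's own signature status, to see what the posture module reacts to.
# Assumptions: Windows 10/11 client, elevated PowerShell, Defender module present.

function Get-AvProductSummary {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        # productState is a packed bit field. The decoding below (second byte 0x10/0x11 = enabled,
        # low byte 0x00 = definitions current) is the widely used unofficial interpretation;
        # treat it as an assumption and confirm against the vendor's own UI.
        $hex = '{0:X6}' -f $p.productState
        [pscustomobject]@{
            Name         = $p.displayName
            Enabled      = $hex.Substring(2, 2) -in @('10', '11')
            DefsCurrent  = $hex.Substring(4, 2) -eq '00'
            ProductState = "0x$hex"
        }
    }
}

function Get-DefenderSignatureSummary {
    # Defender's own view of its signatures, independent of the Security Center registration.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled    = $mp.AntivirusEnabled
        SignatureAgeDays    = $mp.AntivirusSignatureAge
        SignatureLastUpdate = $mp.AntivirusSignatureLastUpdated
    }
}

# $true for the case the thread describes: another product is enabled with current definitions
# while Defender is registered but its definitions are stale.
function Test-StaleDefenderBesideOtherAv {
    param([object[]]$Products)
    $healthyOther  = $Products | Where-Object { $_.Enabled -and $_.DefsCurrent -and $_.Name -notlike '*Defender*' }
    $staleDefender = $Products | Where-Object { $_.Name -like '*Defender*' -and -not $_.DefsCurrent }
    return [bool]($healthyOther -and $staleDefender)
}

$av = Get-AvProductSummary
$av | Format-Table -AutoSize
Get-DefenderSignatureSummary | Format-List

if (Test-StaleDefenderBesideOtherAv -Products $av) {
    $current = ($av | Where-Object { $_.Enabled -and $_.DefsCurrent }).Name -join ', '
    Write-Warning ('Defender definitions are stale while {0} is current; this is the combination the thread reports as failing the ISE definition check.' -f $current)
}
```

If the warning fires, the endpoint matches the report ISE is receiving, and the fix belongs in the ISE requirement logic (accepting any one compliant product) rather than on the client.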
