Posture - Application condition and remediation

llomjaria · ‎01-31-2024

Hi,

I would like to check if application (for example: Teamviewer) is running on client and if it is running would like to kill the process before allowing access to the network.

Is it possible to do this in ISE 3.2 ?

I tried configuring application condition, remediation and requirement - but it does not work, AnyConnect does not kill Teamviewer process.

ahollifield · ‎01-31-2024

https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273

Aref Alsouqi · ‎01-31-2024

One thing to keep in mind when using the application condition is that the application condition works the way around compared to the processes. For example, if you create a condition of a process that is installed/running and that condition is met, the posture status will be considered as compliant. However, if you do the same with an application condition the posture status will be considered as non-compliant, it's logic is basically inverted, and if the application is not installed/running the status will be considered as compliant.

llomjaria · ‎01-31-2024

In my case, condition is matching but I am not able to kill or uninstall the application automatically using remediation action.
I have tested Text Message in remediation action and it works. If Teamviewer running I am getting a message. Now I want to kill the process automatically.

My question is: is it possible to automatically uninstall application or kill a process ?

Aref Alsouqi · ‎02-01-2024

I didn't personally test that with Teamviewer, but the option to Uninstall or kill the process is there. Do you get any error during that process? if so, please share a screenshot of it.