Posture Condition for CrowdStrike AV

Matthew Martin
Level 5

Hello All,

ISE: v2.3.0.298 Patch 3

We are going to be moving from Symantec AV to CrowdStrike AV. I believe the product is called Falcon and it's currently on Version 5.

Looking through the Posture Conditions in ISE, I only see options for:

- ANY
- Falcon v2.x
- Falcon v3.x

Does my ISE version have anything to do with me not seeing Falcon v5.x?

Thanks in Advance,

Matt


Mike.Cifelli
VIP Alumni
I just checked on version 2.4p9 and the AV Conditions for the CrowdStrike, Inc. vendor only have support for the products listed above. Would the ANY not suffice? What about adding additional checks such as a specific file condition or to ensure that a certain CrowdStrike service is running?

Anurag Sharma
Cisco Employee

Hi @Matthew Martin ,

AV is legacy (used in Compliance Module 3.x or earlier). Instead, use Anti-Malware. Your version (and others) is available.

Screenshot 2020-06-05 at 7.42.44 PM.png

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Thanks for the reply.

Yup, that's right, found it yesterday. Sorry forgot to post that I found it.

Thanks Again,
Matt

So I created a new Posture Policy that checks for the CrowdStrike Anti-malware. I deleted my device from Context Visibility > Endpoints to force it to Reposture since it posture checks every 1 Day. When I reconnected to VPN I'm getting the System Scan Remediation window that's telling me that I don't have CrowdStrike installed.

Any ideas? It's definitely installed.

CrowdStrike.png

I created the Posture Requirement so that the device can have either Symantec OR CrowdStrike. It worked while I still had Symantec installed. Then after I uninstalled Symantec and installed CrowdStrike, Posture check now fails.

Thanks,

Matt

There is no reason to not use 4.x Compliance Module anyway. In fact, in my previous post, it shows in the screenshot the Compliance Module has to be 4.x or later.
Hope that helps!