Posture "File Condition" for File Existence in System32 does not work

rezaalikhani

Hi;

Consider the following scenario:

rezaalikhani_0-1727196270964.png

rezaalikhani_1-1727196356467.png

Now, if I change the above configuration and create the same file (Watermark.txt) in "C:\Windows" or elsewhere like "Desktop", everything works as expected!!!

rezaalikhani_2-1727196551716.png

 
rezaalikhani_0-1727196797191.png

My current environment:

  • Windows 10 22H2
  • ISE 3.2 patch 6
  • Latest version of Cisco Secure Client and ISE Compliance Module

Any ideas?

Thanks

 

1 Accepted Solution

Thanks for your reply;

  • The "Watermark.txt" is just an example. I actually want to check the existence of some files for the client's installed antivirus, which is not supported by the ISE Compliance Module yet.
  • I have tested this situation with two distinct Windows 10 22H2 systems with exactly the same result.

After some thorough testing, I found out that when you choose an absolute path for the desired file in a location, everything works OK except in System32. Following @ahollifield's suggestion of possible permission issues, I used the Process Monitor utility from Microsoft to find any "Access Denied" events when checking the file existence in System32, without any considerable event:
 
rezaalikhani_0-1727334367992.png

Then, I selected the "SYSTEM_32" from File Path section as follows:

rezaalikhani_1-1727334539631.png

Voilà! With this configuration change, everything worked as expected, but anyway, it seems to be a nasty bug in Cisco Secure Client...

 

rezaalikhani_2-1727334685106.png

 

 


2 Replies

Permissions issue?  Also watermark files are a "security by obscurity" strategy that is not really effective.  You should match on something else.  What is the use-case for the watermark file?
