Posture remediation script : integrity failed

Kalipso
Level 1

Hello,

I'm trying to implement Posture using the Secure Client module in the latest version. As there is no automatic remediation to force the update of our anti-malware solution, I wanted to test a PowerShell script.

So I created a .ps1, signed with a code-signing certificate issued by our internal PKI.

I pushed the code-signing certificate to the Trusted Publishers store on my client.

I added the SHA256 fingerprint to AnyconnectLocalPolicy.xml and rebooted my client. (I included the fingerprints of our internal root CA and intermediate, along with the fingerprint of the admin certificate of the PSN; at the end I even added the code-signing certificate fingerprint...)

I can see in the packets that the client is connecting to the PSN on port 8905, and the TLS handshake is OK.

But I got an error in the remediation, saying that it didn't work. Exploring the ISEPosture.txt from DART, I can find errors related to integrity:

"Public key in configuration is empty. Cannot verify data integrity"

"Data Integrity check failed"

"public key not found"

My .ps1 file looks like:

C:\.....\antimalware.exe -task 2

# SIG # Begin signature block

# signature data

# SIG # End signature block

What am I missing, why is the script check not working? I even changed the Windows PowerShell execution policy to "Bypass" in the remediation script configuration.

sidshas03
Spotlight

It seems the issue is with the public key setup for verifying your script. Kindly ensure the public key from your code-signing certificate is correctly added to AnyconnectLocalPolicy.xml and that all relevant certificates are installed in the Trusted Publisher store. Also, check that your script's signature block is properly formatted and that the Secure Client module has the right permissions. This should help resolve the integrity check errors.

So the fingerprints of the PSN admin certificate and the code-signing certificate are present in the AnyconnectLocalPolicy.xml.

I have no reason to doubt the signature block: my laptop policy is set to AllSigned and I'm able to execute the script from the laptop.

How do I check that Secure Client has the right permissions?
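The thread above turns on three facts the client has to agree on: that the .ps1 carries a valid Authenticode signature, that the signer chains to a trusted root and sits in the Trusted Publishers store, and which fingerprint or public-key value of the signer is actually configured. The following PowerShell script is an added example (not from the original post, nor Cisco's code) that collects exactly those facts on the endpoint so they can be compared, by hand, with what was entered in AnyconnectLocalPolicy.xml. The script path is a placeholder; the element names and the exact value format that AnyconnectLocalPolicy.xml expects are not established in the thread, so the script only prints candidate values (SHA256 fingerprint of the DER certificate, and the raw public key in Base64) rather than editing the policy file.

```powershell
# Added example: inspect a signed remediation script and its signer on the endpoint.
# Assumption: $ScriptPath is a placeholder; replace it with the real .ps1 path.
param(
    [string]$ScriptPath = 'C:\Placeholder\antimalware-remediation.ps1'
)

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # X509Certificate2.Thumbprint is SHA1; compute SHA256 over the DER bytes ourselves.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha256.ComputeHash($Cert.RawData)
        return ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha256.Dispose()
    }
}

# 1. Authenticode status of the script itself (Valid / NotSigned / HashMismatch / UnknownError ...).
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
Write-Host "Signature status  : $($sig.Status)"
Write-Host "Status message    : $($sig.StatusMessage)"

if (-not $sig.SignerCertificate) {
    Write-Host "No signer certificate found; the signature block is missing or unreadable."
    return
}
$signer = $sig.SignerCertificate

# 2. Identity and fingerprints of the signer (compare these with the policy file entries).
Write-Host "Signer subject    : $($signer.Subject)"
Write-Host "Signer issuer     : $($signer.Issuer)"
Write-Host "SHA1 thumbprint   : $($signer.Thumbprint)"
Write-Host "SHA256 fingerprint: $(Get-Sha256Fingerprint -Cert $signer)"
Write-Host "Public key (B64)  : $([Convert]::ToBase64String($signer.GetPublicKey()))"
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by    : $($sig.TimeStamperCertificate.Subject)"
}

# 3. Is the signer present in the machine-wide Trusted Publishers store?
$inTrustedPublishers = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
Write-Host ("In TrustedPublisher (LocalMachine): {0}" -f [bool]$inTrustedPublishers)

# 4. Does the chain build to a trusted root, and what are the SHA256 fingerprints of each link?
#    Revocation checking is disabled here so an offline lab client still gets a chain printout.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($signer)
Write-Host "Chain builds      : $chainOk"
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host ("  - {0}`n    SHA256 {1}" -f $c.Subject, (Get-Sha256Fingerprint -Cert $c))
}
if (-not $chainOk) {
    foreach ($status in $chain.ChainStatus) {
        Write-Host "  chain status: $($status.Status) - $($status.StatusInformation)"
    }
}
$chain.Dispose()
```

Run it from an elevated PowerShell on the client that fails remediation. A `Valid` status with the signer in Trusted Publishers confirms the poster's observation that the script runs under AllSigned; the printed SHA256 fingerprints of the signer, intermediate and root can then be checked one by one against the values typed into AnyconnectLocalPolicy.xml, and the Base64 public key is available if the "Public key in configuration is empty" log line turns out to refer to a key rather than a fingerprint. Note that `Get-AuthenticodeSignature` checks the signature over the file as it exists now; if the .ps1 was edited after signing (even a changed line ending), the status becomes `HashMismatch`.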