• Introduction
• Related Information

Introduction

This document provides information on the most frequently asked questions (FAQ) related to the Cisco Secure Desktop (CSD).

Cisco Secure Desktop seeks to minimize the risks posed by the use of remote devices in order to establish a Cisco Clientless SSL VPN or AnyConnect Client session.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Q. What components comprise Cisco Secure Desktop?

A. CSD comprises several components:

• Prelogin Assessment/Policies      - defines endpoint Location policy (ie. Corporate asset, Non-corporate      asset)
• Host Scan - Basic and  Advanced Endpoint Accessment (AEA) with some remediation capabilities for AntiVirus
• Cache Cleaner
• Secure Desktop (Vault)
• Keystroke Logger
• Host emulation detection

Refer toCSD Configuration Guide for more information.

Q. Where can I find a compability matrix of OSes, Browsers, ASA versions, SSL VPN components supported by CSD?

A. Refer to Cisco ASA 5500 Series VPN Compatibility Reference for more information.

Support for Windows 7 and MAC OSX 10.6.x Beta is expected in the latter part of 2009 with CSD 3.5. Please stay tuned for upcoming Beta updates/announcements.

Note: CSD installation via weblaunch is not supported on 64-bit IE browsers.

Q. When is support for Windows 7 and MAC OSX 10.6 being added for CSD?

A. Support for Windows 7 and MAC OSX 10.6.x Beta is expected in the latter part of 2009 with CSD 3.5. Please stay tuned for upcoming Beta updates/announcements.

Update: CSD 3.5 beta is available from cisco.com  .

Q. Where is the CSD configuration stored on the ASA security applicance?

A. The CSD configuration is stored on the flash under sdesktop/data.xml file.

Q. Does CSD interoperate with the IPsec VPN Client?

A. No. CSD 3.2 and above only interoperates with Clientless SSL VPN and Anyconnect 2.x and above.

Q. Are there any plans to make the Cisco IPSec client interoperate with CSD?

A. Any future Host Scan support for IPsec (with IKEv2) will be done leveraging the IPsec version of the AnyConnect client framework. No specific dates on this support are available at this time.

Q. How do we perform IPSec VPN client posture assessment and remediation today?

A. Cisco NAC applicance solution is the recommended way for this deployment.

Q. Are the CSD Prelogin certificates checks applicable to both machine and user certificates?

A. Yes. Prelogin checks for Machine Certificates was implemented in CSD 3.2.1 (CSCsj35249).

Q. What are the minimum rights for Secure Desktop (Vault), Cache Cleaner, Host Scan, and KeyStroke Logger Scanning?

A. Non-privileged, guest user accounts are sufficient to download and install Secure Desktop (Vault), host emulation detection, Cache Cleaner, and Host Scan. Keystroke Logger detection requires administrator privileges.

Note: On Vista the user needs to be able to pass the UAC (User Account Control) check in order to install CSD (either they need to have the admin password or UAC needs to be disabled).

Q. What CSD operations require Administrative privileges?

A. The CSD installation with Java already installed and most basic host scanning operations do not require administrative privileges.

Operations such as enabling a FW process, do not work without administrative privileges, of course. Do not expect it to be scanned for files that it does not have privilege for which to scan; for example, if you are limited user, you cannot detect /users/administrator/mydocuments/file.txt.

Key stroke logger requires administrative privileges.

In summary:CSD operates within the constraints of a GPO security policy and will not pre-empt or go around that policy. If GPO says you cannot enable the FW process, then with or without admin privileges, CSD AEA policy will not be able to enable that FW.

Q. If Keystroke Logger detection is enabled, what happens if the user has no administrative privileges?

A. If Keystroke Logger detection is enabled in the policy applied to the session and the user lacks administrator privileges, Keystroke Logger detection does not run and the connection proceeds to the login page. The user can then log in.

Q. Can Keystroke Logger detection detect all keystroke loggers?

A. Keystroke Logger detection works diligently to detect keystroke loggers. There may be instances where Cisco Secure Desktop is unable to detect a particular keystroke logger, including but not limited to hardware keystroke logging devices.

Q. How does Keystroke work?

A. Software based keystroke loggers work by registering themselves with the OS to insert themselves in the processing path of any key events.CSD’s keystroke logger detection examines what modules, whether it is kernel mode or user mode, are involved in processing keystrokes. It does this by going through each step and each layer of the operating system and determine if any non-based OS modules have been injected along the way, and their identity.

Q. Does Secure Desktop (Vault) or Cache Cleaner detect a second network card for prelogin policy determination?

A. No, it detects only the IP address of the first network card.

Q. How does an end user use Secure Desktop (Vault) after downloading it the first time?

A. Once you have downloaded and installed Secure Desktop, it appears as an entry in the Start menu. Users who want to reuse Secure Desktop can click Start > Programs > Cisco Secure Desktop and enter the password with which they protected the Secure Desktop.

Q. How long can the password be for Secure Desktop reuse?

A. The password can be up to 127 characters, and can include any combination of upper and lower case letters, plus numbers and punctuation symbols, including spaces.

Q. Are there known interoperability issues with CSD and Java/JRE versions?

A. Beginning with JRE6 Update 10, Java starts differently from standard practice. See http://java.sun.com/developer/technicalArticles/javase/java6u10/ for details.

Consequently, the Secure Desktop Vault user's browser freezes if they open a website containing a Java applet, and JRE Update 10 or later is installed on the user's computer. This problem occurs only if you checked Secure Desktop Manager > <policy_name> > Secure Desktop Settings > "Restrict application usage to the web browser only." The default setting is unchecked. You can do one of the following to make Java applets functional on Secure Desktop:

Workaround:

1)Add the following lines to      the text box under the checked attribute "Restrict application usage      to the web browser only:"

c:\program
java.exe
jp2launcher.exe

2)Uncheck "Restrict      application usage to the web browser only:"

Q. What does transparent handling of e-mail applications mean?

A. The use of the term transparent means that Secure Desktop handles e-mail the same way that the local desktop handles it.

Q. Which applications does Secure Desktop handle transparently?

A. Secure Desktop supports transparent handling of Microsoft Outlook, Outlook Express, Eudora, and Lotus Notes.

Q. Can one run multiple instances of Secure Desktop at the same time?

A. No, the current release does not support multiple instances of Secure Desktop on the same PC.

Q. Can I use fast user switching on Windows XP?

A. Secure Desktop does not support fast user switching because only one instance of Secure Desktop can run on the same computer.

Q. How do Secure Desktop and the real desktop interact? For example, can files be moved between the two?

A. The file system is virtualized. Inside Secure Desktop, you can see essential local files such as program files and windows, but files inside Secure Desktop cannot be moved outside.

Q. Does Secure Desktop support Japanese character encodings?

A. Secure Desktop Manager supports encoding such as the Shift_JIS, provided that you configure support for it using ASDM (Configuration > Remote Access > Clientless SSL VPN Access > Advanced > Encoding) or the remote user configures encoding using the browser (View > Encoding or View > Character Encoding).

Q. When do modified Secure Desktop Manager settings apply to Cache Cleaner and Secure Desktop sessions?

A. When you modify the settings in Secure Desktop Manager, you must deploy those settings by clicking the Apply All button. The settings take effect the next time that a user loads Secure Desktop or Cache Cleaner.

Q. Is there a limit to the number of CSD locations that can be defined?

A. No limit.

Q. Can files that are created within Secure Desktop be saved onto the guest PC?

A. No.

Note: One exception to this is the use of certain email applications such as Outlook, Outlook Express, Eudora and Lotus Notes that operate as they do on the client PC. These applications are not generally found in the public domain.

Q. Can files be read from and saved to an external removable media (such as a USB flash drive, a CD, or external disk) from within CSD Vault?

A. Yes , files can be read from or saved to removable drives, if  the setting  Disable access to network drives and network folders is  unchecked in ASDM panel Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy-<Policy name>Secure Desktop (Vault) Settings .

By default, the data is encrypted and is not visible if the USB drive is removed. The saved files on the external media are removed once Secure Desktop Vault is terminated/uninstalled, if the Do not encrypt files on removable drives option is unchecked.

To be able to view the data in the files,  you need to check the option Do not encrypt files on removable drives in the ASDM panel Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy-<Policy name>Secure Desktop (Vault) Settings .

Q. Can files be saved on shared network folders?

A. Yes. If the shared network folders exist as part of the Network Neighborhood on the client PC, then they also appear on the Secure Desktop Network Neighborhood.

Q. Can one print from RDP session in the Vault over Clientless SSL VPN?

A. Yes, as long as the Disable printing setting is not checked in ASDM Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy-<policy name>-Secure Desktop (Vault) Settings panel.

You can print using the native RDP client over Smart Tunnels, or using the Cisco supplied RDP plugin with ActiveX over core Clientless, with  Internet Explorer.

Q. If the CSD vault reuse is enabled, is there limit of the size of the vault?

A. Vault size is limited to 2GB.

Q. When a file is created or amended within the Secure Desktop space, can it be saved to a Network Neighborhood if a network connection through SSL VPN or IPsec exists ?

A. Yes.

Q. How are the locations matched to the client?

A. As outlined in the documentation, locations are identified when the criteria of the different locations are checked with the use of the priority of top to bottom as displayed in the windows location pane. The first location that meets the criteria is used as the connection location. Cisco suggests the use of a location with no criteria as the last location so that it becomes the default if no other locations with criteria are matched.

Q. Even if ActiveX and Java are disabled, can I execute the CSD installation through the browser?

A. Yes, You can still install CSD even if both Active X and Java are not detected on the client PC.

Q. Is the CSD installation method/order with Internet Explorer (IE) changeable to ignore ActiveX and just use Java instead?

A.  There's no configuration knob to explicitly change the install method for CSD . When using IE to install CSD it will first attempt to use ActiveX, and failing that it will attempt to use Java. The administrator of the PC or someone with rights could disable ActiveX to force this condition, but this usually may not be allowed by the IT security policy. On all other browsers ( FireFox, Safari)  CSD installation Java will be always use Java.

Q. Are there restrictions of Sun JVM ?

A. No, there are not any restrictions for Cisco Secure Desktop or the SSL VPN Client.

Q. Does the Cisco Security Agent (CSA) V4.5 inter-operate with CSD and SVC?

A. Yes. CSA V4.5 now supports and is fully compatible with both CSD and SVC.

Q. How big of a partition on the hard drive does CSD create?

A. When a Secure Desktop environment is created, an encrypted file space is generated. The file space starts small and grows to a maximum of 2GB, depending on the applications loaded from their default locations whilst operating within Secure Desktop.

Q. How does CSD decide what applications to support? Is it just all the applications that are available on the normal desktop? Can this be controlled ?

A. This is detailed in the release notes and cannot be controlled. It does not allow applications to be installed whilst in the Secure Desktop, but uses the default applications under Program Files that are already installed on the client PC. Secure Desktop only supports applications installed in the default location. For increased security only applications installed under the Windows and Program Files directories are accessible under the Secure Desktop. Secure Desktop does not support or allow access to applications not found in these default installation locations.

Q. Can the use of print screen be prevented in CSD?

A. This is a configuration option within the Secure desktop management configuration. The copy/paste buffer (clipboard) is cleared once you switch back to the client PC, if enabled in the configuration.

Restrict Printing on Secure Desktop—Check to prevent the user from printing while the Secure Desktop space is used. For maximum security of sensitive data, check this option.

Q. Does the Secure Desktop run on DEP (MS KB 875352) enabled PCs and Tablet PCs ?

A. This was not supported in earlier versions (earlier than 3.1.0.29) and detailed in CSCsc12461. The workaround at that time was to disable DEP in the BIOS as mentioned in the DDTS. As of version 3.1.0.29, this has now been resolved.

Q. Is there any way to pre-install CSD on a PC?

A. Not as of CSD 3.4.x release. This capability is being considered for a future release.

Update:CSD 3.5  (in Beta late fall 2009) supports the ability to pre-install CSD.

Q. What browsers does CSD components support? Are 64-bit browsers (IE) supported?

A. Please refer to Browser-based SSL VPN Support for Computer Platforms for details .

Note: CSD installation via weblaunch is not supported on 64-bit IE browsers.

Q. What happens if a remote client is connected to secure desktop over SSL VPN (Cientless or AnyConnect) and they terminate the session like unplugging the network cable from the computer? Will the secure desktop (Vault) still remove traces of the file? I believe a similar scenario would be if the machine is powered off in the middle of the session, is the file accessible then?

A. The data remains encrypted/inaccessible and then is erased the next time Cisco Secure Desktop (Vault) is launched. If you use CSD Cache Cleaner, the data is wiped out the next time you logon.

Q. Are the new versions of CSD 3.2.x , which shipped with ASA version 8.0.x, backwards-compatible with ASA version 7.1.x/7.2.x?

A. The new version of Cisco Secure Desktop 3.2.x is not backwards compatible with older ASA 7.1.x/7.2.x.

Q. Does CSD v3.2 support Secure Desktop/Vault and Cache Cleaner?

A. CSD v3.3 supports Secure Desktop on 32-bit Vista platforms. CSD 3.2 for ASA 8.0.2.x supports ONLY Cache Cleaner on Vista , 32-bit machines.

Q. Can CSD 3.2.x Advanced Endpoint Assessment remediate multiple versions of AV, AS, FW?

A. CSD 3.2 Advanced Endpoint Assessment does not allow the checking of multiple versions of an Antivirus, Personal Firewall or AntiSpyware program. CSD 3.2.1 does have the ability to check for multiple Antivirus, Personal Firewall or AntiSpyware programs with the use of the Dynamic Access Policy with the Endpoint Assessment feature.

Note: CSD 3.2.1, ASDM6.0.3/ASA 8.0.3, which FCSed in November 2007 , includes this capability (CSCsk71239) .

Q. Is CSD 3.2 able to control control CD-R media?

A. The current design does not allow for CSD to control CD drives.

Q. How susceptible is Secure Desktop to threats from the host operating system while running CSD? Is it a case of Secure Desktop in effect that keeps all bad things at bay, or is the use of the normal desktop on the host just as vulnerable?

A. The posture check is relied upon in order to mitigate against some of these issues. The concept of CSD is to not leave anything behind. Secure Desktop is for storage of session data such as cached web pages created during the VPN session. Secure Desktop is encrypted for protection. It is not supposed to be a type of virus protection device.

Q. How do I position CCA NAC appliance versus CSD + Adv Endpoint Assessment in ASA 8.0? It seems like the posture check functionality is similar. Does CCA offer any significant advantages over 8.0 for VPN users?

A. CSD provides posture check and limited remediation, while CCA can actually support a more sophisticated and complete remediation process. This is key if the VPN user is a full-time telecommuter, for instance, that is not that tech savy and requires instruction on the next steps that are necessary without bogging down the internal support department. That can also lead to a reduction in support costs and increased productivity if you want to extrapolate the possibilities.

Q. Can CSD be enabled on a per-group-policy, post authentication?

A. Not currently as of ASA version 8.0.4/8.1.2. CSD is globably enabled on the ASA for all group-policies before Authentication/Authorization takes place. The main reason why Cisco Secure Desktop was loaded pre-login is to offer protection over the login process itself, especially when static credentials are in use. A future version of ASA/CSD will allow for enabling CSD per tunnel-group (ASDM connection profile).

Update: ASA version 8.2.1 added the capability to disable CSD per Tunnel-Group (aka. ASDM Connection Profile) that uses group-url method of access for SSL VPN (Clientless and AnyConnect only). The current CSD framework requires that CSD still be enabled globally (system-wide) and then disable it for those tunnel-groups (and therefore their associated group-policy) that don't require CSD. Again, you must use group-url format of access for this function to work. If you use group-alias (group drop-down list) access method , CSD will have already been launched and can't be disabled at that point.

Q. How is CSD uninstalled from the client PC?

A. When Secure Desktop is installed, it can be uninstalled manually or automatically when a session is closed. There are two options available in the CSD Manager > Secure Desktop GeneralASDM panel:

1. Suggest application      uninstall upon Secure Desktop closing
2. Force application      uninstall upon Secure Desktop closing

Q. How do I find a list of what products are supported by Cisco Secure Desktop (CSD) Host Scan?

A. Open "Antivirus, Antispyware, and Personal Firewall Applications Supported by Host Scan," then zoom in.

Q. How do I find the subset of products that are supported with Advanced Endpoint Assessment?

A. Search for Allow_port and Block_port attribute value for each product.

v= implemented

x= not implemented

Q. Are any of the CSD features such as Host Scan, Cache Cleaner, and Secure Desktop (Vault) supported on 64-bit platforms?

A. As of CSD 3.4 HostScan and Cache Clear operate on 64-bit platforms,  but not the Vaul (sandbox) component.

Refer to the CSD 3.4 Rlease Notes for details.

,

Q. Can CSD Prelogin Checks (Location policy) be configured if CSD in not enabled?

A. No. Prelogin policy checks rely on CSD being enabled.

Q. What are the supported CSD Prelogin checks?

A. The checks are IP Address (Source IP range), Certificate, Registry, File and OS.

Q. Can you delete all the Prelogin Policies in one shot instead of individually?

A. In ASDM there is currently no button/knob to delete all Prelogin policies. You can only delete them indidually. There is an enhancement request CSCsq91629 in order to be able to do this.

On the ASA CLI, you can complete these steps in order to clear all Prelogin policies and set CSD configuration to default.

1. #delete sdesktop/data.xml
2. Then you must Exit and      restart ASDM for the change to take affect.

Q. Are the CSD Prelogin certificate checks PKI-validated or does it only check for the presence of the certificates on the endpoint host?

A. The prelogin certificate checks verifies only that the certificate is present on the endpoint host, and not whether the certificate is PKI-validated.

Q. Registry and Certificate Prelogin checks apply to which OSes?

A. Only Windows.

Q. Can CSD settings be pushed from Radius/LDAP?

A. No. CSD specific policies cannot be set through Radius/LDAP . The parameters are set locally on the ASA.

Q. Can CSD detect TCP listening ports on the endpoint PC?

A. CSD 3.2.1 now supports Port Scanning on the endpoint PC (Windows, MAC, Linux) and was implemented in CSCsj44999. Dynamic Access Policies (DAP) can enforce the endpoint.device.port attribute in policy.

Q. What are the the CSD and DAP endpoint attributes that can be enforced on an SSL VPN policy?

A. Here is a list of Dynamic Access Policy (DAP) Endpoint Selection attribute categories as of 8.0.3.x:

• Anti-Spyware
• Anti-Virus
• Application
• File
• NAC
• Operating System
• Personal Firewall
• Policy (Location)
• Process
• Registry
• Device such as Hostname, Mac      Address, Port Number, and Privacy Protection

Q. How do I configure DAPs to use Host Scan results?

A. After you add scans for Pre-login  policies that scan for registry keys, files, and processes to the Basic Host Scan table in the Host Scan pane, choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit. Choose Registry, File, or Process from the drop-down list next to the Endpoint Type attribute and enter the ID of the registry key, file, or process. Do this once for each entry in the Basic Host Scan table. After you check Endpoint Assessment or Advanced Endpoint Assessment, choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit. Choose Antispyware, Antivirus, or Personal Firewall from the drop-down list next to the Endpoint Type attribute and select the application you want to associate with a DAP. Do this once for each protective application you want to require as a condition for assigning a DAP.

Please refer to the Dynamic Access Policy (DAP) Deployment guide for indepth procucedures .

Q. Does the Host Scan check whether antivirus, antispyware, and firewall applications are present or running on the endpoint?

A. The Endpoint Assessment function of Host Scan, if enabled, returns for DAP evaluation the answer to whether the antivirus, antispyware, and firewall application selected as an endpoint attribute is running.

Q. What is this CSD token seen within the DAP debugs (DAP_TRACE: DAP_add_CSD: csd_token = [71F16BEE51C8B569360F9BF0]) ?

A. ASA creates unique random numbers and assigns them to Host Scans so it can distinguish one Host Scan from another. Host Scan runs before the login when no SSL VPN session exists. Host Scan does not send a CSD token in the scan file. The token is used to attach the scan data to the ASA SSL VPN session.

Q. What CSD capability is available with AnyConnect in Start Before Login (SBL) mode?

A. When Anyconnect is launched in SBL mode, only Host Scan runs, regardless of what the prelogin policy dictates, unless there is no location match, in which case CSD launch fails. There's no support for Cache Cleaner or Secure Desktop with AnyConnect in SBL mode.

Q. What is the recommended way to update the CSD file without the deletion of the Prelogin policy (Locations) configuration?

A. Upgrate a new CSD image, which keeps all settings intact, except upgrades from CSD 3.1.1 to 3.2 or later.

Q. Launch hidden URL after installation seems to have no effect if I enable this option. Where in the web login sequence should URL launch? What is meant by hidden?

A. This is not meant to launch a URL. It is used for administrative purposes to detect a cookie on the user's PC.

Launch hidden URL after installation — Check to use a URL for administrative purposes, hidden from the remote client, so that you know that the user has the Cache Cleaner installed. For example, you could place a cookie file on the user's computer, and later check for the presence of that cookie.

Hidden URL—Type the URL to use for administrative purposes, if you checked "Launch hidden URL after installation."

Q. Can CSD Advanced Endpointment Accessment trigger an update for OS service packs or patches?

A. CSD does not trigger an update for OS Service Packs or patches. DAP is used to enforce a specific policy regarding some of these attributes, such as:

• endpoint.os.version =      "Windows XP";
• endpoint.os.servicepack =      "2";
• endpoint.os.hotfix["KB873339"]      = "true";

CSD only checks for OS patches, and not application patches/SP. CSD can't force an OS/application patch update, however.

Q. Can CSD launch applications after an SSL VPN session is established.

A. Yes. Secure Desktop can be configured to launch a single application (ie. Outlook) or multiple applications via a batch script. The application must be accessable from the Programs Files folder on the endpoint.

The "Launch the following application after installation" option is configured in ASDM panel Configuration-Remote Access VPN-Secure Desktop Manager-<prelogin-policy-name>-Secure Desktop General

Q. If we have the CSD timeout and the group timeout configured which one takes precedence over the other?

A. These two timers are independent and which ever has the least timeout is occurring first.

For example:

a. CSD inactivity timeout is 2 minutes, Group Policy VPN idle timeout is 5 minutes:

Once the secure desktop loaded, I logged into the WebVPN session, but left the PC idle. Within 2 minutes, I got the popup that CSD has been inactive and it closed the secure desktop and withit I lost the VPN session.

b. CSD inactivity timeout is 5 minutes, Group Policy VPN idle timeout is 2 minutes:

Once the secure desktop loaded, I logged into the WebVPN session, but left the PC idle. Within 2 minutes, the webvpn session is timed out. And, after that, within 10seconds another popup showed up and this time closed the Secure Desktop.

Q. Why are multiple CSD secure icons in the taskbar?

A. CSD's hostscan.exe process and icons linger if you log out too quickly from an SSL VPN session.

Conditions in which it will occur: If a user logs into the Clientless SSL VPN portal and then immediately logs out (without waiting ~15 seconds or so), hostscan.exe process may linger. Also you'll see multiple CSD icons in the taskbar as a result. This is detailed in CSCsj78392.

Q. Did the CSD 3.5 Cache Cleaner (CC) behavior change? I no longer see the yellow icons in the task bar when CC is running and the Installation Success dialogue?

A. Yes.

Cisco Secure Desktop's Cache Cleaner has a configurable option called, "Show success message at the end of successful installation. (Windows only)". When this is selected, a message should appear informing the user that Cache Cleaner has installed properly.  With CSD 3.5 , this message is not currently being displayed. Also the yellow lock icons don't display in the system tray.(SeeCSCtc25793 for details).

To verify CSD Cache Cleaner is running open the Task Manager (Windows) and verify the Cleaner.exe process is running. Processes CSDWeblaunch.exe and csd.exe will also be running if installing CSD via Weblaunch or standalone mode respectively.

When Cache Cleaner exits (such is the case for Clientless SSL VPN session termination), the closing of the browser may take up to a minute to complete depending on the amount of cached data being cleaned up.

By the way, you can obtain the Cache Cleaner behavior (available in pre-CSD 3.5 releases) by enabling Key Stroke Logger and/or Host Emulation.

the yellow icons will show up in the system tray.

Q. Does CSD record a log? Where are the locations for the CSD logs?

A. Yes, Host Scan records event messages to log files on the connecting computer, as follows:

I. CSD 3.4  log files

CSD 3.4 outputs 2 logs, csd.log and hostscan.log.

Root location on Windows is %APPDATA%; Type %APPDATA% into the Start-Run box to take you to the ROOT directory.

CSD logs on Vista and Win7:
C:\Users\<user_name>\AppData\Roaming\Cisco\Cisco HostScan\csd.log
C:\Users\<user_name>\AppData\Roaming\Cisco\Cisco HostScan\hostscan.log
  
CSD logs on XP:
C:\Documents and Settings\<user_name>\Application Data\Cisco\Cisco HostScan\csd.log
C:\Documents and Settings\<username>\Application Data\Cisco\Cisco HostScan\hostscan.log

CSD logs on Mac and Linux:
~/.cisco/hostscan/csd.log
~/.cisco/hostscan/hostscan.log

Note: ~ indicates a user's home directory

Vista/Win7 SBL Hostscan Log:
When a scan occurs during SBL on Vista, CSD places the log in a different location:
32-bit:
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Cisco\Cisco HostScan\csd.log
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Cisco\Cisco HostScan\hostscan.log
64-bit:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cisco\Cisco HostScan\csd.log
  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cisco\Cisco HostScan\hostscan.log

II. CSD 3.5  log files

CSD 3.5 outputs one to three logs; based on your operating system, privilege level and launching mechanism (WebLaunch or AnyConnect); csd.log, csd_child.log and hostscan.log.

Root location on Windows is %LOCALAPPDATA% ; Type %LOCALAPPDATA% into the Start-Run box to take you to the ROOT directory.

CSD logs on Vista and Win7:
C:\Users\<user_name>\AppData\Local\Cisco\Cisco HostScan\log\csd.log
C:\Users\<user_name>\AppData\Local\Cisco\Cisco HostScan\log\csd_child.log
C:\Users\<user_name>\AppData\Local\Cisco\Cisco HostScan\log\hostscan.log

CSD logs on XP:
C:\Documents and Settings\<username>\Local Settings\Application Data\Cisco\Cisco HostScan\log\csd.log
C:\Documents and Settings\<username>\Local Settings\Application Data\Cisco\Cisco HostScan\log\csd_child.log
C:\Documents and Settings\<username>\Local Settings\Application Data\Cisco\Cisco HostScan\log\hostscan.log

CSD logs on Mac and Linux:
~/.cisco/hostscan/log/csd.log
~/.cisco/hostscan/log/csd_child.log
~/.cisco/hostscan/log/hostscan.log

Note: ~ indicates a user's home directory

Vista/Win7 SBL Hostscan Log:
When a scan occurs during SBL on Vista, CSD places the log in a different location:
32-bit:
  C:\Windows\System32\config\systemprofile\AppData\Local\Cisco\Cisco HostScan\hostscan.log
64-bit:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Cisco\Cisco HostScan\hostscan.log

Related Information

• Cisco ASA 5500 Series Security Appliances
• Cisco ASA 5500 Series VPN Compatibility Reference
• Cisco Secure Desktop
• Configuring Cisco Secure Desktop
• Cisco Secure Desktop (CSD) FAQ
• Technical      Support & Documentation - Cisco Systems

Document ID: 107461