03-13-2013 10:44 PM - edited 02-21-2020 06:45 PM
Hello!
While a user is connecting through AnyConnect, AnyConnect doesn't check endpoint attributes. I've configured a check for the process "notepad.exe", but it doesn't work.
There is no check for the process "notepad.exe" in the output of debug dap trace (see attachment).
ASA 5520 ver 8.4(1)
AnyConnect 3.1.02040
HostScan 3.1.02043
CSD 3.6.6234
Does anyone know how to resolve this problem?
Thank you!
03-14-2013 03:44 AM
Do you have the AnyConnect posture module installed on the client PC?
03-14-2013 04:05 AM
Andrew, thanks for reply.
Yes, I have.
03-17-2013 04:16 AM
Does anybody have suggestions on how to resolve this problem?
03-17-2013 11:18 AM
Hi
Please provide:
1- debug menu dap 2
2- CSD logs (set to debugging) from the affected machine: Logging
3- Is Host Scan configured on the ASA?
4- Does this work on other machines?
Thanks.
03-17-2013 10:21 PM
Hi Javier, thanks for reply.
1 - Debug in the attachment (debug menu dap.txt).
2 - I set the logging level to debugging in ASDM, but when I connect with the AnyConnect client I don't see any logs. I can see logs only when I use clientless SSL VPN; is that good or not? Logs in the attachment (cscan.txt, cstub.txt, libcsd.txt). My goal is that when a user connects from home he must use the AC client for full access, and if a user connects from an Internet cafe he can use clientless SSL VPN, but access will be less privileged. I do this with an ALIAS.
3 - Yes, screenshot in the attachment (hostscan1.jpg).
4 - I'm currently only testing this solution and have only one VM in a lab environment.
03-17-2013 10:42 PM
Nice information.
Now, from the logs:
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"]={}
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"].exists="false"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"].name="notepad.exe"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"]={}
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].exists="true"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].path="C:\bingo.txt"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].name="bingo.txt"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].lastmodified="1012327"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].timestamp="1362574050"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].crc32="0x0"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["AC"]={}
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["AC"].exists="false"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["AC"].name="vpnui.exe *32"
So it looks like the text file named "bingo" does exist.
The following DAP should check the AC session:
DAP record [ AnyConnect ]:
(EVAL(aaa.cisco.tunnelgroup,"EQ","AC","string") or EVAL(aaa.cisco.grouppolicy,"EQ","AnyConnect","string")) and ((EVAL(endpoint.process.notepad.exists,"EQ","true","string")))
But the Notepad process does not seem to be running on the system.
What if, instead of the "notepad.exe" process, you select the file checker? Does it work?
It could be an issue on the system; you are testing from a VM, correct? What if you try from a real machine?
Thanks.
Portu.
03-17-2013 10:45 PM
On the other hand, I just checked again and noticed the following:
[Mon Mar 18 08:59:43.814 2013][cscan][debug][scan_process] scanning for process: (notepad.exe)
[Mon Mar 18 08:59:43.814 2013][cscan][debug][hs_file_verify_with_killdate] file verification bypassed: file = [C:\Windows\system32\kernel32.dll], signer = [(null)], type = [1]
[Mon Mar 18 08:59:43.814 2013][cscan][debug][hs_dl_load] attempting to load library (C:\Windows\system32\kernel32.dll)
[Mon Mar 18 08:59:43.814 2013][cscan][debug][hs_dl_load] library (C:\Windows\system32\kernel32.dll) loaded
[Mon Mar 18 08:59:43.814 2013][cscan][debug][set_debug_priv] The token does not have the specified privilege.
[Mon Mar 18 08:59:43.814 2013][cscan][debug][set_debug_priv] The token does not have the specified privilege.
[Mon Mar 18 08:59:43.814 2013][cscan][debug][hs_priv_proc_path] requesting path for (notepad.exe) from service.
[Mon Mar 18 08:59:43.846 2013][cscan][debug][priv_perform] received response msg.
[Mon Mar 18 08:59:43.846 2013][cscan][debug][hs_priv_proc_path] priv_proc_path fail.
What if you run the AC client as an Administrator? Does it work?
Thanks.
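To make the two observations above concrete (the DAP clause in the previous reply only matches when the scan reports endpoint.process["notepad"].exists="true", and the privilege messages in this reply show why the process scan came back false), here is a small Python script that parses cscan debug lines of the kind quoted in the thread and evaluates a DAP-style EVAL clause against them. This is an added example, not Cisco code or anything from the original posts: the log text is constructed from the lines quoted above, and the EVAL emulation covers only the EQ/NE/LT/GT operators and the string/integer types, which is an assumption about a subset of the ASA syntax.

```python
"""Parse Cisco HostScan (cscan) debug lines and evaluate a DAP-style EVAL clause
against the endpoint attributes they report.  Added example, not Cisco code."""
import re

# Constructed sample modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = r"""
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"]={}
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"].exists="false"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.process["notepad"].name="notepad.exe"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"]={}
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].exists="true"
[Mon Mar 18 08:59:43.674 2013][cscan][debug][get_data] endpoint.file["example"].path="C:\bingo.txt"
[Mon Mar 18 08:59:43.814 2013][cscan][debug][scan_process] scanning for process: (notepad.exe)
[Mon Mar 18 08:59:43.814 2013][cscan][debug][set_debug_priv] The token does not have the specified privilege.
[Mon Mar 18 08:59:43.814 2013][cscan][debug][hs_priv_proc_path] requesting path for (notepad.exe) from service.
[Mon Mar 18 08:59:43.846 2013][cscan][debug][hs_priv_proc_path] priv_proc_path fail.
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\[cscan\]\[(?P<level>\w+)\]\[(?P<func>\w+)\] (?P<msg>.*)$')
# Matches:  endpoint.process["notepad"]={}   or   endpoint.process["notepad"].exists="false"
DATA_RE = re.compile(
    r'^endpoint\.(?P<kind>\w+)\["(?P<label>[^"]+)"\]'
    r'(?:=\{\}|\.(?P<attr>\w+)="(?P<value>[^"]*)")$')
# Functions whose failures mean the scanner could not inspect the process (assumption
# based on the quoted log; other privileged operations would need their own names).
PRIV_FUNCS = {"set_debug_priv", "hs_priv_proc_path"}


def parse_lines(log_text):
    """Yield (func, msg) for every well-formed cscan line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("func"), m.group("msg")


def parse_endpoint_data(log_text):
    """Build {kind: {label: {attr: value}}} from the get_data lines, e.g.
    data["process"]["notepad"]["exists"] == "false"."""
    data = {}
    for func, msg in parse_lines(log_text):
        if func != "get_data":
            continue
        m = DATA_RE.match(msg)
        if not m:
            continue
        entry = data.setdefault(m.group("kind"), {}).setdefault(m.group("label"), {})
        if m.group("attr") is not None:
            entry[m.group("attr")] = m.group("value")
    return data


def eval_attr(data, path, op, value, typ="string"):
    """Mimic EVAL(endpoint.<kind>.<label>.<attr>, op, value, type) from a DAP record.
    Only EQ/NE/LT/GT and the string/integer types are modelled (assumption; the ASA
    syntax has more).  An attribute the scan never reported never matches."""
    parts = path.split(".")
    if len(parts) != 4 or parts[0] != "endpoint":
        raise ValueError("expected endpoint.<kind>.<label>.<attr>, got %r" % path)
    actual = data.get(parts[1], {}).get(parts[2], {}).get(parts[3])
    if actual is None:
        return False
    if typ == "integer":
        actual, value = int(actual), int(value)
    ops = {"EQ": actual == value, "NE": actual != value,
           "LT": actual < value, "GT": actual > value}
    return ops[op]


def privilege_errors(log_text):
    """Return the (func, msg) pairs showing the process scan could not read the
    process path, which is why 'exists' ends up reported as false."""
    return [(f, m) for f, m in parse_lines(log_text)
            if f in PRIV_FUNCS and ("privilege" in m or "fail" in m)]


def explain(log_text):
    """Summarise what the DAP record quoted in the thread would see for this scan."""
    data = parse_endpoint_data(log_text)
    return {
        "process_check_matches": eval_attr(data, "endpoint.process.notepad.exists", "EQ", "true"),
        "file_check_matches": eval_attr(data, "endpoint.file.example.exists", "EQ", "true"),
        "privilege_errors": privilege_errors(log_text),
    }


if __name__ == "__main__":
    for key, val in explain(SAMPLE_LOG).items():
        print(key, "->", val)
```

Run against the sample, the process clause evaluates false while the file clause evaluates true, and the two privilege lines are listed alongside, which is the same diagnosis as the replies above: the file check is a workable fallback, and the process check needs the scan to run with enough privilege to resolve the process path.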
03-17-2013 10:48 PM
Also try to run it from a real machine instead, since this is a VM:
[Mon Mar 18 08:59:37.434 2013][cscan][debug][scan_system_device_id] Device ID (VMware-56 4d 24 f2 66 c5 8f f9-5d a0 f1 0d 52 3f bc b9)
Portu
03-17-2013 10:52 PM
Further information:
A. The CSD installation with Java already installed and most basic host scanning operations do not require administrative privileges. Operations such as enabling a FW process do not work without administrative privilege, of course. Do not expect it to scan for files that it does not have the privilege to scan; for example, if you are a limited user, you cannot detect /users/administrator/mydocuments/file.txt. The keystroke logger check requires administrative privileges.
http://www.cisco.com/en/US/products/ps6742/products_qanda_item09186a00809d4413.shtml#q33
03-17-2013 10:58 PM
Javier, now I'm trying to connect with AC from a real machine, but I can't see any log in ...\AppData\Local\Cisco\Cisco HostScan\log. The previous logs were from when I connected to the clientless SSL VPN.
03-17-2013 11:06 PM
I see.
Is CSD installed on your system?
AnyConnect version?
Thanks.
03-17-2013 11:23 PM
When you run AC, do you run it as an Admin?
03-17-2013 11:24 PM
Javier Portuguez wrote:
When you run AC, do you run it as an Admin?
Yes