Hello guys,
I have the following scenario:
ISE: 2.4.0.357
AnyConnect: 4.7.00136
Compliance Module Version: 4.3.890.6145
Condition: a Posture check whether the AV is running (checks for the process ccSvcHst.exe from Symantec Endpoint Protection v14).
Next Scenario: enable the AV Definition check: the host will be OK if the AV definitions are less than 30 days old.
We created the policies and AV Condition and tested with a host prepared to meet this condition; however,
with an OK definition (about 14 days old) the host is not being allowed to connect to the corporate network.
In the live logs there is absolutely no error or warning.
I've enabled the posture debug and searched in the log file.
It seems to me that, when AnyConnect checks the host conditions, it returns OK for the running SEP process and returns NOK for the AV definition because it has detected Windows Defender as the antivirus, as the debug log below suggests:
<av>
<av_vendor_name>Microsoft Corp.</av_vendor_name>
<av_prod_name>Windows Defender</av_prod_name>
<av_prod_version>4.13.17134.1</av_prod_version>
<av_def_version>1.299.1829.0</av_def_version>
<av_def_date>08/12/2019</av_def_date>
<av_prod_features>AV</av_prod_features>
</av>
<av>
<av_vendor_name>Microsoft Corp.</av_vendor_name>
<av_prod_name>Windows Defender</av_prod_name>
<av_prod_version>4.13.17134.1</av_prod_version>
<av_def_version>1.299.1829.0</av_def_version>
<av_def_date>08/12/2019</av_def_date>
<av_prod_features>AS</av_prod_features>
</av>
<package>
<id>10</id>
<status>1</status>
<check>
<chk_id>sep_running</chk_id>
<chk_status>1</chk_status>
</check>
</package>
<package>
<id>20</id>
<status>0</status>
<check>
<chk_id>sep_definition</chk_id>
<chk_status>0</chk_status>
</check>
</package>
Is there a problem with my analysis, or could this be an issue with AnyConnect? Or even SEP?
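To triage a report like the one above, it helps to parse the `<av>` and `<package>` blocks and apply the 30-day rule mechanically. The script below is an added example, not part of the original post or of any Cisco tooling; the sample report is constructed from the quoted log, wrapped in a `<report>` root, and the `MM/DD/YYYY` date format and the reference date are assumptions.

```python
from datetime import date, datetime
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <av> and <package> blocks quoted in the post.
SAMPLE_REPORT = """<report>
<av>
<av_vendor_name>Microsoft Corp.</av_vendor_name>
<av_prod_name>Windows Defender</av_prod_name>
<av_prod_version>4.13.17134.1</av_prod_version>
<av_def_version>1.299.1829.0</av_def_version>
<av_def_date>08/12/2019</av_def_date>
<av_prod_features>AV</av_prod_features>
</av>
<package><id>10</id><status>1</status>
<check><chk_id>sep_running</chk_id><chk_status>1</chk_status></check></package>
<package><id>20</id><status>0</status>
<check><chk_id>sep_definition</chk_id><chk_status>0</chk_status></check></package>
</report>"""

def parse_av_products(xml_text):
    """Return one dict per <av> element that carries the AV feature (AS entries are duplicates)."""
    root = ET.fromstring(xml_text)
    products = []
    for av in root.iter("av"):
        if av.findtext("av_prod_features") != "AV":
            continue  # the same product is listed again with the anti-spyware feature
        products.append({
            "vendor": av.findtext("av_vendor_name"),
            "product": av.findtext("av_prod_name"),
            # assumption: the debug log prints definition dates as MM/DD/YYYY
            "def_date": datetime.strptime(av.findtext("av_def_date"), "%m/%d/%Y").date(),
        })
    return products

def evaluate(xml_text, today, required_vendor_substr, max_age_days=30):
    """Apply the poster's rule (definitions younger than max_age_days) to the
    required vendor only, and list which posture checks the agent marked failed."""
    products = parse_av_products(xml_text)
    matching = [p for p in products if required_vendor_substr.lower() in p["vendor"].lower()]
    fresh = [p for p in matching if (today - p["def_date"]).days < max_age_days]
    failed_checks = [c.findtext("chk_id") for c in ET.fromstring(xml_text).iter("check")
                     if c.findtext("chk_status") != "1"]
    return {
        "reported_vendors": [p["vendor"] for p in products],
        "required_vendor_reported": bool(matching),
        "definition_fresh": bool(fresh),
        "failed_checks": failed_checks,
    }
```

Running `evaluate(SAMPLE_REPORT, date(2019, 8, 26), "Symantec")` shows the point of the post: the definitions are fresh, but no Symantec product appears in the report at all, so the definition check cannot pass.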