Posture Assessment Failing Using Clientless SSL VPN

jshojayi
Level 1

Version 9.1.3

ASDM 7.1(4)

Advanced Endpoint License ver 3.6.8133.2 Host Scan Image hostscan_3.1.04082-k9.pkg

Host computer is running McAfee HIPS/AV

I've written a number of DAP rules to check endpoint attributes for registry keys, active processes, files, and AV. When I connect to the ASA, these rules are passed to the host computer. Cscan.exe runs these checks correctly, which is evident in the logs. The issue is that either 1. the host computer is not passing the results to the ASA or 2. the ASA is not processing the results correctly. When doing a debug on the ASA, I see DAPs being used as if the checks were unsuccessful, when the host computer is actually running them. Here's the log from cscan.exe on my computer. It reports that the results are being passed back to the ASA.

[Tue Dec 03 13:14:23.711 2013][cscan][debug][asa_post_dap] sending results to: (https://x.x.x.x/+CSCOE+/sdesktop/scan.xml?reusebrowser=1)
[Tue Dec 03 13:14:23.711 2013][cscan][debug][hs_transport_setredircount] setting redirects
[Tue Dec 03 13:14:23.711 2013][cscan][debug][hs_transport_setredircount] setting redirects: (10)
[Tue Dec 03 13:14:23.711 2013][cscan][debug][hs_transport_setredircount] setting redirects done
[Tue Dec 03 13:14:23.711 2013][cscan][debug][hs_transport_post] posting data
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] Using MD5 hash algorithm.
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] certinfo[SerialNumber=(N/A) IssuerCN=(wcdav1.dstsystems.com
wcdav1.dstsystems.com) subjectCN=(wcdav1.dstsystems.com
wcdav1.dstsystems.com)]
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] Fingerprints do not match: Given(371E5428A8F36E9EA30157E89F25732A) != Computed(7E9483E1DD6DDA613F5867F8C3B00BEC)
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] Fingerprints do not match: Given(371E5428A8F36E9EA30157E89F25732A) != Computed(7E9483E1DD6DDA613F5867F8C3B00BEC)
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] certinfo[SerialNumber=(A4A09051) IssuerCN=(wcdav1.dstsystems.com) subjectCN=(wcdav1.dstsystems.com)]
[Tue Dec 03 13:14:23.721 2013][cscan][debug][hs_transport_winhttp_verify_cert_hash_check] Fingerprints match: Given(371E5428A8F36E9EA30157E89F25732A) == Computed(371E5428A8F36E9EA30157E89F25732A)
[Tue Dec 03 13:14:23.741 2013][cscan][debug][process_response_headers] processing http response headers
[Tue Dec 03 13:14:23.741 2013][cscan][debug][process_response_headers] getting http headers from l2
[Tue Dec 03 13:14:23.741 2013][cscan][debug][process_response_headers] getting http headers headers from l2 done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][parse_response_headers] parsing http headers
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] --- Http Response Headers ---
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] HTTP-Version: 1.1
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Status-Code: 200
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Cache-Control: no-cache
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Connection: Close
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Date: Tue, 03 Dec 2013 19:14:23 GMT
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Pragma: no-cache
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Transfer-Encoding: chunked
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] Content-Type: text/xml
[Tue Dec 03 13:14:23.741 2013][cscan][debug][dump_http_headers] --------------------
[Tue Dec 03 13:14:23.741 2013][cscan][debug][parse_response_headers] parsing http headers done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][process_response_headers] processing http response headers done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_transport_post] posting data done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][asa_post_dap] results sent to (https://x.x.x.x).
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_transport_get_data] getting data
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_transport_get_data] getting data done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_transport_get_data] getting data
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_transport_get_data] getting data done
[Tue Dec 03 13:14:23.741 2013][cscan][debug][asa_post_dap] headend response: (<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
)
[Tue Dec 03 13:14:23.741 2013][cscan][info][asa_parse_dap_response] parsing DAP response.
[Tue Dec 03 13:14:23.741 2013][cscan][debug][asa_parse_dap_response] TOKEN_SUCCESS
[Tue Dec 03 13:14:23.741 2013][cscan][debug][asa_parse_dap_response] no scan interval, defaulting to 60 sec.
[Tue Dec 03 13:14:23.741 2013][cscan][debug][asa_is_token_renewal_running] Token renewal not running
[Tue Dec 03 13:14:23.741 2013][cscan][debug][scan_vault_is_enabled] vault is not enabled in current config.
[Tue Dec 03 13:14:23.741 2013][cscan][debug][scan_vault_is_enabled] vault is not enabled in current config.
[Tue Dec 03 13:14:23.741 2013][cscan][warn][run] login timeout reached, scanning stopped.
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_cache_reset] Resetting cache for '0'
[Tue Dec 03 13:14:23.741 2013][cscan][debug][run] scanner exiting.
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_file_verify_with_killdate] file verification bypassed: file = [C:\windows\system32\kernel32.dll], signer = [(null)], type = [1]
[Tue Dec 03 13:14:23.741 2013][cscan][debug][hs_dl_load] attempting to load library (C:\windows\system32\kernel32.dll)
[Tue Dec 03 13:14:23.751 2013][cscan][debug][hs_dl_load] library (C:\windows\system32\kernel32.dll) loaded
[Tue Dec 03 13:14:23.751 2013][cscan][debug][set_debug_priv] The token does not have the specified privilege.
[Tue Dec 03 13:14:23.764 2013][cscan][debug][set_debug_priv] The token does not have the specified privilege.
[Tue Dec 03 13:14:23.764 2013][cscan][debug][hs_transport_free] de-initialization
[Tue Dec 03 13:14:23.764 2013][cscan][debug][hs_transport_free] de-initialization done
[Tue Dec 03 13:14:23.764 2013][cscan][all][halt] goodbye (0)

I used a different computer and it works fine, which leads me to believe it's my computer and not my ASA. The second computer doesn't have McAfee AV running. But the log above does report that the results have been returned to the ASA.

Thank you.

Joe
