Prevent bypass of AnyConnect DAP Hostcheck policies

Hi,

We have just installed AnyConnect on our ASA and have set up a basic DAP hostcheck policy to check the registry for domain membership, along with the presence of selected AntiVirus products.

However, some users have been able to bypass the hostcheck via programs such as https://github.com/Gilks/hostscan-bypass.

It also seems to be possible for anyone to access the hostcheck criteria, registry keys etc. via the https://<hostname>/CACHE/sdesktop/data.xml file.

Does anyone know any methods of mitigating this exploit, or of obfuscating the client requirements/config from the data.xml file?

1 Reply

Cristian Matei
VIP Alumni

Hi,

The way you should look at HostScan is like a very old and ancient safe box, which now everyone has learned how to bypass, and nobody develops it anymore. At the same time, even with some developments in mind, being agentless, there are some inherent drawbacks. The only way to make the old safe box safe again is to stop using it and develop one with a different and better architecture in mind; so use AnyConnect with the ISE Posture Module instead. Here's another thread on this topic.

Regards,

Cristian Matei.