Re: "Not Compliant" status. Antivirus not detected after reinstalled with Windows 10 1809

Fernando.Lando · ‎11-05-2018

After reinstalled my laptop with Windows 10 Pro version 1809 (OS Build 17763.55), I can't connect anymore to VPN.

The System Scan finish with "Not Compliant" status, according to Antivirus policies (Installed & Updated)

I guess this is because antivirus definition version and/or date is not correctly detected by de agent. I can read, in AnyConnect > Advanced Window > System Scan > Security Products:

Product Name Prod Type Prod Version Definition Ver Def Date

========================== ======== ========= ========== =======

System Center Endpoint Protection AV 4.7.13.0 (empty) 00/00/0

System Center Endpoint Protection AS 4.7.13.0 (empty) 00/00/0

My Windows reports it's Antivirus protection is Ok: SCEP, is updated and running.

As part of the changes in 1809 of 2018/NOV/02, the old Defender suffered big changes (or disappeared at all)

Microsoft community is talking about this here: Upgraded to Win10 version 1809 and Cisco AnyConnect VPN no longer can locate anti-virus

My client versions:

==============

Windows 10 Pro version 1809 (OS Build 17763.55)
Cisco AnyConnect Secure Mobility Client version 4.1.06013 (also tried with 4.3.05017, same result)
anyconnect-iseposture-win-4.1.06013
anyconnect-isecompliance-win-3.6.10294.2

Previous Windows versions (i.e. 1083) with same client is working fine in other colleague’s laptops. But the AV detected is Defender (with the proper Definitions version & date) or Defender + System Center Endpoint Protection (without definitios ver&date).

Thanks in advance,

Regards

Fernando

David Castro F. · ‎11-05-2018

Hello Fernando,

I hope you are doing great,

If it is urgent to solve this by making this PC to connect, you could go to the ISE and modify the posture on this AV to not check for definition versions, and instead look for the installation date of the SCEP or any other AV products.

Now in case you have time, I would uninstall Anyconnect, and follow some of the below steps in the link to check on the service for the programs:

https://www.microsoft.com/en-us/wdsi/definitions

Keep me posted, and please qualify the helpful answer!

David Castro,

Fernando.Lando · ‎11-07-2018

Thanks David for your suggestions.

We discussed with my client your first workaround proposal during last week (to change the ISE rules for some exceptions) but they are still evaluating the request.... I’m just a remote user, and a provider of the VPN’s owner. And by the moment (since Microsoft has stopped distributing this update) we have few machines affected by this problem.

Regarding your second suggestion, my AV is properly updated (by the daily automatic update).

My surprise was, following the steps indicated in the note, that Windows Defender (not my SCEP, but not sure) reported, (when running MpCmdRun.exe -removedefinitions -dynamicsignatures)

Service Version: 0.0.0.0

Engine Version: 0.0.0.0

Could it be related to the HotScan “confusion”?

My second workaround was to uninstall the 1809 update, but it could be done just in the first ten days after the update, so now is too late.

My third workaround was to install another antivirus protection, along with my SCEP. It will deactivate de AV features of SCEP and would be recognized as a valid AV product and definitions (provided it is in the Cisco’s list). I made a lab using Avira free, and it was Ok. I could see both AV/AS products, Avira with the right definition values. But again, is not an option for me, since I can’t install unauthorized software nor modify the security settings of my corporative machine.

Thanks again,

Fernando

David Castro F. · ‎11-07-2018

Hello Fernando,

When removing the definitions on the defender it would clear the existing ones, then you have to get the latest definitions, but this is where I can see where the problem might be. When you run the updates and the defender gets its feeds, the Anyconnect might not be detecting those and showing "definitions as empty". You could double confirm it the feeds are showing properly in the system with the command on powershell:

PS C:\> Get-MpComputerStatus

AMEngineVersion : 1.1.15400.4
AMProductVersion : 4.18.1810.5
AMServiceEnabled : True
AMServiceVersion : 4.18.1810.5
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 11/7/2018 7:15:42 AM
AntispywareSignatureVersion : 1.279.1367.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 11/7/2018 7:15:44 AM
AntivirusSignatureVersion : 1.279.1367.0
BehaviorMonitorEnabled : True
ComputerID : A4FAFD04-B26D-5A32-E1C2-7091D8863B79
ComputerState : 0
FullScanAge : 273
FullScanEndTime : 2/6/2018 2:51:22 PM
FullScanStartTime : 2/6/2018 1:20:15 PM
IoavProtectionEnabled : True
LastFullScanSource : 1
LastQuickScanSource : 2
NISEnabled : True
NISEngineVersion : 1.1.15400.4
NISSignatureAge : 0
NISSignatureLastUpdated : 11/7/2018 7:15:44 AM
NISSignatureVersion : 1.279.1367.0
OnAccessProtectionEnabled : True
QuickScanAge : 2
QuickScanEndTime : 11/4/2018 9:27:32 PM
QuickScanStartTime : 11/4/2018 9:22:49 PM
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
PSComputerName :

Also check the following info stated by Cisco:

Windows 10 Defender False Positive─Cisco AnyConnect Adapter Issue

When upgrading to Windows 10 Creator Update (April 2017), you may encounter a Windows Defender message that the AnyConnect adapter has an issue. Windows Defender instructs you to enable the adapter under the Device Performance and Health section. In actuality, the adapter should be disabled when not in use, and no manual action should be taken. This false positive error has been reported to Microsoft under Sysdev # 11295710.

AnyConnect 4.4MR1 (or later) and 4.3MR5 are compatible with Windows 10 Creators Edition (RS2).

AnyConnect Compatibility with Microsoft Windows 10

AnyConnect 4.1MR4(4.1.04011) and later are compatible with Windows 10 official release. Technical Assistance Center (TAC) support is available beginning on 7/29/2015.

For best results, we recommend a clean install of AnyConnect on a Windows 10 system and not an upgrade from Windows 7/8/8.1. If you are planning to perform an upgrade from Windows 7/8/8.1 with AnyConnect pre-installed, make sure that you first upgrade AnyConnect prior to uprading the operating system. The Network Access Manager Module must be uninstalled prior to upgrading to Windows 10. After the system upgrade is complete, you can re-install Network Access Manager on the system. You may also choose to fully uninstall AnyConnect and re-install one of the supported versions after upgrading to Windows 10.

I dont think you are hitting this bug below, but take into account that having a "AV compound rule" check to any AVs this can create a confusion.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut12878/?rfs=iqvred

Now my recommendation in order to avoid this issue is to set the AV compound rule to check for installation date only, and it should work by detecting it.

If not your third options sounds great.

Please qualify all of the helpful answers!

Regards,

David Castro

benjaminkeith · ‎02-06-2019

Has anyone found a real fix for this issue other than "install another antivirus software"? That option isn't available to a lot of us corporate users.

Thanks

orlando717971 · ‎05-13-2019

yes I have the same issue with Avast, Norton and Kaspersky.

my anyconect version is 4.5.0.5030

and ISE version :2.0 patch 6

drivera_ · ‎05-27-2019

Hi, Fernando

Did you find any solution for this issue? I'm having the same problem with Windows 10 Build 1809 (17763.475), mcaffe, and ISE version 2.0 patch 3. When users connect through VPN , the compliance module says that there is no AV installed and Posture state goes to non compliant.

Fernando.Lando · ‎05-27-2019

I'm sorry but, I abandoned the use of that VPN with no real solution, just the Avira workaround.