Using DAP to ensure Antivirus install

ethutchinson
Level 1

We are currently using AnyConnect version 4.10 to connect to our FTDs which are managed by a FMCv. Both are 7.0.5. Can I use our dynamic access policy to ensure clients have a valid Antivirus program( hopefully not a trial) before they are granted access to our VPN gateway?

Thanks in advance for any information.

8 Replies

Rob,

Thanks for the info. I found the endpoint criteria that lists what looks like every antivirus manufacturer.

Rob,

Is there a way to just ensure that there is any antivirus installed, enabled and scanning? The way I read the anti-malware criteria, I have to pick a certain vendor.

Thanks

@Rob Ingram can correct me, but I believe you need to put a Lua script into ASDM to achieve this (use endpoint.av or endpoint.am, or add your own and/or logic to check both AV and AM):

assert(function()
  -- Walk every AV product the posture library reported (endpoint.am for anti-malware)
  for k,v in pairs(endpoint.av) do
    -- "exists" is the string "true" when the product's process is running
    if (EVAL(v.exists, "EQ", "true", "string")) then
      return true   -- at least one product present: allow the session
    end
  end
  return false      -- nothing found: terminate the session
end)()

Also, note that OPSWAT library supports "activescan" for a limited number of AV/AS products. This means that it is possible to check if AV is really enabled only if it supports this check. For all others you can only check if it "exists", i.e. corresponding process is running (but scanning can be disabled). For those products which support activescan, "v.exists" checks if AV exists (corresponding process is running) *and* scanning is enabled. For those products which do not support activescan, "v.exists" doesn't check if scanning is enabled. Debug dap 255 can help, e.g.:

Session Attribute endpoint.am["362"]={}
Session Attribute endpoint.am["362"].exists="true"
Session Attribute endpoint.am["362"].description="Windows Defender"
Session Attribute endpoint.am["362"].version="4.18.1902.5"
Session Attribute endpoint.am["362"].activescan="failed"
Session Attribute endpoint.am["362"].lastupdate="66979002"
Session Attribute endpoint.am["362"].timestamp="1520666268"

HTH

Thanks for the info tvotna. So if I am seeing this correctly, the top Lua script will at least check if there "is" antivirus installed. Correct? I am trying to implement this requirement on our VPN users slowly. We mistakenly allowed them to purchase whatever antivirus product they deemed appropriate and made sure it is not just a trial version. Like I said, our mistake.

Correct.

ethutchinson
Level 1

So I found this script in the Firepower documentation that should do what I want.

assert(function()
  local am_count = 0;
  -- Report the type of the table being inspected (endpoint.am, the anti-malware list)
  CheckAndMsg( true, "endpoint.am="..type(endpoint.am), nil)
  for k,v in pairs(endpoint.am) do
    am_count = am_count + 1
    -- Uncomment to dump each product's attributes for troubleshooting
    -- CheckAndMsg( true, "v.exists"..v.exists, nil)
    -- CheckAndMsg( true, "v.description"..v.description, nil)
    -- CheckAndMsg( true, "v.version"..v.version, nil)
    -- CheckAndMsg( true, "v.activescan"..v.activescan, nil)
  end
  CheckAndMsg( true, "Your request has "..am_count.." Ams", nil)
  return true   -- always allows the session; this script only counts products
end)()

I applied it to my DAP and it let me log in to my VPN with access to all my files. It did give me this message however.

Any ideas?

CheckAndMsg(value, "<message if true>", "<message if false>") is used for remediation, that is why it displays a message. This script is just an example of what can be achieved with Lua. It always returns "true" as you can see. But you need to return "true" to continue and "false" to terminate the connection (when there are no AV or AS products installed).
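As an added example (not from the original thread and not from Cisco's documentation), the following script combines the two points made above: it treats a product as acceptable only when exists is "true" and activescan is not "failed", uses CheckAndMsg to tell the user what to fix, and returns false to terminate the session when nothing qualifies. It assumes the attribute layout shown in the debug dap output (endpoint.am[id].exists / .activescan), that activescan reads "failed" when real-time scanning is off, and that a DAP advanced expression must evaluate to true (allow) or false (terminate). The endpoint table and the CheckAndMsg stub are constructed so the script can be run offline with a plain lua interpreter; when pasting into the DAP, use only the assert(...) expression, since the headend supplies those globals.

```lua
-- Added example; not from the thread or Cisco documentation.
-- Constructed sample data standing in for what the ASA/FTD supplies at runtime.
-- The id "362" and its values come from the debug output quoted above; "1001" is made up.
if endpoint == nil then
  endpoint = {
    av = {},                                   -- no entries in the legacy AV list
    am = {
      ["362"]  = { exists = "true", description = "Windows Defender",
                   version = "4.18.1902.5", activescan = "failed" },
      ["1001"] = { exists = "true", description = "Example AV (constructed)",
                   version = "1.0", activescan = "ok" },
    },
  }
end

-- Stub for the headend's remediation-message function so the script runs offline.
-- Real behaviour: shows msg_true when cond is true, msg_false when it is false.
if CheckAndMsg == nil then
  CheckAndMsg = function(cond, msg_true, msg_false)
    local msg = cond and msg_true or msg_false
    if msg ~= nil then print("[remediation] " .. msg) end
  end
end

-- This is the part that goes into the DAP advanced expression field.
local allowed = assert(function()
  local present, active = 0, 0
  -- Check both the AV and the AM lists; either one is sufficient.
  for _, products in ipairs({ endpoint.av or {}, endpoint.am or {} }) do
    for _, v in pairs(products) do
      if v.exists == "true" then
        present = present + 1
        -- Products without activescan support leave the field nil; only an
        -- explicit "failed" is treated as scanning disabled.
        if v.activescan ~= "failed" then
          active = active + 1
        end
      end
    end
  end

  -- Remediation messages are shown only when their condition is true.
  CheckAndMsg(present == 0,
    "No antivirus/anti-malware product was detected. Install one and reconnect.", nil)
  CheckAndMsg(present > 0 and active == 0,
    "Antivirus is installed but real-time scanning is disabled. Enable it and reconnect.", nil)

  -- true allows the session, false terminates it.
  return active > 0
end)()

print("DAP result: " .. tostring(allowed))
```

With the constructed data the script allows the session because the second product reports activescan "ok"; delete that entry and it prints the "scanning is disabled" message and returns false. Products whose vendor does not support activescan (as tvotna notes above) are still accepted on exists alone, so this script cannot prove scanning is enabled for those.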