I'm having a problem where a user is being denied access to the ASA because the host scan does not see his antivirus running. The user just upgraded his AVG antivirus to the latest version and this version is not in the endpoint assessment attributes list. I scan all AV listed on the ASA in the attributes table using a DAP expression. My question is how often does Cisco update the Antivirus vendor and version list and how can I update my ASA with this new list?
Basic support for the AVG 9 Free product was added in the October release of the support framework that is used by Cisco (OPSWAT's OESIS Framework). We try to get the software vendors to make sure that we are able to engage all of the management functions that administrators using Cisco products are looking for, but it sometimes takes their cooperation. Because a lot of AV products are included by us automatically, a lot of vendors never feel the sting when they break support. It's important that they are made aware.
AVG is a member of our endpoint software certification program, OESIS OK; however, they have not submitted their recent products. Your reminder to them is certainly appreciated, as nothing gets a vendor's attention as quickly as a customer concern. Sometimes vendors roll out products not realizing that some of the changes they made will break compatibility with a whole host of related solutions, which is why it's important that they always get OPSWAT the updates prior to release.
As a diagnostic tool, I would like to draw your attention to our Am I OESIS OK? utility, posted on our website http://www.oesisok.com/
It will analyze a user's system and let them know how well their installed security applications will interoperate with your Cisco product (applications are either Identified, Certified or Gold Certified). If you have endpoint users having some trouble with compatibility, you could point them to the utility and have them analyze their systems for what might be causing the issue.
Our certified applications are always listed in our product browser here: http://www.oesisok.com/application-lists
If AVG is not working with a user's system, I would recommend switching to an OESIS OK approved product.
Please feel free to let me know if you have any additional questions. I’m happy to help.
Since I posted this, I opened a TAC case and was told the endpoint attributes are updated in the Cisco Secure Desktop software package that runs on the ASA. The last CSD release from Cisco was Jun 8th, 2009. There is a beta of the next version available, but I've had issues in the past with beta versions. The general release is scheduled to be available within the next month or so. Having to wait 6 months for endpoint attribute updates is unacceptable.
I understand where you are coming from in regards to having software vendors cooperate by notifying Cisco regarding software upgrades, etc. For now, I've created an additional endpoint attribute to be satisfied that only checks the Vendor name and not the version, along with sig files being updated in the last X amount of days. This seems to be working. I guess I'll have to make exceptions for newer software that cannot be scanned using the DAP expression that checks the entire list...
DJ, did you write a Lua expression? I am working on a deploy right now and ran into the same problem you did. The only thing is that my DAP expressions ARE only on vendor and last def update. AVG 9 just comes up in the debug log as generic WMI, same with Microsoft's new Security Essentials; the products don't actually detect with the actual vendor values.
If we have to wait over 6 months between Secure Desktop releases DAP really isn't practical when our VPN users are home users.
At the moment I am giving the beta a try since I am not in production yet, however I agree with you that running BETA is a risk.
I have one LUA expression to check all AV and the AVG 9.0 is an additional endpoint attribute to check. Seems to be working for me...
local block_connection = true
local update_threshold = "604800"   -- 7 days, in seconds
for k,v in pairs(endpoint.av) do
  -- the second CheckAndMsg argument is the message shown when the check is true, the third when it is false
  if CheckAndMsg(EVAL(v.exists, "EQ", "true", "string"), nil, k.." is not enabled") then
    if CheckAndMsg((type(v.lastupdate) == "string" and
        tonumber(v.lastupdate) ~= nil), nil, "No virus definition file information was received for "..k) then
      if CheckAndMsg(EVAL(v.lastupdate, "LT", update_threshold, "integer"), nil,
          k.." is enabled. The virus definition file was updated "..string.sub((tonumber(v.lastupdate)/86400), 1, 3).." days ago. Please update to current signatures.") then
        block_connection = false   -- at least one AV product is running with current signatures
      end
    end
  end
end
-- the post was cut off after the assignment above; the closing ends and this final result are restored
-- here so the script is complete (the exact return convention depends on your ASDM DAP version)
return not block_connection
Is this close to what you are running? This was originally given to me by TAC, but I "tweaked" it a bit as the original wasn't working the way I wanted it to.
Hmm, that is better than the ANY antivirus example they give in the manual; however, I really want to enforce a short list of vendors I trust. There are too many legitimate but ineffective antivirus packages out there.
At the moment I am using the ASDM GUI and was limiting by vendor; however, the vendor value only exists if Cisco has updated their detection for the product.
I have noticed that the product / vendor name is returned by WMI in the debug log, maybe I can parse that....
P.S. Your example allows for virus definitions to be 7 days old!
Update: I did some testing on this script and it appears to be doing more than first meets the eye... still doesn't seem to work with Microsoft Security Essentials.
Yes, 7 days reflects our current security policy as some machines go long periods of time before connecting to the Internet. Will probably drop this to 2...
Not surprised WRT the MS Security Essentials
Thanks for your script. I have modified it so that if the vendor returned is wmiAV (i.e. something new but registered in Windows) I check the description for vendor / product names. It isn't as secure, but since Cisco does not have a rapid cycle to update Secure Desktop it will have to do.
7 days is way too long for definitions to be out of date; do your AV clients not update when off your network? Also, if you are using Advanced Endpoint Assessment and your primary AV is supported, then it will force the update during the assessment.
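Here is one way to implement what dbgreekas describes above (a short trusted-vendor list, with a fallback to the description text when Host Scan reports an unrecognised product under the generic wmiAV key), written for this page as an added example; it is not the script posted in the thread. It assumes that each endpoint.av entry exposes exists, lastupdate (seconds since the last signature update, as the script earlier in the thread uses it) and description, that the ASA reports unrecognised products under the key wmiAV as the thread says, and that the vendor keys, description substrings, age limit and the sample endpoint table are all made up for the demonstration. Because the real ASA populates endpoint itself, the constructed table is only used when the file is run offline with a plain Lua interpreter.

```lua
-- Added example (not from the thread): a DAP-style Lua check that admits an endpoint only
-- when a trusted AV product is running with fresh signatures. Products Host Scan does not
-- recognise show up under the generic key "wmiAV" (as reported in the thread), so for that
-- key the description text is searched for trusted product names instead.
-- Field names (exists, lastupdate, description), vendor keys, name substrings, the age
-- limit and the sample table below are all assumptions made for this example.

local MAX_SIG_AGE = 2 * 86400   -- seconds; the thread settled on roughly two days

-- Vendor keys accepted as-is (hypothetical key names).
local trusted_keys = { SymantecAV = true, McAfeeAV = true }

-- Lower-case substrings looked for in the description of a generic wmiAV entry.
local trusted_names = { "avg", "microsoft security essentials", "symantec", "mcafee" }

-- On the ASA, endpoint is pre-populated by Host Scan; offline this constructed sample is used.
endpoint = endpoint or {
  av = {
    wmiAV      = { exists = "true",  lastupdate = "3600",    description = "AVG Anti-Virus Free Edition 9.0" },
    SymantecAV = { exists = "false", lastupdate = "9999999", description = "Norton AntiVirus" },
  },
}

-- Returns true if this entry is a product we are willing to accept.
local function av_is_trusted(key, av)
  if trusted_keys[key] then
    return true
  end
  if key == "wmiAV" and type(av.description) == "string" then
    local desc = string.lower(av.description)
    for _, name in ipairs(trusted_names) do
      if string.find(desc, name, 1, true) then   -- plain substring match, no Lua patterns
        return true
      end
    end
  end
  return false
end

-- lastupdate is the signature age in seconds; a missing or non-numeric value fails closed.
local function av_is_current(av)
  local age = tonumber(av.lastupdate)
  return age ~= nil and age < MAX_SIG_AGE
end

-- Walks every AV entry and passes on the first running, trusted, up-to-date product.
-- Returns (true, key) on success or (false, reason text) when nothing qualifies.
local function evaluate(avtable)
  local reasons = {}
  for key, av in pairs(avtable) do
    if av.exists == "true" then
      if not av_is_trusted(key, av) then
        reasons[#reasons + 1] = key .. " is running but is not an approved product"
      elseif not av_is_current(av) then
        local days = math.floor((tonumber(av.lastupdate) or 0) / 86400)
        reasons[#reasons + 1] = key .. " signatures are " .. days .. " days old"
      else
        return true, key
      end
    end
  end
  if #reasons == 0 then
    reasons[1] = "no antivirus product is running"
  end
  return false, table.concat(reasons, "; ")
end

local allowed, detail = evaluate(endpoint.av)
return allowed   -- the chunk's result is the DAP decision; detail carries the denial reason
```

Run it offline with `lua -e 'print(dofile("dap_av_check.lua"))'`: it prints true for the sample table because the wmiAV entry's description contains "avg" and its signatures are an hour old, while the Symantec entry is ignored because exists is "false". On the ASA the chunk's result is what matters; Cisco's own DAP examples wrap the body in `assert(function() ... end)()`, so match whatever form your ASDM version expects when pasting. The description match is a substring test on free text, which is exactly the weaker control dbgreekas acknowledges: any product whose reported name happens to contain one of the strings passes, so keep the list short and review the debug dap trace output for what unrecognised products actually report.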
dbgreekas: do you mind sharing your script now? As has been commented before, waiting for a full release of Cisco Secure Desktop in order to get an updated list of AV vendors is ridiculous. Cisco, if you're reading this, you really should get the list from an XML file that we can download from either Cisco or OESIS in order to keep ourselves up to date with the latest vendor products.
We at OPSWAT are aware that consumption of OESIS Framework updates by Cisco (and other partners) for inclusion in Cisco host scan features released to end customers can be painful for Cisco and for its customers. We are committed to releasing OESIS more frequently (currently weekly, with a goal of daily updates by end of 2014) and to make it easier for Cisco to validate OESIS releases and incorporate into their packages.
In addition, OPSWAT recently released a configurable client, GEARS, which auto-updates OESIS and stores endpoint device compliance status in the Windows Registry or Mac OS plist.
The Cisco ASA can access and use this information through a Process Scan within the Host Scan configuration to determine if a monitored endpoint should be granted network access. The steps found within this document assume that this configuration is occurring with the ASDM console.
An ASA-GEARS configuration guide is posted at https://supportforums.cisco.com/document/12161301/how-set-cisco-asa-use-gears-client-host-scan
Using GEARS together with ASA should reduce the number of issues you encounter with your end users being blocked due to their running an unrecognized endpoint security application.