When an Endpoint Assessment Fails

richardblair · ‎09-03-2013

I have an ASA 5515-x running 9.03, and have AnyConnect clients running version 3.1.04063. I am licensed for Advanced Endpoint Assessment and CSD. The issue I am having is when I client connects using TrendMicro AV, and the Trend service is stopped, the Endpoint Assessment recognized this and attempts to start (which is good!), but it fails to start with the following warning logged:

[Tue Sep 03 10:53:38.957 2013][cscan][warn][scan_advanced_av] unable to enable antivirus (Trend Micro Client/Server Security Agent)

At the end of the scan, it also logs that the check for activescan failed:

[Tue Sep 03 10:53:43.668 2013][cscan][debug][get_data] endpoint.av["TrendMicroAV"].activescan="failed"

The VPN conenction is then established and the user works as if everything passed (which is not good!).

What I am looking for is: if restarting the service fails, like in this case, deny the connections and hopefully put up a friendly message that the access was denied because AV failed to start.

Any ideas?

Herbert Baerten · ‎09-07-2013

Hi Richard,

you should be able to do this using DAP (Dynamic Access Policies) on the ASA, i.e. create a DAP rule that denies the connection if endpoint.av["TrendMicroAV"].activescan has a value of false, and a default rule that allows all other connections.

see http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

hth

Herbert