Automatic Antivirus Remediation in Posture

Hi All,
I have configured ISE (1.2) to check Antivirus Installation on endpoints and it is working flawlessly.
Now, the client wants,
1) If Antivirus is not updated on endpoint for more than 5 days; it should be considered as "non-compliant" and as a remediation action; updates should be downloaded automatically.
--> I configured AV Remediation action.
Now, the problem is when endpoint gets categorized as non-compliant, ideally AV updates should get downloaded on endpoint as a remediation action. But AV updates are not getting downloaded.
Please help me in solving this problem.
Thanks in advance,
Aditya

Adding an Antivirus Remediation
You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.
The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click AV Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New AV Remediation page.
Step 6 Click Submit.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html#pgfId-1924006
Antivirus Remediation
The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739
Table C-23 Antivirus Remediation (Field: Usage Guidelines)
Name: Enter a name for the antivirus remediation.
Description: Enter a description for the antivirus remediation.
Remediation Type: Choose one of the following:
    Automatic: When selected, you should enter values for the Interval and Retry Count.
    Manual: When selected, the Retry Count and Interval fields are not editable.
Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count: Enter the number of attempts that clients can try to update an antivirus definition.
Operating System: Choose one of the following:
    Windows
    Macintosh: When selected, the Remediation Type, Interval, and Retry Count fields are not editable.
AV Vendor Name: Choose the antivirus vendor.

Similar Messages

  • Automatic AV Remediation

    We're working with Cisco ISE 1.3.0.876 and NAC Agent with posture policies, and we need a remediation that automatically sends to the Symantec Endpoint Protection server that's local. How can we do that?

    We're running the version 12.1.4. Can I do a file remediation to the antivirus files? Why Cisco ISE only permits 50MB to upload files?

  • Automatic antivirus install in NAC

    Can I make a requirement to automatically install the antivirus software on the client machine if the machine doesn't have antivirus installed?
    And will this need the user to have admin privilege or not?

    Hany,
    You can't make NAC install programs. If there's a need for program installation, it would depend on the program whether it needs admin rights. Most AVs I would assume would need it.
    HTH,
    Faisal

  • McAfee Antivirus automatic remediation

    Hello All,
    I'm having an issue with McAfee Antivirus remediation. I'm using Cisco NAC 4.8.2 and it seems that automatic remediation is not working.
    Could someone help?
    Is there a webpage where we can check which AV can do automatic remediation?

    Hello,
    Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
    Regards.

  • Antivirus for USB thumb drive

    Hi, I have a macbook at home and I need to constantly use a usb thumb drive between work and home. Work has new policy that I must have an up-to-date usb antivirus scanner in order to use the usb at work (windows). What would be the best free software to install that will run an automatic antivirus scan? Thx

    Any viruses you get are going to come from your work PC, not your Mac.  Honestly, I wouldn't bother - if the anti-virus software is up to scratch at work, then it should protect your work PC from a USB stick.  If it isn't good enough to do that, then it isn't good enough to protect itself from the internet either. 
    http://youtu.be/IglUmgYGxLM?t=1m33s
    Are they going to check?  If you absolutely must, ClamXav gets the best reviews. 
    http://www.clamxav.com/

  • Wait for Next Sample Clock error, or 'How do I put this VI on a diet'?

    Hello!
    In the attached VI I've been running since June, I have all the functionality I need.  No questions there at all, thanks to much time and help from this board!
    My nagging problem is that any time I use the PC for other minor tasks other than Labview, it will display the following error:
    209802 occurred at DAQmx Wait For Next Sample Clock.vi:1
    A search earlier in the month indicated that it could have been a result of my old and outdated PC; I've since replaced it with a brand-new dell dimension 1100.  Celeron 2.53ghz with 1.00gb of ram.  Should be enough to service Labview and other minor tasks (automatic antivirus updating and also maintenance tasks).  However, any time any other program opens or even if the screen is scrolled around on Labview quickly, I get that same error.
    Resource usage when idle, with nothing but this VI running is 5-10%, all labview.  Upon scrolling the VI, it quickly jumps to the 58-60% and above mark and soon throws that error.
    I know that there's a lot of code here that can be cleaner--I know that even though it's functioning correctly, there could be a less resource-hogging way to go about it.  Can anyone give me any suggestions on how to make this VI a little 'lighter'?
    Thanks so much in advance,
    Ralph
    Still confused after 8 years.
    Attachments:
    Currently Running 063006.vi (899 KB)

    Hi Ralph,
    The wait.vi waits until the amount of time has passed. While the wait on next ms.vi uses some kind of quotient and remainder on the computer time until the remainder passed zero.
    In this way you can synchronize 2 loops, and somehow it is less time-consuming. The only difference you will see is in the first run!
    There you see a smaller amount of time:
    Message Edited by TonP on 10-04-2006 04:21 PM
    Attachments:
    Example_BD.png (2 KB)

  • Shortcuts or Scripts for repetitive tagging tasks

    Are there any scripts that I can attach to an icon in a toolbar to click just once to make remediating tagging less arduous? I'm constantly selecting an item, clicking on the >Options menu then click on the >Find selection from tag. Would love to assign this to a keyboard shortcut or click one icon. Or what do you know that I don't? I'm exhausted, my hand hurts, and I have hundreds of pages to go. Should I hire a programmer to do this? ACRObuttons was a hope but they're dead. Thanks so much, Community.

    You can automate a few document-wide things using an Action Wizard, for example set reading language, set tab order property, create bookmarks from structure, set open options, embed fonts using Preflight. I do not know of a way to automate tag remediation.

  • ISE Posture Remediation issue with AV client installation

    Problem: If a user starts AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not completed yet) the Trend Micro Update window pops up but does not start automatic AV or AS definition remediation, and the Cisco NAC agent shows the message "AV definition is not up to date".
    Also, sometimes the NAC agent gives the message "automatic remediation failed" or requires user intervention to press OK so NAC can complete the remediation process.
    I am facing these issues when users don't have an antivirus client on the PC and are performing client installation.
    We have the following posture policies:
    1. AV installation check: if AV is not installed on the PC then perform link remediation and let the user download the antivirus client from the provided link.
    2. AV definition & AS definition version check (both remediation requirements I put in one policy): if the AV or AS definition version is found old then perform automatic remediation.
    3. WSUS check
    4. SP check
    Actually I want, first, the user to install the AV client via link remediation; once installation completes, then move to AV & AS def remediation if required (because on first-time AV client installation it automatically downloads all updates from the AV server); otherwise the def remediation policy waits for AV client installation completion.
    Please can anybody let me know how remediation works internally? Like, if "AV inst" remediation starts, does the NAC agent wait for its completion and not start other remediation processes, e.g. AS & AV def?
    Second question: what is the remediation process sequence?
    Third question: is there any way we can configure a timer in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go to other posture remediations?

    Please check the below guide for Posture Configuration:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml

  • ISE Automatic Remediation

    Hi,
    We've been deploying an ISE solution (1.1.0-665 version) in one customer and we have one doubt regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions and this check is working fine but things get a little bit complicated when we try to remediate the machines.
    In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.
    And this means that when Posture Assessment fails and we need to remediate client's machine we are going to have problems performing automatic remediation since our AV (McAfee), as well as many others, tries to access update servers using port 80 and that traffic will be redirected per Redirect ACL.
    Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.
    Can you help us with this issue? Thanks!
    Best regards,
    Carlos Morais

    Hi,
    No, there is no way of doing automatic remediation in external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution in roadmap, however. I'm sending below the answer provided by TAC:
    "If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
    Best regards,
    Carlos Morais

  • On my Windows 8.1 PC (i5 processor with 8GB RAM) I can't get the automatic update for CS4 Master Collection. I removed my Panda antivirus and still can't automatically update. Does somebody have any suggestion?

    thanks for your reply.
    in Dutch it says that there are no updates available. I know that after
    installing cs4 there are updates but i can't load them automatically. I did
    a delete and reinstall, but still get the message.
    kind regards,

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We are having ISE ver 1.1.1 and are currently on PoC. I have the following points to be clarified for Posture and Remediation.
    1) How to configure a condition to check the Windows Service Pack (maybe more than one Windows flavor, such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however I still couldn't find the place for how to remediate in case the client is not having the proper version and AV definition on his PC.
    3) We have an Authorization profile configured with dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect"; I want to know the exact purpose of these two ACLs.
    4) Where can we see the logs of non-compliance and find out the reason for non-compliance?
    Appreciated if someone can please give us a proper document to achieve the above task or send me any working scenario configuration steps.
    Thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS Remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports)? Doesn't "direction any" work?
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking? This is for both: if ports 8905... are included, then this is for initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support dACL; you will have to reference another ACL in the authorization policy. The new versions have the Airespace ACL field, where you will have the ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports)? Doesn't "direction any" work? Yes, you have to add two entries, for example for all traffic redirection to ISE: source = any, destination = iseipaddr, source port = any, destination port = any, direction = any, action = permit
    source = iseipaddr, destination ip = any, source port = any, destination port = any, direction = any, action = permit. It's not the easiest, but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesn't support dACLs, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, and there you will "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation. Keep in mind that you have to have RADIUS NAC and AAA override enabled under the advanced settings for CoA to work.
    You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
    Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
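    The Carlos Morais thread and Nick's WLC questions above turn on the same split, so here is an added illustration (not configuration from any of the posts, and not Cisco documentation) of the two ACLs on an IOS switch. The redirect ACL only decides which flows are intercepted and sent to the ISE portal; the dACL pushed by the authorization profile decides which flows the endpoint may send at all while it is in the unknown or non-compliant state. Addresses are placeholders: 192.0.2.10 is the ISE policy node, 192.0.2.20 a local AV update server, 192.0.2.30 a domain controller. On the switch, deny in the redirect ACL means "do not redirect" and permit means "redirect"; the ISE dACL editor takes the same entries without the `ip access-list extended` header.

```cisco
! ---- 1. Redirect ACL, referenced by the ISE authorization profile ----
! Switch-side semantics: deny = leave alone, permit = redirect to ISE portal.
ip access-list extended ACL-POSTURE-REDIRECT
 remark Agent prerequisites: name resolution, addressing, diagnostics
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   icmp any any
 remark Posture discovery and agent download to ISE (TCP/UDP 8905, 8906, 8443)
 deny   tcp any host 192.0.2.10 eq 8905
 deny   udp any host 192.0.2.10 eq 8905
 deny   tcp any host 192.0.2.10 eq 8906
 deny   tcp any host 192.0.2.10 eq 8443
 remark Local AV update server exempted so port-80 remediation is not intercepted
 deny   tcp any host 192.0.2.20 eq www
 remark Everything else on 80/443 goes to the portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! ---- 2. Remediation dACL for the unknown / non-compliant authorization ----
! This is the real restriction on the endpoint during the remediation timer.
ip access-list extended POSTURE-REMEDIATION
 remark Resolution, addressing and diagnostics
 permit udp any any eq domain
 permit udp any eq bootpc any eq bootps
 permit icmp any any
 remark ISE policy node: discovery, agent download, portal
 permit ip  any host 192.0.2.10
 remark Local AV update server (remediation target)
 permit tcp any host 192.0.2.20 eq www
 permit tcp any host 192.0.2.20 eq 443
 remark Domain controller, so the logon script and drive mapping survive
 remark the remediation window instead of needing "permit ip any any"
 permit ip  any host 192.0.2.30
 remark Web traffic must be permitted here so the redirect ACL can intercept it;
 remark it is redirected by rule 1, not forwarded
 permit tcp any any eq www
 permit tcp any any eq 443
 remark Explicit deny keeps the posture gate meaningful
 deny   ip any any
```

    Two caveats that follow from the posts themselves. First, this exemption approach only solves Carlos's problem when updates come from an internal server (such as the local Symantec server in the first Similar Message); public vendor update hosts with changing addresses cannot be enumerated in a static ACL, which is exactly what the TAC reply concedes. Second, on a WLC the same two-part split applies, but the Airespace ACL has the opposite sense to the switch redirect ACL: permitted flows bypass redirection and denied flows are redirected, which is why Tarik's example permits the ISE traffic in both directions rather than denying it.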

  • Unwanted websites appear automaticly, some are detected malware with my antivirus program, how to block this

    unwanted websites connect automatically without clicking anything, mainly survey requests and some are blocked as dangerous by my antivirus program How can I avoid this connections.

    Do a malware check with some malware scanning programs on the Windows computer.
    Please scan with all programs because each program detects different malware.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    * Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
    * SuperAntispyware: http://www.superantispyware.com/
    * Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
    * Windows Defender: Home Page: http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
    * Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
    * AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ and http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
    * Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    * Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446
    See also:
    * "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked

  • Drive mapping during posture remediation

    I am doing an ISE (1.1.1) deployment for a client. The customer is using an AD logon script to do a drive map to a NAS server. My posture remediation ACL is blocking drive mapping unless I use 'permit ip any any', which is a security hole. My ACL should be modified to allow the drive mapping during the unknown/posture-remediation interval. Could anyone suggest if you have faced a similar issue?

    You need to permit access to your domain controllers during posture remediation and add a delay to your logon script -
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a70c18.shtml

  • Delaying ISE Posture / Remediation

    Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
    Is this possible?
    What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
    To get round the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
    However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
    Hope that makes sense.
    Mario                  

    Hello Mario,
    You can customize remediation timeout settings for your requirement. Please review the following:
    Remediation Timeout Customization (Parameter: default value, valid range. Description or behavior)
    Remediation timer: default 4, valid range 1-300. Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
    Network Transition Delay: default 3, valid range 2-30. Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
    Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.
    For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
    You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
    Regards,
    Ashok
