Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.4.1
Configuring Host Scan

Configuring Host Scan


The following sections describe how to configure Host Scan:

Using Host Scan without Secure Desktop and Cache Cleaner

Scanning for Registry Keys, Files, and Processes

Enabling and Disabling Scanning for Antivirus, Personal Firewall, and Antispyware Applications

Configuring Antivirus, Personal Firewall, and Antispyware Remediation

Using Host Scan without Secure Desktop and Cache Cleaner

If you want to run Host Scan on connecting computers, but do not want Secure Desktop and Cache Cleaner to run, follow these steps:


Step 1 Click the name of the CSD policy in the Secure Desktop Manager window and uncheck Secure Desktop and Cache Cleaner. (The name of the default policy is "Default," so if you have not used Secure Desktop Manager to create any policies, click Default in the Secure Desktop Manager menu, then uncheck Secure Desktop and Cache Cleaner.)

Step 2 Use the sections below to configure Host Scan.

Step 3 Follow the instructions in Using Match Criteria to Configure Dynamic Access Policies to select optional registry entry, filename, and process name criteria accessed from the Basic Host Scan table and to specify antivirus, antispyware, and personal firewall application requirements as criteria for applying endpoint policies.


Scanning for Registry Keys, Files, and Processes

You can specify a set of registry entries, filenames, and process names, which form a part of Basic Host Scan. Host Scan, which includes Basic Host Scan and either Endpoint Assessment or Advanced Endpoint Assessment, occurs after the prelogin assessment but before the assignment of a DAP. Following the Basic Host Scan, the security appliance uses the login credentials, the Host Scan results, the prelogin policy, and other criteria you configure to assign a DAP.

See the sections that name the types of Basic Host Scan entries you would like to configure:

Adding a File Check

Adding a Registry Key Check

Adding a Process Check

Adding a File Check

You can check for a file on an endpoint running Microsoft Windows, Mac OS, or Linux.

To add a check for a specific file to the Basic Host Scan, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-1).

Figure 3-1 Host Scan


Note Regardless of whether you have an Advanced Endpoint Assessment license, you can use ASDM to configure Dynamic Access Policies for making policy decisions based on the scan results.


Step 2 Click Add > File Scan.

The Add File Scan pane opens (Figure 3-2).

Figure 3-2 Add File Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

File-okclient.exe

File Path—Enter the directory path to the file.

Secure Desktop Manager retains the case of the text you enter to check for a path to a file on the remote device. The match results are case-sensitive only if the devices are running Linux or Mac OS. The Microsoft Windows file system is not case-sensitive.

For example,

C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe

Step 4 Click OK.

ASDM closes the Add File Scan window and inserts the entry into the Basic Host Scan table.


Adding a Registry Key Check

Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.

Add a check for a specific registry key to Basic Host Scan as follows:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-1).

Step 2 Click Add > Registry Scan.

The Add Registry Scan pane opens (Figure 3-3).

Figure 3-3 Add Registry Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Registry-SecureDesktop

Entry Path menu—Choose the hive, the initial directory path to the registry key. The options are as follows:

HKEY_CLASSES_ROOT\
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\

Each string references a registry base that stores different information. The HKEY_LOCAL_MACHINE\ path is the most commonly used one because it contains the machine-specific registry files.

Entry Path field—Enter the name of the registry key.


Caution Do not type quotes in a Registry Key name that includes spaces.

For example,

SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)

Step 4 Click OK.

ASDM closes the Add Registry Scan window and inserts the entry into the Basic Host Scan table.


Adding a Process Check

You can check for a process running on Microsoft Windows, Mac OS, or Linux.

To add a check for a specific process to Basic Host Scan, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-1).

Step 2 Click Add > Process Scan.

The Add Process Scan pane opens (Figure 3-4).

Figure 3-4 Add Process Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Process-Agent.exe

Process Name—Enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.

For example,

Agent.exe

Step 4 Click OK.

ASDM closes the Add Process Scan window and inserts the entry into the Basic Host Scan table.
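The three Basic Host Scan entry types above (file, registry key, process) can be sanity-checked on a test endpoint before their Endpoint IDs are referenced from a DAP. The following is an added example, not Cisco Host Scan code: it applies the semantics this chapter describes (file paths case-insensitive on Windows, exact-case on Linux and Mac OS; registry checks ignored off Windows) and assumes exact process-name matching against a ps/tasklist listing.

```python
import os
import platform
import subprocess
from collections import namedtuple

# One Basic Host Scan entry: Endpoint ID (case-sensitive, referenced by the DAP), kind, target
ScanEntry = namedtuple("ScanEntry", "endpoint_id kind target")

def file_exists(path, system):
    """Windows matches case-insensitively; Linux and Mac OS need an exact-case name."""
    if system == "Windows":
        return os.path.exists(path)
    directory, name = os.path.split(path)
    try:  # compare the name exactly, even on a case-insensitive volume
        return name in os.listdir(directory or ".")
    except OSError:
        return False

def registry_exists(key_path, system):
    """Registry scans apply only to Windows; elsewhere the entry is ignored (None)."""
    if system != "Windows":
        return None
    import winreg  # Windows-only module
    hive, _, subkey = key_path.partition("\\")
    subkey = subkey.removesuffix("\\(Default)")  # "(Default)" names the key's default value
    try:
        winreg.CloseKey(winreg.OpenKey(getattr(winreg, hive), subkey))
        return True
    except OSError:
        return False

def process_names(system):
    """Process names as Task Manager (Windows) or ps (Linux/Mac OS) lists them."""
    if system == "Windows":
        cmd, pick = ["tasklist", "/FO", "CSV", "/NH"], lambda l: l.split('","')[0].strip('"')
    else:
        cmd, pick = ["ps", "-A", "-o", "comm="], lambda l: os.path.basename(l.strip())
    try:
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:  # ps/tasklist not available
        return set()
    return {pick(line) for line in out.splitlines() if line.strip()}

def evaluate(entries, system=None):  # -> {endpoint_id: True/False/None (not applicable)}
    system = system or platform.system()
    procs = process_names(system) if any(e.kind == "process" for e in entries) else set()
    checks = {"file": lambda t: file_exists(t, system),
              "registry": lambda t: registry_exists(t, system),
              "process": lambda t: t in procs}  # exact name match (assumption)
    return {e.endpoint_id: checks[e.kind](e.target) for e in entries}
```

A result of None for a registry entry on a Linux or Mac OS endpoint mirrors the chapter's statement that such entries are ignored there, which is distinct from the check failing.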


Enabling and Disabling Scanning for Antivirus, Personal Firewall, and Antispyware Applications

You can configure a scan for antivirus, personal firewall, and antispyware applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, CSD loads Endpoint Assessment checks and reports the results back to the security appliance for use in assigning a DAP.

To enable or disable the Host Scan extensions, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan window opens (Figure 3-1).

Step 2 Check one of the following options in the Host Extensions area of the Host Scan window:

Endpoint Assessment—If you check this option, the remote PC scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.

Advanced Endpoint Assessment—This option is present only if the configuration includes a key for an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify. To turn on this option after acquiring a key from Cisco, choose Configuration > Device Management > System Image/Configuration > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key.

When you check this option, Secure Desktop Manager inserts a check mark next to both options.

To disable the host scan extensions, uncheck both options in the Host Extensions area of the Host Scan window.


Configuring Antivirus, Personal Firewall, and Antispyware Remediation

Advanced Endpoint Assessment lets you configure an attempt to update noncompliant computers to meet the version requirements you specify. If you configure remediation of antivirus and antispyware versions, associated definitions updates, and personal firewall versions, Host Scan attempts to update them if they are not present.

To configure Advanced Endpoint Assessment, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan window opens (Figure 3-1).

Step 2 Check or click Advanced Endpoint Assessment.

Secure Desktop Manager activates the Configure button if the security appliance configuration has an Advanced Endpoint Assessment license. Otherwise, you need to get an Advanced Endpoint Assessment license to configure remediation. After doing so, choose Configuration > Device Management > System Image/Configuration > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key. Then return to this step.

Step 3 Click Configure.

The Windows, Mac OS, and Linux tabs let you specify remediation for each respective operating system. The three tabs are the same; only the vendors and applications differ. By default, Host Scan does not attempt to remediate. Figure 3-5 shows the default Windows tab.

Figure 3-5 Advanced Endpoint Assessment (Windows Tab Example)


Note Secure Desktop Manager activates attributes and buttons in response to a selection only if the application supports the attributes and button functions. For example, you can click Add to add a personal firewall rule only if the selected personal firewall application supports rules.


Step 4 Click Add next to the Antivirus table, select one or more Vendor-Product options from the dialog box, and click OK.

Secure Desktop Manager inserts the options you selected into the antivirus table.

Step 5 Set the following optional antivirus attributes:

Force File System Protection—(Enabled only if the selected antivirus application supports this feature) Check if you want to turn on ongoing background scanning by the installed antivirus application. The application checks files as they are received and blocks access to files that are likely to contain viruses.

Force Virus Definitions Update—Check to require the remote host to check for a virus definitions update for the installed application. If you check this option, you must specify the number of days.

if not updated in last—Enter the age in days of the last update that triggers a new update.

Step 6 Click Add next to the Personal Firewall table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 7 Configure the optional Personal Firewall action and rules, as follows:


Caution Any action and rules you configure persist on the end-user device even after the VPN session ends. Please apply them with discretion.

Firewall Action—The contents of this drop-down list depend on the options available for the selected personal firewall. Select None, Force Enable to enable the firewall, or Force Disable to disable the firewall.

Rules—This table is available only if the selected personal firewall supports rules. It lets you specify the applications and ports that the firewall allows or blocks. See "Configuring Personal Firewall Rules" for instructions.

Step 8 Click Add next to the Antispyware table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 9 Set the following optional antispyware attributes:

Force Spyware Definitions Update—Check to require the remote host to check for a spyware definitions update for the selected application. If you check this option, you must specify the number of days.

if not updated in last—Enter the age in days of the last update that triggers a new update.

Step 10 Click OK.


Configuring Personal Firewall Rules

Personal firewall rules let you specify applications and ports for the firewall to allow or block. The Add, Edit, and Delete buttons next to the Rules table in the Advanced Endpoint Assessment window (Figure 3-5) are active only if the selected personal firewall supports rules. For example, the applications that appear under the Internet Security Systems, Inc. options support personal firewall rules.

If you configure Advanced Endpoint Assessment as described in the previous section and click Add or Edit next to the Rules table, the Add or Edit Rule window opens (Figure 3-6).

Figure 3-6 Add Personal Firewall Rule

To set the attributes in the Add or Edit Rule window, follow these steps:


Step 1 Use the following attribute description to select the rule.

Rule—Choose the action of this rule. The options are ALLOW Application, BLOCK Application, ALLOW Port, and BLOCK Port.

Step 2 Go to the Application area and set the following attributes if you selected ALLOW Application or BLOCK Application.

Name—Enter the full file name and extension of the application to be allowed or blocked.

Full path—Enter the entire path to the application file.

Step 3 Go to the Port area and set the following attributes if you selected ALLOW Port or BLOCK Port.

Protocol—Select the protocols to be allowed or blocked. The options are Any, UDP, and TCP.

Port—Enter the port number to be allowed or blocked.

Step 4 Click OK.

Repeat this procedure for each personal firewall rule you want to configure.