Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6
Configuring Host Scan

Configuring HostScan

Table Of Contents

Configuring HostScan

Overview of HostScan

Installing, Enabling, and Disabling HostScan

Using HostScan without Secure Desktop and Cache Cleaner

Determining the Operating Systems HostScan Detects

Scanning for Registry Keys, Files, and Processes

Adding a File Check

Adding a Registry Key Check

Adding a Process Check

Enabling and Disabling Scanning for Antivirus, Personal Firewall, and Antispyware Applications

Configuring Antivirus, Antispyware, and Personal Firewall Remediation


Configuring HostScan


The following sections describe the HostScan workflow and how to configure HostScan:

Overview of HostScan

Installing, Enabling, and Disabling HostScan

Using HostScan without Secure Desktop and Cache Cleaner

Determining the Operating Systems HostScan Detects

Scanning for Registry Keys, Files, and Processes

Enabling and Disabling Scanning for Antivirus, Personal Firewall, and Antispyware Applications

Configuring Antivirus, Antispyware, and Personal Firewall Remediation

Overview of HostScan

For a complete description of HostScan, see Host Scan.

Installing, Enabling, and Disabling HostScan

For procedures for installing, upgrading, enabling, and disabling HostScan, see Chapter 2, "Installing and Enabling CSD and HostScan."

Using HostScan without Secure Desktop and Cache Cleaner


Caution This section describes features that have been deprecated. Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

If you want to run HostScan on connecting computers, but do not want Secure Desktop and Cache Cleaner to run, follow these steps:


Step 1 Click the name of the CSD pre-login policy in the Secure Desktop Manager window and uncheck Secure Desktop and Cache Cleaner. (The name of the default policy is "Default," so if you have not used Secure Desktop Manager to create any policies, click Default in the Secure Desktop Manager menu, then uncheck Secure Desktop and Cache Cleaner.)

Step 2 Follow the instructions in Using Match Criteria to Configure Dynamic Access Policies to select optional registry entry, filename, and process name criteria accessed from the Basic HostScan table and to specify antivirus, antispyware, and personal firewall application requirements as criteria for applying endpoint policies.


Determining the Operating Systems HostScan Detects

To view the list of the operating systems and service packs HostScan detects, follow this procedure:


Step 1 Open ASDM on the ASA and select Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.

Step 2 Click Add or Edit next to the endpoint attributes table.

Step 3 Select Operating System from the Endpoint Attribute Type drop-down list, check OS Version, and click the arrow for the OS Version field.


Scanning for Registry Keys, Files, and Processes

You can specify a set of registry entries, filenames, and process names, which form a part of Basic HostScan. HostScan, which includes Basic HostScan plus either Endpoint Assessment or Advanced Endpoint Assessment, runs after the prelogin assessment but before the assignment of a DAP. Following Basic HostScan, the ASA uses the login credentials, the HostScan results, the prelogin policy, and other criteria you configure to assign a DAP.

See the sections that name the types of Basic HostScan entries you would like to configure:

Adding a File Check

Adding a Registry Key Check

Adding a Process Check

Adding a File Check

You can check for a file on an endpoint running Microsoft Windows, Mac OS, or Linux.

To add a check for a specific file to the Basic HostScan, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan. The HostScan pane opens (Figure 3-1).

Figure 3-1 HostScan


Note Regardless of whether you have an Advanced Endpoint Assessment license, you can use ASDM to configure Dynamic Access Policies for making policy decisions based on the scan results.


Step 2 Click Add > File Scan. The Add File Scan pane opens (Figure 3-2).

Figure 3-2 Add File Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the HostScan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

File-okclient.exe

File Path—Enter the directory path to the file.

Secure Desktop Manager retains the case of the text you enter as the path to check for on the remote device. The match is case-sensitive only if the device is running Linux or Mac OS; the Microsoft Windows file system is not case-sensitive, so a path on Windows matches regardless of case.

For example,

C:\Program Files\Cisco\CSAgent\bin\okclient.exe

Step 4 Click OK.

ASDM closes the Add File Scan window and inserts the entry into the Basic HostScan table.


Adding a Registry Key Check

Registry key scans apply only to computers running Microsoft Windows operating systems. Basic HostScan ignores registry key scans if the computer is running Mac OS or Linux.

Add a check for a specific registry key to Basic HostScan as follows:


Step 1 Choose Secure Desktop Manager > Host Scan.

The HostScan pane opens (Figure 3-1).

Step 2 Click Add > Registry Scan.

The Add Registry Scan pane opens (Figure 3-3).

Figure 3-3 Add Registry Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the HostScan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Registry-SecureDesktop

Entry Path menu—Choose the hive, the initial directory path to the registry key. The options are as follows:

HKEY_CLASSES_ROOT\
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\

Each string references a registry hive that stores different information. HKEY_LOCAL_MACHINE\ is the most commonly used hive because it holds machine-wide settings, as opposed to the per-user settings under HKEY_CURRENT_USER\ and HKEY_USERS\.

Entry Path field—Enter the name of the registry key.


Caution Do not type quotes in a Registry Key name that includes spaces.

For example,

SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)

Step 4 Click OK.

ASDM closes the Add Registry Scan window and inserts the entry into the Basic HostScan table.


Adding a Process Check

You can check for a process running on Microsoft Windows, Mac OS, or Linux.


Step 1 Choose Secure Desktop Manager > Host Scan. The HostScan pane opens (Figure 3-1).

Step 2 Click Add > Process Scan. The Add Process Scan pane opens (Figure 3-4).

Figure 3-4 Add Process Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the HostScan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Process-Agent.exe

Process Name—Enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.

For example,

Agent.exe

Step 4 Click OK. ASDM closes the Add Process Scan window and inserts the entry into the Basic HostScan table.
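The following is an added example, not Cisco code and not part of the original guide. It models how the three Basic HostScan check types described in "Adding a File Check," "Adding a Registry Key Check," and "Adding a Process Check" are matched on an endpoint, using the rules this chapter states: results are keyed by Endpoint ID, file and process matching is case-insensitive on Windows but case-sensitive on Mac OS and Linux, and registry checks are ignored on non-Windows hosts. It also checks the authoring rules the chapter gives (unique Endpoint IDs, one of the four hives, no quotes in a key name). The check classes, the Endpoint snapshot, the sample host contents, and the choice to report an ignored registry check as an absent result rather than False are all assumptions of this example; the three sample check values come from this chapter.

```python
# Added example (not Cisco's code): a model of Basic HostScan file, registry
# and process matching following the rules stated in this chapter.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

WINDOWS, MACOS, LINUX = "windows", "macos", "linux"

@dataclass(frozen=True)
class FileCheck:
    endpoint_id: str   # index reused as the DAP endpoint attribute (case-sensitive)
    path: str          # File Path attribute

@dataclass(frozen=True)
class RegistryCheck:
    endpoint_id: str
    hive: str          # Entry Path menu, e.g. "HKEY_LOCAL_MACHINE\\"
    key: str           # Entry Path field, e.g. r"SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)"

@dataclass(frozen=True)
class ProcessCheck:
    endpoint_id: str
    name: str          # Process Name as shown in Task Manager

Check = Union[FileCheck, RegistryCheck, ProcessCheck]

@dataclass
class Endpoint:
    """Constructed snapshot of a host (assumption: a real scan reads the host)."""
    os: str
    files: FrozenSet[str]      # full paths present on the host
    registry: FrozenSet[str]   # full key paths, hive prefix included
    processes: FrozenSet[str]  # running process names

HIVES = {"HKEY_CLASSES_ROOT\\", "HKEY_CURRENT_USER\\", "HKEY_LOCAL_MACHINE\\", "HKEY_USERS\\"}

def config_errors(checks: List[Check]) -> List[str]:
    """Authoring rules from this chapter: unique Endpoint IDs, a valid hive,
    and no quotes in a registry key name (even one containing spaces)."""
    errors, seen = [], set()
    for c in checks:
        if c.endpoint_id in seen:
            errors.append(f"duplicate Endpoint ID {c.endpoint_id!r}")
        seen.add(c.endpoint_id)
        if isinstance(c, RegistryCheck):
            if c.hive not in HIVES:
                errors.append(f"{c.endpoint_id}: unknown hive {c.hive!r}")
            if '"' in c.key:
                errors.append(f"{c.endpoint_id}: do not quote registry key names")
    return errors

def _present(ep: Endpoint, needle: str, haystack: FrozenSet[str]) -> bool:
    # Windows paths, registry keys and process names match case-insensitively;
    # Mac OS and Linux matches are case-sensitive.
    if ep.os == WINDOWS:
        return needle.lower() in {h.lower() for h in haystack}
    return needle in haystack

def evaluate(checks: List[Check], ep: Endpoint) -> Dict[str, bool]:
    """Returns {endpoint_id: exists}. On Mac OS and Linux a registry check is
    skipped entirely (no key in the result), which is this example's assumption
    about what 'ignored' means."""
    results: Dict[str, bool] = {}
    for c in checks:
        if isinstance(c, FileCheck):
            results[c.endpoint_id] = _present(ep, c.path, ep.files)
        elif isinstance(c, RegistryCheck):
            if ep.os != WINDOWS:
                continue
            results[c.endpoint_id] = _present(ep, c.hive + c.key, ep.registry)
        elif isinstance(c, ProcessCheck):
            results[c.endpoint_id] = _present(ep, c.name, ep.processes)
    return results

# The three example entries from this chapter.
CHAPTER_CHECKS: List[Check] = [
    FileCheck("File-okclient.exe", r"C:\Program Files\Cisco\CSAgent\bin\okclient.exe"),
    RegistryCheck("Registry-SecureDesktop", "HKEY_LOCAL_MACHINE\\",
                  r"SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)"),
    ProcessCheck("Process-Agent.exe", "Agent.exe"),
]

def windows_results() -> Dict[str, bool]:
    # Constructed Windows host: everything present, but in different case.
    ep = Endpoint(WINDOWS,
                  frozenset({r"c:\program files\cisco\csagent\bin\OKCLIENT.EXE"}),
                  frozenset({r"HKEY_LOCAL_MACHINE\Software\Cisco Systems\Secure Desktop\(Default)"}),
                  frozenset({"agent.exe"}))
    return evaluate(CHAPTER_CHECKS, ep)

def linux_results() -> Dict[str, bool]:
    # Constructed Linux host: the same case mismatch now fails, and the
    # registry check yields no result at all.
    checks: List[Check] = [
        FileCheck("File-agent", "/opt/cisco/bin/agent"),
        RegistryCheck("Registry-SecureDesktop", "HKEY_LOCAL_MACHINE\\", r"SOFTWARE\CISCO"),
        ProcessCheck("Process-agent", "agent"),
    ]
    ep = Endpoint(LINUX, frozenset({"/opt/cisco/bin/Agent"}), frozenset(), frozenset({"agent"}))
    return evaluate(checks, ep)

if __name__ == "__main__":
    print(config_errors(CHAPTER_CHECKS))
    print(windows_results())
    print(linux_results())
```

Two practical points follow from the model. First, a DAP that references a registry Endpoint ID will never see that attribute from a Mac OS or Linux client, so a policy meant to cover all platforms should not depend on it alone. Second, the presence of a file or process name is a hygiene signal rather than proof of anything: a user who knows the path can create an empty file or rename a process to satisfy the check, so these entries are best combined with the Endpoint Assessment application checks rather than used as the sole gate.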


Enabling and Disabling Scanning for Antivirus, Personal Firewall, and Antispyware Applications

You can configure a scan for antivirus, personal firewall, and antispyware applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, CSD loads Endpoint Assessment checks and reports the results back to the ASA for use in assigning a DAP.

To enable or disable the HostScan extensions, follow these steps:


Step 1 Choose Secure Desktop Manager > Host Scan.

The HostScan window opens (Figure 3-1).

Step 2 Check one of the following options in the Host Extensions area of the HostScan window:

Endpoint Assessment—If you check this option the remote PC scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.

Advanced Endpoint Assessment—This option is present only if the configuration includes a key for an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify. To turn on this option after acquiring a key from Cisco, choose Configuration > Device Management > Licensing > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key.

When you check this option, Secure Desktop Manager inserts a check mark next to both options.

To disable the HostScan extensions, uncheck both options in the Host Extensions area of the HostScan window.


Configuring Antivirus, Antispyware, and Personal Firewall Remediation

With an Advanced Endpoint Assessment license installed on the ASA, you can attempt to initiate remediation of various aspects of antivirus, antispyware, and personal firewall protection. Remediation is possible only if the software package allows a separate application to initiate it. For example, the remediation function could request an update of antivirus or antispyware definitions, or turn a personal firewall on if it is off. See Advanced Endpoint Assessment for more information.

To configure Advanced Endpoint Assessment, follow this procedure:


Step 1 Choose Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan. The HostScan window opens (Figure 3-1).

Step 2 Check Advanced Endpoint Assessment.

Secure Desktop Manager activates the Configure button if the ASA configuration has an Advanced Endpoint Assessment license. Otherwise, you need to get an Advanced Endpoint Assessment license to configure remediation. See Entering an Activation Key to Support Advanced Endpoint Assessment if you need to enable your Advanced Endpoint License. Then return to this step.

Step 3 Click Configure.

The Windows, Mac OS, and Linux tabs let you specify remediation for each respective operating system. The three tabs are the same; only the vendors and applications differ. By default, HostScan does not attempt to remediate. Figure 3-5 shows the default Windows tab.

Figure 3-5 Advanced Endpoint Assessment (Windows Tab Example)


Note Secure Desktop Manager activates attributes and buttons in response to a selection only if the application supports the attributes and button functions. For example, you can click Add to add a personal firewall rule only if the selected personal firewall application supports rules.


Step 4 Click Add next to the Antivirus table, select one or more Vendor-Product options from the dialog box, and click OK.

Secure Desktop Manager inserts the options you selected into the antivirus table.

Step 5 Set the following optional antivirus attributes:

Force File System Protection—(Enabled only if the selected antivirus application supports this feature) Check if you want to turn on ongoing background scanning by the installed antivirus application. The application checks files as they are received and blocks access to files that are likely to contain viruses.

Force Virus Definitions Update—Check to require the remote host to check for a virus definitions update for the installed application. If you check this option, you must specify the number of days.

if not updated in last— Enter the age in days of the last update that triggers a new update.

Step 6 Click Add next to the Personal Firewall table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 7 Configure the optional Personal Firewall action and rules, as follows:


Caution Any action and rules you configure persist on the end-user device even after the VPN session ends. Please apply them with discretion.

Firewall Action—The contents of this drop-down list depend on the options available for the selected personal firewall. Select None, Force Enable to enable the firewall, or Force Disable to disable the firewall.

Rules—This table is available only if the selected personal firewall supports rules. It lets you specify applications and ports for which the firewall allows or blocks ports or applications. See "Configuring Personal Firewall Rules" for instructions.

Step 8 Click Add next to the Antispyware table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 9 Set the following optional antispyware attributes:

Force Spyware Definitions Update—Check to require the remote host to check for a spyware definitions update for the selected application. If you check this option, you must specify the number of days.

if not updated in last— Enter the age in days of the last update that triggers a new update.

Step 10 Click OK.


Configuring Personal Firewall Rules

Personal firewall rules let you specify applications and ports for the firewall to allow or block. The Add, Edit, and Delete buttons next to the Rules table in the Advanced Endpoint Assessment window (Figure 3-5) are active only if the selected personal firewall supports rules. For example, the applications that appear under the Internet Security Systems, Inc. options support personal firewall rules.

If you configure Advanced Endpoint Assessment as described in the previous section and click Add or Edit next to the Rules table, the Add or Edit Rule window opens (Figure 3-6).

Figure 3-6 Add Personal Firewall Rule

To set the attributes in the Add or Edit Rule window,


Step 1 Use the following attribute description to select the rule.

Rule—Choose the action of this rule. The options are ALLOW Application, BLOCK Application, ALLOW Port, and BLOCK Port.

Step 2 Go to the Application area and set the following attributes if you selected ALLOW Application or BLOCK Application.

Name—Enter the full file name and extension of the application to be allowed or blocked.

Full path—Enter the entire path to the application file.

Step 3 Go to the Port area and set the following attributes if you selected ALLOW Port or BLOCK Port.

Protocol—Select the protocol to be allowed or blocked. The options are Any, UDP, and TCP.

Port—Enter the port number to be allowed or blocked.

Step 4 Click OK.

Repeat this procedure for each personal firewall rule you want to configure.