Cisco Secure Desktop

Release Notes for Cisco Secure Desktop, Release 3.6

Table Of Contents

Release Notes for Cisco Secure Desktop 3.6

Introduction

Downloading the Latest Version of CSD

Upgrading from CSD 3.5.x to CSD 3.6.x

Changes in CSD 3.6.5005

Changes in CSD 3.6.4021

Changes in CSD 3.6.3002

Changes in CSD 3.6.2002

Changes in CSD 3.6.1001

Changes in CSD 3.6.185

New Features Introduced in CSD 3.6.181

Independent Host Scan Upgrades

Which Host Scan Image Gets Enabled When There is More than One Loaded on the ASA?

Keystroke Logger Detection and Host Emulation Detection Delivered with Host Scan Package

Host Scan Keystroke Logger Detection and Host Emulation Detection User Interface

Pre-login Keystroke Logger Detection Available in Host Scan Package

Secure Desktop (Vault) Support for Windows 7

Host Scan Support for Antivirus, Antispyware, and Personal Firewall Software

System and Environment Requirements

ASA Requirements

Operating System Requirements

Host Scan

Cache Cleaner

Secure Desktop (Vault)

Keystroke Logger Detection and Host Emulation Detection Delivered with CSD 3.6 Package

Keystroke Logger Detection and Host Emulation Detection Delivered with Host Scan Package

Host Scan, CSD, and AnyConnect Secure Mobility Client Interoperability

Browser Interoperability

Internet Explorer 8 Settings on Windows 7

License Types

Advanced Endpoint Assessment License

Host Scan Engine Update, 3.0.7042

System Requirements

Downloading the Host Scan Engine Update

Before Upgrading or Downgrading Between CSD 3.5.x and 3.6.x

Backing up and Restoring the Data.xml File During Upgrade or Downgrade

Reconfigure Prelogin Operating System Checks in the Data.xml File

Administrator Guidelines

Endpoints and Operating Systems no Longer Supported by CSD

Endpoint Devices No Longer Supported

Operating Systems No Longer Supported

Browsers No Longer Supported

Enabling the Taskbar to Display the Yellow Lock Icon when Cache Cleaner is Running

CSD Loads Slowly or Appears to Stop

Specifying Windows 7 in a Dynamic Access Policy

Specifying Windows 7 as an Endpoint Attribute in the ASDM GUI

Specifying Windows 7 as an Operating System Attribute Using a Lua Expression

Hostscan and GPS Interaction

Server Certificate Length Consideration

Application Compatibility Layer and User Account Control

Downgrade Support

End User Guidelines

Responding to Java Warning Dialog Boxes

ActiveX or Java Settings

User Interface Privilege Isolation

Windows Mail

Internet Explorer, Microsoft Office, and Adobe Acrobat Interaction with Cisco Secure Desktop

Configuring Antivirus Applications for CSD

Home Directory Requirement

User Guidelines Related to Cache Cleaner

Do Not Change Cache Locations

History Not Erased With Multiple Explorer Windows

Cache Cleaner Installation Behavior

Cache Cleaner Interface Change

Cache Cleaner Delay

Cisco Security Agent with Secure Desktop and Cache Cleaner

Installation Guidelines

CSD Installation through a Proxy

New Certificate Required

Starting Applications from within Folders Created inside Secure Desktop

Caveats

Caveats Resolved by CSD Release 3.6.185

Caveats Resolved by CSD Release 3.6.181

Caveats Resolved by Host Scan Engine Update 3.0.7042

Caveats Resolved by Host Scan Engine Update 3.0.5009

Caveats Resolved by Host Scan Engine Update 3.0.4216

Caveats Resolved by Host Scan Engine Update 3.0.4207

Caveats Resolved by Host Scan Engine Update 3.0.4016

Open Caveats in CSD

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for Cisco Secure Desktop 3.6


Last Updated: March 21, 2012

This document contains release information for Cisco Secure Desktop version 3.6.x. Read the following sections carefully prior to installing, upgrading, and configuring Cisco Secure Desktop.

This document identifies the latest enhancements and guidelines. After reading about them, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Version 3.6 for more information about the features and for installation, upgrade, and configuration instructions.

Introduction

Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution. The main features of CSD include:

Host Scan checks for certain attributes on a remote endpoint device attempting to establish a Cisco AnyConnect client or browser-based (clientless) session. These attributes can signify whether the computer is corporate-owned. These attributes include registry entries, process names, and filenames. You can also use Host Scan to configure a check for antivirus and antispyware applications, associated definitions updates, and firewalls. CSD supports hundreds of versions of these applications. Host Scan reports results to the ASA, which integrates them with the dynamic access policies (DAPs).

Secure Desktop (Vault) encrypts the data and files associated with, or downloaded during, a remote session into a secure partition and presents a graphical representation of a desktop that includes an image of a lock to signify a safe environment for the remote user to work in. When the remote session ends, a sanitization algorithm wipes the encrypted partition. Typically used during clientless SSL VPN sessions, Secure Desktop attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or after an abrupt termination occurs.

If you want to run Secure Desktop (the "Vault") on Windows XP over an AnyConnect connection, you must configure CSD to identify Windows Vista and Windows 7 operating systems in the prelogin policy and then run Cache Cleaner for those operating systems instead of Secure Desktop.


Note We do not support running AnyConnect from within the Secure Desktop on Windows Vista or Windows 7.


Cache Cleaner, an alternative to Secure Desktop, attempts to eliminate information in the browser cache at the end of a session. This information includes entered passwords, auto-completed text, files cached by the browser, and browser configuration changes.

Cache Cleaner is only relevant to users making clientless SSL VPN connections. If your users are creating a VPN connection using the AnyConnect Secure Mobility Client, they will not need Cache Cleaner.

Keystroke logger detection and host emulation detection let you deny access based on the presence of a suspected keystroke logging application or a host emulator. You can use Secure Desktop Manager to specify the keystroke logging applications that are safe or let the remote user interactively approve the applications and host emulator the scan identifies. Both keystroke logger detection and host emulation detection are available with Cache Cleaner, Secure Desktop, and Host Scan.

No technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third party software installed. However, deployments of Cisco SSL VPN and AnyConnect using CSD, when combined with other security controls and mechanisms within the context of an effective risk management strategy and policy, can help reduce risks associated with using such technologies.

Downloading the Latest Version of CSD

To download the latest version of CSD you must be a registered user of Cisco.com.


Step 1 Follow this link to the CSD Product/Technology Support page:

http://www.cisco.com/en/US/products/ps6742/tsd_products_support_series_home.html

Step 2 Click Download Software.

Step 3 Log on to Cisco.com.

Step 4 Expand the All Releases > 3 directory and click the link for CSD 3.6.5005.

Step 5 There are different CSD packages for Windows, Mac OS X, and Linux. If you would like to simply download the CSD 3.6 package that contains versions for all operating systems, scroll down to find csd_3.6.5005-k9.pkg and click Download Now.

Step 6 Click Proceed With Download.

Step 7 After carefully reading the Software Download Rules, click Agree.

Step 8 Select a Download Option and click the Download link for the Cisco Secure Desktop package.


Upgrading from CSD 3.5.x to CSD 3.6.x

Before upgrading from CSD 3.5.x to CSD 3.6.x, read Before Upgrading or Downgrading Between CSD 3.5.x and 3.6.x.

Changes in CSD 3.6.5005

CSD 3.6.5005 is a maintenance release that incorporates Host Scan Engine Update, 3.0.7042 and resolves the Host Scan engine defects described in Table 4. This release does not introduce any new features.

Changes in CSD 3.6.4021

CSD 3.6.4021 is a maintenance release that incorporates the Host Scan Engine Update, 3.0.5077. This release does not introduce any new features.

Changes in CSD 3.6.3002

CSD 3.6.3002 is a maintenance release that incorporates the Host Scan Engine Update, 3.0.5009. This release does not introduce any new features.

Changes in CSD 3.6.2002

CSD 3.6.1001 is a maintenance release. It incorporates the Host Scan Engine Update, 3.0.5009. This release does not introduce any new features.

Changes in CSD 3.6.1001

CSD 3.6.1001 is a maintenance release. It incorporates the Host Scan Engine Update, 3.0.4216. This release does not introduce any new features.

Changes in CSD 3.6.185

CSD 3.6.185 is a maintenance release that resolves the caveats in Table 2 and incorporates the Host Scan Engine Update, 3.0.4016. This release does not introduce any new features.

New Features Introduced in CSD 3.6.181

Independent Host Scan Upgrades

Keystroke Logger Detection and Host Emulation Detection Delivered with Host Scan Package

Host Scan Keystroke Logger Detection and Host Emulation Detection User Interface

Pre-login Keystroke Logger Detection Available in Host Scan Package

Secure Desktop (Vault) Support for Windows 7

Host Scan Support for Antivirus, Antispyware, and Personal Firewall Software

Independent Host Scan Upgrades

Starting with CSD 3.6, the Host Scan package becomes a shared component of CSD and the AnyConnect Secure Mobility Client. Previously, the Host Scan package was one of several components available only by installing CSD.

The purpose of providing a Host Scan package separate from CSD is to allow you to update Host Scan support charts more frequently than it was possible when they were delivered solely as part of CSD. The Host Scan support charts contain the product name and version information of the antivirus, antispyware, and firewall applications you use in your prelogin policies. We deliver the Host Scan application and the Host Scan support charts, as well as other components, in the Host Scan package.

The Host Scan package can now be delivered in one of these ways: as a standalone package, with CSD, with the AnyConnect Posture Module, or with the full AnyConnect client image.

In addition to identifying operating system, antivirus, antispyware, and firewall software installed on the endpoint, the Host Scan package delivers the components to perform a prelogin assessment, identify keystroke loggers, and detect host emulation and virtual machines running on the endpoint. Keystroke logger detection, host emulation detection, and virtual machine detection were features of CSD that are now also included in the Host Scan package.

Still, the Host Scan package is not a replacement for CSD. Customers that want cache cleaning or Secure Desktop (Vault) need to install and enable CSD in addition to the Host Scan package. See http://www.cisco.com/en/US/products/ps6742/products_installation_and_configuration_guides_list.html to learn about the Secure Desktop (Vault) feature in the CSD Configuration Guides.

You can install, uninstall, enable, and disable a Host Scan package using the ASA's Adaptive Security Device Manager (ASDM) or its command line interface. You can configure prelogin policies using the Secure Desktop Manager tool on the ASDM.

Which Host Scan Image Gets Enabled When There is More than One Loaded on the ASA?

The Host Scan image is delivered with the Host Scan package. It can be deployed to the endpoint from the standalone Host Scan package, the full AnyConnect Secure Mobility Client package, and Cisco Secure Desktop. Depending on what licenses you have installed on your ASA, you may have all of these packages loaded on your ASA. In that case, the ASA first enables the image that you specified as the Host Scan image; if you have not specified one, the ASA enables the Host Scan functionality from Cisco Secure Desktop.

If you uninstall the Host Scan package, the ASA cannot enable its Host Scan image.

These scenarios describe which Host Scan package the ASA distributes when it has more than one loaded.

If you have installed a standalone Host Scan package on the ASA and have designated it as the Host Scan image, and you enable CSD/hostscan, ASA distributes the standalone Host Scan package.

If you have installed a standalone Host Scan package on the ASA, and have designated it as the Host Scan image, and you have installed a CSD image on the ASA, and you enable CSD/hostscan, ASA distributes the standalone Host Scan image.

If you have installed an AnyConnect Secure Mobility Client package on the ASA and have designated it as the Host Scan image, the ASA will distribute the Host Scan image from that package.

If you install an AnyConnect Secure Mobility Client package file on the ASA but do not specify it as the Host Scan image, the ASA will not distribute the Host Scan package associated with that AnyConnect package. The ASA will distribute an installed Host Scan package or CSD package, provided CSD is enabled.

Keystroke Logger Detection and Host Emulation Detection Delivered with Host Scan Package

In order to help customers transition to the AnyConnect Secure Mobility Client, keystroke logger detection (KSL) and host emulation detection are now delivered with the standalone Host Scan package.

KSL and host emulation detection functions delivered with the standalone Host Scan package are identical to those delivered with CSD 3.5, but they also provide support for additional operating systems. Host Scan host emulation detection provides support for all Windows desktop operating systems, including x64 (64-bit) VMware, VirtualBox, and Virtual PC. Support for these additional operating systems is not available in the host emulation detection functionality delivered with the CSD 3.6 Secure Desktop (Vault) feature.

Both Host Scan and Vault are included in CSD 3.6. If CSD 3.6 is installed on the ASA, and Vault is enabled, the KSL and host emulation detection functionality provided by Vault takes precedence over the KSL and host emulation detection functionality provided in the standalone Host Scan package.

Host Scan Keystroke Logger Detection and Host Emulation Detection User Interface

The user interface provided by Host Scan keystroke logger (KSL) and host emulation functions is simpler than that provided by the Cisco Secure Desktop KSL and host emulation detection functions.

There are no longer user notifications indicating the starting of keystroke logger detection. Host Scan KSL only notifies users that a keystroke logger has been found when the keystroke logger is not listed among the List of Safe Modules specified in the Keystroke Logger & Safety Checks panel in ASDM.

There is only one translation template (pot file) for both CSD and Host Scan, and there is only one translated file (po file) per language for both CSD and Host Scan.

Pre-login Keystroke Logger Detection Available in Host Scan Package

The keystroke logger detection feature is now available with the Host Scan package. As it does when deployed with Secure Desktop (Vault), KSL can detect the presence of keystroke loggers before the user logs in. You do not need to enable Secure Desktop (Vault) in order to enable the keystroke logger detection delivered with the Host Scan package.

Secure Desktop (Vault) Support for Windows 7

The Vault included in CSD 3.6 now provides support for x86 (32-bit) Windows 7. Other than support for this additional operating system, there are no new Vault features in CSD 3.6.


Note If you want to run Secure Desktop (the "Vault") on Windows XP over an AnyConnect connection, you must configure CSD to identify Windows Vista and Windows 7 operating systems in the prelogin policy and then run Cache Cleaner for those operating systems instead of Secure Desktop.

We do not support running AnyConnect from within the Secure Desktop on Windows Vista or Windows 7.


Host Scan Support for Antivirus, Antispyware, and Personal Firewall Software

With an Advanced Endpoint Assessment license, on Windows desktops, Cisco Secure Desktop 3.6 updates the list of antivirus, antispyware, and personal firewall applications it supports. The Cisco Secure Desktop Compatibility site lists the antivirus, antispyware, and firewall applications that Host Scan checks for on the endpoint.

System and Environment Requirements

The following sections identify the ASA platform and end-user interoperability that CSD requires or supports.

ASA Requirements

In order to take advantage of all the Host Scan engine updates in CSD 3.6, you need to install CSD 3.6 with these versions of ASA and ASDM:

Cisco ASA 5500 series security appliance with total memory of 512 MB.

ASA release 8.4(1) or later

ASDM 6.4(0)104 or later

For all other features, CSD 3.6 works with these minimum versions of ASA and ASDM:

ASA 5500 series security appliance running ASA release 8.0(4) or later

ASDM 6.1(3) or later

Operating System Requirements

The following section lists the CSD endpoint functions and identifies the endpoint OSs they support.


Note For information on endpoint devices and operating systems that CSD no longer supports, see Administrator Guidelines.


Host Scan

Host Scan supports the following operating systems:

Windows

x86 (32-bit) and x64 (64-bit) Windows 7

x86 (32-bit) and x64 (64-bit) Windows Vista, Vista SP1, Vista SP2

x64 (64-bit) Windows XP SP2

x86 (32-bit) Windows XP SP2 and SP3

Windows Mobile versions 6.0, 6.1, 6.1.4, and 6.5 for touch screen devices only (Windows Mobile Professional).

Mac OS X

32-bit and 64-bit Mac OS X v10.7

32-bit and 64-bit Mac OS X v10.6

32-bit and 64-bit Mac OS X v10.5

Linux

32-bit and 64-bit biarch Red Hat Enterprise Linux 3

32-bit and 64-bit biarch Red Hat Enterprise Linux 4

32-bit and 64-bit biarch Red Hat Enterprise Linux 5

32-bit and 64-bit biarch Fedora Core 4 and later

Ubuntu


Note Host Scan is a 32-bit application and requires the core 32-bit libraries to be installed on 64-bit Linux operating systems. Host Scan does not provide these 32-bit libraries at the time it is installed. Customers need to install the 32-bit libraries on the endpoints themselves, if they are not already provisioned.


Cache Cleaner

Cache Cleaner supports the following operating systems for 32-bit browsers only:

Windows

x86 (32-bit) and x64 (64-bit) Windows 7

x86 (32-bit) and x64 (64-bit) Windows Vista, Vista SP1, Vista SP2

x64 (64-bit) Windows XP SP2

x86 (32-bit) Windows XP SP2 and SP3

Mac OS X

32-bit and 64-bit Mac OS X v10.7

32-bit and 64-bit Mac OS X v10.6

32-bit and 64-bit Mac OS X v10.5

Linux

32-bit and 64-bit Red Hat Enterprise Linux 3

32-bit and 64-bit Red Hat Enterprise Linux 4

32-bit and 64-bit Red Hat Enterprise Linux 5

32-bit and 64-bit Fedora Core 4 and later

Ubuntu


Note Host Scan is a 32-bit application and requires the core 32-bit libraries to be installed on 64-bit Linux operating systems. Host Scan does not provide these 32-bit libraries at the time it is installed. Customers need to install the 32-bit libraries on the endpoints themselves, if they are not already provisioned.



Note Cache Cleaner does not support the standalone startup of AnyConnect Client from any computer.


Secure Desktop (Vault)

Secure Desktop (Vault) is delivered only with CSD 3.6; the Vault runs on the following operating systems:

x86 (32-bit) Windows 7

x86 (32-bit) Windows Vista, SP1, and SP2

KB935855 must be installed on systems running Windows Vista without SP1 or SP2.

x86 (32-bit) Windows XP SP2 and SP3

Keystroke Logger Detection and Host Emulation Detection Delivered with CSD 3.6 Package

The KSL and host emulation detection functions included with CSD 3.6 support the following operating systems:

x86 (32-bit) Windows 7

x86 (32-bit) Windows Vista, SP1, and SP2

KB935855 must be installed on systems running Windows Vista without SP1 or SP2.

x86 (32-bit) Windows XP SP2 and SP3

Keystroke Logger Detection and Host Emulation Detection Delivered with Host Scan Package

The KSL and host emulation detection functions included with the standalone Host Scan package support the following operating systems:

x86 (32-bit) Windows 7

x86 (32-bit) Windows Vista SP2

x86 (32-bit) Windows XP SP3

Host Scan, CSD, and AnyConnect Secure Mobility Client Interoperability


Caution A Host Scan package deployed along with AnyConnect Secure Mobility Client version 3.0.x must have the same or a later version number than the AnyConnect Secure Mobility Client.

If you have Cisco Secure Desktop (CSD) version 3.5, or earlier, enabled on the ASA and you do not upgrade the Host Scan package to match or exceed the version of AnyConnect Secure Mobility Client 3.0.x you are deploying, prelogin assessments will fail and users will not be able to establish a VPN session. This will happen even if the AnyConnect 3.0.x posture module is pre-deployed to the endpoint because the ASA will automatically downgrade the Host Scan package on the endpoint to match the Host Scan package enabled on the ASA.

AnyConnect versions 2.5 and earlier are compatible with Host Scan packages 3.0.x and later. For example, if you are using CSD 3.5 or earlier and AnyConnect 2.5 or earlier and you upgrade just the Host Scan image to 3.0.x or later, prelogin assessments will succeed.

Cisco Secure Desktop versions 3.6 and later are not compatible with AnyConnect version 2.4 and earlier.


Tip See "Chapter 5, Configuring Host Scan" in the AnyConnect Secure Mobility Client Administrator's Guide, Release 3.0 for instructions on installing and enabling the Host Scan image.
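
A pre-upgrade check for the rules in the caution above, as an added example that is not part of Cisco's release notes or tooling: it picks the Host Scan image the ASA would enable (the designated image first, otherwise the one in CSD) and tests it against the AnyConnect version. The AnyConnect and CSD 3.5 package names are constructed samples, and treating the engine update number a CSD release incorporates as its Host Scan version is an assumption.

```python
import re

# Host Scan engine update incorporated by each CSD 3.6 maintenance release, taken
# from the "Changes in CSD ..." sections of these release notes. 3.6.2002 is left
# out because the text under its heading names a different release.
# Assumption: this engine number is the Host Scan version compared to AnyConnect.
CSD_ENGINE = {
    (3, 6, 5005): (3, 0, 7042),
    (3, 6, 4021): (3, 0, 5077),
    (3, 6, 3002): (3, 0, 5009),
    (3, 6, 1001): (3, 0, 4216),
    (3, 6, 185): (3, 0, 4016),
}
ORDER = {"OK": 0, "UNKNOWN": 1, "FAIL": 2}


def parse_version(name):
    """Extract (major, minor, build) from a version or package file name."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", name)
    if match is None:
        raise ValueError("no x.y.z version in %r" % name)
    return tuple(int(part) for part in match.groups())


def fmt(version):
    return ".".join(str(part) for part in version)


def effective_hostscan(designated_pkg, csd_pkg):
    """Version of the Host Scan image the ASA enables, or None if unknown.

    Per the notes, the image designated as the Host Scan image wins; with none
    designated, Host Scan comes from the CSD package.
    """
    if designated_pkg:
        return parse_version(designated_pkg)
    if csd_pkg:
        return CSD_ENGINE.get(parse_version(csd_pkg))
    return None


def check_interop(anyconnect_pkg, designated_pkg=None, csd_pkg=None):
    """Return a list of (status, reason); status is OK, UNKNOWN or FAIL."""
    ac = parse_version(anyconnect_pkg)
    csd = parse_version(csd_pkg) if csd_pkg else None
    hs = effective_hostscan(designated_pkg, csd_pkg)
    findings = []

    # CSD 3.6 and later are not compatible with AnyConnect 2.4 and earlier.
    if csd and csd[:2] >= (3, 6) and ac[:2] <= (2, 4):
        findings.append(("FAIL", "CSD %s is not compatible with AnyConnect %s"
                         % (fmt(csd), fmt(ac))))

    if ac[:2] == (3, 0):
        if hs is None and csd and csd[:2] <= (3, 5):
            findings.append(("FAIL", "Host Scan comes from CSD %s and was not "
                             "upgraded; prelogin assessment will fail" % fmt(csd)))
        elif hs is None:
            findings.append(("UNKNOWN", "Host Scan version could not be determined"))
        elif hs >= ac:
            findings.append(("OK", "Host Scan %s matches or exceeds AnyConnect %s"
                             % (fmt(hs), fmt(ac))))
        else:
            findings.append(("FAIL", "Host Scan %s is older than AnyConnect %s; the "
                             "ASA downgrades the endpoint and prelogin fails"
                             % (fmt(hs), fmt(ac))))
    elif ac[:2] <= (2, 5):
        if hs is not None and hs[:2] >= (3, 0):
            findings.append(("OK", "AnyConnect 2.5 and earlier work with Host Scan "
                             "3.0.x and later"))
        else:
            findings.append(("UNKNOWN", "Host Scan older than 3.0.x or not determined"))
    else:
        findings.append(("UNKNOWN", "AnyConnect %s is not covered by these notes"
                         % fmt(ac)))
    return findings


def verdict(findings):
    """Worst status among the findings."""
    return max((status for status, _ in findings), key=ORDER.get)


if __name__ == "__main__":
    # Constructed deployment: AnyConnect 3.0.x with CSD 3.6.1001 and no
    # separately designated Host Scan image.
    results = check_interop("anyconnect-win-3.0.5080-k9.pkg",
                            csd_pkg="csd_3.6.1001-k9.pkg")
    for status, reason in results:
        print(status, "-", reason)
    print("verdict:", verdict(results))
```
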


Browser Interoperability

These are the minimum versions of browsers Host Scan, Cache Cleaner, Secure Desktop (Vault), and Web Launch support:

Internet Explorer 6.0

Safari 3.2.1

Firefox 3.0.x

Host Scan, Cache Cleaner, Secure Desktop (Vault), and Web Launch also require Sun Java 1.5 or later. These browsers must also have JavaScript capabilities enabled and the browsers must support XML parsing operations.

Host Scan and Cache Cleaner do not support 64-bit versions of Internet Explorer. Please instruct users of x64 (64-bit) Windows OSs to use the 32-bit version of Internet Explorer or Firefox to avoid VPN connection issues. (At this time, Firefox is available only in a 32-bit version.) If you use a 64-bit version of Internet Explorer to try to establish a VPN session with a security appliance configured to install Host Scan or Cache Cleaner on the endpoint, a "Platform Detection" message states, "Web-based launch of Cisco Secure Desktop is not supported with 64-bit versions of IE. Please retry with the 32-bit version of IE."

Internet Explorer 8 Settings on Windows 7

CSD has been tested on, and supports, Windows 7 using Internet Explorer 8 running in Browser Mode Internet Explorer 8 and Document Mode Internet Explorer 8 Standards (Page Default). CSD does not support IE8 running in IE7 modes.

License Types

Cisco Secure Desktop requires an AnyConnect Premium SSL VPN Edition license (single device) or an AnyConnect Premium SSL VPN Edition shared license (main device and participant device). Some features require the purchase of an Advanced Endpoint Assessment license.

Advanced Endpoint Assessment License

With the purchase of an Advanced Endpoint Assessment license installed on the ASA, you can use these advanced features of CSD:

Remediation - On Windows, Mac OS X, and Linux desktops, Advanced Endpoint Assessment can attempt to initiate remediation of various aspects of antivirus, antispyware and personal firewall protection if that software allows a separate application to initiate remediation.

Windows Mobile Device Lua Expressions - For Windows Mobile Devices, administrators will be able to write Lua expressions in Dynamic Access Policies (DAPs) to perform posture checks on those attributes unique to mobile devices. See Specifying Windows 7 in a Dynamic Access Policy for an example of a Lua expression.

Host Scan Engine Update, 3.0.7042

The Host Scan engine, which is among the components delivered with the AnyConnect Secure Mobility Client, identifies endpoint posture attributes of the host. An updated Host Scan package, hostscan_3.0.7042-k9.pkg, is now available. This package provides an updated Host Scan engine. See the "Independent Host Scan Upgrades" section for a detailed description of the independent Host Scan package.

The List of Antivirus, Antispyware, and Firewall Applications Supported by Host Scan 3.0.7042 is available on cisco.com. The support chart opens most easily using a Firefox browser. If you are using Internet Explorer, download the file to your computer and change the file extension from .zip to .xlsm. You can open the file in Microsoft Excel, Microsoft Excel viewer, or Open Office.

System Requirements

This new independent Host Scan package supports AnyConnect 3.x releases and CSD releases 3.5 or higher. It can be installed on ASA version 8.4 or higher.

Downloading the Host Scan Engine Update

To download the latest Cisco Host Scan Engine Updates, you must be a registered user of Cisco.com.


Step 1 Click this link to reach the software download area for Cisco VPN Client Tools:

http://www.cisco.com/cisco/software/release.html?mdfid=282414594&flowid=4470&softwareid=282364364&release=Engine%20Updates&relind=AVAILABLE&rellifecycle=&reltype=latest

Step 2 In the product tree, select All Releases > Hostscan > Engine Updates.

Step 3 In the Release Engine Update table, find hostscan_3.0.7042-k9.pkg and click Download.

Step 4 Enter your cisco.com credentials and click Login.

Step 5 Click Proceed with Download.

Step 6 Read the End User License Agreement and click Agree.

Step 7 Select a download manager option and click the download link to proceed with the download.

Step 8 See "Installing, Enabling, and Uninstalling Host Scan on the ASA" in the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6 for instructions on installing and enabling the Host Scan image.


Before Upgrading or Downgrading Between CSD 3.5.x and 3.6.x


Caution Read these two procedures before upgrading and downgrading between CSD 3.5.x and CSD 3.6.x.

Backing up and Restoring the Data.xml File During Upgrade or Downgrade

Reconfigure Prelogin Operating System Checks in the Data.xml File

Backing up and Restoring the Data.xml File During Upgrade or Downgrade

When upgrading from CSD version 3.5.x or earlier to CSD 3.6.x, or downgrading from CSD 3.6.x to CSD version 3.5.x or earlier, the Adaptive Security Device Manager (ASDM) overwrites the data.xml file with the default CSD settings without notifying the administrator. The data.xml file is the CSD configuration file and must be preserved or all previous configurations will be lost upon upgrade. We maintain a record of this problem in our Bug Toolkit and use the number CSCto11223 to identify it.

This problem affects the following configurations:

CSD Global Settings

Prelogin policies

Keystroke Logger & Safety checks

Cache cleaner customization

Secure Desktop (Vault) configurations

Secure Desktop Customization

Host Scan entries manually configured for registry scan, file scan, and process scan

Endpoint Assessment licenses


Tip To work around this problem, back up the data.xml file before you upgrade or downgrade.


To back up your data.xml file before you upgrade or downgrade and reinstate it afterwards, follow this procedure:


Step 1 Open ASDM, click the Tools menu and select Backup Configurations.

Step 2 Click File Transfer and select Between Local PC and Flash.

Step 3 Expand the directory tree for disk0:/sdesktop and transfer the data.xml file to your local PC.

Step 4 Close the File Transfer window.

Step 5 Close the File Management window.

Step 6 (Optional) If you are upgrading and you have configured a prelogin policy that uses an operating system check, read Reconfigure Prelogin Operating System Checks in the Data.xml File and edit your local copy of the data.xml file as described in steps 4 - 6 of that procedure.

Step 7 (Optional) If you are downgrading and you have configured a prelogin policy that uses an operating system check, read Reconfigure Prelogin Operating System Checks in the Data.xml File and edit your local copy of the data.xml file as described in steps 4, 7 and 8 of that procedure.

Step 8 Upgrade or downgrade the CSD image using the procedures in the Installing and Enabling CSD chapter of Cisco Secure Desktop Configuration Guide.

Step 9 Click the Tools menu in the ASDM menu bar and select File Management.

Step 10 Click File Transfer and select Between Local PC and Flash.

Step 11 Transfer the data.xml file from your local PC to the disk0:/sdesktop directory.

Step 12 Click Save.

Step 13 Restart ASDM.

Step 14 (Optional) If you had the Advanced Endpoint Assessment or the Endpoint Assessment license activated before the upgrade, you will need to re-enable them manually:

a. In ASDM, navigate to Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan.

b. Check either or both of Advanced Endpoint Assessment and Endpoint Assessment in Host Scan Extensions.

c. Click Apply All.

d. Click Save.

e. Restart ASDM.


Reconfigure Prelogin Operating System Checks in the Data.xml File

Upgrading from CSD version 3.5.x or earlier to CSD 3.6.x, or downgrading from CSD 3.6.x to CSD 3.5.x or earlier introduces a labeling mismatch in the data.xml file that results in your prelogin policies being hidden from view in the Prelogin Policy window. We maintain a record of this problem in our Bug Toolkit and use the number CSCtq02168 to identify it.


Tip To work around this problem, edit the data.xml file directly to fix the label.


Follow this procedure to perform this workaround:


Step 1 Open ASDM, click the Tools menu and select File Management.

Step 2 Click File Transfer and select Between Local PC and Flash.

Step 3 Expand the directory tree for disk0:/sdesktop and transfer the data.xml file to your local PC.

Step 4 Open the data.xml file on your local PC in a plain text or XML editor.

Step 5 (Optional) If you are upgrading your version of CSD, look for an entry similar to this:

<choose type="os_check">

<when label="Win 2K/XP" test="os_check" arg1="win2k">

Step 6 Change this string "Win 2K/XP" to this string "Win 2K/XP/Vista/Win7" and save your local copy.

Step 7 (Optional) If you are downgrading your version of CSD, look for an entry similar to this:

<choose type="os_check">

<when label="Win 2K/XP/Vista/Win7" test="os_check" arg1="win2k">

Step 8 Change this string "Win 2K/XP/Vista/Win7" to this string "Win 2K/XP" and save your local copy.

Step 9 On the ASDM, click File Transfer and select Between Local PC and Flash.

Step 10 Transfer the data.xml file from your local PC to the disk0:/sdesktop directory.

Step 11 Click Yes to overwrite the existing data.xml file.

Step 12 Close the File Transfer window.

Step 13 Close the File Management window.

Step 14 Click Save.

Step 15 Restart ASDM.

Step 16 After logging back in to ASDM, select Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy. Your prelogin policy is visible again.
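
The relabeling in Steps 5 through 8, as an added example (not Cisco code): a Python helper that changes only the label on the win2k os_check entry, leaves every other byte of data.xml untouched, and refuses to return output that is not well-formed XML. The sample document is constructed; only its two os_check lines come from the procedure above, and the "data" root, the "location" elements, and the "Mac" entry are assumptions.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Labels from Steps 5-8 of the procedure.
OLD_LABEL = b"Win 2K/XP"               # written by CSD 3.5.x and earlier
NEW_LABEL = b"Win 2K/XP/Vista/Win7"    # expected by CSD 3.6.x

WHEN_TAG = re.compile(rb"<when\b[^>]*>")                # one <when ...> start tag
ATTR = re.compile(rb'([\w:-]+)\s*=\s*"([^"]*)"')        # double-quoted attributes
LABEL_ATTR = re.compile(rb'(\blabel\s*=\s*")[^"]*(")')  # the label value only

# Constructed sample. Only the <choose> and first <when> lines appear on the page.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<data>
  <choose type="os_check">
    <when label="Win 2K/XP" test="os_check" arg1="win2k">
      <location name="Default"/>
    </when>
    <when label="Mac" test="os_check" arg1="mac">
      <location name="Default"/>
    </when>
  </choose>
</data>
"""


def relabel_os_check(xml_bytes, direction):
    """Return (patched_bytes, hits) for direction 'upgrade' or 'downgrade'."""
    if direction == "upgrade":
        src, dst = OLD_LABEL, NEW_LABEL
    elif direction == "downgrade":
        src, dst = NEW_LABEL, OLD_LABEL
    else:
        raise ValueError("direction must be 'upgrade' or 'downgrade'")
    hits = 0

    def fix(match):
        nonlocal hits
        tag = match.group(0)
        attrs = dict(ATTR.findall(tag))
        wanted = (b"os_check", b"win2k", src)
        # Exact comparison: a label already in the target form is left alone,
        # so running the same direction twice cannot stack "/Vista/Win7" twice.
        if (attrs.get(b"test"), attrs.get(b"arg1"), attrs.get(b"label")) != wanted:
            return tag
        hits += 1
        return LABEL_ATTR.sub(lambda m: m.group(1) + dst + m.group(2), tag, count=1)

    patched = WHEN_TAG.sub(fix, xml_bytes)
    ET.fromstring(patched)  # raises ParseError instead of returning broken XML
    return patched, hits


def patch_file(path, direction):
    """Patch data.xml in place, keeping the original as data.xml.bak."""
    path = Path(path)
    patched, hits = relabel_os_check(path.read_bytes(), direction)
    if hits:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(patched)
    return hits


if __name__ == "__main__":
    result, count = relabel_os_check(SAMPLE, "upgrade")
    print(count, "label(s) changed")
    print(result.decode("utf-8"))
```

A return value of 0 from patch_file means no matching label was found and the file was not written; check the file by hand before transferring it back to disk0:/sdesktop.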


Administrator Guidelines

Refer to the following sections for information you should know before installing, upgrading, and configuring CSD. These sections supplement the information provided in the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6.

Endpoints and Operating Systems no Longer Supported by CSD

This section lists hardware and software which were previously supported by CSD but are no longer. We do not maintain a list of hardware and software that CSD has never supported.

See System and Environment Requirements for a list of hardware and software CSD 3.6 does support.

Endpoint Devices No Longer Supported

Starting with release 3.6.181, CSD stopped supporting Mac PowerPCs.

Operating Systems No Longer Supported

Starting with release 3.5.841, CSD stopped supporting Windows 2000 and Mac OS X v10.4.

Browsers No Longer Supported

Starting with release 3.5.841, Cache Cleaner stopped supporting Internet Explorer 5.0.

Enabling the Taskbar to Display the Yellow Lock Icon when Cache Cleaner is Running

By default, the taskbar no longer displays the yellow lock icon while Cache Cleaner is running. Releases of Cisco Secure Desktop earlier than 3.5 displayed this icon with Cache Cleaner. To display the icon, enable keystroke logger detection, host emulation detection, or both.


Caution Enabling keystroke logger detection, host emulation detection, or both turns on the Cisco Secure Desktop 3.4.2048 behavior of Cache Cleaner. It also replaces the Cisco Secure Desktop 3.5 version of Host Scan with that provided in Cisco Secure Desktop 3.4.2048 for both Cache Cleaner and AnyConnect sessions.

CSD Loads Slowly or Appears to Stop

If CSD is taking too long to load, it may be that the SSL client (your browser) cannot access the certificate revocation list (CRL) server. In this case, your browser will attempt to reconnect. Eventually, the connection will time out. These extra attempts delay CSD from launching.

Ensure that your CRL server is properly configured so that your browser can reach it and access the certificate revocation list. This will help CSD launch more quickly.

Here is an example of when the SSL server and SSL client attempt to reach the certificate revocation list:

During the initial SSL handshake between the ASA and the client, the ASA (the SSL server) sends a certificate bearing its name to the SSL client (your browser). Your browser then attempts to validate the certificate. For example, it could check that the name on the certificate corresponds to the host and domain name the browser is pointing to. After that, the client may also contact the certificate revocation list server to determine whether the certificate has been revoked.

The ASA may also request a certificate from the client, in which case, the client, if it has one, submits its client certificate. The ASA will then attempt to validate the certificate similarly to the way the client did.

Specifying Windows 7 in a Dynamic Access Policy

Specifying Windows 7 as an Endpoint Attribute in the ASDM GUI

You can specify Windows 7 as an endpoint attribute using the ASDM GUI if you are using ASDM version 6.2(5) on an ASA running version 8.2.2 or earlier. See Figure 1 for an example.

Figure 1 Windows 7 Specified as an Endpoint Attribute Using ASDM GUI

Specifying Windows 7 as an Operating System Attribute Using a Lua Expression

If you are running a version of ASDM earlier than 6.2(5) on your ASA, you can still use a DAP to check for the Windows 7 OS, but you will need to do this using a Lua expression.

To learn more about Lua expressions in Dynamic Access Policies, see the section on "Configuring Dynamic Access Policies" in Cisco Security Appliance Configuration Guide Using ASDM.

This Lua expression is true if the operating system on the endpoint is Windows 7:

(EVAL(endpoint.os.version,"EQ","Windows 7","string"))

See Figure 2 for an example of the previous Lua expression displayed in the ASDM interface.

Figure 2 Windows 7 Specified in a Lua Expression

Hostscan and GPS Interaction

Host Scan does not wait for the GPS device to activate in order to retrieve location information. It reports the latest GPS location if the GPS device is active and has a GPS fix.

If the GPS hardware is off, Host Scan does not switch it on. It uses the cached location information at the timestamp noted. If the mobile device has erased or invalidated latitude and longitude information, it will not be reported to Host Scan.

Server Certificate Length Consideration

Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the ASA and rejected VPN logins.

Application Compatibility Layer and User Account Control

Windows Vista uses virtualization to provide application compatibility. CSD turns off user account control (UAC) from within Secure Desktop to avoid collisions with the CSD file system virtualization. Consequently, applications running over Secure Desktop (Vault) do not always share the same resources, such as mapped drives, as non-secure desktop applications.

Downgrade Support

CSD supports upgrades and downgrades between versions 3.6.185 and 3.4.2 on the ASA. Users can establish remote sessions with one or the other, but cannot connect to ASAs running CSD versions earlier than 3.2.1.

With the use of the procedures Before Upgrading or Downgrading Between CSD 3.5.x and 3.6.x, CSD supports upgrades and downgrades between versions 3.6.181 and 3.4.2 on the ASA. Users can establish remote sessions with one or the other, but cannot connect to ASAs running CSD versions earlier than 3.2.1.


Tip Avoid downgrade issues from 3.6.181 to other versions of CSD by upgrading to CSD 3.6.185.


End User Guidelines

Be sure to communicate these guidelines to end users.

Responding to Java Warning Dialog Boxes

If a user who has not added the URL of the VPN as a trusted site initiates a Firefox connection to the ASA, Firefox displays the following warning message in a dialog box: "The web site's certificate cannot be verified. Do you want to continue?" Please instruct users to do the following:


Step 1 Click Always trust content from this publisher, then click Yes.

A second dialog box indicates "The application's digital signature has been verified. Do you want to run the application?"

Step 2 Click Always trust content from this publisher, then click Run.

Following these two steps prevents the associated dialog boxes from appearing during subsequent connection attempts originating from that user profile on that computer.


ActiveX or Java Settings

CSD tries different methods to install itself on Microsoft Windows client computers until it finds a method that works. The installation is automatic and transparent to the user; however, one of the methods must be available on the remote computer, and the user must have privileges to use that method. Table 1 shows the installation methods and associated user requirements.


Note Starting in this release, CSD no longer supports Microsoft Java VM.


Table 1 CSD Installation Methods and Requirements

Installation Method    Remote User Requirement
ActiveX                Administrator privileges
Sun JavaVM             Any user
Exe                    Any user with execution permissions

Note When User Account Control (UAC) is enabled on Windows Vista, users need to be able to provide the administrator password in order to install CSD.


The following Internet Explorer security settings are required. Use these settings as a guideline for other browsers:

To access and launch the executable page:

Scripting > Active scripting > Enable

Downloads > File download > Enable

To launch ActiveX:

Scripting > Active scripting > Enable

ActiveX controls and plug-ins > Download signed ActiveX controls > Enable

ActiveX controls and plug-ins > Run ActiveX controls and plug-ins > Enable

User Interface Privilege Isolation

Because tasks such as Host Scan and idle mouse detection require monitoring of other processes, CSD cannot run at a low integrity level. This means that starting CSD sometimes requires privilege elevation. Users experience prompting for privilege elevation and have to consent to use CSD.

Internet Explorer (7 or later) on Vista runs at a low integrity level by default to avoid installation of software that monitors the system. This creates a conflict with CSD. Users who have limited privileges must add the URL of the ASA to the trusted zone list before proceeding.

Windows Mail

CSD does not support Windows Mail, the e-mail client that comes with Windows Vista.

Internet Explorer, Microsoft Office, and Adobe Acrobat Interaction with Cisco Secure Desktop

CSD closes all instances of Internet Explorer, Microsoft Office applications, and Adobe Acrobat running on Windows operating systems before Secure Desktop installs or before users switch to the Secure Desktop.

If Desktop Switching is enabled, you cannot switch from a Secure Desktop session to the host desktop and then open Internet Explorer, Microsoft Office applications, or Adobe Acrobat. This Windows limitation might cause some applications running on the host desktop to fail.

Configuring Antivirus Applications for CSD

Antivirus applications can misinterpret the behavior of some of the applications included in Cisco Secure Desktop as malicious. Before installing CSD, configure your antivirus software to "white-list" or make security exceptions for these applications:

cscan.exe

ciscod.exe

cstub.exe

Home Directory Requirement

The home directory on the remote computer must not contain any folder or file named .cachedlg.zip.

User Guidelines Related to Cache Cleaner

Do Not Change Cache Locations

Cache sessions may not get cleaned if a user changes cache locations during Secure Desktop and Cache Cleaner sessions.

History Not Erased With Multiple Explorer Windows

Windows Explorer does not erase browser history because other Explorer windows could share it. Before users start Cache Cleaner, they should uncheck "Launch folder windows in a separate process" in Windows Explorer under Tools > Folder Options > View.

Cache Cleaner Installation Behavior

Cisco Secure Desktop's Cache Cleaner has a configurable option in the Cache Cleaner panel of Secure Desktop Manager called "Show success message at the end of successful installation. (Windows only)." When this option was selected in CSD 3.4 and earlier releases, a message informed users when Cache Cleaner was successfully installed. Cache Cleaner no longer displays this message.

Cache Cleaner Interface Change

In CSD 3.4 and earlier releases, when Cache Cleaner was running, a yellow lock icon displayed in the system tray as a visual reminder to the user. Cache Cleaner no longer displays this icon.

Cache Cleaner Delay

When an SSL VPN session ends, Cache Cleaner may take about a minute to clean the cache and close the browser. Differences in endpoints and the size of the cache can affect the length of the delay.

Cisco Security Agent with Secure Desktop and Cache Cleaner

Because Secure Desktop and Cache Cleaner connect tightly with the OS, the Cisco Security Agent often prompts the user to confirm that the CSD components can be trusted. It is important that the user confirms that they can be trusted when prompted by a dialog.

CSA Versions before V4.5 often prompt the user on the local desktop instead of Secure Desktop; for this reason we encourage administrators to check the "Enable switching between Secure Desktop and Local Desktop" configuration option.

Installation Guidelines

CSD Installation through a Proxy

To specify CSD installation through a proxy server, regardless of the browser, go to the Internet Options control panel under Microsoft Windows, click the Connections tab, and click the LAN Settings button.

To use the ActiveX installation of CSD, go to the "Internet Options" control panel under Windows, click the Advanced tab, and enable the "Use HTTP 1.1" option.

To use the Java installation of CSD, go to the "Java" control panel under Windows, click the General tab, click the Network Settings button, and configure the proxy.

New Certificate Required

Cisco Secure Desktop 3.6 is signed with the new certificate VeriSign Class 3 Public Primary Certification Authority - G5. Upon installation, Windows XP, Windows Vista, Mac OS X, and Linux users might see a downloader error message, such as the following:

An internal certificate chaining error has occurred.

This event can occur if one or all of the following are true:

One has intentionally pruned root certificates.

Update Root Certificates is disabled.

The internet is not reachable when an upgrade occurs (e.g. you have your ASA in a private network without Internet access).

CSD installations and upgrades might require endpoint users to install the root CA before upgrading or installing CSD. To do so, enable Update Root Certificates and verify that the Internet is reachable before the CSD installation. By default, Update Root Certificates is enabled. Users can also update the root CA manually, as instructed on the VeriSign website.

For more information, see:

http://technet.microsoft.com/en-us/library/bb457160.aspx

http://technet.microsoft.com/en-us/library/cc749331%28WS.10%29.aspx

Starting Applications from within Folders Created inside Secure Desktop

Microsoft Windows treats folders created within Secure Desktop differently from other folders. An application cannot always determine the default folder location for files if you start it from within these folders. For example, if you create a folder within a Secure Desktop session, open the command prompt, change the directory to that folder without specifying the full path, and run FTP, it does not download files to that folder. We recommend that you specify the full path or explicitly change the working directory (for example, using the lcd command in the case of FTP) from within the applications. This problem occurs only for applications launched from within a shell. Otherwise, the problem does not occur.

Caveats

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


The following sections list the caveats this release resolves and the open caveats.

Caveats Resolved by CSD Release 3.6.185

Table 2 lists the caveats that have been resolved by CSD Release 3.6.185.

Table 2 Caveats Resolved by 3.6.185

Caveat ID   Headline
CSCsw17514  CSD:deny access if emulation message box has blank button
CSCtd26933  CSD: Hostscan returns protection="vault" with XP 64,should return "secur
CSCtl17920  CSD only logs the last connection attempt
CSCtn87540  CSD Add support for Avast
CSCtn93301  CSD 3.5 fails to validate Sophos AV 7.x on MacOSX
CSCto11223  Upgrade csd from 3.5.x to 3.6.x sets the data.xml file to defaults
CSCto45087  We need a way to roll over logs like AnyConnect VPN RollingLogger
CSCto65864  Improper return value for the Kaspersky Antivirus
CSCto91503  CSD: PreLogin Device Protection is reported incorrectly
CSCto96682  AnyConnect Hostscan module noisy log warnings
CSCtq00045  Vault login denied when Host Scan incorrectly reports main.exe not running
CSCtq02168  Errors in CSD 3.6 prelogin policy panel if reusing data.xml from CSD 3.5
CSCtq08733  cscan.exe consuming 195MB of memory and climbing
CSCtq18019  CSD weblaunch with ActiveX fails (Java OK) - Fingerprints do not match
CSCtq34383  Privacy protection value not working
CSCtq48037  DOC: Need to remove wrong doc on csd Prelogin Cert check for MAC
CSCtq61788  Expired cert with CSD's Java file....
CSCtq68002  CSD: Error 1920 when installing CSD 3.6.181 MSI on French Windows 7
CSCtq81064  DOC: CSD does not support Symantec Endpoint Protection 12.x anti-spyware
CSCtq92552  CSD: HostScan fails to check LastUpdate for Microsoft Forefront AV


Caveats Resolved by CSD Release 3.6.181

This table lists the caveats that have been resolved by CSD Release 3.6.181.

Table 3 Caveats resolved by CSD 3.6.181

Caveat ID   Description
CSCsr68962  CSD: KeyStroke Logger should require no initial interaction
CSCsx05118  CSD displays "Inspection has timed out or exited unexpectedly"
CSCtc05747  Prelogin OS list should include Windows 7
CSCtd23098  An instance of IE is not closed by Cache Cleaner on disconnect
CSCte49200  CSD: Add support for Norton AV 2010 and Internet Sec 2010
CSCtf31080  CSD: Host Scan Displays unlisted OID numbers as "O"
CSCtf33588  CSD 3.5 & anyconnect SBL w/ keystroke logger fails with hostscan error
CSCtf34055  CSD: AV not recognized by HS when KSL-MachineCert are enabled
CSCtf36376  CSD: Machine Cert detection fails when all Locations have KSL enabled.
CSCtf39471  CSD 3.5 Explain new Cache Cleaner behavior in docs
CSCtf46292  Heap leak in libcsd.dll causing vpnui.exe to crash
CSCtf78998  CSD: Linux Hostscan generates large number of /tmp/OPSWAT_* files
CSCtf93020  HostScan invokes UAC for Admin Users on Vista in any case
CSCtf94771  CSD secure Vault ignores proxy configured via PAC file
CSCtf98980  CSD: Hostscan fails to return AV info->unable to download required library
CSCtf99181  CSD should fall back to non-predeploy if ciscod can't be contacted
CSCth08882  CSD: Hostscan doesn't update 'lastupdate' for AV after forced AV update
CSCth42819  CSD: Prelogin Check cannot find certificate in Trusted Root CA folder
CSCth43939  CSD 3.5: Add DLLexceptions for Apps operation in Vault with ASA 8.3
CSCth53868  CSD:Vault does not allow smart tunnel access to CWA (VistaSP1+IE8)
CSCth58570  CSD not detecting hotfix
CSCth76255  CSD fails to read and evaluate top level registry keys
CSCti35153  OPSWAT causes memory leak
CSCti62349  UI is crashing in csdlib with CSD/hostscan enabled
CSCtj03005  Remote Code Execution Vulnerability in Cisco Secure Desktop. (Active X)
CSCtj07374  CSD - documentation of endpoint.device.hostname is missing
CSCtj59457  Libcsd.dll Causes GUI Crash
CSCtj61980  Implement logic to automatically restart the ciscod service if it fails
CSCtj62430  CSD fails to download and launch the stub when pre-deployed on Win7
CSCtj69426  Hostscan fails to report the path during process check on win7-32
CSCtj86557  CSD: Hostscan not reporting AV in Vault
CSCtj86833  AV.activescan value returned is "Ok" for disabled SymantecEndpoint
CSCtj99800  Vault not launching on Win 7.
CSCtk36156  CSD Vault/Hostscan is not launching with pre-deployment kit
CSCtk47345  failure while adding rule to firewall in win 7
CSCtl12989  Anyconnect credential page appears outside Vault with AC 2.5
CSCtl42142  CSD ver 3.6.152 has wrong Preinstaller (.msi) Package
CSCtn39379  Block port via firewall not working in Linux
CSCtn59240  Cannot configure certain file versions for pre-login file check
CSCtn71355  Release Notes link for CSD 3.5.2008 points to CSC 3.5.1077
CSCtn99517  FileScan is not working when some applications open target file
CSCto08218  Active-x & java not working_179 build


Caveats Resolved by Host Scan Engine Update 3.0.7042

Table 4 lists the caveats that Host Scan Engine Update, 3.0.7042 resolves.

Table 4 Caveats Resolved by Host Scan Engine Update, 3.0.7042

Defect ID   Headline
CSCtl00606  CSD Messaging needs to be reworked
CSCts26155  Host Emulation Detection not working on XP-64 bit
CSCtu69444  hostscan-win-build-pre-deploy-k9.msi file
CSCtu69657  Un-installation of older predeploy kit not happening automatically.
CSCtw70984  cscan.exe errors keep popping up modal with 3.0.5MR - CoreUtils.dll
CSCtw96017  POSTURE: [libcsd+3661] vpnui.exe: c0000005 (Crash 32bit)
CSCtx22002  POSTURE: [cscan!restore_ie_history+102] cscan.exe: c0000005 (Crash 32bit)


Caveats Resolved by Host Scan Engine Update 3.0.5009

Table 5 lists the caveats that Host Scan Engine Update, 3.0.5009 resolves.

Table 5 Caveats Resolved by Host Scan Engine Update, 3.0.5009

Defect ID   Headline
CSCts32184  HS:clean up persistent HostScan sessions.


Caveats Resolved by Host Scan Engine Update 3.0.4216

Table 6 lists the caveats that Host Scan Engine Update, 3.0.4216 resolves.

Table 6 Caveats Resolved by Host Scan Engine Update, 3.0.4216

Identifier  Headline
CSCtr35869  Telemetry fails to detect AV(McAfee) is installed
CSCtq31755  CSD: Prelogin Check cannot check for Root certificate on Mac OS X clients


Caveats Resolved by Host Scan Engine Update 3.0.4207

Table 7 lists the caveats that Host Scan Engine Update, 3.0.4207 resolves.

Table 7 Caveats Resolved by Host Scan Engine Update, 3.0.4207

Identifier  Headline
CSCtq48037  DOC: Need to remove wrong doc on csd Prelogin Cert check for MAC
CSCtq68002  CSD: Error 1920 when installing CSD 3.6.181 MSI on French Windows 7
CSCtq86204  Cscan popups taking place every minute
CSCtr20825  libcsd support for input callbacks was lost in 3.6 release


Caveats Resolved by Host Scan Engine Update 3.0.4016

Table 8 lists the caveats that Host Scan Engine Update 3.0.4016 resolves.

Table 8 Caveats Resolved by Host Scan Engine Update, 3.0.4016

Identifier  Headline
CSCsw17514  CSD: Deny access if emulation message box has blank button
CSCtd26933  CSD: Hostscan returns protection="vault" with XP 64,should return "secure desktop"
CSCtk99496  Hostscan Prelogin Error on AnyConnect on Red Hat 5.3 when FIPS enabled
CSCtl17920  CSD only logs the last connection attempt
CSCtn87540  CSD Add support for Avast 6.0
CSCtn93301  CSD 3.5 fails to validate Sophos AV 7.x on MacOSX
CSCto45087  We need a way to roll over logs like AnyConnect VPN RollingLogger
CSCto65864  Improper return value for the Kaspersky Antivirus
CSCto96682  AnyConnect Hostscan module noisy log warnings
CSCtq00045  Vault login denied when Host Scan incorrectly reports main.exe not running
CSCtq08733  cscan.exe consuming 195MB of memory and climbing
CSCtq18019  CSD weblaunch with ActiveX fails (Java OK) - Fingerprints do not match
CSCtq61788  Expired cert with CSD's Java file....
CSCtq81064  DOC: CSD does not support Symantec Endpoint Protection 12.x antispyware
CSCtq92552  CSD: HostScan fails to check LastUpdate for Microsoft Forefront AV


Open Caveats in CSD

Table 9 lists the severity 1-3 caveats that are open in this release:

Table 9 Open Caveats

Caveat ID   Description
CSCsw86243  CSD auto close vault dialog box fails to appear-using "withoutcsd"
CSCsw98952  Image does not shrink to fit screen size in Vault customization.
CSCsx78621  Hostscan log does not get overwritten with Secure Vault
CSCsy98882  CSD Vault should allow AnyConnect Downloader from any temp folder
            Marked as a "Duplicate" and combined with CSCtk32640 - CSD:Vault should check file signature, instead of white-listing a folder
CSCsz67469  Hostscan with Secure Vault fails to detect Service Pack on 64-bit Vista
CSCsz89773  CSD fails to detect Elite key logger software
CSCtc12807  "Disable Cancel Button" should not appear in the management plugin
CSCtc87581  Processor Architecture is not reported by Secure Vault
CSCtd18875  Cache Cleaner Customization should be removed from the management plugin
CSCte04839  Feedback is not provided on errors in manual launch
CSCte04866  Customization of Posture Assessment messages with CSD not working
CSCte15402  Session cache created 0~30 secs after logon is not cleaned Mac 10.6.x.
CSCtf40994  CSD 3.5 Cache Cleaner termination, long delay in closing browser
CSCtf70014  CSD: Hostscan reports incorrect time since last AV update
CSCtf96678  CSD: Weblaunch reports activex failure when Vault is loading
CSCtg66300  CSD: Vault Java install times out
CSCtg66943  CSD: Firefox Proxy settings are not carried forward into Vault
CSCtg68119  CSD: Cache Cleaner fails to clear the FF browser history
CSCti24021  Posture localization PO file needs updated translation
            This defect was previously listed as CSCtd94967 - Localization template files should be updated
CSCti30822  Contents not moved when folder created outside Vault is moved in Vault
CSCti97720  Remote Code Execution Vulnerability in Cisco Secure Desktop.
CSCtk32640  CSD:Vault should check file signature, instead of white-listing a folder
CSCtk94865  Copy Paste between secure desktop and local desktop is working
CSCtk95278  After launching Cache cleaner, the cache files are not getting cleared.


 

Related Documentation

Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6

List of Antivirus, Antispyware, and Firewall Applications Supported by Host Scan.

Open Source Used In Cisco Secure Desktop, Release 3.6

AnyConnect Secure Mobility Client Release Notes

AnyConnect Secure Mobility Client Administrator Guide

Cisco ASA 5500 Series Release Notes

Cisco ASDM Release Notes

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.