Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3)


Revised: June 24, 2008, OL-14508-01

Contents

These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(3). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.

Cisco NAC Appliance Releases

Cisco NAC Appliance Service Contract/Licensing Support

System and Hardware Requirements

Software Compatibility

New and Changed Information

Cisco NAC Appliance Agents

Clean Access Supported AV/AS Product List

Caveats

Known Issues for Cisco NAC Appliance

New Installation of Release 4.1(3)

Upgrading to 4.1(3)

Troubleshooting

Documentation Updates

Obtaining Documentation and Submitting a Service Request

Cisco NAC Appliance Releases

| Cisco NAC Appliance Version | Availability |
| --- | --- |
| 4.1.3.2 (Windows Agent Only) | April 7, 2008 |
| 4.1.3.1 (Mac OS X Agent Only) | February 21, 2008 |
| 4.1.3.1 ED | February 18, 2008 |
| 4.1.3.10 (Cisco NAC Web Agent Only) | January 24, 2008 |
| 4.1.3.1 (Windows Agent Only) | January 15, 2008 |
| 4.1(3) ED | December 20, 2007 |



Note: Any ED release of software should be utilized first in a test network before being deployed in a production network.


Cisco NAC Appliance Service Contract/Licensing Support

For complete details on service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the Cisco NAC Appliance Service Contract / Licensing Support.

System and Hardware Requirements

This section describes the following:

System Requirements

Hardware Supported

Supported Switches for Cisco NAC Appliance

VPN and Wireless Components Supported for Single Sign-On (SSO)

System Requirements

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for system requirement information for the Clean Access Manager (CAM), Clean Access Server (CAS), and Cisco NAC Appliance Agents.

Hardware Supported

This section describes the following:

Cisco NAC Network Module

NAC-3300 Series Appliances

Important Installation Information for NAC-3310

Additional Hardware Support Information

Cisco NAC Network Module

Release 4.1(3) supports the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs). The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another.

For hardware installation instructions (how to install the NAC network module in an Integrated Service Router), refer to the following sections of the Cisco Network Modules Hardware Installation Guide.

Installing Cisco Network Modules in Cisco Access Routers

Connecting Cisco Network Admission Control Network Modules

For software installation instructions (how to install the Clean Access Server software on the NAC network module) refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.


Note: If introducing the Cisco NAC network module to an existing Cisco NAC Appliance network, you must upgrade all CAM/CAS appliances to release 4.1(2) or later for compatibility.

While upgrading to release 4.1(3) and later is not required to support Cisco NAC network modules, if you are supporting 64-bit Windows Vista client systems, you must upgrade to release 4.1.2.1 or later.


NAC-3300 Series Appliances

Release 4.1(3) supports Cisco NAC Appliance 3300 Series platforms.

Customers have the option to upgrade NAC-3310, NAC-3350, or NAC-3390 MANAGER and SERVER appliances to release 4.1(3) using a single upgrade file, cca_upgrade-4.1.3.x.tar.gz.

CD installation of release 4.1(3) is also supported:

For NAC-3310 and NAC-3350, the cca-4.1_3-K9.iso file is required for new CD installation of the Clean Access Server or Clean Access Manager.


Note: The NAC-3310 appliance requires special installation directives, as well as a firmware upgrade. Refer to Important Installation Information for NAC-3310 for details.


For NAC-3390, a separate ISO file, supercam-cca-4.1_3-K9.iso, is required for CD installation of the Clean Access Super Manager.


Note: Super CAM software is supported only on the NAC-3390 platform.


Release 4.1(3) and Cisco NAC Profiler

Release 4.1(3) includes the Cisco NAC Profiler Collector component that resides on Clean Access Server installations.

Refer to the Release Notes for Cisco NAC Profiler for updated product information.

See also Known Issues with Cisco NAC Profiler Release 2.1.7.

Important Installation Information for NAC-3310

NAC-3310 Required BIOS/Firmware Upgrade

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

NAC-3310 Required BIOS/Firmware Upgrade

The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer to Known Issue with NAC-3310 CD Installation.

Additional Hardware Support Information

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:

Cisco NAC Appliance 3300 Series hardware platforms

Supported server hardware configurations

Pre-installation instructions for applicable server configurations

Troubleshooting information for network card driver support

See Troubleshooting for further details.

Supported Switches for Cisco NAC Appliance

See Switch Support for Cisco NAC Appliance for complete details on:

Switches and NME service modules that support Out-of-Band (OOB) deployment

Switches/NMEs that support VGW VLAN mapping

Known issues with switches/WLCs

Troubleshooting information

VPN and Wireless Components Supported for Single Sign-On (SSO)

Table 1 lists VPN and wireless components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.

Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO

Cisco NAC Appliance Version
VPN Concentrator/Wireless Controller
VPN Clients

4.1(3)

Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches

N/A

Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) 1

N/A

Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later 2

AnyConnect

Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or later

Cisco SSL VPN Client (Full Tunnel)

Cisco VPN Client (IPSec)

Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Cisco VPN 3000 Series Concentrators, Release 4.7

Cisco PIX Firewall

1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).

2 Release 4.1(3) supports existing AnyConnect clients accessing the network via Cisco ASA 5500 Series devices running release 8.0(3)7 or later. For more information, see VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal and CSCsi75507.



Note: Only the SSL Tunnel Client mode of the Cisco WebVPN Services Module is currently supported.


For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3) and the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).

Software Compatibility

This section describes software compatibility for releases of Cisco NAC Appliance:

Software Compatibility Matrixes

Determining the Software Version

For details on Clean Access Agent and Cisco NAC Web Agent client software versions and AV integration support, see:

Cisco NAC Appliance Agents

Clean Access Supported AV/AS Product List

Software Compatibility Matrixes

This section describes the following:

Release 4.1(3) Compatibility Matrix

Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix

Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix

Release 4.1(3) Compatibility Matrix

Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Clean Access Agent version supported with each CCA 4.1(3) release (if applicable). CAM/CAS/Clean Access Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.

Table 2 Release 4.1(3) Compatibility Matrix  

Clean Access Manager
Clean Access Server
Cisco NAC Appliance Agents 1
Windows 2
Mac OS X 3
Web Agent 4

4.1.3.1 5
4.1(3)

4.1.3.1 5
4.1(3)

4.1.3.2
4.1.3.1
4.1.3.0

4.1.3.1
4.1.3.0

4.1.3.10
4.1.3.9

4.1.2.x
4.1.1.0
4.1.0.x 6

4.1.2.x
4.1.1.0
4.1.0.x 6

-

-

1 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.

2 Version 4.1.3.0 and later of the Windows Clean Access Agent is compatible with the 4.1(3) CAM and 4.1(3) and later CAS releases. See Cisco NAC Appliance Agents for details and caveats resolved for each Agent version.

3 Mac OS X Clean Access Agent supports authentication only (no posture assessment) and auto-upgrade starting from version 4.1.3.0. See Mac OS X Clean Access Agent Version 4.1.3.0 for details.

4 Cisco NAC Web Agent 4.1.3.9 is a new user access option introduced in release 4.1(3). See Cisco NAC Web Agent Enhancements for more information.

5 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.

6 Cisco strongly recommends running version 4.1.3.0 of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment (Windows only). Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.


Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix

Table 3 shows 4.1(3) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.

Table 3 Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix

| Clean Access Manager: Upgrade From | Clean Access Manager: To | Clean Access Server: Upgrade From | Clean Access Server: To |
| --- | --- | --- | --- |
| 4.1(2)+, 4.1(1), 4.1(0)+ 1, 4.0(x), 3.6(x), 3.5(7)+ 2 | 4.1.3.1 3, 4.1(3) | 4.1(2)+, 4.1(1), 4.1(0)+ 1, 4.0(x), 3.6(x), 3.5(7)+ 2 | 4.1.3.1 3, 4.1(3) |

1 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms.

2 "In-place" upgrade from version 3.5(11) to 4.1(3) is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(3) must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(3). (See CSCsl76977.)

3 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.



Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix

Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(3) CAM/CAS upgrade. You can auto-upgrade any 3.5.1+ Windows Agent directly to the latest 4.1.3.x Windows Agent. You can auto-upgrade Mac OS X Agents starting from version 4.1.3.0 and later.


Note: The temporal Cisco NAC Web Agent is updated on the CAM under Device Management > Clean Access > Updates > Update only; auto-upgrade does not apply.


Refer to the "Cisco NAC Appliance Agents Systems Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance for additional compatibility details.

Table 4 Release 4.1.3.x Agent Upgrade Compatibility Matrix

Clean Access Manager
Clean Access Server
Clean Access Agent 1 , 2 , 3
Upgrade From:
To Latest Compatible Windows Version:
To Latest Compatible Mac OS X Version:

4.1.3.1
4.1(3)

4.1.3.1
4.1(3)

4.1.2.x
4.1.1.0
4.1.0.x 4

4.1.3.2
4.1.3.1 5
4.1.3.0

4.1.3.1 6
4.1.3.0

4.0.x.x
3.6.x.x
3.5.1 and later

4.1.3.1 5
4.1.3.0

1 Clean Access Agent versions are not supported across major releases. Do not use 4.1.3.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 and later Agent directly to the latest 4.1.3.x Agent.

2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.

3 For checks/rules/requirements, version 4.1.1.0 and later Clean Access Agents can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.

4 Cisco strongly recommends running the latest 4.1.3.x version of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.

5 Windows Clean Access Agent version 4.1.3.1 resolves caveat CSCsm05207. See Windows Clean Access Agent Version 4.1.3.1 and Resolved Caveats - Windows Clean Access Agent 4.1.3.1 for details.

6 Auto-upgrade of the Mac OS X Agent is supported starting from version 4.1.3.0 and later. Release 4.1(1) and release 4.1(2)+ do not support auto-upgrade for the Mac OS X Agent. Users can upgrade client machines to the latest Mac OS X Agent by downloading the Agent via web login and running the Agent installation. For more information, see Mac OS X Clean Access Agent Enhancements.


Determining the Software Version

There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.

Clean Access Manager (CAM) Version

Clean Access Server (CAS) Version

Cisco NAC Appliance Agents Versioning

Cisco Clean Access Updates Versioning

Clean Access Manager (CAM) Version

The top of the CAM web console displays the software version installed. After you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.

The software version is also displayed as follows:

From the CAM web console, go to Administration > CCA Manager > System Upgrade | Current Version

SSH to the machine and type: cat /perfigo/build

CAM Lite, Standard, Super

The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of the CAM web console identifies the type of CAM license installed:

Cisco Clean Access Lite Manager supports 3 Clean Access Servers (or 3 HA-CAS pairs)

Cisco Clean Access Standard Manager supports 20 Clean Access Servers (or 20 HA-CAS pairs)

Cisco Clean Access Super Manager supports 40 Clean Access Servers (or 40 HA-CAS pairs)

Note the following:

The Super CAM software runs only on the Cisco NAC-3390 MANAGER.

Initial configuration is the same for the Standard CAM and Super CAM.

Software upgrades of the Super CAM use the same upgrade file and procedure as the Standard CAM. You can use web upgrade or console/SSH instructions to upgrade a Super CAM to the latest release. However, a new CD installation of the Super CAM requires a separate .ISO file.

Clean Access Server (CAS) Version

You can determine the CCA software version running on the Clean Access Server (whether NAC-3300 appliances or Cisco NAC network modules) using the following methods:

From the CAM web console, go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Misc > Update | Current Version

From the CAS direct access console, go to Administration > Software Update | Current Version (the CAS direct console is accessed via https://<CAS_eth0_IP_address>/admin)

SSH or console to the machine (or network module) and type cat /perfigo/build


Note: If configuring High Availability CAM or CAS pairs, see also Access Web Consoles for High Availability for additional information.


Cisco NAC Appliance Agents Versioning

On the CAM web console, you can determine versioning for the Cisco NAC Appliance Agents from the following pages:

Monitoring > Summary (Windows Setup/Patch, Mac OS X Agent, Web Agent)

Device Management > Clean Access > Clean Access Agent > Distribution (persistent Agents only)

Device Management > Clean Access > Updates > Summary (all Cisco Updates versioning and Agent Patch Version; see also Cisco Clean Access Updates Versioning)

Device Management > Clean Access > Clean Access Agent > Reports | View (individual report shows username, operating system, Clean Access Agent version and type, System/User domain information, client AV/AS version)

From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:

Right-click About to view the Agent version.

Right-click Properties to view AV/AS version information for any AV/AS software installed, and the Discovery Host (used for L3 deployments)

Cisco Clean Access Updates Versioning

To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, Cisco NAC Web Agent, Clean Access Agent Upgrade Patch, and Supported AV/AS Product List, go to Device Management > Clean Access > Updates > Summary on the CAM web console. See Clean Access Supported AV/AS Product List for additional details.

New and Changed Information

This section describes enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.

Enhancements in Release 4.1.3.2

Enhancements in Release 4.1.3.1

Enhancements in Release 4.1(3)

See Cisco NAC Appliance Agents for new features and enhancements to Cisco NAC Appliance Agents.

For additional details, see also:

Hardware Supported

Clean Access Supported AV/AS Product List

Caveats

Known Issues for Cisco NAC Appliance

Enhancements in Release 4.1.3.2

Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.2)

Added Agent language template support for Russian, Turkish, and Serbian (Cyrillic) for Windows Agents. The Agent will display localized text for these languages if run from a localized Windows operating system.


Note: The Agent picks the correct language template based on the local computer Locale (under Control Panel > Regional and Language Options). Cisco recommends using the localized Agent in the localized version of Windows (e.g. French Agent in French Windows). Agent language template support only controls what the viewer sees after the Agent is installed; it does not include support for different client operating systems for the Agent Installer or for AV/AS products.



Note: If the administrator includes non-English text in the CAM configuration (e.g. non-English characters in a requirement description or registry value check), it may not be displayed correctly or run correctly.


See Cisco NAC Appliance Agents for enhancement details per Agent version.

Enhancements in Release 4.1.3.1

Release 4.1.3.1 is a general and important bug fix release for the Clean Access Manager and Clean Access Server that addresses the caveats described in Resolved Caveats - Release 4.1.3.1. No new features are added.

For upgrade instructions, please refer to Upgrading to 4.1(3).

Enhancements in Release 4.1(3)

This section details the enhancements delivered with Cisco NAC Appliance release 4.1(3) for the Clean Access Manager and Clean Access Server.

General Enhancements

Cisco NAC Web Agent

Support for Clients with Multiple Active NICs

Clean Access Server HA Heartbeat Link Enhancement

Clean Access Manager HA Configuration and Heartbeat Link Enhancements

Guest User Login and Registration Enhancements

LDAP Authentication Enhancement

Clean Access Server and WSUS Interaction Enhancement

Agent Restricted User Access Enhancement

Device Filter List Display and Import/Export Enhancement

Agent Report Information Display and Export Enhancement

VPN SSO Login Enhancement

VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal

Syslog Configuration Enhancement

Debug Log Download Enhancement

cisco_api.jsp Enhancement

CSRF Protection

Proxy Support Enhancements

ARP Broadcast Packet Handling Improvement

Clean Access Server HA ARP Broadcast Enhancement

Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

Clean Access Agent Auto Remediation

Delay Agent Logoff on CAM/CAS

64-bit Windows Operating System Agent Support

Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

Access to Authentication VLAN Change Detection Enhancement

SNMP Inform Notification Enhancement

SNMP "MAC Move Notification" Switch Port Configuration Support

Cisco NAC Appliance Agent Enhancements

Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)

General Enhancements

Cisco NAC Web Agent


Warning: Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.


Cisco NAC Appliance release 4.1(3) introduces a new temporal Agent for Windows client machines. Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity: it exists on the client machine only long enough to accommodate a single user session. The user does not download and install an Agent application. Instead, the user opens a browser window, logs in to the Cisco NAC Appliance web login page, and chooses to launch the Cisco NAC Web Agent. An ActiveX control or Java applet (you specify the preferred method using the Web Client (Active X/Applet) option in the Administration > User Pages > Login Page configuration page) then initiates a self-extracting stub installer on the client machine to install Agent files in the client's temporary directory, perform posture assessment (scanning the system to ensure security compliance), and report compliance status back to the Cisco NAC Appliance system. During this period, the user is granted access only to the Temporary Role. If the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following:

Manually remediate/update the client machine and try to test compliance again before the Temporary Role times out

Accept "restricted" network access for the time being and try to ensure the client machine meets requirements for the next login session


Note: The Cisco NAC Web Agent does not perform client remediation. Users must adhere to Cisco NAC Appliance requirement guidelines independent of the Web Agent session to ensure compliance before they can gain access to the internal network. If users are able to correct/update their client machine to be compliant before the Temporary Role time-out expires, they can choose to "Re-scan" the client machine and successfully log in to the network.


Once the user has provided appropriate login credentials and the Web Agent ensures the client machine meets the NAC Appliance security requirements, the browser session remains open and the user is logged in to the network until the user clicks the Logout button in the Web Agent browser window, shuts off their system, or the NAC Appliance administrator terminates the session from the CAM. After the session terminates, the Web Agent "removes" itself from the client machine and the temporary files used to install are deleted from the system.


Note: Security restrictions for the "Guest" user profile in Windows Vista operating systems prevent ActiveX controls and Java applets from running properly. Therefore, you must log into the Windows Vista client machine as a known user (not a "Guest") in order to log into Cisco NAC Appliance via the Web Agent.


The Cisco NAC Web Agent enhancement affects the following page of the CAM web console:

Device Management > Clean Access > General Setup > Agent Login—new Require use of Cisco NAC Web Agent option to enable the Cisco NAC Web Agent for user login


Note: For system requirements and details on version updates, refer to Cisco NAC Web Agent Enhancements.


Support for Clients with Multiple Active NICs

Cisco NAC Appliance release 4.1(3) includes an enhancement to help stabilize connection problems from client machines with more than one active Network Interface Card (NIC). For example, a client machine may have an active LAN Ethernet connection and an active wireless NIC connection where each interface sends SWISS UDP discovery packets to initiate a connection to a network CAS. To address this potential situation, the CAS now examines the SWISS packets from the client machine to record the requesting NIC IP address and verifies all subsequent SWISS UDP packets for the NIC IP address to ensure the same client only logs in from one interface.

Without this enhancement, the following scenario can occur:

The client machine A sends out SWISS UDP discovery packets to the CAS and receives a response directing the user to enter their authentication credentials. During this process, another active NIC on client machine A sends SWISS UDP discovery packets to the same CAS even though the first interface is already establishing a connection. After the first client session is established, the user sees a login screen again, despite having already successfully established a connection. Until the secondary NIC is disabled or the client machine does something to halt SWISS UDP packet transmission, the user can continually see login screen after login screen.

For information regarding clients with multiple active NICs and how to configure them to interoperate with the Access to Authentication VLAN change detection feature, see Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC.

For more information, see the "Supporting Multiple Active NICs on the Clean Access Agent Client Machine" section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).

Clean Access Server HA Heartbeat Link Enhancement

Clean Access Server HA heartbeat link capabilities have been enhanced in release 4.1(3). In addition to the existing serial interface and optional trusted (eth0 and eth2/eth3) interface heartbeat connections, you can now also configure the CAS to employ the (untrusted side) eth1 interface to provide redundant HA heartbeat monitoring.

This enhancement affects the following page of the CAS web console:

Administration > Failover > General | HA-Primary Mode and HA-Secondary Mode CAS mode configuration pages now allow for up to three optional Heartbeat UDP Interfaces: one dedicated on the (trusted side) eth0; one dedicated on the (untrusted side) eth1 interface; and a third on either of the eth2 or eth3 interfaces, if installed and enabled.

Clean Access Manager HA Configuration and Heartbeat Link Enhancements

In release 4.1(3), the Clean Access Manager web console interface now features a new (separate) Failover tab as well as additional failover configuration settings to support up to three optional redundant Heartbeat UDP Interfaces. In addition to the existing optional serial interface and dedicated eth1 interface heartbeat connections, you can now also configure the CAM to employ the (trusted side) eth0 interface and an additional optional Ethernet link to provide redundant HA heartbeat monitoring.

This enhancement affects the following pages of the CAM web console:

Administration > CCA Manager > Network (formerly Network & Failover) no longer features any CAM HA/failover configuration settings

Administration > CCA Manager | new Failover tab featuring HA-Primary Mode and HA-Secondary Mode CAM mode configuration pages that allow for up to three optional Heartbeat UDP Interfaces: one dedicated/preconfigured heartbeat link on eth1; one dedicated link on eth0; and a third on either of the eth2 or eth3 interfaces, if installed and enabled.

Guest User Login and Registration Enhancements

Release 4.1(3) enhances the way the CAM handles Guest user login, registration, and access with a new Guest Registration feature. Rather than allow users to simply gain undifferentiated Guest access to the system, the administrator can now configure guest users to register their own local accounts on the CAM using a variety of fields, including email, phone number, or affiliation. The new feature provides a customizable level of guest authentication using a new Guest Auth Server Type, new Guest Registration configuration pages, and the default guest role.

The CAM can automatically time out guest accounts using token expiration, or flush out unused guest accounts from the local database after a configurable number of days. Administrators can view newly created guest accounts on a new Guest Users local users list, and on the Certified Device List and Online Users List by configured Guest Auth Provider and Guest role.


Note Guest Registration on the CAM in 4.1(3) is independent of the Cisco NAC Guest Server solution. For details on Cisco NAC Guest Server, refer to the Release Notes for Cisco NAC Guest Server, Release 1.0.0.


To update any existing Guest user access model on the CAM to take advantage of the enhancements in release 4.1(3), administrators can perform the following tasks:

1. Disable/remove previous Guest user account(s)—You can accomplish this by either removing all existing guest users from the CAM's user database or (if all existing guest registration information is accessible from the same authentication source) removing the authentication server from the CAM

2. Create a new Guest user role—You can create a new Guest user role just as you would any other login account with which users can access the NAC Appliance system

3. Configure the Guest authentication server—You can configure a Guest authentication server just as you would any other standard authorization server, with the addition of two "housekeeping" features designed for Guest user authentication: an account lifetime setting and an option that enables you to automatically remove invalid guest accounts once a specified period of inactivity has passed

4. Configure Guest login page(s)—This function allows you to require Guest registration and add existing Guest provider options to the login page

5. Customize the Guest page—You can also specify the content and type of information Guest users must provide during the registration process

This enhancement affects the following pages of the CAM web console:

User Management > Auth Servers > New | new "Guest" Authentication Type and respective settings

User Management > Local Users: now features a new Guest Users tab (formerly a subtab of existing Local Users) with which you can view Guest user information more exclusively

Administration > User Pages | new Guest Registration Page tab with Content and Guest Info subtabs

LDAP Authentication Enhancement

Release 4.1(3) enhances the authentication settings available when authenticating user credentials against an LDAP server. Administrators can now specify either the "Simple" or Generic Security Services Application Programming Interface (GSSAPI) authentication mechanism to better provide secure credential authentication in the network.

This enhancement affects the following pages of the CAM web console:

User Management > Auth Servers > New/Edit | Authentication Type | LDAP and User Management > Auth Servers > Lookup Servers > New both feature the following new user interface settings/options:

New GSSAPI Authentication Mechanism option with associated KDC Timeout (in seconds), KDC/Realm Mapping, Domain/Realm Mapping settings, and Description

New Default Realm LDAP configuration setting

Clean Access Server and WSUS Interaction Enhancement

Release 4.1(3) improves message text for Windows Server Update Services (WSUS) requirements. When the Clean Access Agent encounters a WSUS requirement compliance issue, the Agent launches a secondary client remediation frame from which the user can download the required Windows Update during client posture assessment.


Note For non-admin users of client machines, use of the Stub Agent is mandatory for WSUS requirements.


Agent Restricted User Access Enhancement

Cisco NAC Appliance Agent login behavior has been enhanced in release 4.1(3) to allow users "restricted" network access if/when their client machine does not pass posture assessment as configured in the requirements associated with the user's login role. If this function is enabled by the administrator, a new button labeled "Limited" now appears in the Clean Access Agent login dialog and "Get Restricted Network Access" (or another configurable text string) in the Cisco NAC Web Agent dialog to give the user the option to gain access to a restricted set of network resources via the NAC Appliance system. The administrator has control over which resources are available to users with restricted network access, according to the configuration settings specified in an existing user role. For example, the administrator can create a new user role called "Restricted" in User Management > User Roles that allows users who choose to accept restricted network access to launch their Email program and gain access to the WWW, but nothing else.

This enhancement affects the following web console page:

Device Management > Clean Access > General Setup > Agent Login | Allow restricted network access in case user cannot use Clean Access Agent or Cisco NAC Web Agent

Device Filter List Display and Import/Export Enhancement

Starting from release 4.1(3), Cisco NAC Appliance administrators can export device filter lists to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever the administrator needs them to troubleshoot connection issues or compile statistical reports, and the administrator can import device filter list information to populate (or repopulate) the CAM's device filter database from existing CSV files. In addition, the layout and function of the device filter list display (Device Management > Filters > Devices > List) has been updated in release 4.1(3) to give the administrator more direct control over the specific device entries displayed.

This enhancement affects the following page of the CAM web console:

Device Management > Filters > Devices > List—display page options have been reorganized and the page features two new Import and Export buttons

Agent Report Information Display and Export Enhancement

Starting from release 4.1(3), Cisco NAC Appliance administrators can export Agent report information to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever the administrator needs them to troubleshoot connection issues or compile statistical reports. In addition, the layout and function of the Agent report display list (Device Management > Clean Access > Clean Access Agent > Reports) has been updated in release 4.1(3) to give the administrator more direct control over the specific Agent report entries displayed.

This enhancement affects the following page of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Reports—display page options have been reorganized and the page features two new Export and Export (with text) buttons


Note The Export option creates an Excel file containing the columns displayed in the report viewer (Status, User, Agent, IP, MAC, OS, etc.).

The Export (with text) option provides an extra column containing the raw HTML code of the full Agent report that you can open for each report by clicking on view in the viewer.


VPN SSO Login Enhancement

Release 4.1(3) features a VPN SSO enhancement to ensure that users logging in via VPN are not erroneously presented with the Agent login dialog when signing in. When the user initiates a login session, the CAS passes information alerting the Agent that the user is already part of the VPN login list, thus enabling the CAM to avoid presenting the Agent login screen on the client machine. In network topologies that employ VPN concentrators, this potential situation can be made even more complex if the VPN concentrator delays sending the appropriate VPN login list notification to the CAS. To address this problem, the CAS is now able to specify a delay in the SWISS packet that tells the Agent to wait a short time before presenting the login screen.

VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal

Release 4.1(3) adds accounting update functionality to support existing AnyConnect clients accessing the network via Cisco ASA 5500 Series Adaptive Security Appliances platforms. To support VPN SSO, you must be running Cisco NAC Appliance release 4.1(3) or later and the Cisco ASA 5500 Series device must be running release 8.0(3)7 or later and be configured to send interim accounting update packets.

For example, your Cisco ASA 5500 Series configuration should include:

aaa-server radius protocol radius
interim-accounting-update

For VPN/Wireless SSO support information, refer to VPN and Wireless Components Supported for Single Sign-On (SSO).


Note For additional details on the Cisco ASA enhancement, refer to http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi75507.


Syslog Configuration Enhancement

Release 4.1(3) features a Syslog Settings page configuration enhancement allowing you to specify the Syslog Facility setting for a designated Syslog server where you direct Syslog messages originating from the CAM. You can use the default "User-Level" facility type, or you can assign any of the "local use" Syslog facility types defined in the Syslog RFC ("Local use 0" to "Local use 7"). This feature gives you the ability to differentiate Cisco NAC Appliance Syslog messages from "User-Level" Syslog entries you may already generate and direct to your Syslog server from other network components.

This enhancement affects the following page of the CAM web console:

Monitoring > Event Logs > Syslog Settings | new Syslog Facility dropdown menu and CPU Utilization Interval field
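
The following added example (not Cisco code) shows how a log collector can separate CAM messages from other "User-Level" traffic once the CAM has been assigned a "local use" facility. The facility is carried in the PRI field at the start of each Syslog message (PRI = facility x 8 + severity); the sample lines, host names and the choice of "Local use 4" are constructed for illustration.

```python
import re

# Facility codes from the Syslog RFC: 1 is user-level, 16-23 are local use 0-7.
FACILITIES = {1: "User-Level", **{16 + n: f"Local use {n}" for n in range(8)}}
PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # highest facility (23) with highest severity code (7)


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    match = PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return divmod(pri, 8)


def facility_code(name):
    """Map a facility label such as 'Local use 4' to its numeric code."""
    for code, label in FACILITIES.items():
        if label.lower() == name.lower():
            return code
    raise ValueError(f"unknown facility label: {name!r}")


def split_by_facility(lines, nac_facility_name):
    """Split lines into (NAC messages, other messages, lines without a usable PRI)."""
    wanted = facility_code(nac_facility_name)
    nac, other, unparsed = [], [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            unparsed.append(line)
        elif decoded[0] == wanted:
            nac.append(line)
        else:
            other.append(line)
    return nac, other, unparsed


# Constructed sample input: two CAM messages sent with "Local use 4" and
# two "User-Level" messages from an unrelated host, plus one damaged line.
SAMPLE_LINES = [
    "<13>Jan 10 09:14:02 appsrv01 myapp: nightly job finished",
    "<166>Jan 10 09:14:05 cam01 nac: constructed CAM event text",
    "<14>Jan 10 09:14:09 appsrv01 myapp: cache refreshed",
    "<163>Jan 10 09:14:11 cam01 nac: constructed CAM error text",
    "Jan 10 09:14:12 relay01 line forwarded without PRI",
]

if __name__ == "__main__":
    nac, other, unparsed = split_by_facility(SAMPLE_LINES, "Local use 4")
    for line in nac:
        facility, severity = decode_pri(line)
        print(FACILITIES[facility], "severity", severity, "|", line)
    print(len(other), "other messages,", len(unparsed), "without PRI")
```

If the CAM is left on the default "User-Level" facility, the same split returns CAM messages mixed with every other user-level sender, which is the situation the new setting is meant to avoid.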

Debug Log Download Enhancement

With release 4.1(3), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. The default setting is one week (7 days). Previously, debug logs included all recorded log entries in the CAM/CAS database.

This enhancement adds a new field, "Download technical support logs for the last [] days" to the following web console pages:

CAM web console: Administration > Clean Access Manager > Support Logs

CAS web console: Monitoring > Support Logs

cisco_api.jsp Enhancement

In Release 4.1(3), the Cisco NAC Appliance API (https://<CAM-IP-address or hostname>/admin/cisco_api.jsp) adds the following new functions which provide support for Cisco NAC Profiler deployments:

bounceport—bounces an OOB switch port according to the switch and/or port ID

bounceportbymac—bounces an OOB switch port according to the associated client machine MAC address

addsubnet—Adds a subnet to the Device Filters list

updatesubnet—Updates a subnet entry in the Device Filters list

removesubnet—Removes a subnet entry from the Device Filters list

The API also includes the following enhancements:

getversion—(new function) returns the version of the CAM

getreports—(modified function) userKey query parameter is removed; agentType (web/win/mac) query parameter is added

See also CSRF Protection. For further details on the Cisco NAC Appliance API, see Appendix B "API Support" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3).

CSRF Protection

Release 4.1(3) enhances protection from Cross-Site Request Forgery attacks, which maliciously exploit web browser sessions. Release 4.1(3) provides the following enhancements:

Upon admin login to the CAM web console, each session receives a randomly-generated token (CCA_TOKEN) which is appended to the login URL and all static links. For example, a link such as https://<cam-ip>/admin/authlist.jsp can no longer be accessed directly without the session token. Note that direct link access displays an error message but does not log the user out of the admin console. The user can simply click the browser's "Back" button to go back to the original page.

The CAS web console login now presents a form-based login page instead of a basic HTTP browser-based popup dialog to authenticate the admin user to the CAS (similar to current CAM web console login).

The Cisco NAC Appliance API (cisco_api.jsp) is further protected against crossovers from sessions initiated via the CAM admin console.
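
The per-session token behavior described above can be modeled as follows. This is an added illustration, not the CAM's implementation: the in-memory session store, the host name cam.example.test, and carrying CCA_TOKEN as a URL query parameter are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "CCA_TOKEN"  # token name from the release notes; query-parameter placement is assumed


class AdminSessions:
    """Hypothetical model of per-session anti-CSRF tokens appended to console links."""

    def __init__(self):
        self._tokens = {}  # session id -> token issued at login

    def login(self, session_id):
        """Issue a fresh, unpredictable token for this admin session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def link(self, session_id, url):
        """Return the static link with this session's token appended."""
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        query[TOKEN_PARAM] = [self._tokens[session_id]]
        return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

    def check(self, session_id, url):
        """Decide how a request is handled.

        "ok"             token matches the one issued to this session
        "error-page"     token missing or wrong; the session itself is kept
        "login-required" no such session
        """
        expected = self._tokens.get(session_id)
        if expected is None:
            return "login-required"
        supplied = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [""])[0]
        # Constant-time comparison so the check does not leak how much matched.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            return "ok"
        return "error-page"


if __name__ == "__main__":
    sessions = AdminSessions()
    sessions.login("admin-session-1")
    bare = "https://cam.example.test/admin/authlist.jsp"
    print(sessions.check("admin-session-1", bare))                                      # direct link
    print(sessions.check("admin-session-1", sessions.link("admin-session-1", bare)))   # console link
```

Because the token travels in the URL, it also appears in browser history, proxy logs and Referer headers, so those records should be handled as carefully as session identifiers.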

Proxy Support Enhancements

Starting with release 4.1(3), proxy-related enhancements enable you to configure the Clean Access Server to allow proxy support for user login sessions using the Unauthenticated role:

Client machines requiring a preconfigured Proxy PAC (Proxy Auto Config) file to access network resources can now get the file via the CAS, rather than directly from a dedicated Enterprise Proxy server. Previously, allowing user access through the CAS to an Enterprise Proxy server would have required allowing all traffic for the Unauthenticated role, which does not allow all traffic by design.


Note A Proxy PAC file is only required when the URL has the same IP address and port assignment as the proxy server. Otherwise, Cisco recommends using the existing IP or Host Traffic Policy to specify the Proxy PAC URL.


You can now configure CAS Host Policies to validate users assigned to the Unauthenticated role using a proxy server, where before you could not.

You can now redirect traffic to a login web page for HTTPS requests via a proxy server (previously was HTTP requests only).

Port 80 is supported as the proxy port.


Note You must "exempt" the CAS from proxy settings. That is, client machines should access the CAS directly without passing traffic through a proxy server.


These enhancements affect the following pages of the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Proxy—new PAC (Proxy Auto Config) file URL field

Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Hosts—updated Parse Proxy Traffic option (no longer excludes Unauthenticated Role)

ARP Broadcast Packet Handling Improvement

Release 4.1(3) features an ARP broadcast enhancement that helps alleviate erroneous ARP broadcast "re-broadcasting." When an ARP broadcast packet arrives at the untrusted eth1 interface on the CAS, the CAS now checks to verify the nature of the broadcast packet. If the destination IP address is a known IP address or a valid IP address as part of a managed subnet, the CAS "re-broadcasts" the packet on to the appropriate managed subnet. If the packet in question is an ARP broadcast itself (a request for the owner of x.y.z.255, for example), then the CAS does not forward/rebroadcast the request because no host on the managed subnet will be able to respond appropriately.

Therefore, the NAC Appliance system now performs as follows when we receive a broadcast message (with a broadcast destination IP address) at the trusted side of the CAS:

1. If the broadcast destination IP address is 255.255.255.255, NAC Appliance rebroadcasts the packet to all subnets on the untrusted side

2. If the broadcast destination IP address is the untrusted (eth1) interface's main subnet broadcast IP address, NAC Appliance rebroadcasts the packet to that subnet on the untrusted side

3. If the broadcast destination IP address is the broadcast IP address of one of the managed subnets on the untrusted (eth1) interface, NAC Appliance rebroadcasts the packet to that subnet on the untrusted side
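
The decision logic in this section can be written out as below. This is an added example, not CAS code: the subnet values are constructed, "all subnets on the untrusted side" is taken to mean the eth1 main subnet plus the managed subnets, the "known IP address" lookup is omitted, and cases the release notes do not describe are reported as unmatched rather than guessed.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def _nets(cidrs):
    return [ipaddress.IPv4Network(c) for c in cidrs]


def rebroadcast_targets(dst_ip, eth1_main_subnet, managed_subnets):
    """Apply rules 1-3 to a packet whose destination IP is a broadcast address.

    Returns (rule_number, [subnets to rebroadcast to]). Rule 0 means none of
    the three rules matched; the release notes do not describe that case.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    main = ipaddress.IPv4Network(eth1_main_subnet)
    managed = _nets(managed_subnets)
    if dst == LIMITED_BROADCAST:
        return 1, [str(n) for n in [main] + managed]
    if dst == main.broadcast_address:
        return 2, [str(main)]
    for net in managed:
        if dst == net.broadcast_address:
            return 3, [str(net)]
    return 0, []


def arp_request_action(target_ip, managed_subnets):
    """Classify an ARP broadcast by the IP address it asks about.

    "rebroadcast": the target is a host address in a managed subnet.
    "drop":        the target is itself a subnet broadcast address
                   (for example x.y.z.255), which no host can answer for.
    "unspecified": not covered by the subnet checks modeled here.
    """
    target = ipaddress.IPv4Address(target_ip)
    for net in _nets(managed_subnets):
        if target == net.broadcast_address:
            return "drop", str(net)
        if target in net and target != net.network_address:
            return "rebroadcast", str(net)
    return "unspecified", None


# Constructed topology for the demonstration.
ETH1_MAIN = "10.1.0.0/24"
MANAGED = ["10.1.10.0/24", "10.1.20.0/24"]

if __name__ == "__main__":
    for dst in ("255.255.255.255", "10.1.0.255", "10.1.20.255", "10.1.20.7"):
        print(dst, rebroadcast_targets(dst, ETH1_MAIN, MANAGED))
    for target in ("10.1.10.25", "10.1.10.255", "192.0.2.5"):
        print(target, arp_request_action(target, MANAGED))
```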

Clean Access Server HA ARP Broadcast Enhancement

Release 4.1(3) features an ARP broadcast enhancement to improve Clean Access Server HA capabilities. In the event of a CAS failover, the HA-Secondary CAS (which assumes the HA-Primary role) now sends ARP request broadcast messages to all managed subnets on the untrusted (eth1) interface instead of just the primary subnet. These gratuitous ARPs help ensure that all clients on the untrusted side of the NAC Appliance network have a chance to update their ARP tables with the IP and MAC address of the new active CAS instead of first experiencing a session time-out and having to re-establish connection to the new active CAS.

Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

The "Retag Trusted-side Egress Traffic with VLAN (In-Band)" feature for User Roles is deprecated in Release 4.1(3) and will be removed completely in a future release.

This affects the following page of the CAM web console:

User Management > User Roles > New Role | Edit Role

Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

The "Roaming" and "IPSec/L2TP/PPTP/PPP" features that have been deprecated in previous Cisco NAC Appliance releases now no longer appear in the web console interface for release 4.1(3). This change affects many pages of the CAM and CAS web user interfaces, most notably:

The CAM web console Device Management node no longer features the Roaming menu item

The CAS Status module list (Device Management > CCA Servers > Manage [CAS_IP] > Status) no longer features the IPSec Server category

The CAS Network tab (Device Management > CCA Servers > Manage [CAS_IP] > Network) no longer features the IPSec, L2TP, PPTP, or PPP subtab headings

The CAM User Roles list (User Management > User Roles > List of Roles) no longer features the IPSec or Roam column headings

The CAM User Roles configuration screen list (User Management > User Roles > List of Roles > Edit) no longer features the VPN Policy dropdown menu, Roam Policy configuration radio buttons, or the IPSec info or PPP info options for the Show Logged-on Users display settings

The CAM Online Users display options configuration page (Monitoring > Online Users > Display Settings) no longer features the IPSec Key, IPSec Type, or Foreign CCA Server options

Clean Access Agent Auto Remediation

Release 4.1(3) introduces a new configurable Remediation Type [Manual | Automatic] option when configuring Clean Access Agent Requirements for the following requirement types:

Link Distribution

AV Definition Update

AS Definition Update

Windows Update

Launch Programs

Windows Server Update Services

Choosing the Manual Remediation Type preserves the previous Agent behavior. The user has to click through each of the requirements using the Next button.

Choosing the Automatic Remediation Type sets the Agent to perform Auto Remediation. When Auto Remediation is configured, the Clean Access Agent automatically performs updates or launches required programs on the client after the user logs in.

During Auto Remediation, the Agent dialog displays only two buttons: Details and Manual. Clicking Details shows additional progress messages for the auto remediation. Clicking Manual changes the Agent back to Manual mode, where the user has to click through each requirement.

The auto-remediation actions the Agent performs depend on the requirement type, such as:

Auto launching of URL in default browser for Link Distribution

Auto-update of AV/AS definition files

Auto launching of Windows Auto Update(s) (in background)

Auto launching of programs for Launch Programs

Auto installation of WSUS client updates

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement (adds new fields Remediation Type: [Manual | Automatic]/ Interval[] Secs/Retry Count [] to all requirement types except File Distribution and Local Check)


Note The Remediation Type configuration option is available for all Enforcement Types (Mandatory, Optional, Audit).

File Distribution and Local Check requirement types do not support the new Automatic Remediation Type, and for these requirement types, the new Remediation Type: [Manual | Automatic]/ Interval[] Secs/Retry Count [] entry does not appear at all on the UI.



Note For Download/Next/Cancel buttons, if the requirement is Mandatory, the "Next" button is disabled until the requirement is met.


Delay Agent Logoff on CAM/CAS

User logoff behavior for the Windows Clean Access Agent in In-Band deployments has been enhanced in release 4.1(3) to ensure that all scripts necessary to log the user out of the NAC Appliance system have had a chance to complete before the CAS restricts user traffic. The drawback of users not having had a chance to successfully log out of the CAM/CAS before Windows shuts down is that the user session may remain "active" on the CAM (the user ID and session information still appear in the Monitoring > Online Users > View Online Users display) and the user suffers connection issues the next time they attempt to connect to the network from the same client machine. To address this situation, the administrator can now configure a period of time to delay Agent logout from the CAS/CAM to ensure enough time to complete the logout script(s).

This enhancement affects the following page of the CAM web console:

Device Management > Clean Access > General Setup > Agent Login | Logoff Clean Access Agent users from network on their machine logoff or shutdown after <x> secs (for Windows & In-Band setup) option now reflects the capability to specify a delay for Agent logout

64-bit Windows Operating System Agent Support

In release 4.1(3), the Windows Clean Access Agent and Cisco NAC Web Agent perform authentication only on 64-bit Windows Vista and Windows XP client operating systems.


Note The 4.1.3.0 Clean Access Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.1.2.1 or later. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform posture assessment/remediation on the client machine.


Supported AV/AS Product List Enhancements (Version 67)

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

See Supported AV/AS Product List Version Summary for details on each update to the list.

Out-of-Band Enhancements

Access to Authentication VLAN Change Detection Enhancement

Cisco NAC Appliance release 4.1(3) further enhances VLAN change detection mechanisms for Clean Access Agent machines in Out-of-Band (OOB) deployments to allow the client port to change from the Access to the Authentication VLAN without having to bounce the port.


Caution The Access to Authentication VLAN Change Detection feature should only be used for OOB deployments that require client DHCP IP refresh/renew. DHCP refresh/renew is configured under Administration > User Pages > Login Page > List > Edit > General | Use web client to release and renew IP address when necessary (OOB). If your OOB deployment makes use of port bouncing, this feature is not needed and should not be configured.

This feature applies to the Clean Access Agent only and does not apply to web login or to the Cisco NAC Web Agent. This feature is designed to enhance support for the following deployments:

L3 OOB (Real-IP or Virtual Gateway)

L2 OOB Real IP Gateway

L2 OOB Virtual Gateway with user-role based VLAN assignment

In OOB, when the user is logged out and the client port changes from the Access VLAN to the Authentication VLAN, the IP address for the client machine typically needs to change to coincide with the Authentication VLAN. In OOB, when the user is in the Access VLAN, the Clean Access Agent no longer communicates with the CAM or CAS, so the Agent is not aware when the CAM changes the VLAN for the client port. Although the CAM can bounce the port to change the IP address on the client, this solution is not recommended for IP Phone environments, as it can disrupt voice services.

Versions earlier than 4.1.3.0 of the Windows Clean Access Agent could only learn of a change from the Access VLAN to the Authentication VLAN once the current DHCP lease had expired and the client was forced to re-establish connection. With release 4.1(3), the Agent detects that the client has the wrong IP address for the current VLAN and automatically triggers an IP address change (release/renew) to maintain connection. No additional configuration on the CAM is required to use this enhancement.


Note This feature requires the user to have administrative privileges to the client machine. If the user does not have administrative privileges, then the Agent must be installed via the Clean Access Agent Stub service to ensure the Agent can perform an IP release/renew on the client.


Version 4.1.3.2 of the Windows Clean Access Agent modifies the Access to Authentication VLAN Change Detection feature as follows:

The feature is turned off by default (version 4.1.3.1 and later)

The Agent mechanism for detection changes from ARP to ICMP (ping) by default, and is configurable: ICMP, or ARP, or ICMP then ARP.

There is a new retry detection interval which is configurable. The Agent retries gateway detection a default of 5 times before performing IP refresh.

SWISS VLAN detection checks are enhanced to take multi-NIC configurations into account.

net dhcp stop/start is turned off by default and is configurable with the 4.1.3.2 Agent. Only HKLM settings are now read instead of both HKCU and HKLM settings, and the registry settings will take effect after an Agent login.


Note When using ICMP, the client's default gateway must also allow ICMP responses to client pings.

If the default gateway cannot accommodate responses to Agent ICMP requests, the client machine and the default gateway must be configured to use ARP.

When using ARP with Windows XP and Windows 2000 client machines, use of the Clean Access Agent Stub is required, because standard users typically do not have privileges to alter the ARP cache.

Cisco does not recommend configuring your system to use ARP for client-to-gateway communications, as it can generate unnecessary ARP traffic on the network.


Agent users with non-admin privileges and no Clean Access Agent Stub service installed on the client can use ICMP to detect the VLAN and then enable DHCP services (net dhcp stop/start) to change the client IP address. In order to utilize the option, however, you must configure a Group Policy Object (GPO) granting domain users full control of the DHCP client. Once DHCP control is enabled, the Agent attempts to restart the DHCP client to get a new IP address after failing IP address release/renew. See Table 5 for more information.


Note Agent versions 4.1.3.1 and 4.1.3.2 disable DHCP services (net dhcp stop/start) by default. Enabling this option may result in unexpected behavior, because the Agent refreshes IP addresses on all NICs, not just the one requiring refresh. Therefore, Agent IP refresh/renew is the preferred method for changing the client IP address.



Note Due to a characteristic of Windows 2000, users logged in with standard user privileges can take up to 15 minutes to refresh their IP address. Installing the Clean Access Agent Stub service does not resolve this issue.

This feature may not be compatible with all Cisco NAC Appliance deployments (such as VPN deployments). Therefore, although you can still enable and configure this feature, versions 4.1.3.1 and 4.1.3.2 of the Clean Access Agent disable this feature by default. Refer to Windows Clean Access Agent Version 4.1.3.1 and Windows Clean Access Agent Version 4.1.3.2 for additional details.


Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC

If you use the Access to Authentication VLAN change detection feature on a client machine with more than one active NIC, all active NICs on the client use the feature. By design, the NIC with the lowest metric always takes precedence for routing purposes, and you can determine the metric using the route print command from a command prompt. Client-to-CAS communication depends on the specific scenario:

If both active NICs can simultaneously contact two different CASs, then the Port Profiles configured for the two CASs should feature the same port bouncing and/or IP refresh behavior.

If one of the CASs is in Layer 2 OOB Virtual Gateway mode, and the client somehow switches back to the authentication VLAN (if the client is deleted from the Certified Device List, for example), then the client can no longer ping its default gateway. This situation can result in the client performing unnecessary, repetitive IP refreshes even though that NIC is not the one the client is currently using for traffic.

If this configuration is required, you must configure a traffic policy on the CAM to allow ICMP traffic to the default gateway for the Unauthenticated Role.

If one of the NICs connects to an In-Band CAS and the other connects to an Out-of-Band CAS, then both NICs should function properly whether the Access to Authentication VLAN change detection feature is required or not.

Configuring Registry Keys on the Windows Client

In order to configure a client machine with multiple NICs to appropriately interact with the Cisco NAC Appliance Access to Authentication VLAN detect feature, you must define the appropriate registry keys on the client, as shown in Table 5. The following required DWORD registry keys are all located in the same HKEY_LOCAL_MACHINE\Software\Cisco\Clean Access Agent\ registry location.

Table 5 Required DWORD Registry Key Settings for Access to Authentication VLAN Change Detection on Clients with Multiple Active NICs

| Registry Key | Default Value (Decimal) | Valid Range | Behavior |
|---|---|---|---|
| RetryDetection | 5 | Any | If ICMP or ARP polling fails, this setting configures the Agent to retry <x> times before refreshing the client IP address. |
| PingArp | 0 | 0-2 | If this value is set to 0, poll using ICMP. If this value is set to 1, poll using ARP. If this value is set to 2, poll using ICMP first, then (if ICMP fails) use ARP. |
| PingMaxTimeout | 1 | 1-10 | Poll using ICMP and if no response in <x> seconds, then declare ICMP polling failure. |
| DHCPServiceStartStop | 0 | Any | If this setting is 0, do not perform DHCP services (net dhcp stop/start) when IP refresh fails with API. If any value other than 0, perform DHCP services. |
| VlanDetectInterval | 0 | 0, 5-60 | If this setting is 0, the Access to Authentication VLAN change feature is disabled. If this setting is 1-5, the Agent sends ICMP/ARP queries every 5 seconds. If this setting is 6-60, ICMP/ARP every <x> seconds. (Any value greater than 60 seconds automatically reverts to 60.) |


For more information on multiple-NIC client support, see Support for Clients with Multiple Active NICs.
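The Table 5 rules as an added example (not Cisco's code): a Python helper that checks proposed values against the stated ranges, reports the polling behavior the table describes, and renders a .reg file for the registry location named above. The function names and sample values are assumptions made for illustration; the output uses the standard Windows Registry Editor 5.00 file syntax.

```python
# Added example: validate Table 5 settings and render a .reg file for them.
REG_KEY = r"HKEY_LOCAL_MACHINE\Software\Cisco\Clean Access Agent"
DWORD_MAX = 0xFFFFFFFF

# Defaults (decimal) exactly as listed in Table 5.
DEFAULTS = {
    "RetryDetection": 5,
    "PingArp": 0,
    "PingMaxTimeout": 1,
    "DHCPServiceStartStop": 0,
    "VlanDetectInterval": 0,
}
POLL_METHODS = {0: "ICMP", 1: "ARP", 2: "ICMP, then ARP if ICMP fails"}


def validate(overrides):
    """Merge overrides onto the Table 5 defaults; return (settings, problems)."""
    settings, problems = dict(DEFAULTS), []
    for name, value in overrides.items():
        if name not in DEFAULTS:
            problems.append(f"{name}: not a Table 5 key")
        elif type(value) is not int or not 0 <= value <= DWORD_MAX:
            problems.append(f"{name}: {value!r} is not a DWORD value")
        else:
            settings[name] = value
    if settings["PingArp"] not in POLL_METHODS:
        problems.append("PingArp: valid range is 0-2")
    if not 1 <= settings["PingMaxTimeout"] <= 10:
        problems.append("PingMaxTimeout: valid range is 1-10")
    return settings, problems


def effective_interval(value):
    """Polling period in seconds for VlanDetectInterval (None = feature disabled)."""
    if value == 0:
        return None
    if value <= 5:
        return 5           # Table 5: settings 1-5 poll every 5 seconds
    return min(value, 60)  # Table 5: values above 60 revert to 60


def describe(settings):
    """Summarize what the Agent does with these settings, per Table 5."""
    interval = effective_interval(settings["VlanDetectInterval"])
    if interval is None:
        return ["Access to Authentication VLAN change detection is disabled"]
    notes = [f"poll every {interval} s using {POLL_METHODS[settings['PingArp']]}"]
    if settings["PingArp"] != 1:  # the timeout applies only when ICMP is polled
        notes.append(
            f"declare ICMP failure after {settings['PingMaxTimeout']} s without a response"
        )
    notes.append(
        f"retry {settings['RetryDetection']} times before refreshing the client IP address"
    )
    if settings["DHCPServiceStartStop"] != 0:
        # The release notes caution that this refreshes every NIC, not only one.
        notes.append(
            "WARNING: net dhcp stop/start enabled; the Agent refreshes IP addresses on all NICs"
        )
    return notes


def render_reg(overrides):
    """Return .reg file text for validated settings; raise ValueError on bad input."""
    settings, problems = validate(overrides)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REG_KEY}]"]
    lines += [f'"{name}"=dword:{settings[name]:08x}' for name in DEFAULTS]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample: enable detection every 10 s, ICMP first and then ARP.
    sample = {"VlanDetectInterval": 10, "PingArp": 2, "PingMaxTimeout": 2}
    checked, _ = validate(sample)
    print("\n".join(describe(checked)))
    print(render_reg(sample))
```

As the 4.1.3.2 Agent notes in this document state, the HKLM registry settings take effect after an Agent login.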

SNMP Inform Notification Enhancement

SNMP notification behavior has been enhanced in release 4.1(3) to feature SNMP "inform request" behavior. SNMP traps can be unreliable: the SNMP receiver is not required to send an acknowledgment when it receives a trap, so the sender cannot determine whether the trap was received. In release 4.1(3), the CAM is able to transmit SNMP inform acknowledgements in response to switch SNMP inform requests to ensure reliable information delivery between the switch and the CAM. (The inherent SNMP "inform request/acknowledgement" retry mechanism helps increase the chances of successful information delivery from the managed switch to the CAM.)

SNMP "MAC Move Notification" Switch Port Configuration Support

With release 4.1(3), Cisco NAC Appliance now supports the "MAC Move Notification" switch port configuration and notification feature. When the managed switch sends out a notification trap announcing that a connected host has moved from one port to another within the same VLAN, the CAM responds to the notification by updating the discovered client information and, if necessary, changing the VLAN assignment for the host port to reflect the information in the switch trap notification.

Releases earlier than 4.1(3) depend on "MAC Changed Notification" to detect the client device when it connects to the switch. From the notification, the switch learns a new MAC address on the port, and the Clean Access Manager learns from the switch what device is connected to which port. Based on this learned information, the CAM changes the VLAN for that switch port.

However, when the MAC Move Notification Trap is configured on the switch, the switch sends out the trap when a connected device moves from one port to another on the same VLAN. With CCA versions earlier than 4.1(3), the MAC Move Notification is not supported, and the CAM does not update connected device information when a MAC Move event occurs. As a result, the CAM can end up incorrectly setting the VLAN on the switch port from which the device has already disconnected.

With release 4.1(3) and later, OOB deployments now support:

Linkup/linkdown

MAC change notification—when the switch learns a new MAC address on a managed port

MAC move notification—when a device/host moves from one managed port to another

Cisco NAC Appliance Agent Enhancements

Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)

Added Agent language template support for Dutch, Hungarian, and Portuguese for Windows Agents. The Agent will display localized text for these languages if run from a localized Windows operating system.


Note The Agent picks the correct language template based on the local computer Locale (under Control Panel > Regional and Language Options). Cisco recommends using the localized Agent in the localized version of Windows (e.g. French Agent in French Windows). Agent language template support only controls what the viewer sees after the Agent is installed; it does not include support for different client operating systems for the Agent Installer or for AV/AS products.



Note If the administrator includes non-English text in the CAM configuration (e.g. non-English characters in a requirement description or registry value check), it may not be displayed correctly or run correctly.


See Cisco NAC Appliance Agents for enhancement details per Agent version.

Cisco NAC Appliance Agents

This section consolidates information for Clean Access Agent and Cisco NAC Web Agent client software versions, as follows:

Windows Clean Access Agent Enhancements

Mac OS X Clean Access Agent Enhancements

Cisco NAC Web Agent Enhancements

Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted. For all Agents:

See Release 4.1(3) Compatibility Matrix and Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix for compatibility details.

See Clean Access Supported AV/AS Product List for details on related AV/AS support.


Note Cisco strongly recommends running version 4.1.3.0 of the Clean Access Agent with release 4.1(3) and later of the CAM/CAS. However, administrators can optionally configure the 4.1(3) CAM/CAS to allow login and posture assessment from 4.1.0.x Agents. Refer to the "Supported AV/AS Product List Version Summary" of the applicable Release Notes for complete details on 4.1.0.x Agent AV/AS support.



Note See the "Clean Access Agent Version Summary" section in the Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(2) for details on the 4.1.2.x Agent.
See the "Clean Access Agent Version Summary" section in the Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(1) for details on the 4.1.1.0 Agent.


For additional details refer to Known Issues for Cisco NAC Appliance and Troubleshooting for Agent-related information.

Windows Clean Access Agent Enhancements

This section contains the latest enhancements per version of the Windows Clean Access Agent.

Windows Clean Access Agent Version 4.1.3.2

Windows Clean Access Agent Version 4.1.3.1

Windows Clean Access Agent Version 4.1.3.0

Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.

Windows Clean Access Agent Version 4.1.3.2

Version 4.1.3.2 of the Windows Clean Access Agent resolves caveats CSCsl77778, CSCsl77801, CSCsm04923, CSCsm38529, CSCsm39238, CSCsm54763, CSCsm42572, CSCsm62326, CSCsm67052, and CSCso22399. Refer to Resolved Caveats - Windows Clean Access Agent 4.1.3.2 for additional details.

New features or enhancements for Windows Clean Access Agent version 4.1.3.2 (persistent):

Version 4.1.3.2 of the Windows Clean Access Agent modifies the Access to Authentication VLAN Change Detection feature as follows:

The feature is turned off by default (version 4.1.3.1 and later)

The Agent mechanism for detection changes from ARP to ICMP (ping) by default, and is configurable: ICMP, or ARP, or ICMP and ARP.

There is a new retry detection interval which is configurable. The Agent retries CAS detection a default of 5 times before performing IP refresh.

SWISS VLAN detection checks are enhanced so that VLAN change detection is not performed for 0.0.0.0, IP address = default gateway (VPN), or auto-assigned IP address deployments.

net dhcp stop/start is turned off by default and is configurable with the 4.1.3.2 Agent. HKLM settings are now used instead of HKCU settings, and the registry settings will take effect after an Agent login.


Note See Table 5 under Access to Authentication VLAN Change Detection Enhancement for details on the registry settings required to configure the Windows client for Access to Authentication VLAN change detection.


Enhancements to Support for Clients with Multiple Active NICs

Enhancements to Access to Authentication VLAN Change Detection Enhancement (including new "Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC" section)

Added language template support for Russian, Turkish, and Serbian (Cyrillic) for Windows Agents.

Supported AV/AS Product List Enhancements (Version 68)

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

See Supported AV/AS Product List Version Summary for details on each update to the list.

Windows Clean Access Agent Version 4.1.3.1

Version 4.1.3.1 of the Windows Clean Access Agent resolves caveat CSCsm05207. Refer to Resolved Caveats - Windows Clean Access Agent 4.1.3.1 and Access to Authentication VLAN Change Detection Enhancement for additional details.


Note MSI Package Installation:

When using MSI package installation/upgrade for the Clean Access Agent, minor version (4th digit) upgrades are affected by caveat CSCsm20655. Refer to the workaround for details.

Also refer to Known Issues with MSI Agent Installer before downloading the MSI installer for the full Agent from Cisco Secure Downloads.


Windows Clean Access Agent Version 4.1.3.0

New features or enhancements for Windows Agent version 4.1.3.0 (persistent):

Agent behavior supports multiple active NICs on the client machine. See Support for Clients with Multiple Active NICs for details.

User logoff behavior via the Windows Clean Access Agent has been enhanced to ensure that all scripts necessary to log the user out of the Cisco NAC Appliance system have had a chance to complete before the CAS restricts user traffic. See Delay Agent Logoff on CAM/CAS for details.

In an OOB environment, the Agent can detect the VLAN change and switch from the Access to the Authentication VLAN automatically. See Access to Authentication VLAN Change Detection Enhancement for details.

You can configure the Agent to delay a specified period of time before performing VPN SSO. See VPN SSO Login Enhancement for details.

Windows Clean Access Agents support requirement types that the administrator configures to employ automatic remediation. See Clean Access Agent Auto Remediation for details.

Added language template support for Dutch, Hungarian, and Portuguese for Windows Agents.

Support for Stub installer on Windows Vista operating system.


Note For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.



Note When installing the 4.1.3.0 Clean Access Agent via stub installation on Windows Vista machines only, Cisco recommends not to use the Full UI Stub Installation Option. To avoid the appearance of 5-minute installation dialog delays caused by the Vista Interactive Service Detection Service, do not use the No UI or Reduced UI option when configuring Stub Installation Options for Windows Vista client machines.



Note When non-admin users install/uninstall the Agent through stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.

This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function.


For more information on the stub installer and its behavior, see the "Configuring Agent Distribution/Installation" section of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3). See also Known Issues with MSI Agent Installer.

Performs authentication on 64-bit Windows Vista and Windows XP client operating systems. See 64-bit Windows Operating System Agent Support for details.


Note The 4.1.3.0 Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.1.2.1 or later. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, nessus scanning via the Clean Access Agent does not perform remediation on the client machine.


Mac OS X Clean Access Agent Enhancements

This section contains the latest enhancements per version of the Mac OS X Clean Access Agent:

Mac OS X Clean Access Agent Version 4.1.3.1

Mac OS X Clean Access Agent Version 4.1.3.0

Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.


Note Cisco NAC Appliance supports basic web login on Macintosh operating systems—whether Mac OS X, iPhone, or iPod Touch—as long as clients use Safari or Firefox browsers. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Clean Access) for additional details.


Mac OS X Clean Access Agent Version 4.1.3.1

Version 4.1.3.1 of the Clean Access Agent resolves caveats CSCsl83353, CSCsl88985, CSCsl98060, CSCsm10311, CSCsm20813, CSCsm26806, and CSCsm47276 for Mac OS X Agents. Refer to Resolved Caveats - Mac OS X Agent 4.1.3.1 for additional details.

Mac OS X Clean Access Agent Version 4.1.3.0

New features or enhancements in Macintosh OS X Clean Access Agent version 4.1.3.0:

Mac Agent directory has been changed from /Library/Application Support/Cisco Systems/ folder to /Applications/ folder. See also Generate Mac OS X Agent Debug Log for additional details.

Mac Agent logo and status icons have been redesigned. For details, see the "Cisco NAC Appliance Agents" chapter in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3).

The Mac OS X Agent features auto-upgrade for version 4.1.3.0 and later. During user login, when the 4.1.3.0 Mac Agent is in the process of establishing a connection to the CAS (SWISS UDP packet exchange), the Agent currently installed on the Mac client machine determines whether or not a newer version of the Mac OS X Clean Access Agent is available and, if so, automatically begins downloading and installing the newer Agent version. Once installed and initiated, the set-up process requires only very little user interaction. Once completely installed, the newer version of the Agent launches automatically.

Mac OS X Agent version 4.1.3.0 features login support for Macintosh users running Mac OS X version 10.5 and 10.5.1 ("Leopard").


Note You must install release 4.1(3) on your CAM and CAS to enable Mac OS X version 10.5 or 10.5.1 users to access the network via Cisco NAC Appliance. Mac OS X version 10.5 and 10.5.1 users cannot log into earlier releases of Cisco NAC Appliance due to a mismatch in NIC MAC address identification from the client machine.


Agent behavior supports multiple active NICs on the client machine. See Support for Clients with Multiple Active NICs for details.

In an OOB environment, the Agent can detect the VLAN change from the Access to the Authentication VLAN automatically. See Access to Authentication VLAN Change Detection Enhancement.

VLAN change can be configured so the Agent will display a count down progress bar for the login until the delay times out.

You can configure the Agent to delay a specified period of time before performing VPN SSO. See VPN SSO Login Enhancement.

Cisco NAC Web Agent Enhancements

This section contains the latest enhancements per version of the Cisco NAC Web Agent:

Cisco NAC Web Agent Version 4.1.3.10

Cisco NAC Web Agent Version 4.1.3.9

Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.

See Release 4.1(3) Compatibility Matrix for general compatibility details.

Cisco NAC Web Agent Version 4.1.3.10

For release 4.1(3) and later, new versions of the Cisco NAC Web Agent are available from the Clean Access Manager via the Updates mechanism (Device Management > Clean Access > Updates > Update). If use of the Cisco NAC Web Agent is required for the role, users will automatically download the latest version that is available on the CAM. If you do not want to distribute the latest version of the Web Agent, you can deselect the "Check for Cisco NAC Web Agent updates" checkbox on the Updates page.

New features or enhancements for Windows Agent version 4.1.3.10:

Signed Certificate Requirements

Resolves caveats CSCsm03961 and CSCsm17435. See Resolved Caveats - Cisco NAC Web Agent 4.1.3.10.

For general Web Agent system requirements, refer to Cisco NAC Web Agent Version 4.1.3.9.

Signed Certificate Requirements

For version 4.1.3.10, the ActiveX control and Java Applet are signed by a certificate ("Cisco Systems") which is signed by "Thawte Server CA," and should be included in the Trusted Root Certificate Authority store.

If the certificate is not included in the Trusted Root Certificate Authority store, users will see a security alert dialog whenever they launch the Cisco NAC Web Agent. The dialog indicates a secure connection is required, but the certificate issuer is untrusted or unknown. The user can accept the certificate for this session, or install this certificate in the certificate store.

To install the certificate:

Step 1 During the login session, users can select View Certificate from the Security Alert (or similar) dialog.

Step 2 Select the Certificate Path tab.

Step 3 Select the "www.perfigo.com" certificate entry and click View Certificate.

Step 4 In the configuration wizard, click Install Certificate to launch the certificate wizard.

Step 5 In the wizard introduction page, click Next.

Step 6 In the wizard "Certificate Store" page, choose the Automatically select... radio button, click Next, and then click Finish. (If you are prompted to confirm the import, click Yes.)


For additional information, see also Vista/IE 7 Certificate Revocation List.

Cisco NAC Web Agent Version 4.1.3.9

Release 4.1(3) introduces the new (temporal) Cisco NAC Web Agent version 4.1.3.9.

Refer to Cisco NAC Web Agent for feature details.

Versions 4.1.3.9 and later of the Cisco NAC Web Agent have the following system requirements:

Operating System Dependencies

Browser Support

ActiveX and Java Applet Requirements

Microsoft Internet Explorer 7 in Windows Vista

Operating System Dependencies

You can install and launch the Cisco NAC Web Agent on the following operating systems:

Windows 2000 (Service Packs 4 and 6)

Windows XP Professional/Home (Service Packs 1 and 2)

Windows Vista Home Premium/Ultimate (authentication only)


Note Security restrictions for the "Guest" user profile in Windows Vista operating systems prevent ActiveX controls and Java applets from running properly. Therefore, you must be logged into the Windows Vista client machine as a known user (not a "Guest") in order to log into Cisco NAC Appliance via the Web Agent.


Browser Support

You can install and launch the Cisco NAC Web Agent from the following web browsers:

Microsoft Internet Explorer versions 6 or 7 (ActiveX or Java applet)

Firefox versions 1.5 or 2.0 (Java applet only)

ActiveX and Java Applet Requirements

If you plan to use the Java applet version to install the Web Agent files, the client must already have Java version 1.4.2 or higher installed.

If you plan to install the Web Agent files via ActiveX, the client machine must be using Microsoft Internet Explorer. You cannot install via ActiveX on a Firefox web browser.

The user must have permissions for ActiveX download or admin privileges on the client machine to enable installation of ActiveX controls.


Note The Web Agent Java applet might fail to launch when the CPU load on the client machine approaches 100%. (ActiveX runs successfully under these conditions.)


Microsoft Internet Explorer 7 in Windows Vista

By default, Windows Vista checks the server certificate revocation list and prevents the Web Agent from launching on the client machine.

To disable this functionality:


Step 1 In Internet Explorer 7, navigate to Menu > Tools > Internet Options.

Step 2 Click the Advanced tab.

Step 3 Under Security, uncheck (disable) the Check for server certificate revocation option.

Step 4 Click OK.


For additional information, see also Vista/IE 7 Certificate Revocation List.

Clean Access Supported AV/AS Product List

This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Updates > Update to provide the latest antivirus (AV) and anti-spyware (AS) product integration support for Cisco NAC Appliance Agents that support AV/AS posture assessment/remediation. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.

The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Windows Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends keeping your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.


Note Cisco recommends keeping your Supported AV/AS Product List up-to-date on your CAM by configuring the Update Settings under Device Management > Clean Access > Updates > Update to Automatically check for updates starting from <x> every <y> hours.


The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:

Clean Access AV Support Chart (Windows Vista/XP/2000)

Clean Access AV Support Chart (Windows ME/98)

Clean Access AS Support Chart (Windows Vista/XP/2000)

The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.

For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:

Cisco NAC Appliance Agents

Supported AV/AS Product List Version Summary

You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.


Note Where possible, Cisco recommends using AV Rules mapped to AV Definition Update Requirements when checking antivirus software on clients, and AS Rules mapped to AS Definition Update Requirements when checking anti-spyware software on clients. In the case of non-supported AV or AS products, or if an AV/AS product/version is not available through AV Rules/AS Rules, administrators always have the option of creating their own custom checks, rules, and requirements for the AV/AS vendor (and/or using Cisco provided pc_ checks and pr_rules) through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement). See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3) for configuration details.

Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."


Clean Access AV Support Chart (Windows Vista/XP/2000)

Table 6 lists Windows Vista/XP/2000 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 7 for Windows ME/98).

Table 6 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2000), Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1 (Sheet 1 of 12)

| Vendor | Product Name | Product Version | AV Checks Supported: Installation (Minimum Agent Version Needed) [1] | AV Checks Supported: Virus Definition (Minimum Agent Version Needed) [1] | Live Update [2, 3] |
|---|---|---|---|---|---|
| AEC, spol. s r.o. | TrustPort Antivirus | 2.x | yes (4.0.6.0) | - | yes |
| AhnLab, Inc. | AhnLab Security Pack | 2.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 2007 | 7.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 2007 Platinum | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 2008 Platinum | 7.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 7.0 Platinum Enterprise | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| AhnLab, Inc. | V3Pro 2004 | 6.x | yes (3.5.10.1) | yes (3.5.12) | yes |
| AhnLab, Inc. | V3 VirusBlock 2005 | 6.x | yes (4.1.2.0) | yes (4.1.2.0) | - |
| ALWIL Software | avast! Antivirus | 4.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| ALWIL Software | avast! Antivirus (managed) | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| ALWIL Software | avast! Antivirus Professional | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| America Online, Inc. | Active Virus Shield | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 102.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 1.x | yes (3.5.11.1) | yes (3.5.11.1) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 210.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Authentium, Inc. | Command Anti-Virus Enterprise | 4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Authentium, Inc. | Command AntiVirus for Windows | 4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Authentium, Inc. | Command AntiVirus for Windows Enterprise | 4.x | yes (3.5.2) | yes (3.5.2) | yes |
| Authentium, Inc. | Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| AVG Technologies | AVG 8.0 [AntiVirus] | 8.x | yes (4.1.3.2) | - | yes |
| Avira GmbH | Avira AntiVir PersonalEdition Classic | 7.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| Avira GmbH | Avira AntiVir PersonalEdition Premium | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Avira GmbH | Avira AntiVir Windows Workstation | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Avira GmbH | Avira Premium Security Suite | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 17.x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 18.x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 19.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 20.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| BellSouth | BellSouth Internet Security Anti-Virus | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| BullGuard Ltd. | BullGuard 7.0 | 7.x | yes (4.1.2.0) | yes (4.1.2.0) | - |
| BullGuard Ltd. | BullGuard 8.0 | 8.x | yes (4.1.3.2) | yes (4.1.3.2) | - |
| Cat Computer Services Pvt. Ltd. | Quick Heal AntiVirus Lite | 9.5.x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Cat Computer Services Pvt. Ltd. | Quick Heal AntiVirus Plus | 9.5.x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Check Point, Inc | ZoneAlarm Anti-virus | 7.0.x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Check Point, Inc | ZoneAlarm Anti-virus | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Check Point, Inc | ZoneAlarm (AntiVirus) | 7.0.x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Check Point, Inc | ZoneAlarm (AntiVirus) | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Check Point, Inc | ZoneAlarm Security Suite Antivirus | 7.0.x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Check Point, Inc | ZoneAlarm Security Suite Antivirus | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| ClamAV | ClamAV | devel-x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| ClamWin | ClamWin Antivirus | 0.x | yes (3.5.2) | yes (3.5.2) | yes |
| ClamWin | ClamWin Free Antivirus | 0.x | yes (3.5.4) | yes (3.5.4) | yes |
| Computer Associates International, Inc. | CA Anti-Virus | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Computer Associates International, Inc. | CA Anti-Virus | 9.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| Computer Associates International, Inc. | CA eTrust Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | CA eTrust Internet Security Suite AntiVirus | 7.x | yes (3.5.11) | yes (3.5.11) | yes |
| Computer Associates International, Inc. | CA eTrustITM Agent | 8.x | yes (3.5.12) | yes (3.5.12) | yes |
| Computer Associates International, Inc. | eTrust Antivirus | 6.0.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.1.x | yes (3.5.3) | yes (3.5.8) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.2.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 6.1.x | yes (3.5.0) | yes (3.5.8) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 6.2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Defender Pro LLC | Defender Pro Anti-Virus | 5.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| EarthLink, Inc. | Aluria Security Center AntiVirus | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| EarthLink, Inc. | EarthLink Protection Control Center AntiVirus | 1.x | yes (3.5.10.1) | yes (3.5.10.1) | - |
| EarthLink, Inc. | EarthLink Protection Control Center AntiVirus | 2.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| EarthLink, Inc. | EarthLink Protection Control Center AntiVirus | 3.x | yes (4.1.3.0) | yes (4.1.3.0) | - |
| eEye Digital Security | eEye Digital Security Blink Personal | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| eEye Digital Security | eEye Digital Security Blink Professional | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| Eset Software | ESET NOD32 Antivirus | 3.x | yes (4.1.3.2) | yes (4.1.3.2) | - |
| Eset Software | NOD32 antivirus system | 2.x | yes (3.5.5) | yes (3.5.5) | yes |
| Eset Software | NOD32 antivirus system | x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Eset Software | NOD32 antivirus System | x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Eset Software | NOD32 Antivirus System | x | yes (4.1.3.2) | yes (4.1.3.2) | yes |
| Fortinet Inc. | FortiClient Consumer Edition | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| Frisk Software International | F-PROT Antivirus for Windows | 6.0.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Frisk Software International | F-Prot for Windows | 3.14e | yes (3.5.0) | yes (3.5.0) | yes |
| Frisk Software International | F-Prot for Windows | 3.15 | yes (3.5.0) | yes (3.5.0) | yes |
| Frisk Software International | F-Prot for Windows | 3.16c | yes (3.5.11) | yes (3.5.11) | yes |
| Frisk Software International | F-Prot for Windows | 3.16d | yes (3.5.11) | yes (3.5.11) | yes |
| Frisk Software International | F-Prot for Windows | 3.16x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 5.x | yes (3.5.0) | yes (3.5.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| F-Secure Corp. | F-Secure Anti-Virus 2005 | 5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus Client Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus for Windows Servers | 5.x | yes (4.1.3.2) | yes (4.1.3.2) | - |
| F-Secure Corp. | F-Secure Internet Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Internet Security | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| F-Secure Corp. | F-Secure Internet Security 2005 | 5.x | yes (4.1.3.0) | yes (4.1.3.0) | - |
| F-Secure Corp. | F-Secure Internet Security 2006 Beta | 6.x | yes (3.5.8) | yes (3.5.8) | yes |
| GData Software AG | AntiVirusKit 2006 | 2006.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| GData Software AG | G DATA AntiVirus 2008 | 18.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| GData Software AG | G DATA AntiVirusKit | 17.x | yes (4.1.3.0) | yes (4.1.3.0) | - |
| GData Software AG | G DATA InternetSecurity [Antivirus] | 17.x | yes (4.1.3.0) | yes (4.1.3.0) | - |
| GData Software AG | G DATA InternetSecurity [Antivirus] | 18.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| GData Software AG | G DATA TotalCare [Antivirus] | 18.x | yes (4.1.3.0) | yes (4.1.3.0) | yes |
| Grisoft, Inc. | Antivirussystem AVG 6.0 | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 6.0 Anti-Virus - FREE Edition | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 6.0 Anti-Virus System | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 7.5 | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Grisoft, Inc. | AVG Antivirensystem 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Grisoft, Inc. | AVG Anti-Virus 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Grisoft, Inc. | AVG Anti-Virus 7.1 | 7.x | yes (3.6.3.0) | yes (3.6.3.0) | yes |
| Grisoft, Inc. | AVG Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| HAURI, Inc. | ViRobot Desktop | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| HAURI, Inc. | ViRobot Desktop | 5.x | yes (4.1.3.0) | yes (4.1.3.0) | - |
| H+BEDV Datentechnik GmbH | AntiVir PersonalEdition Classic Windows | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| H+BEDV Datentechnik GmbH | AntiVir/XP | 6.x | yes (3.5.0) | yes (3.5.0) | yes |
| IKARUS Software GmbH | IKARUS Guard NT | 2.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| IKARUS Software GmbH | IKARUS virus utilities | 5.x | yes (4.0.6.0) | yes (4.0.6.0) | - |

Internet Security Systems, Inc.

Proventia Desktop

8.x

yes (4.0.6.0)

-

-

Proventia Desktop

9.x

yes (4.0.6.0)

yes (4.0.6.0)

-

Jiangmin, Inc.

Jiangmin AntiVirus KV2007

10.x

yes (4.1.3.0)

-

yes

Kaspersky Labs

Kaspersky Anti-Virus 2006 Beta

6.0.x

yes (3.5.8)

yes (3.5.8)

-

Kaspersky Anti-Virus 6.0

6.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Kaspersky Anti-Virus 6.0 Beta

6.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Kaspersky Anti-Virus 7.0

7.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Kaspersky Anti-Virus for Windows File Servers

5.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Kaspersky Anti-Virus for Windows File Servers

6.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Kaspersky Anti-Virus for Windows Servers

6.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Kaspersky Anti-Virus for Windows Workstations

5.0.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Kaspersky Anti-Virus for Windows Workstations

6.x

yes (4.0.6.0)

yes (4.0.6.0)

yes

Kaspersky Anti-Virus for Workstation

5.0.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Kaspersky Anti-Virus Personal

4.5.x

yes (3.5.0)

yes (3.5.0)

yes

Kaspersky Anti-Virus Personal

5.0.x

yes (3.5.0)

yes (3.5.0)

yes

Kaspersky Anti-Virus Personal Pro

5.0.x

yes (3.5.11)

yes (3.5.11)

yes

Kaspersky Internet Security

6.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Kaspersky Internet Security 7.0

7.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Kaspersky Internet Security 8.0

8.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Kaspersky(TM) Anti-Virus Personal 4.5

4.5.x

yes (3.5.0)

yes (3.5.0)

yes

Kaspersky(TM) Anti-Virus Personal Pro 4.5

4.5.x

yes (3.5.0)

yes (3.5.0)

yes

Kingsoft Corp.

Kingsoft AntiVirus 2004

2004.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Kingsoft AntiVirus 2007 Free

2007.x

yes (4.1.3.2)

yes (4.1.3.2)

-

Kingsoft Internet Security

7.x

yes (3.6.5.0)

yes (3.6.5.0)

yes

Kingsoft Internet Security 2006 +

2006.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

McAfee, Inc.

McAfee VirusScan Enterprise

8.x

yes (3.6.5.0)

yes (3.6.5.0)

yes

McAfee VirusScan Home Edition

7.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

McAfee VirusScan Professional

8.x

yes (3.5.1)

yes (3.5.1)

yes

McAfee VirusScan Professional

8xxx

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Professional

9.x

yes (3.5.1)

yes (3.5.1)

yes

McAfee VirusScan Professional Edition

7.x

yes (3.5.0)

yes (3.5.0)

yes

Total Protection for Small Business

4.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

McAfee Internet Security 6.0

8.x

yes (3.5.4)

yes (3.5.4)

yes

McAfee Managed VirusScan

3.x

yes (3.5.8)

yes (3.5.8)

yes

McAfee Managed VirusScan

4.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

McAfee VirusScan

10.x

yes (3.5.4)

yes (3.5.4)

yes

McAfee VirusScan

11.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

McAfee VirusScan

12.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

McAfee VirusScan

4.5.x

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan

8.x

yes (3.5.1)

yes (3.5.1)

yes

McAfee VirusScan

8xxx

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan

9.x

yes (3.5.1)

yes (3.5.1)

yes

McAfee VirusScan

9xxx

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Enterprise

7.0.x

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Enterprise

7.1.x

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Enterprise

7.5.x

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Enterprise

8.0.x

yes (3.5.0)

yes (3.5.0)

yes

Microsoft Corp.

Microsoft Forefront Client Security

1.5.x

yes (4.0.5.0)

yes (4.0.5.0)

-

Windows Live OneCare

1.x

yes (4.1.0.0)

yes (4.1.0.0)

-

Windows Live OneCare

2.x

yes (4.1.3.2)

yes (4.1.3.2)

-

Windows OneCare Live

0.8.x

yes (3.5.11.1)

-

-

MicroWorld

eScan Anti-Virus (AV) for Windows

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

eScan Corporate for Windows

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

eScan Internet Security for Windows

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

eScan Professional for Windows

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

eScan Virus Control (VC) for Windows

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Norman ASA

Norman Virus Control

5.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Panda Software

Panda Antivirus 2007

2.x

yes (4.0.4.0)

yes (4.0.4.0)

-

Panda Antivirus 2008

3.x

yes (4.0.6.1)

yes (4.0.6.1)

-

Panda Antivirus 6.0 Platinum

6

yes (3.5.0)

yes (3.5.0)

yes

Panda Antivirus + Firewall 2007

6.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

Panda Antivirus + Firewall 2008

7.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Panda Antivirus Lite

1.x

yes (3.5.0)

yes (3.5.0)

-

Panda Antivirus Lite

3.x

yes (3.5.9)

yes (3.5.9)

-

Panda Antivirus Platinum

7.04.x

yes (3.5.0)

yes (3.5.0)

yes

Panda Antivirus Platinum

7.05.x

yes (3.5.0)

yes (3.5.0)

yes

Panda Antivirus Platinum

7.06.x

yes (3.5.0)

yes (3.5.0)

yes

Panda Client Shield

4.x

yes (4.0.4.0)

yes (4.0.4.0)

-

Panda Internet Security 2007

11.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

Panda Internet Security 2008

12.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Panda Platinum 2005 Internet Security

9.x

yes (3.5.3)

yes (3.5.3)

yes

Panda Platinum 2006 Internet Security

10.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

Panda Platinum Internet Security

8.03.x

yes (3.5.0)

yes (3.5.0)

yes

Panda Titanium 2006 Antivirus + Antispyware

5.x

yes (3.5.10.1)

yes (3.5.10.1)

yes

Panda Titanium Antivirus 2004

3.00.00

yes (3.5.0)

yes (3.5.0)

yes

Panda Titanium Antivirus 2004

3.01.x

yes (3.5.0)

yes (3.5.0)

yes

Panda Titanium Antivirus 2004

3.02.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Panda Titanium Antivirus 2005

4.x

yes (3.5.1)

yes (3.5.1)

yes

Panda TruPrevent Personal 2005

2.x

yes (3.5.3)

yes (3.5.3)

yes

Panda TruPrevent Personal 2006

3.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

WebAdmin Client Antivirus

3.x

yes (3.5.11)

yes (3.5.11)

-

PC Tools Software

PC Tools AntiVirus 2.0

2.x

yes (4.1.3.0)

yes (4.1.3.0)

-

PC Tools AntiVirus 2007

3.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

PC Tools AntiVirus 2008

4.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

PC Tools Internet Security [Antivirus]

5.x

yes (4.1.3.0)

yes (4.1.3.0)

-

PC Tools Spyware Doctor [Antivirus]

5.x

yes (4.1.3.2)

-

-

Spyware Doctor [Antivirus]

5.x

yes (4.1.3.2)

yes (4.1.3.2)

-

ThreatFire 3.0

3.x

yes (4.1.3.0)

-

-

Radialpoint Inc.

Radialpoint Security Services Virus Protection

6.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Radialpoint Virus Protection

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Zero-Knowledge Systems Radialpoint Security Services Virus Protection

6.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

SalD Ltd.

Dr.Web

4.32.x

yes (3.5.0)

yes (3.5.0)

yes

Dr.Web

4.33.x

yes (3.5.11.1)

yes (3.5.11.1)

yes

Dr.Web

4.44.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Sereniti, Inc.

Sereniti Antivirus

1.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

The River Home Network Security Suite

1.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

SOFTWIN

BitDefender 8 Free Edition

8.x

yes (3.5.8)

yes (3.5.8)

-

BitDefender 8 Professional Plus

8.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender 8 Standard

8.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender 9 Internet Security AntiVirus

9.x

yes (3.5.11.1)

yes (3.5.11.1)

-

BitDefender 9 Professional Plus

9.x

yes (3.5.8)

yes (3.5.8)

yes

BitDefender 9 Standard

9.x

yes (3.5.8)

yes (3.5.8)

yes

BitDefender Antivirus 2008

11.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

BitDefender Antivirus Plus v10

10.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

BitDefender Antivirus v10

10.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

BitDefender Client Professional Plus

8.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

BitDefender Free Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender Free Edition v10

10.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

BitDefender Internet Security 2008

11.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

BitDefender Internet Security v10

10.x

yes (4.0.4.0)

yes (4.0.4.0)

yes

BitDefender Professional Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender Standard Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender Total Security 2008

11.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Sophos Plc.

Sophos Anti-Virus

3.x

yes (3.5.3)

yes (3.5.3)

-

Sophos Anti-Virus

4.x

yes (3.6.3.0)

yes (3.6.3.0)

-

Sophos Anti-Virus

5.x

yes (3.5.3)

yes (3.5.3)

yes

Sophos Anti-Virus

6.x

yes (4.0.1.0)

yes (4.0.1.0)

yes

Sophos Anti-Virus

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Sophos Anti-Virus version 3.80

3.8

yes (3.5.0)

yes (3.5.0)

-

Symantec Corp.

Norton 360 (Symantec Corporation)

1.x

yes (4.1.1.0)

yes (4.1.1.0)

yes

Norton 360 (Symantec Corporation)

2.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Norton AntiVirus

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus

14.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Norton AntiVirus

15.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Norton AntiVirus 2002

8.00.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2002

8.x

yes (3.5.1)

yes (3.5.1)

yes

Norton AntiVirus 2002 Professional

8.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2002 Professional Edition

8.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2003

9.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2003 Professional

9.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2003 Professional Edition

9.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2004

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2004 Professional

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2004 Professional Edition

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2004 (Symantec Corporation)

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2005

11.0.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2006

12.0.x

yes (3.5.5)

yes (3.5.5)

yes

Norton AntiVirus 2006

12.x

yes (3.5.5)

yes (3.5.5)

yes

Norton AntiVirus Corporate Edition

7.x

yes (3.5.1)

yes (3.5.1)

yes

Norton Internet Security

7.x

yes (3.5.0)

yes (3.5.0)

yes

Norton Internet Security

8.0.x

yes (3.5.0)

yes (3.5.0)

yes

Norton Internet Security

8.2.x

yes (3.5.1)

yes (3.5.1)

yes

Norton Internet Security

8.x

yes (3.5.1)

yes (3.5.1)

yes

Norton Internet Security

9.x

yes (3.5.10.1)

yes (3.5.10.1)

yes

Norton Internet Security (Symantec Corporation)

10.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Norton Security Scan

1.x

yes (4.1.3.0)

yes (4.1.3.0)

-

Norton SystemWorks 2003

6.x

yes (3.5.3)

yes (3.5.3)

yes

Norton SystemWorks 2004 Professional

7.x

yes (3.5.4)

yes (3.5.4)

yes

Norton SystemWorks 2005

8.x

yes (3.5.3)

yes (3.5.3)

yes

Norton SystemWorks 2005 Premier

8.x

yes (3.5.3)

yes (3.5.3)

yes

Norton SystemWorks 2006 Premier

12.0.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Symantec AntiVirus

10.x

yes (3.5.3)

yes (3.5.3)

yes

Symantec AntiVirus

9.x

yes (3.5.0)

yes (3.5.0)

yes

Symantec AntiVirus Client

8.x

yes (3.5.0)

yes (3.5.0)

yes

Symantec AntiVirus Server

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Symantec AntiVirus Win64

10.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Symantec Client Security

10.x

yes (3.5.3)

yes (3.5.3)

yes

Symantec Client Security

9.x

yes (3.5.0)

yes (3.5.0)

yes

Symantec Endpoint Protection

11.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Symantec Scan Engine

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Trend Micro, Inc.

PC-cillin 2002

9.x

yes (3.5.1)

yes (3.5.1)

-

PC-cillin 2003

10.x

yes (3.5.0)

yes (3.5.0)

-

ServerProtect

5.x

yes (4.1.0.0)

yes (3.6.5.0)

-

Trend Micro Antivirus

11.x

yes (3.5.0)

yes (3.5.0)

yes

Trend Micro AntiVirus

15.x

yes (3.6.5.0)

yes (3.6.5.0)

-

Trend Micro AntiVirus

16.x

yes (4.1.3.0)

yes (4.1.3.0)

-

Trend Micro Client/Server Security

6.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Trend Micro Client/Server Security Agent

7.x

yes (3.5.12)

yes (3.5.12)

yes

Trend Micro HouseCall

1.x

yes (4.0.1.0)

yes (4.0.1.0)

-

Trend Micro Internet Security

11.x

yes (3.5.0)

yes (3.5.0)

yes

Trend Micro Internet Security

12.x

yes (3.5.0)

yes (3.5.0)

-

Trend Micro Internet Security

16.x

yes (4.1.3.0)

yes (4.1.3.0)

-

Trend Micro OfficeScan Client

5.x

yes (3.5.1)

yes (3.5.1)

yes

Trend Micro OfficeScan Client

6.x

yes (3.5.1)

yes (3.5.1)

yes

Trend Micro OfficeScan Client

7.x

yes (3.5.3)

yes (3.5.3)

yes

Trend Micro OfficeScan Client

8.x

yes (4.0.5.0)

yes (4.0.5.0)

yes

Trend Micro PC-cillin 2004

11.x

yes (3.5.0)

yes (3.5.0)

yes

Trend Micro PC-cillin Internet Security 12

12.x

yes (4.0.1.0)

yes (4.0.1.0)

-

Trend Micro PC-cillin Internet Security 14

14.x

yes (4.0.1.0)

yes (4.0.1.0)

yes

Trend Micro PC-cillin Internet Security 2005

12.x

yes (3.5.3)

yes (3.5.3)

yes

Trend Micro PC-cillin Internet Security 2006

14.x

yes (3.5.8)

yes (3.5.8)

yes

Trend Micro PC-cillin Internet Security 2007

15.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

VCOM

Fix-It Utilities 7 Professional [AntiVirus]

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Fix-It Utilities 8 Professional [AntiVirus]

8.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

SystemSuite 7 Professional [AntiVirus]

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

SystemSuite 8 Professional [AntiVirus]

8.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

VCOM Fix-It Utilities Professional 6 [AntiVirus]

6.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

VCOM SystemSuite Professional 6 [AntiVirus]

6.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Verizon

Verizon Internet Security Suite Anti-Virus

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

VirusBuster Ltd.

VirusBuster for Windows Servers

5.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

VirusBuster Professional

5.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Webroot Software, Inc.

Webroot Spy Sweeper Enterprise Client with AntiVirus

4.x

yes (4.1.3.2)

-

-

Webroot Spy Sweeper with AntiVirus

5.x

yes (4.1.3.0)

yes (4.1.3.0)

-

Yahoo!, Inc.

AT&T Yahoo! Online Protection [AntiVirus]

7.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

SBC Yahoo! Anti-Virus

7.x

yes (3.5.10.1)

yes (3.5.10.1)

yes

Verizon Yahoo! Online Protection [AntiVirus]

7.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Zone Labs LLC

ZoneAlarm Anti-virus

6.x

yes (3.5.5)

yes (3.5.5)

-

ZoneAlarm Security Suite

5.x

yes (3.5.0)

yes (3.5.0)

-

ZoneAlarm Security Suite

6.x

yes (3.5.5)

yes (3.5.5)

-

ZoneAlarm with Antivirus

5.x

yes (3.5.0)

yes (3.5.0)

-

1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server). If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.


Clean Access AV Support Chart (Windows ME/98)

Table 7 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 6 for Windows Vista/XP/2000.)

Table 7 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1

Product Name
Product Version
AV Checks Supported: Installation (Minimum Agent Version Needed; see footnote 1)
AV Checks Supported: Virus Definition (Minimum Agent Version Needed; see footnote 1)
Live Update (see footnotes 2 and 3)

Beijing Rising Technology Corp. Ltd.

Rising Antivirus Software AV

18.x

yes (4.0.5.0)

yes (4.0.5.0)

yes

Computer Associates International, Inc.

CA eTrust Antivirus

7.x

yes (3.5.3)

yes (3.5.3)

yes

eTrust EZ Antivirus

6.1.x

yes (3.5.0)

yes (3.5.8)

yes

eTrust EZ Antivirus

6.2.x

yes (3.5.0)

yes (3.5.0)

yes

eTrust EZ Antivirus

6.4.x

yes (3.5.0)

yes (3.5.0)

yes

eTrust EZ Antivirus

7.x

yes (3.5.3)

yes (3.5.3)

yes

eTrust EZ Armor

6.1.x

yes (3.5.3)

yes (3.5.8)

yes

McAfee, Inc.

McAfee Managed VirusScan

3.x

yes (3.5.8)

yes (3.5.8)

yes

McAfee VirusScan

10.x

yes (3.5.4)

yes (3.5.4)

yes

McAfee VirusScan

4.5.x

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan

8.x

yes (3.5.3)

yes (3.5.3)

yes

McAfee VirusScan

9.x

yes (3.5.3)

yes (3.5.3)

yes

McAfee VirusScan Professional

8.x

yes (3.5.3)

yes (3.5.3)

yes

McAfee VirusScan Professional

8xxx

yes (3.5.0)

yes (3.5.0)

yes

McAfee VirusScan Professional

9.x

yes (3.5.3)

yes (3.5.3)

yes

McAfee VirusScan Professional Edition

7.x

yes (3.5.0)

yes (3.5.0)

yes

SOFTWIN

BitDefender 8 Free Edition

8.x

yes (3.5.8)

yes (3.5.8)

-

BitDefender 8 Professional Plus

8.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender 8 Standard

8.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender 9 Professional Plus

9.x

yes (3.5.8)

yes (3.5.8)

-

BitDefender 9 Standard

9.x

yes (3.5.8)

yes (3.5.8)

-

BitDefender Free Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender Professional Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

BitDefender Standard Edition

7.x

yes (3.5.0)

yes (3.5.0)

-

Symantec Corp.

Norton AntiVirus

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2002

8.00.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2002

8.x

yes (3.5.1)

yes (3.5.1)

yes

Norton AntiVirus 2003

9.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2003 Professional Edition

9.x

yes (3.5.3)

yes (3.5.3)

yes

Norton AntiVirus 2004

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2004 (Symantec Corporation)

10.x

yes (3.5.0)

yes (3.5.0)

yes

Norton AntiVirus 2005

11.0.x

yes (3.5.0)

yes (3.5.0)

yes

Norton Internet Security

8.0.x

yes (3.5.0)

yes (3.5.0)

yes

Norton Internet Security

8.x

yes (3.5.1)

yes (3.5.1)

yes

Symantec AntiVirus

10.x

yes (4.0.5.0)

yes (4.0.5.0)

yes

Symantec AntiVirus

9.x

yes (3.5.8)

yes (3.5.3)

yes

Symantec AntiVirus Client

8.x

yes (3.5.9)

yes (3.5.9)

yes

Trend Micro, Inc.

PC-cillin 2003

10.x

yes (3.5.0)

yes (3.5.0)

-

Trend Micro Internet Security

11.x

yes (3.5.0)

yes (3.5.0)

-

Trend Micro Internet Security

12.x

yes (3.5.0)

yes (3.5.0)

-

Trend Micro OfficeScan Client

7.x

yes (4.0.5.0)

yes (4.0.5.0)

-

Trend Micro PC-cillin 2004

11.x

yes (3.5.0)

yes (3.5.0)

-

Trend Micro PC-cillin Internet Security 2005

12.x

yes (3.5.3)

yes (3.5.3)

-

1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server). If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.


Clean Access AS Support Chart (Windows Vista/XP/2000)

Table 8 lists Windows Vista/XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.

Table 8 Clean Access Antispyware Product Support Chart (Windows Vista/XP/2000)
Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1

Product Name
Product Version
AS Checks Supported: Installation (Minimum Agent Version Needed; see footnote 1)
AS Checks Supported: Spyware Definition (Minimum Agent Version Needed; see footnote 1)
Live Update (see footnote 2)

Agnitum Ltd.

Outpost Firewall Pro 2008 [AntiSpyware]

6.x

yes (4.1.3.2)

yes (4.1.3.2)

-

AhnLab, Inc.

AhnLab SpyZero 2.0

2.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

AhnLab SpyZero 2007

3.x

yes (3.6.5.0)

yes (3.6.5.0)

yes

AhnLab V3 Internet Security 2007 Platinum AntiSpyware

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

AhnLab V3 Internet Security 2008 Platinum AntiSpyware

7.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware

7.x

yes (4.1.2.0)

yes (4.1.2.0)

yes

America Online, Inc.

AOL Safety and Security Center Spyware Protection

2.0.x

yes (4.1.0.0)

-

-

AOL Safety and Security Center Spyware Protection

2.1.x

yes (4.1.0.0)

yes (4.1.0.0)

-

AOL Safety and Security Center Spyware Protection

2.2.x

yes (4.1.0.0)

yes (4.1.0.0)

-

AOL Safety and Security Center Spyware Protection

2.3.x

yes (4.1.0.0)

yes (4.1.0.0)

-

AOL Safety and Security Center Spyware Protection

2.x

yes (3.6.1.0)

yes (3.6.1.0)

-

AOL Spyware Protection

1.x

yes (3.6.0.0)

yes (3.6.0.0)

-

AOL Spyware Protection

2.x

yes (3.6.0.0)

yes (4.1.3.0)

-

Anonymizer, Inc.

Anonymizer Anti-Spyware

1.x

yes (4.1.0.0)

yes (4.1.0.0)

-

Anonymizer Anti-Spyware

3.x

yes (4.1.0.0)

yes (4.1.0.0)

-

Authentium, Inc.

Cox High Speed Internet Security Suite

3.x

yes (4.0.4.0)

-

yes

AVG Technologies

AVG 8.0 [AntiSpyware]

8.x

yes (4.1.3.2)

-

yes

BellSouth

BellSouth Internet Security Anti-Spyware

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Check Point, Inc

ZoneAlarm (AntiSpyware)

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

ZoneAlarm Anti-Spyware

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

ZoneAlarm Pro Antispyware

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

ZoneAlarm Security Suite Antispyware

7.x

yes (4.0.5.0)

yes (4.0.5.0)

yes

Computer Associates International, Inc.

CA eTrust Internet Security Suite AntiSpyware

10.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

CA eTrust Internet Security Suite AntiSpyware

5.x

yes (3.6.1.0)

yes (3.6.1.0)

yes

CA eTrust Internet Security Suite AntiSpyware

8.x

yes (4.1.2.0)

yes (4.1.2.0)

yes

CA eTrust Internet Security Suite AntiSpyware

9.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

CA eTrust PestPatrol

5.x

yes (3.6.1.0)

yes (4.0.6.0)

yes

CA eTrust PestPatrol Anti-Spyware

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

CA eTrust PestPatrol Anti-Spyware Corporate Edition

5.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

PestPatrol Corporate Edition

4.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

PestPatrol Standard Edition (Evaluation)

4.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

EarthLink, Inc.

Aluria Security Center AntiSpyware

1.x

yes (4.1.0.0)

yes (4.1.0.0)

-

EarthLink Protection Control Center AntiSpyware

1.x

yes (3.6.0.0)

yes (3.6.0.0)

-

EarthLink Protection Control Center AntiSpyware

2.x

yes (4.0.6.0)

-

-

EarthLink Protection Control Center AntiSpyware

3.x

yes (4.1.3.0)

-

-

Primary Response SafeConnect

2.x

yes (3.6.5.0)

-

-

FaceTime Communications, Inc.

X-Cleaner Deluxe

4.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

F-Secure Corp.

F-Secure (AntiSpyware)

7.x

yes (4.1.3.0)

yes (4.1.3.0)

-

F-Secure Internet Security (AntiSpyware)

7.x

yes (4.1.3.0)

yes (4.1.3.0)

-

Grisoft, Inc.

AVG Anti-Malware [AntiSpyware]

7.x

yes (4.1.2.0)

-

-

AVG Anti-Spyware 7.5

7.x

yes (4.0.5.1)

yes (4.0.5.1)

-

iS3 Inc.

STOPzilla

5.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Javacool Software LLC

SpywareBlaster v3.1

3.1.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

SpywareBlaster v3.2

3.2.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

SpywareBlaster v3.3

3.3.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

SpywareBlaster v3.4

3.4.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

SpywareBlaster v3.5.1

3.5.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Kingsoft Corp.

Kingsoft AntiSpyware 2007 Free

2007.x

yes (4.1.3.2)

yes (4.1.3.2)

-

Kingsoft Internet Security [AntiSpyware]

7.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Lavasoft, Inc.

Ad-Aware 2007

7.x

yes (4.1.3.0)

-

-

Ad-Aware 2007 Professional

7.x

yes (4.0.6.1)

-

yes

Ad-aware 6 Professional

6.x

yes (3.6.0.0)

yes (3.6.0.0)

-

Ad-Aware SE Personal

1.x

yes (3.6.0.0)

yes (3.6.0.0)

-

Ad-Aware SE Professional

1.x

yes (3.6.1.0)

yes (3.6.1.0)

yes

McAfee, Inc.

McAfee AntiSpyware

1.5.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

McAfee AntiSpyware

1.x

yes (3.6.0.0)

yes (4.1.0.0)

yes

McAfee AntiSpyware

2.0.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

McAfee AntiSpyware

2.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

McAfee AntiSpyware Enterprise

8.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

McAfee Anti-Spyware Enterprise Module

8.0.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

McAfee AntiSpyware Enterprise Module

8.5.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

McAfee VirusScan AS

11.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

McAfee VirusScan AS

12.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

MicroSmarts LLC

Spyware Begone

4.x

yes (3.6.0.0)

-

-

Spyware Begone

6.x

yes (4.1.0.0)

-

-

Spyware Begone

8.x

yes (4.1.0.0)

-

-

Spyware Begone Free Scan

7.x

yes (3.6.0.0)

-

-

Spyware Begone V7.30

7.30.x

yes (3.6.1.0)

-

-

Spyware Begone V7.40

7.40.x

yes (3.6.1.0)

-

-

Spyware Begone V7.95

7.95.x

yes (4.1.0.0)

-

-

Spyware Begone V8.20

8.20.x

yes (4.1.0.0)

-

-

Spyware Begone V8.25

8.25.x

yes (4.1.0.0)

-

-

Spyware Begone! Version 9

9.x

yes (4.1.3.2)

-

-

Microsoft Corp.

Microsoft AntiSpyware

1.x

yes (4.0.6.0)

-

yes

Windows Defender

1.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Windows Defender Vista

1.x

yes (4.0.5.0)

yes (4.0.5.0)

yes

Omniquad

Omniquad Total Security

2.0.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Panda Software

Panda Titanium 2006 Antivirus + Antispyware [AntiSpyware]

5.x

yes (4.1.3.2)

yes (4.1.3.2)

-

PC Tools Software

PC Tools Internet Security [Antispyware]

5.x

yes (4.1.3.0)

-

-

PC Tools Spyware Doctor

5.x

yes (4.1.3.2)

-

yes

Spyware Doctor

4.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Spyware Doctor

5.x

yes (4.0.6.0)

-

yes

Spyware Doctor 3.0

3.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

Spyware Doctor 3.1

3.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

Spyware Doctor 3.2

3.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

Spyware Doctor 3.5

3.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Spyware Doctor 3.8

3.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Spyware Doctor [AntiSpyware]

5.x

yes (4.1.3.2)

-

yes

Prevx Ltd.

Prevx1

1.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Prevx1

2.x

yes (4.1.0.0)

yes (4.1.0.0)

yes

Prevx Home

2.x

yes (3.6.0.0)

yes (3.6.0.0)

-

Radialpoint Inc.

Radialpoint Security Services Spyware Protection

6.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Radialpoint Spyware Protection

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Zero-Knowledge Systems Radialpoint Security Services Spyware Protection

6.x

yes (4.0.6.0)

yes (4.0.6.0)

yes

Safer Networking Ltd.

Spybot - Search & Destroy 1.3

1.3

yes (3.6.0.0)

yes (3.6.0.0)

yes

Spybot - Search & Destroy 1.4

1.4

yes (3.6.0.0)

yes (3.6.0.0)

yes

Spybot - Search & Destroy 1.5

1.x

yes (4.0.6.1)

yes (4.0.6.1)

-

Sereniti, Inc.

Sereniti Antispyware

1.x

yes (4.0.6.0)

-

yes

The River Home Network Security Suite Antispyware

1.x

yes (4.0.6.0)

-

yes

SOFTWIN

BitDefender 9 Antispyware

9.x

yes (4.1.0.0)

yes (4.1.0.0)

-

BitDefender 9 Internet Security AS

9.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

BitDefender Antivirus Plus v10 AS

10.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

BitDefender Antivirus v10 AS

10.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

BitDefender Internet Security v10 AS

10.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

Sunbelt Software

CounterSpy Enterprise Agent

1.8.x

yes (4.0.6.0)

-

-

CounterSpy Enterprise Agent

2.0.x

yes (4.1.3.0)

-

-

Sunbelt CounterSpy

1.x

yes (3.6.0.0)

-

yes

Sunbelt CounterSpy

2.x

yes (4.0.6.0)

-

yes

Symantec Corp.

Norton Internet Security AntiSpyware

15.x

yes (4.1.3.0)

-

-

Norton Spyware Scan

2.x

yes (4.1.0.0)

yes (4.1.0.0)

-

Trend Micro, Inc.

Trend Micro Anti-Spyware

3.5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Trend Micro Anti-Spyware

3.x

yes (3.6.0.0)

-

-

Trend Micro PC-cillin Internet Security 2007 AntiSpyware

15.x

yes (4.1.0.0)

yes (4.1.3.2)

yes

VCOM

Fix-It Utilities 7 Professional [AntiSpyware]

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

Fix-It Utilities 8 Professional [AntiSpyware]

8.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

SystemSuite 7 Professional [AntiSpyware]

7.x

yes (4.0.5.1)

yes (4.0.5.1)

yes

SystemSuite 8 Professional [AntiSpyware]

8.x

yes (4.1.3.2)

yes (4.1.3.2)

yes

VCOM Fix-It Utilities Professional 6 [AntiSpyware]

6.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

VCOM SystemSuite Professional 6 [AntiSpyware]

6.x

yes (4.1.3.0)

yes (4.1.3.0)

yes

Verizon

Verizon Internet Security Suite Anti-Spyware

5.x

yes (4.0.5.1)

yes (4.0.5.1)

-

Webroot Software, Inc.

Spy Sweeper

3.x

yes (3.6.0.0)

-

-

Spy Sweeper

4.x

yes (3.6.0.0)

-

-

Spy Sweeper

5.0.x

yes (4.1.3.0)

-

-

Spy Sweeper

5.x

yes (4.1.0.0)

-

-

Webroot Spy Sweeper Enterprise Client

1.x

yes (3.6.0.0)

-

-

Webroot Spy Sweeper Enterprise Client

2.x

yes (3.6.1.0)

-

-

Webroot Spy Sweeper Enterprise Client

3.5.x

yes (4.1.3.2)

-

-

Webroot Spy Sweeper Enterprise Client

3.x

yes (4.0.5.1)

-

-

Yahoo!, Inc.

AT&T Yahoo! Online Protection

2006.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

CA Yahoo! Anti-Spy

2.x

yes (4.1.3.2)

-

-

SBC Yahoo! Applications

2005.x

yes (3.6.0.0)

yes (3.6.0.0)

yes

Verizon Yahoo! Online Protection

2005.x

yes (4.0.6.1)

yes (4.0.6.1)

yes

Yahoo! Anti-Spy

1.x

yes (3.6.0.0)

yes (3.6.0.0)

-

Zone Labs LLC

Integrity Agent

6.x

yes (4.1.2.0)

yes (4.1.2.0)

-

1 "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.


Supported AV/AS Product List Version Summary

Table 9 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list.

Table 9 Supported AV/AS Product List Versions 

Version
Enhancements

Release 4.1.3.1—4.1.3.2/4.1.3.1/4.1.3.0 Agents

Version 68

Added New AV Products (Windows Vista/XP/2000):

AVG 8.0 [AntiVirus], 8.x

BullGuard 8.0, 8.x

Quick Heal AntiVirus Lite, 9.5.x

Quick Heal AntiVirus Plus, 9.5.x

ZoneAlarm Anti-virus, 7.0.x

ZoneAlarm (AntiVirus), 7.0.x

ZoneAlarm Security Suite Antivirus, 7.0.x

NOD32 antivirus system, x

NOD32 Antivirus System, x

NOD32 antivirus System, x

ESET NOD32 Antivirus, 3.x

F-Secure Anti-Virus for Windows Servers, 5.x

Kaspersky Anti-Virus for Windows File Servers, 6.x

Kaspersky Anti-Virus for Windows Servers, 6.x

Kaspersky Internet Security 8.0, 8.x

Kingsoft AntiVirus 2007 Free, 2007.x

Windows Live OneCare, 2.x

PC Tools AntiVirus 2008, 4.x

PC Tools Spyware Doctor [Antivirus], 5.x

Spyware Doctor [Antivirus], 5.x

BitDefender Free Edition v10, 10.x

Norton 360 (Symantec Corporation), 2.x

Fix-It Utilities 8 Professional [AntiVirus], 8.x

SystemSuite 8 Professional [AntiVirus], 8.x

VirusBuster for Windows Servers, 5.x

VirusBuster Professional, 5.x

Webroot Spy Sweeper Enterprise Client with AntiVirus, 4.x

Added New AS Products (Windows Vista/XP/2000):

Outpost Firewall Pro 2008 [AntiSpyware], 6.x

AVG 8.0 [AntiSpyware], 8.x

STOPzilla, 5.x

Kingsoft AntiSpyware 2007 Free, 2007.x

Spyware Begone! Version 9, 9.x

Panda Titanium 2006 Antivirus + Antispyware [AntiSpyware], 5.x

PC Tools Spyware Doctor, 5.x

Spyware Doctor [AntiSpyware], 5.x

BitDefender 9 Internet Security AS, 9.x

BitDefender Antivirus Plus v10 AS, 10.x

BitDefender Antivirus v10 AS, 10.x

BitDefender Internet Security v10 AS, 10.x

Fix-It Utilities 8 Professional [AntiSpyware], 8.x

SystemSuite 8 Professional [AntiSpyware], 8.x

Webroot Spy Sweeper Enterprise Client, 3.5.x

CA Yahoo! Anti-Spy, 2.x

Added Spyware definition check support:

Trend Micro PC-cillin Internet Security 2007 AntiSpyware, 15.x

Release 4.1(3)—4.1.3.1/4.1.3.0 Windows Clean Access Agents

Version 67

Added New AV Products (Windows Vista/XP/2000):

AhnLab V3 Internet Security 2007, 7.x

AhnLab V3 Internet Security 2008 Platinum, 7.x

Avira AntiVir PersonalEdition Classic, 7.x

Rising Antivirus Software AV, 20.x

CA Anti-Virus, 9.x

eTrust Antivirus, 6.0.x

EarthLink Protection Control Center AntiVirus, 3.x

F-Secure Internet Security 2005, 5.x

G DATA AntiVirus 2008, 18.x

G DATA AntiVirusKit, 17.x

G DATA InternetSecurity [Antivirus], 17.x

G DATA InternetSecurity [Antivirus], 18.x

G DATA TotalCare [Antivirus], 18.x

ViRobot Desktop, 5.x

Jiangmin AntiVirus KV2007, 10.x

Kaspersky Anti-Virus 7.0, 7.x

Kaspersky Internet Security 7.0, 7.x

McAfee VirusScan, 12.x

Panda Antivirus + Firewall 2008, 7.x

PC Tools AntiVirus 2.0, 2.x

PC Tools AntiVirus 2007, 3.x

PC Tools Internet Security [Antivirus], 5.x

ThreatFire 3.0, 3.x

Radialpoint Security Services Virus Protection, 6.x

Dr.Web, 4.44.x

BitDefender Antivirus 2008, 11.x

BitDefender Client Professional Plus, 8.x

BitDefender Internet Security 2008, 11.x

BitDefender Total Security 2008, 11.x

Norton Security Scan, 1.x

Trend Micro AntiVirus, 16.x

Trend Micro Internet Security, 16.x

VCOM SystemSuite Professional 6 [AntiVirus], 6.x

Webroot Spy Sweeper with AntiVirus, 5.x

Added New AS Products (Windows Vista/XP/2000):

AhnLab V3 Internet Security 2008 Platinum AntiSpyware, 7.x

CA eTrust Internet Security Suite AntiSpyware, 10.x

EarthLink Protection Control Center AntiSpyware, 3.x

F-Secure (AntiSpyware), 7.x

F-Secure Internet Security (AntiSpyware), 7.x

Ad-Aware 2007, 7.x

McAfee AntiSpyware, 2.0.x

McAfee AntiSpyware Enterprise Module, 8.5.x

McAfee VirusScan AS, 12.x

Omniquad Total Security, 2.0.x

PC Tools Internet Security [Antispyware], 5.x

Radialpoint Security Services Spyware Protection, 6.x

CounterSpy Enterprise Agent, 2.0.x

Norton Internet Security AntiSpyware, 15.x

VCOM SystemSuite Professional 6 [AntiSpyware], 6.x

Spy Sweeper


Caveats

This section describes the following caveats:

Open Caveats - Release 4.1(3)

Resolved Caveats - Windows Clean Access Agent 4.1.3.2

Resolved Caveats - Mac OS X Agent 4.1.3.1

Resolved Caveats - Release 4.1.3.1

Resolved Caveats - Cisco NAC Web Agent 4.1.3.10

Resolved Caveats - Windows Clean Access Agent 4.1.3.1

Resolved Caveats - Release 4.1(3)


Note If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 4.1(3)


Note Refer to the applicable version of the Release Notes for Cisco NAC Profiler for caveats related to Cisco NAC Profiler.


Table 10 List of Open Caveats

DDTS Number
Software Release 4.1(3)
Corrected
Caveat

CSCsd03509

No

The Time Servers setting is not updated in HA-Standby CAM web console

After updating the "Time Servers" setting in HA-Primary CAM, the counterpart "Time Servers" setting for the HA-Standby CAM does not get updated in the web console even though the "Time Servers" setting is updated in the HA-Standby CAM database.

CSCsd90433

No

Apache does not start on HA-Standby CAM after heartbeat link is restored.

Output from the fostate.sh command shows "My node is standby without web console, peer node is active."

CSCse86581

No

Agent does not correctly recognize def versions on the following Trend AV products:

PC-cillin Internet Security 2005

PC-cillin Internet Security 2006

OfficeScan Client

Tested Clients:

PC-cillin Internet Security 2006 (English) on US-English Windows 2000 SP4

OfficeScan Client (English) on US-English Windows 2000 SP4

VirusBuster 2006 Internet Security (Japanese) on Japanese Windows XP SP2

VirusBuster Corporate Edition (Japanese) on Japanese Windows XP SP2

CSCsg07369

No

Incorrect "IP lease total" displayed on editing manually created subnets

Steps to reproduce:

1. Add a Managed Subnet having at least 2500+ IP addresses (for example 10.101.0.1/255.255.240.0) using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Advanced > Managed Subnet.

2. Create a DHCP subnet with 2500+ hosts using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > New.

3. Edit the newly created subnet using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > Edit.

4. Click Update. The CAM displays a warning informing the administrator that the current IP Range brings IP lease total up to a number that is incorrect. The CAM counts the IP address in the subnet twice, creating the incorrect count.

The issue is judged to be cosmetic and does not affect DHCP functionality.

CSCsg66511

No

Configuring HA-failover synchronization settings on Secondary CAS takes an extremely long time

Once you have configured the Secondary CAS HA attributes and click Update, it can take around 3 minutes for the browser to get the response from the server. (Configuring HA-failover synchronization on the Primary CAS is nearly instantaneous.)

CSCsh77730

No

Clean Access Agent locks up when greyed out OK button is pressed

The Clean Access Agent locks up when the client machine refreshes its IP address. This only occurs when doing an IP release/renew, so the CAS must be in an OOB setup.

If the Automatically close login success screen after <x> secs option is enabled and the duration set to 0 (instantaneous) in the Clean Access > General Setup > Agent Login page and the user clicks on the greyed out OK button while the IP address is refreshing, the Clean Access Agent locks up after refreshing the IP address. The IP address is refreshed and everything else on the client machine works, but the user cannot close the Clean Access Agent without exiting via the system tray icon, thus "killing" the Agent process.

Workaround: Either uncheck the box or set that timer to a non-zero value. If it is set to anything else, and the user hits the greyed out OK button while the IP is refreshing, then the Agent window closes successfully.

CSCsi07595

No

DST fix will not take effect if generic MST, EST, HST, etc. options are specified

Due to a Java runtime implementation, the DST 2007 fix does not take effect for Cisco NAC Appliances that are using generic time zone options such as "EST," "HST," or "MST" on the CAM/CAS UI time settings.

Workaround

If your CAM/CAS machine time zone setting is currently specified via the UI using a generic option such as "EST," "HST," or "MST," change this to a location/city combination, such as "America/Denver."

Note CAM/CAS machines using time zone settings specified by the "service perfigo config" script or specified as location/city combinations in the UI, such as "America/Denver" are not affected by this issue.

CSCsk55292

No

Agent not added to system tray during boot up

When the Agent is installed on a Windows client, the Start menu is updated and Windows tries to contact AD (in some cases where the AD credentials are expired) to refresh the Start menu.

Due to the fact that the client machine is still in the Unauthenticated role, AD cannot be contacted and an approximately 60 second timeout ensues, during which the Windows taskbar elements (Start menu, System Tray, and Task Bar) are locked. As a result, the Agent displays a "Failed to add Clean Access Agent icon to taskbar status area" error message.

Workaround

Allow AD traffic through the CAS for clients in the Unauthenticated role.

Try to start the Agent manually after the install and auto load process fails.

CSCsk58244

No

Clean Access Report for WSUS shows failed

This situation applies to Windows XP and Windows Vista client machines. The Agent report on the CAM does not show any of the updates required for the client.

CSCsl00736

No

Download of the Cisco NAC Web Agent fails if the link speed is below 50Kbits/s

Note Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.

CSCsl13782

No

Microsoft Internet Explorer 7.0 browser pop-ups on Windows Vista launched from the Summary Report appear behind the Summary Report window

This is also seen when you click on the Policy link in the Policy window. This issue appears on Vista Ultimate and Vista Home, but is not seen with Firefox or on Internet Explorer versions running in Windows 2000 or Windows XP.

Note This problem only happens when a Google tool bar is installed and enabled in Internet Explorer.

CSCsl71585

No

DHCP status does not display non-restricted scope with Relay IP restriction

When a DHCP range with no restrictions and a DHCP range with a Relay-IP restriction are created using the Clean Access Manager (CAM) GUI, the DHCP range with no restrictions does not display.

Steps to reproduce:

1. Create a DHCP scope with no restriction, either VLAN ID or Relay-IP on the CAS using the CAM GUI.
2. Add a static route on the CAS using the CAM GUI.
3. Create another DHCP scope with a relay-IP restriction.
4. Go to the DHCP Status web page. The web page only displays the IPs for the relay-IP restriction and does not display the non-restricted IP scope.

Workaround: Avoid creating DHCP scopes having both no restrictions and Relay-IP restrictions.

Note The issue is known to be cosmetic and does not affect functionality.

CSCsl17379

No

Multiple Clean Access Agent pop-ups with Multi NIC in L2 VGW OOB role-based VLAN

The user sees multiple Clean Access Agent login dialogs with two or more active NICs on the same client machine pointing to the Unauthenticated network access point (eth1 IP address).

After the first Clean Access Agent pops up and the user logs in, a second Agent login dialog pops up. If the user logs in to this additional Agent instantiation there are now two entries for the same system with both MAC addresses in the CAM's Certified Device List and Online Users List.

Workaround

The user can manually Disable Agent login pop-up after authentication.

CSCsl22653

No

Mac OS X Agent running on 10.2 does not display green colored icons in places like the "About Us" dialog in the Finder.

CSCsl22774

No

Incorrect download filename perfigo_dm_enforce.jsp for the 10.2 version of the Mac OS X Agent

The filename for the agent download file should be "CCAAgent_MacOSX.tar," similar to that in versions 10.3, 10.4, and 10.5.

CSCsl40626

No

Cisco NAC Web Agent should handle certificate revocation dialogs similar to Clean Access Agent

Upon logging in via the Cisco NAC Web Agent (with certificate revocation turned on or with Norton 360 installed), the user is presented with a "Revocation information for the security certificate for this site is not available. Do you want to proceed?" dialog box several times (approximately 40 to 50 times). If the user clicks Yes to proceed enough times, the Web Agent fails to login and reports "You will not be allowed to access the network due to internal error. Please contact your administrator." back to the user.

CSCsl40812

No

The Refresh Windows domain group policy after login option is not functioning for Cisco NAC Web Agent

(It is working fine with the Clean Access Agent.)

This scenario was tested by configuring a GPO policy for a Microsoft Internet Explorer browser title. The browser was not refreshed as expected after logging in using the Web Agent.

CSCsl75403

No

MAC filter does not work for Macintosh client machines connected to the network in VPN environment

Steps to reproduce:

1. Set up a VPN environment.
2. Get the MAC address of the en0 interface of Macintosh client machine.
3. Put the MAC address in the CAM device filter list with "Deny" access type.
4. Connect the Macintosh client machine to the VPN concentrator.
5. Agent will be allowed to perform VPN SSO [or present login page if no VPN SSO is configured].
6. Traffic originating from the client machine on the untrusted network is allowed to go to the trusted network even though the MAC address of the client machine is denied in the device filter list.

CSCsl77701

No

Network Error dialog appears during CAS HA failover

When a user is logged in as an ADSSO user on a CAS HA system and the CAS experiences a failover event, the user sees a pop-up message reading, "Network Error! Detail: The network cannot be accessed because your machine cannot connect to the default gateway. Please release/renew IP address manually."

This is not an error message and the user is still logged in to the system. The user simply needs to click on the Close button to continue normal operation.

CSCsl88429

No

User sees Invalid session after pressing [F5] following Temporary role time-out

When a user presses [F5] or [Refresh] to refresh the web page after the Agent Temporary role access timer has expired, the user sees an "Invalid" session message. If the user then attempts to navigate to the originally requested web address, they are prompted with the web login page again and are able to log in.

CSCsl88627

No

Description of removesubnet has "updatesubnet" in op field

The removesubnet API function description has "updatesubnet" listed in its operations field. The description should read "removesubnet."

CSCsm20254

No

CAS duplicates HSRP packets with Cisco NAC Profiler Collector Modules enabled.

Symptom

HSRP duplicate frames are sent by CAS in Real-IP Gateway with Collector modules enabled. This causes HSRP issues and the default gateway to go down.

Conditions

Real-IP Gateway and Collector modules enabled on a CAS with ETH0 and/or ETH1 configured for NetWatch.

Workaround

Do not configure the CAS' ETH0 trusted interface or ETH1 untrusted interface in the NetWatch configuration settings for the CAS Collector. It is not a supported configuration.

CSCsm20655

No

Cannot do a minor upgrade for Clean Access Agent from MSI package.

When CCAAgent.msi is used and the Clean Access Agent is upgraded to a minor version (e.g. 4.1.2.1 to 4.1.2.2) the following error message will be displayed:

"Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel."

Reason: Windows Installer uses only the first three fields of the product version. When a fourth field is included in the product version, the installer ignores the fourth field. For details refer to http://msdn2.microsoft.com/en-us/library/aa370859(VS.85).aspx

Workaround

Uninstall the program from Add/Remove Programs before installing it.

CSCsm25788

No

Avast 4.7 showing as not up to date with Cisco NAC Appliance Release 4.1(3)

The user is told that Avast needs to be updated even though it shows as up to date. This occurs when the user is running Avast 4.7 and the Agent version is 4.1.3.0 or 4.1.3.1.

Workaround

Create a custom check for Avast that allows the users on without verifying the definition version.

CSCsm53743

No

File ownership of Mac OS X Agent directory and related files should be corrected

File ownership of Mac OS X Agent and related files should be "root:admin."

Currently, the file ownership is with UID 505 and GID 505. Anyone able to assume this UID could potentially modify the Agent application files and introduce a security threat.
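An ownership audit for the condition described in CSCsm53743, as an added example that is not Cisco code: it walks an installed tree and reports every entry whose owner or group differs from the expected pair, or that any local user can write. The `SampleAgent.app` tree is constructed for the demonstration and is not the Agent's real layout; on a real Mac the expected pair would be root:admin as stated above.

```python
import os
import pwd
import stat
import tempfile


def describe_uid(uid):
    """Return 'uid (name)', or flag a uid that maps to no local account."""
    try:
        return f"{uid} ({pwd.getpwuid(uid).pw_name})"
    except KeyError:
        return f"{uid} (no local account)"


def audit_tree(root, expected_uid, expected_gid):
    """Return [(path, [reasons])] for entries under root, root included,
    that are not owned by expected_uid:expected_gid or are world-writable."""
    paths = [root]
    # os.walk does not follow symlinks, so the audit stays inside root.
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)  # inspect the entry itself, not a link target
        reasons = []
        if st.st_uid != expected_uid:
            reasons.append(
                f"owner is uid {describe_uid(st.st_uid)}, expected {expected_uid}"
            )
        if st.st_gid != expected_gid:
            reasons.append(f"group is gid {st.st_gid}, expected {expected_gid}")
        # Symlink mode bits are meaningless, so skip the write check for them.
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            reasons.append("writable by any local user")
        if reasons:
            findings.append((path, reasons))
    return findings


def build_sample_tree(base):
    """Constructed stand-in for an installed agent bundle (hypothetical names)."""
    bundle = os.path.join(base, "SampleAgent.app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    binary = os.path.join(macos, "agent")
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\n")
    for p in (bundle, os.path.join(bundle, "Contents"), macos, binary):
        os.chmod(p, 0o755)
    return bundle, binary


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        bundle, binary = build_sample_tree(base)
        owner = os.lstat(bundle)
        # On a real Mac, resolve the expected pair by name instead:
        #   pwd.getpwnam("root").pw_uid and grp.getgrnam("admin").gr_gid
        # Here the tree's own owner plays the "expected" role, and a
        # different uid plays the unexpected-owner case from the caveat.
        print("unexpected owner:")
        for path, reasons in audit_tree(bundle, owner.st_uid + 1, owner.st_gid):
            print("  ", path, "->", "; ".join(reasons))
        os.chmod(binary, 0o777)
        print("loose permissions:")
        for path, reasons in audit_tree(bundle, owner.st_uid, owner.st_gid):
            print("  ", path, "->", "; ".join(reasons))
```
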

CSCsm76779

No

CSRF tag is added to CAS specific MAC Device Filter description field upon edit

Steps to reproduce:

1. Go to CAS-specific device filters in the CAM web console (Device Management > Clean Access Servers > Manage [IP_Address] > Filter > Devices).

2. Edit a device filter with the description field like
"<a href='http://www.cisco.com'>Cisco</a>"

3. Click Save. A CSRF tag is appended to (and is visible in) the hypertext entry in the device filter description field.

Subsequent entry updates also append the same CSRF tag each time the administrator edits the description. After editing the description 3 times, however, the entry can no longer be edited and the CAS returns an "Updating device MAC failed" error message.

Note This issue only addresses CAS-specific device filters and not global device filters addressed with caveat CSCsm55679.

CSCsm79088

No

Mac OS X Agent reports "Unknown user" when sending the second logout request

The Mac OS X Agent specifies an "Unknown user" when it sends a second logout request before receiving a response from the first logout request.

Steps to reproduce:

1. Log into the network using the Mac OS X Agent.

2. Right-click on Agent icon and choose Logout.

3. Repeat step 2 before receiving a response for the first logout request.

The Mac Agent displays a "Cisco Clean Access Agent is having a difficulty with the server. Unknown user." error message, resulting in a situation where the client machine no longer appears in the CAM's Online Users list even though the Agent indicates that the user is logged in. In this situation, the Mac Agent essentially "freezes" as the user is no longer able to log out, either.


Resolved Caveats - Windows Clean Access Agent 4.1.3.2

Refer to Windows Clean Access Agent Version 4.1.3.2 for additional information.

Table 11 List of Closed Caveats

DDTS Number
Windows Clean Access Agent 4.1.3.2
Corrected
Caveat

CSCsl77778

Yes

Russian Language is not translated accurately in 4.1.3.0 Agent

Clean Access Agent version 4.1.3.0 displays English language in native Russian Windows operating systems and displays garbled Russian characters. For best results, Cisco recommends using the Russian version of the Clean Access Agent on a native Russian version of the Windows operating system.

Note This also pertains to the 4.1.1.0 Clean Access Agent.

CSCsl77801

Yes

Turkish language partially translated in 4.1.3.0 Clean Access Agent

Not all of the 4.1.3.0 Clean Access Agent dialogs related to new release 4.1(3) features (Auto-Remediation, new WSUS messages) are properly translated. Some read "Unknown String."

CSCsm04923

Yes

Windows 2000 clients are asked to log in when using a MAC address filter

This issue arises when the client machine is running the Nortel VPN software and Windows Clean Access Agent version 4.1.2.1.

CSCsm38529

Yes

A client with two active NICs faces repeated IP refresh events

Practical Scenario

1. Connect cable for the first NIC. The client is authenticated by the CAS.

2. Enable 2nd NIC. Authentication for the second NIC does not start, because the default gateway is still valid on the first active NIC.

3. The multiple NIC support feature blocks unneeded authentication.

4. Disconnect cable for the first NIC. The default gateway changes to the second NIC. However, the Agent does not send an ARP packet to the default gateway, and the client machine starts to repeatedly refresh the IP address.

The problem is not solved until the user exits and restarts the Agent or reboots the PC.

Workaround

1. Reload the Agent or PC.

2. Disable the Access to Authentication VLAN Change Detection feature.

CSCsm39238

Yes

In 4.1.3.0 and 4.1.3.1 Windows Agents, clients that fail requirements may get hung at the Login Screen with "Validating Requirements...Please Wait" showing on the Agent

This occurs when the session timer for the Agent Temporary Role is set to "Disabled," and when the user fails a requirement.

Navigate to User Management > User Roles > Schedule > Session Timer in the CAM web console and set the Session Timeout value for the Temporary Role equal to a positive integer value. The Agent allows that amount of time for the user to remediate.

In prior Agent versions, the Agent interpreted "Disabled" to mean unlimited time. However in 4.1.3.x, the Agent seems to interpret this as "0" and when the user fails a requirement, the user gets stuck because they have 0 seconds to remediate. (The remediation screen never appears and the user is stuck on the login screen.)

Note Users that pass all requirements are fine.

CSCsm54763

Yes

Symantec endpoint protection definition updates require administrator permissions.

This issue is resolved in Windows Clean Access Agent version 4.1.3.2.

Workaround

Users can manually update their endpoint protection from the Symantec software user interface.

CSCsm42572

Yes

NOD 32 antivirus fails an AV definition check even though it is up to date

This occurs when running version 4.1.3.0 of the Windows Clean Access Agent. Currently, the only workaround is to create a custom check to "allow" NOD 32 users without checking for the definition version.

CSCsm62326

Yes

The 4.1.3.0 Windows Clean Access Agent installation process returns message: "Error 1324. The path My Pictures contains an invalid character"

This occurs if the My Documents folder is mapped to a remote server to which the user does not have access in the unauthenticated role, for example: \\servername\userid\My Documents.

Workarounds

Enable off-line file access.

Allow access to the server in the unauthenticated role.

CSCsm67052

Yes

When using Clean Access Agent posture assessment with Webroot AntiSpyware Corporate Edition, the Agent incorrectly detects the AS product as an unknown AV product and does not display the correct definition information. The administrator sees the following in the user Agent report:

Client AV Info
Product ID: WmiAV
Product Name: Webroot Software Inc. unknown product
Product Version: 3.5
Virus Definition File Version:
Virus Definition File Date:

This occurs with Windows Agent versions 4.1.2.x and 4.1.3.x when used in conjunction with Webroot AntiSpyware Corporate Edition 3.5.

Workaround

Create a custom check using the following value: HKLM\\Software\\Webroot\\Enterprise\\CommAgent\\sdfv.

CSCso22399

Yes

On Windows 2000 SP4, the Clean Access Agent takes about 15 minutes to perform an IP refresh

After switching back to the Authentication VLAN when the Access to Authentication VLAN change detection feature is enabled, and the VlanDetectInterval value is set to 5 per the appropriate registry key setting, the Windows Agent can take up to 15 minutes before the client machine recognizes the VLAN change from Access back to Auth and completes the client IP refresh.

Note This issue only occurs on Windows 2000 SP4 client machines where the user does not have administrator privileges.

Workarounds

Grant users administrator access to their client machines.

Do not enable the Access to Authentication VLAN change detection feature. Instead, use port bouncing to refresh client IP addresses.

Decrease the interval or the number of times the Agent attempts to retry connection. (Cisco does not recommend this option if there are other operating systems on the network, as this may result in unwarranted IP refreshes on other client machines.)


Resolved Caveats - Mac OS X Agent 4.1.3.1

Refer to Mac OS X Clean Access Agent Version 4.1.3.1 for additional information.

Table 12 List of Closed Caveats

DDTS Number
Mac OS X Agent 4.1.3.1
Corrected
Caveat

CSCsl83353

Yes

Mac OS X Agent does not refresh icon status after disconnecting interface

The Mac OS X Agent does not refresh the tray icon status when you physically disconnect the network interface cable.

Steps to reproduce:

1. Log in to Cisco NAC Appliance using the Mac OS X Agent.

2. Disconnect the network cable from the active network interface. The Mac Agent status does not change from "Logged-in."

Note The issue is cosmetic and does not affect Agent functionality.

CSCsl88985

Yes

Mac Agent logs out user after every login once operating system mismatch is detected

The Mac OS X Clean Access Agent logs the user out after every login once the Agent detects an operating system mismatch and prompts the user with a new login dialog requesting credentials. When the user logs in again, the Agent again detects the operating system mismatch and repeats the process.

Workaround

Exit and re-launch the Clean Access Agent on Macintosh client machine.

CSCsl98060

Yes

Mac OS X Agent CPU usage spikes every few seconds

The CPU usage rises to 85-99% every few seconds, recedes, and then spikes again.

CSCsm10311

Yes

Mac OS X Agent changes Applications folder permissions to "unknown"

Installing the 4.1.3.0 Agent on a Mac client machine changes the Applications folder permissions to "Owner:unknown" with read/write access and the Application Group to "Unknown" with read only and Others to read permissions.

This issue impacts other applications already installed and can keep them from updating themselves and could even affect the stability of the Finder system application.

Note Any new additions to the Applications folder require non-root users to login as root in order to make changes.

CSCsm20813

Yes

Mac OS X Agent difficult to exit when discovery host FQDN cannot be resolved

For users attempting to log in via the Mac Agent 4.1.3.0 where the discovery host cannot be resolved, it is difficult to close/exit the Agent (or use any other menu items). In addition, a "System failed to resolve the host name!" message appears repeatedly.

Workaround

You must add an entry to /etc/hosts to resolve the host name of the CAS server correctly:

When the user first clicks on the menu, the error message appears.

If the user clicks the OK button or anywhere else on the screen (after getting the error message), the user sees the error message again.

If the user clicks on the menu without clicking anywhere else on the screen, the menu comes up (instead of the error) and the user can then quit/exit the Mac Agent.

Therefore, if you only use the mouse (and do not clear the error message by pressing enter to trigger the OK button), quitting or accessing anything else in the Mac Agent is difficult.

Note This error message makes it difficult to clear the Mac Agent from the screen and the verbiage may baffle many Mac users who do not know what "*nix" is.

CSCsm26806

Yes

The Mac OS X Agent fails to work with device filters in L3 deployment

In some deployment scenarios, the Mac Agent does not work correctly with device filters based on the ROLE or CHECK settings. Layer 3 (L3) Real-IP-mode topologies do not appear to properly obtain the MAC address of the Mac Agent and apply filter policies. A discrepancy exists in an environment with the following topology:

Client---AP---Routing Devices---CAS (Real IP)---Inside Network

where the client machine entry appears as a device filter (specifying both MAC and IP address) set to "Check" the user role, resulting in the following behavior:

Windows Agent

After connecting via wireless, the Windows Agent pops up stating that authentication is being performed via a device filter and the login session completes successfully. Once this is done, the user has full access granted by the assigned role and is not redirected (desired behavior).

Mac OS X Agent

After connecting via wireless, the Mac Agent icon turns orange, stating that the session is "Not Supported," and the user continues to receive redirects to the authentication page (user does not have the full access specified in the assigned user role).

Note If the filter is changed from "Check" to "Assign a role," the Mac Agent turns green rather than orange, but the end-user still receives redirects to the CAS authentication page for all web requests.

This issue does not occur if the Mac Agent is used in an L2 setup.

CSCsm47276

Yes

Mac OS X Agent memory usage goes up with time

To reproduce the issue, let the Mac Agent run for several hours or a day and watch the memory usage going up using the "top" system command.


Resolved Caveats - Release 4.1.3.1

Refer to Enhancements in Release 4.1.3.1 for additional information.

Table 13 List of Closed Caveats  

DDTS Number
Software Release 4.1.3.1
Corrected
Caveat

CSCsm13673

Yes

CAM 4.1(3) upgrade from release 4.0(x) and 3.6(x) takes too long with too many Agent reports

Clean Access Manager (CAM) 4.1(3) upgrade from Cisco NAC Appliance release 4.0(x) and 3.6(x) should not take too long with too many Clean Access Agent reports. The upgrade can take over 90 minutes on a Cisco NAC-3310 appliance with 30,000 Agent reports in the CAM database before the upgrade.

CSCsm27731

Yes

CAM should not send Auth VLAN set request when receiving MAC move notification

Normally, when the CAM receives a MAC move notification, the CAM consults the client database to deduce the original managed port from which the MAC address first became known on the system, and sets the port VLAN to the Authentication VLAN.

This operation can cause problems in certain situations. If, for example, the port over which the client first authenticated and the port to which the client is moving (per the MAC move notification SNMP trap) are the same, the CAM assigns the Authentication VLAN to the port even though the client MAC address has already been certified.

Although the period of time that the port remains assigned to the Authentication VLAN is very short:

If a SWISS discovery packet is sent from the client during this period, an erroneous user login popup can appear, prompting the user to enter their login credentials.

If a DHCP packet is sent from the client during this period, the client's IP may be reassigned to the Authentication VLAN.

CSCsm55679

Yes

CSRF tag is added to a global MAC device filter's description when edited

If the description of a global MAC filter contains a single quote (') and you edit the description entry in the CAM web console, a CSRF tag is appended to the description when you save the changes. (The same CSRF tag is appended every time you edit and save the filter from the CAM web console.)

Note: This issue directly impacts Cisco NAC Profiler users, because Profiler also includes a link in Filter List descriptions and, whenever you edit them, the same additional CSRF "token" is appended to the URL.


Resolved Caveats - Cisco NAC Web Agent 4.1.3.10

Refer to Cisco NAC Web Agent Version 4.1.3.10 for additional information.

Table 14 List of Closed Caveats  

DDTS Number
Cisco NAC Web Agent 4.1.3.10 Corrected
Caveat

CSCsm03961

Yes

A certificate warning dialog appears even when the root certificate is trusted

A warning message stating that there is a mismatch between the website name and the certificate presented is displayed to end users when they launch the Web Agent in an environment that uses FQDNs within certificates.

This condition arises because the Web Agent tries to access the CAS by IP address while the certificate CN value contains a hostname/FQDN instead of an IP address. This causes the mismatch between the URL requested and the certificate actually presented.

Note: If the URL called by the Web Agent is the CAS FQDN, the message does not appear.

Workaround

1. The warning message can be ignored and the Web Agent will still function.

2. Generate certificates with an IP address for the CN instead of FQDN/Hostname.
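The name comparison behind CSCsm03961 can be checked before deployment by testing the address the Web Agent requests against the names in the CAS certificate. The following is an added example, not Cisco code: the function names, the sample certificates and the address 192.0.2.10 are constructed, and the certificate is assumed to be in the dictionary form returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress

def _ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def cert_names(cert):
    """Split a getpeercert()-style dict into (SAN DNS, SAN IP, subject CN) lists."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def dns_match(pattern, host):
    """Case-insensitive compare; a leading '*.' stands for exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def name_check(cert, requested):
    """Return (ok, matched_by) for the host or IP a client puts in the URL."""
    dns, ips, cns = cert_names(cert)
    want = _ip(requested)
    if want is not None:
        if any(_ip(v) == want for v in ips):
            return True, "SAN IP"
        # Workaround 2 puts the IP in the CN. RFC 2818 specifies the iPAddress
        # SAN for IP URLs, so a CN-only match is reported separately.
        if any(_ip(v) == want for v in cns):
            return True, "CN IP"
        return False, "none"
    # RFC 2818: DNS SAN entries take precedence; CN is used only without them.
    if dns:
        ok = any(dns_match(p, requested) for p in dns)
        return ok, "SAN DNS" if ok else "none"
    ok = any(dns_match(p, requested) for p in cns)
    return ok, "CN" if ok else "none"

# Constructed sample certificates (documentation address range and example domain).
FQDN_CERT = {"subject": ((("commonName", "cas.example.com"),),)}
IP_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}
```

A result of (False, "none") for the address the Web Agent actually requests predicts the warning dialog; a "CN IP" result means the match depends on the client accepting an IP address in the CN.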

CSCsm17435

Yes

Audit requirements should not be visible in Web Agent reports

When an audit requirement is included in the requirement list, the result of the audit requirement should still be sent to the CAM/CAS, but should not be displayed on the Web Agent report. In addition, the audit check status should not affect the overall posture status.


Resolved Caveats - Windows Clean Access Agent 4.1.3.1

Refer to Windows Clean Access Agent Version 4.1.3.1 for additional information.

Table 15 List of Closed Caveats  

DDTS Number
Clean Access Agent 4.1.3.1 Corrected
Caveat

CSCsm05207

Yes

Windows Clean Access Agent drops network connection after delayed or no ARP reply

The Clean Access Agent transmits ARP requests for the default gateway, and if it does not receive a reply, the client automatically performs an IP address release/renew. In customer environments where the default gateway does not return an ARP reply, the 4.1.3.0 Agent can cause link-flapping.

With version 4.1.3.1 of the Windows Clean Access Agent, the new Access to Authentication VLAN switching feature is disabled by default through registry key settings applied by the 4.1.3.1 installer.

Workaround

For Windows, there is a registry key that can be set to "not check" for the ARP replies. The same is true for Mac OS X clients.

Create one of the following registry keys:

1. Global registry key:

HKEY_LOCAL_MACHINE/SOFTWARE/Cisco/Clean Access Agent/
DWORD Value Name: VlanDetectInterval
DWORD Value Data: 0