Problem
Cisco Identity Services Engine (Cisco ISE) is a Cisco product that lets a network administrator control how devices connect to the network according to defined policies. Among other things, it can detect whether an anti-virus is installed and up to date on an endpoint and apply policies accordingly.
This article describes the Cisco ISE configuration needed to detect Padvish anti-virus.
Note that Cisco ISE 2.0 and later can detect whether the anti-virus is installed and active, but detecting whether it is up to date requires Cisco ISE 2.4 or later.
Solution
To detect the anti-virus, you need to create several posture conditions in Cisco ISE. Go to Policy > Policy Elements > Conditions and build the conditions listed below.
Detecting installation
- File Condition
  Name: AV_Padvish_ServiceFile
  Description: Part of the installation check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileVersion
  File Path: ABSOLUTE_PATH
  File Path: C:\Program Files\Padvish AV\Apccsvc.exe
  Operator: LaterThan
  File Version: 5
- File Condition
  Name: AV_Padvish_ServiceFile_64
  Description: Part of the installation check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileVersion
  File Path: ABSOLUTE_PATH
  File Path: C:\Program Files (x86)\Padvish AV\Apccsvc.exe
  Operator: LaterThan
  File Version: 5
- File Condition
  Name: AV_Padvish_DrvSP
  Description: Part of the installation check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileExistence
  File Path: SYSTEM_ROOT
  File Path: system32\drivers\apsp.sys
  File Operator: Exists
- File Condition
  Name: AV_Padvish_DrvAVF
  Description: Part of the installation check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileExistence
  File Path: SYSTEM_ROOT
  File Path: system32\drivers\avf.sys
  File Operator: Exists
Detecting activation
- Service Condition
  Name: AV_Padvish_ServiceRun
  Description: Part of the activity check
  Operating System: Windows All
  Compliance Module: Any version
  Service Name: AmnPardazControlCenterWinService
  Service Operator: Running
- Service Condition
  Name: AV_Padvish_DriverRun
  Description: Part of the activity check
  Operating System: Windows All
  Compliance Module: Any version
  Service Name: Amnpardaz Filter
  Service Operator: Running
Detecting update status
- File Condition
  Name: AV_Padvish_UpdateFile
  Description: Part of the update check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileDate
  File Path: ABSOLUTE_PATH
  File Path: C:\Program Files\Padvish AV\apav_003.dat
  File Date Type: Modification Date
  Operator: Within
  File Version: 5
- File Condition
  Name: AV_Padvish_UpdateFile_64
  Description: Part of the update check
  Operating System: Windows All
  Compliance Module: Any version
  File Type: FileDate
  File Path: ABSOLUTE_PATH
  File Path: C:\Program Files (x86)\Padvish AV\apav_003.dat
  File Date Type: Modification Date
  Operator: Within
  File Version: 5
- Compound Condition
  Name: AV_Padvish_Update
  Description: Padvish update check
  Operating System: Windows All
  Compliance Module: Any version
  Condition: AV_Padvish_UpdateFile | AV_Padvish_UpdateFile_64
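The following Python script is an added example, not code from Cisco, Amnpardaz or this article. It models the posture conditions above (file version later than 5, driver files present, both services running, signature file modified within the last 5 days, and the 32-/64-bit OR compound) and evaluates them against a constructed endpoint snapshot, so the rule logic can be sanity-checked before it is pushed to ISE. Assumptions: SYSTEM_ROOT expands to C:\Windows, "LaterThan" means a strictly greater dotted version after zero-padding, "Within 5" on the date condition means at most 5 days old, and the AV_Padvish_Installed and AV_Padvish_Active compounds are this example's own combination of the parts the article lists; the article only defines the AV_Padvish_Update compound.

```python
"""Offline model of the Padvish posture conditions described in the article."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

# Assumed expansion of the ISE SYSTEM_ROOT path variable on a default Windows install.
SYSTEM_ROOT = r"C:\Windows"
PF = r"C:\Program Files\Padvish AV"
PF86 = r"C:\Program Files (x86)\Padvish AV"


@dataclass
class FileInfo:
    version: Optional[str] = None     # FileVersion string, e.g. "5.3.1"
    mtime: Optional[datetime] = None  # last modification time


@dataclass
class Endpoint:
    """Constructed snapshot of what the posture agent would see on a host."""
    files: Dict[str, FileInfo] = field(default_factory=dict)  # lower-cased path -> info
    services: Dict[str, str] = field(default_factory=dict)    # service name -> state
    now: datetime = field(default_factory=datetime.now)

    def file(self, path: str) -> Optional[FileInfo]:
        return self.files.get(path.lower())  # Windows paths are case-insensitive


def _vtuple(v: str, width: int) -> tuple:
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))  # zero-pad so "5" == "5.0.0"


def file_version_later_than(ep: Endpoint, path: str, minimum: str) -> bool:
    """FileVersion condition, operator LaterThan (assumed: strictly greater after padding)."""
    info = ep.file(path)
    if info is None or info.version is None:
        return False  # a missing file never satisfies the condition
    width = max(len(info.version.split(".")), len(minimum.split(".")))
    return _vtuple(info.version, width) > _vtuple(minimum, width)


def file_exists(ep: Endpoint, path: str) -> bool:
    """FileExistence condition, operator Exists."""
    return ep.file(path) is not None


def file_modified_within(ep: Endpoint, path: str, days: int) -> bool:
    """FileDate condition on Modification Date, operator Within (assumed: at most N days old)."""
    info = ep.file(path)
    if info is None or info.mtime is None:
        return False
    return ep.now - info.mtime <= timedelta(days=days)


def service_running(ep: Endpoint, name: str) -> bool:
    """Service condition, operator Running."""
    return ep.services.get(name) == "Running"


# The simple conditions, keyed by the ISE condition names used in the article.
CONDITIONS: Dict[str, Callable[[Endpoint], bool]] = {
    "AV_Padvish_ServiceFile": lambda ep: file_version_later_than(ep, PF + r"\Apccsvc.exe", "5"),
    "AV_Padvish_ServiceFile_64": lambda ep: file_version_later_than(ep, PF86 + r"\Apccsvc.exe", "5"),
    "AV_Padvish_DrvSP": lambda ep: file_exists(ep, SYSTEM_ROOT + r"\system32\drivers\apsp.sys"),
    "AV_Padvish_DrvAVF": lambda ep: file_exists(ep, SYSTEM_ROOT + r"\system32\drivers\avf.sys"),
    "AV_Padvish_ServiceRun": lambda ep: service_running(ep, "AmnPardazControlCenterWinService"),
    "AV_Padvish_DriverRun": lambda ep: service_running(ep, "Amnpardaz Filter"),
    "AV_Padvish_UpdateFile": lambda ep: file_modified_within(ep, PF + r"\apav_003.dat", 5),
    "AV_Padvish_UpdateFile_64": lambda ep: file_modified_within(ep, PF86 + r"\apav_003.dat", 5),
}


def evaluate(ep: Endpoint) -> Dict[str, bool]:
    """Evaluate every simple condition, then the compound ones."""
    r = {name: check(ep) for name, check in CONDITIONS.items()}
    # Compound condition exactly as the article defines it (OR of the 32-/64-bit paths).
    r["AV_Padvish_Update"] = r["AV_Padvish_UpdateFile"] or r["AV_Padvish_UpdateFile_64"]
    # Assumed compounds for the install and activity checks (the article lists the parts
    # but not how to combine them): either service binary plus both drivers, and both
    # services running.
    r["AV_Padvish_Installed"] = ((r["AV_Padvish_ServiceFile"] or r["AV_Padvish_ServiceFile_64"])
                                 and r["AV_Padvish_DrvSP"] and r["AV_Padvish_DrvAVF"])
    r["AV_Padvish_Active"] = r["AV_Padvish_ServiceRun"] and r["AV_Padvish_DriverRun"]
    return r


def sample_endpoints() -> Dict[str, Endpoint]:
    """Constructed hosts (not real data): a healthy 64-bit install and one with stale signatures."""
    now = datetime(2024, 1, 10, 12, 0)
    services = {"AmnPardazControlCenterWinService": "Running", "Amnpardaz Filter": "Running"}
    base = {
        (PF86 + r"\Apccsvc.exe").lower(): FileInfo(version="5.3.1"),
        (SYSTEM_ROOT + r"\system32\drivers\apsp.sys").lower(): FileInfo(),
        (SYSTEM_ROOT + r"\system32\drivers\avf.sys").lower(): FileInfo(),
    }
    sig = (PF86 + r"\apav_003.dat").lower()
    healthy = Endpoint(files={**base, sig: FileInfo(mtime=now - timedelta(days=2))}, services=services, now=now)
    stale = Endpoint(files={**base, sig: FileInfo(mtime=now - timedelta(days=9))}, services=services, now=now)
    return {"healthy": healthy, "stale": stale}


if __name__ == "__main__":
    for host, ep in sample_endpoints().items():
        print(host, evaluate(ep))
```

Running the script shows the healthy host passing all three compounds while the stale host still counts as installed and active but fails AV_Padvish_Update, which is exactly the split that lets an ISE policy send it to remediation rather than deny it outright.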