Cisco Secure Desktop (CSD) – Part 3

      No Comments on Cisco Secure Desktop (CSD) – Part 3

Today we are going to talk about what CSD installs onto the client machine.  I will note here that I’m a Windows guy, so any and all of the below information will pertain directly to the CSD install on Windows (specifically XP).  You’ll recall that after you initially uploaded and configured WebVPN to use CSD that you got a different screen when you tried to access the portal login page.  The page you received should have looked like this…

image

Additionally, you were asked to install a plug-in  in Internet Explorer.  If you approved the installation, you should be able to see the the plug-in under Add-ins in internet explorer.  This is the first component that CSD installs.  image

Once the IE add-on is installed, the CSD package begins loading onto your machine.  For some reason it took me a very long time to initially locate where the CSD files were being installed.  Furthermore, the Cisco documentation, at first, wasn’t very helpful in revealing the location either.  The path where CSD gets installed is…

C:Documents and Settings<username>Application DataCisco

In the root of that directory you will most likely see two different folders.  One will be called ‘Cisco Secure Desktop’ and if you have enabled host scan, there should be a second called ‘Cisco HostScan’.  imageI think it’s important here to make a few distinctions.  With CSD you really have five options.  You configure these from the default policy menu in the ASDM.  Your options are….

Cache Cleaner with or without the use of host scan
image

Secure Desktop (Vault) with or without the use of host scan
image

Host Scan
image

If you are only looking for things like pre-login policy and host scan results to use with DAPs, then you simply uncheck both of the checked boxes. 

So back to our two folders.  If you opt to install cache cleaner or the vault feature all of the components for both of those items will be included within the ‘Cisco Secure Desktop’ folder.  That leaves just host scan components within the ‘Cisco HostScan’ folder. 

Ok, before I go into what goes where and why let’s talk about log files.  I’ll be honest, I’m thoroughly confused about this myself.  Take a look at what the Cisco release notes are for CSD 3.4.2 (which is the version I’m using)

“Control over the severity (called logging level) of the hostscan.log file. Secure Desktop Manager provides the option to record the CSD events to the hostscan.log file onto the user’s computer. This log file is now the only CSD log file. The default logging level, off, does not generate this file, and removes any hostscan.log and csd.log files left from previous releases. Choose Secure Desktop Manager > Logging Level to access this feature. From that panel, you can access the online help for instructions.”

Now, I will note that 3.4.2 is supposed to be a ‘fix’ release so really most of the document refers to the previous release 3.4.1.  At any rate, I tested this forever and I can’t seem to make the logging level setting work at all.  For instance, I tested with both cache cleaner and vault disabled and the logging level set to ‘off’.  Now if I’m reading their documentation correctly it sounds like if it’s set to off I shouldn’t get a log file.  And if there is one there already it should be deleted.  Not so…..  In fact not only do I get a hostscan.log file but I still get a csd.log file which is in total contradiction to their documentation.  A look at the hostscan.log file I get shows all sorts of log entries ranging from info to debug.  The bottom line being that I’m not convinced that the logging settings do anything at all.  Which is upsetting to say the very least…..

Additionally even when I have both the cache cleaner and the vault option disabled I still get a ‘Cisco Secure Desktop folder’ which has two sub folders that are empty.

Now that I’m done ranting (for the moment) let’s wrap up the article with the two options I have concerned myself with.  Host scan by itself and host scan with cache cleaner.   

Hostscan by itself
In this scenario I have both check boxes for on the default policy screen deselected.  The result is that I only get the benefits of host scan which can be used in conjunction with DAPs to limit access.  Let’s run through what gets installed and where.

The installer creates the ‘Cisco HostScan’ folder and creates two log files as well as installs the hostscan.exe executable.  If you look at task manager when the CSD installation screen is up, prior to being shown the logon screen, you’ll see the hostscan.exe running.
image

As the exe runs it pulls relevant system information and sends it back to the ASA so that the information can be used during logon by evaluating any defined DAPs.  The hostscan.log file and the csd.log file which are located in the root of the ‘Cisco HostScan folder’ contain information in regards to the CSD and HostScan installation.  Interestingly enough there isn’t any relevant information in the hostscan.log file in regards to what information it found during the hostscan which in my opinion would be nice to have. 

Cache Cleaner with Hostscan
Now this is where it gets interesting.  In this scenario, in addition to host scan running, you also get the Cisco cache cleaner application installed.  A few things will be obviously different here.  First off we’ll see the cache cleaner in the toolbar. 

image

A double click on the icon shows us the cache cleaner dialog which we aren’t allowed to exit out of.  I’m not going to explain what cache cleaner does.  The dialog box shown below does a pretty good job describing it.

imageAnother look at task manager shows the process cunning as ‘cleaner.exe’
imageJust like host scan, the files for the cache cleaner are installed within the ‘C:Documents and Settings<username>Application DataCisco’ folder under the folder name ‘Cisco Secure Desktop’.  However, there isn’t anything interesting within the root of this folder. You need to dig down to ‘…CiscoCisco Secure DesktopCacheTemp8-P00h’ to see any real information.  Unfortunately I don’t know much about the folder structure or why the folder is called ‘Temp8-P00h’.  However all my testing shows it being created with the same name each time.  I will note here that ‘Temp8-P00h’ is a hidden folder so you’ll need to set your file explorer attributes to show hidden files and folders to see it.

So what’s in this folder?  There’s a cab file including the installation for the cache cleaner application, A CSDWebLaunch.exe executable, and a hostscan.log file.  Yet another log file (beating the dead horse here but per Cisco’s documentation I don’t think it’s supposed to exist) and ironically one that’s called hostscan.log.  Better yet is the fact that this log file actually includes relevant information to host scan.  The log file not only includes better installation logs for host scan but also includes the host scan results! Is anyone else confused? 

A) The log is for host scan but it’s located in the ‘Cisco Secure Desktop’ folder
B) The log is only generated when the cache cleaner is enabled
C) There isn’t any mention of how to get the client host scan results in any of its documentation

Bottom line?  If you want to troubleshoot host scan, you need to have cache cleaner enabled.  Bigger bottom line, CSD logging is screwed up big time. 

To wrap it up let’s look at this hostscan.log file and see what sort of information it has in it.

Anti Virus
Sun Jan 24 14:10:53 2010
– ->endpoint.av["WmiAV"].description = "McAfee unknown product";
Notes: This is probably why my DAPs for Anti Virus don’t work.  It evidently cant determine what version of McAfee I’m using.  Ironically it cant even determine I’m using McAfee as well…..

Computer Name
Sun Jan 24 14:10:53 2010
– ->endpoint.device.hostname = "<system name>";
Notes: This returned correctly

System MAC addresses
Sun Jan 24 14:10:53 2010
– ->endpoint.device.MAC["<NIC MAC>"] = "true";
Sun Jan 24 14:10:53 2010
– ->endpoint.device.MAC["<NIC MAC>"] = "true";
Notes: These returned correctly

Firewall software
Sun Jan 24 14:10:53 2010
– ->endpoint.fw["MSWindowsFW"] = {};
Sun Jan 24 14:10:53 2010
– ->endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall";
Sun Jan 24 14:10:53 2010
– ->endpoint.fw["MSWindowsFW"].enabled = "failed";
Sun Jan 24 14:10:53 2010
– ->endpoint.fw["MSWindowsFW"].exists = "false";
Notes: I have my firewall turned off and the windows service disabled.  It looks like it can figure that out

And the list goes on.  It also returned my OS version, SP level, all of my installed hot fixes, and a list of open ports.  Bottom line is there some good information in this log that can help you troubleshoot why your DAPs aren’t working.  Its just too bad that these logs aren’t laid out in a more logical sense.  If I hadn’t played around with CSD for hours on end I would have never known that there was an actual host scan log file.  Moreover I wouldn’t have known cache cleaner had to be on to get it…..

Leave a Reply

Your email address will not be published. Required fields are marked *