As I have mentioned many times before, my problem with CSD is that it just doesn’t work all of the time. The fact that it can detect my anti-virus manufacturer but not the type is frustrating. The fact that even though it detects the manufacturer but can’t use that result in a DAP is even MORE frustrating. I spent a lot of time searching the internet for a solution and one thing I came across was something called advanced expressions.
Advanced expressions can be defined within a DAP and use LUA functions to evaluate what gets returned to the ASA during host scan. The function is sort of hidden within the DAP interface. You need to select the down arrow on the right side of the screen in the ‘Advanced’ area. Once you press the down arrow your window should look like this… 
If you click the ‘Guide’ button you’ll pull up the help on how to define LUA’s and be shown some examples. Basically the advanced expression allows you to check for an instance of a anti-virus program, or an instance of an anti-spyware program, or that the client has a firewall installed. You can’t determine what it is, or if it’s up to date, you can just detect if it’s there. I see this as a sort of compromise for the host scan results not working at all. Yes, it would be VERY nice if host scan and DAPs worked perfectly, but at least this way you can determine if the client has a anti-virus program installed at all. I tested the LUA expression for anti-virus by uninstalling and reinstalling my anti-virus software and it worked.
Below are the different LUA expressions for anti-virus, anti-spyware, and client firewall. To use any of them simply copy and paste them in the logical expressions box within the advanced options of the DAP.
Note: I copied and pasted these from the help. This is NOT my own work
Anti-Virus
assert(function()
for k,v in pairs(endpoint.av) do
if (EVAL(v.exists, "EQ", "true", "string")) then
return true
end
end
return false
end)()
Anti-Spyware
assert(function()
for k,v in pairs(endpoint.as) do
if (EVAL(v.exists, "EQ", "true", "string")) then
return true
end
end
return false
end)()
Firewall
assert(function()
for k,v in pairs(endpoint.fw) do
if (EVAL(v.exists, "EQ", "true", "string")) then
return true
end
end
return false
end)()
I think LUA expressions are a little more straight forward in some cases. I’d love to spend more time trying to hack apart the LUA expressions to figure out what all of the variables are. If anyone has done that I’d love to hear from you.
This post wraps up my coverage of CSD. I’m hoping that someone at Cisco reads these posts and sends me an email telling me that there has been a new update and everything magically works now; that would be great, however the reality is that it isn’t perfect. I imagine other manufacturers’ similar products aren’t perfect either. Regardless, there are some great pieces within CSD that do work, and work very well.
Hi, I’d like to thank you very much for all your posts regarding CSD.
I’ve learned a lot with them.
Thanks again and keep up the good work!