KB40996 - How to troubleshoot ESAP related Predefined Antivirus Host Checker policy issues

This article describes how to troubleshoot ESAP related Predefined Antivirus Host Checker policy issues.

How to determine why a user fails authentication due to a failed Predefined Antivirus Host Checker policy.

Why a client could fail to pass a Predefined Antivirus Host Checker policy depends on what the configured policy is checking for and what Host Checker is reporting.

The Endpoint Security Assessment Plug-In (ESAP) package installed on the PCS/PPS includes SDKs from OPSWAT to detect Antivirus products and associated information.  Host Checker downloads these in a file named UnifiedSDK.zip, extracts them, performs the required Antivirus checks, and communicates the results of checking back to the PCS/PPS.

If the client does not successfully pass and the Host Checker policy is enforced then they will be notified and an optional remediation action and/or message can be displayed.

If user is not able to remediate the problem they will need to contact the administrator for help in resolving the security issue.   This guide aims to assist administrators with this process, giving them knowledge on what data to collect and supply when opening a Support case with Pulse Secure.

Recommended Prerequisites

• Use the latest ESAP package that is available.
• Use the V4 framework as V3 will be End of Life by the end of 2017, see KB40318 - Impact / Changes between V3 and V4 OPSWAT SDK for more details.
• When downloading a new ESAP package always download the ESAP Diagnosis executables for the same version,  see KB28146 - [Host Checker] Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Windows Platform and KB29633 - Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Mac OS Platform for how to download and use these.
• Configure a web bookmark so users can download the diagnostic file from an internal server via a remediation Role for users who fail Host Checker policies, see Defining Web Resource Profile Boomarks in the Admin Guide for the configuration steps.
• Download or bookmark the Release Notes and List Of Products Supported guides for the installed ESAP version from the ESAP section of our Techpubs pages so they are easily available to reference.
• When possible, test and qualify Host Checker policies in your lab before implementing or updating any new Host Checker policies, Antivirus products and/or ESAP packages. These checks should be tested on a typical corporate imaged machine.
• ​Ask the user what the error message reported by Host Checker is and to take a screenshot of it, if Send Reason Strings is enabled it will report what failed, for example:

     1. HC_AV_and_Patches 
         Reasons: Symantec Hosted Endpoint Protection 3.00.10.2737 does not comply with policy.  Compliance requires latest virus definitions.

• Check if the antivirus product meets the requirements of the host Checker policy, such as whether it has recently updated virus definitions, that the antivirus product is running and Real time Protection (RTP) enabled, and/or if a system scan was performed recently and remediate any deficiencies.
• Ask the user what the Antivirus product and version,  supplying screenshots if possible and reference the List of Supported Products for ESAP version to see what can be checked and if requires any specific permissions for the evaluation methods.
• Check the latest ESAP Release Notes and Supported Products in case support was added or a problem fixed for reported antivirus version.

 

Data collection for Support

• If Host checker still fails after remediation attempts, if the product and/or version is not listed as supported then generate ESAP diagnostic output and open a case requesting support be added in a future ESAP release, including the ESAP diagnostic output and screenshots of the Antivirus product and version.

• If the Antivirus product and version are supported, the required permissions for the evaluation methods are met, and the product is compliant with the configured checks then gather the following data and open a case and attach the data.

1. Is this for all users with a certain antivirus product and version or do some pass?   Is there anything common about the set of affected users e.g. certain OS and/or patches; non-admin users; they have other Antivirus products installed?
2. Screenshots of any error messages.  
3. Screenshots of the Antivirus product about page.
4. Access log entries for the users connection attempt captured in the client deubglog.
5. ESAP diagnostic output generated after the failed host checker attempt.

 

• For the client debuglog, if Pulse is used then set detailed level logging in the client via  File > Logs > Log Level ​and then attempt to connect.   Once the Host Checker failure message is displayed save the client log file from the Pulse client.

Please refer attached Host Checker ESAP Troubleshooting Guide.pdf for troubleshooting assistance.
 

Admin Guide entry for upgrading ESAP