File check failing during health check using ClearPass OnGuard on Windows 7 64-bit

Aruba Employee
Problem:

The ClearPass OnGuard posture policy is configured to do a file check on Windows 7. The file path is as below:

C:\Windows\System32\somefile.exe

We are able to do the health check and find the file on Windows 7 32-bit with no issues. However, on Windows 7 64-bit machines, the file is not found. The health check fails with the below error:

Diagnostics:

Checked the OnGuard agent logs and found the below:

ClearPassOnGuard* log:

File Check:

2016-11-22 05:34:07,297 [Th 0000111c] DEBUG JsonWrapper.ProcessSoHRResponse - Message=
File Check:

2016-11-22 05:34:07,297 [Th 0000111c] DEBUG JsonWrapper.ProcessSoHRResponse - Message=somefile File not present

2016-11-22 05:34:07,297 [Th 0000111c] DEBUG OnGuardPlugin.BackendClientInfoCollector - ProcessHealthResponse: ProcessSoHR Response: Healthy - 0 Success - 1
2016-11-22 05:34:07,297 [Th 0000111c] INFO  OnGuardPlugin.InterfaceSessionHelper - ProcessSohr: Health response= Success=True Healthy=False Remediation URL= Msg:  Msg: Your machine is Quarantined! Please contact IT Support. Msg:
File Check:
 Msg: somefile File not present

2016-11-22 05:34:07,297 [Th 0000111c] DEBUG OnGuardPlugin.TextStore - GetFormattedTextFromResource: vswprintf result - 49
2016-11-22 05:34:07,298 [Th 0000111c] INFO  OnGuardPlugin.AuthSession - ProcessSoftReauthResponse: SoHR processing status for Local Area Connection = Status [healthState=3, msgList=, Your machine is Quarantined! Please contact IT Support.,
File Check:
, somefile File not present

 

In Winagent_0.log, saw the below:

2016-11-22 07:09:26,063 [Th 000001C0] INFO  WinSHA.HealthFactoryEx - GetHealthRequest: Not adding Health Class Info - InstalledApplications (17)
2016-11-22 07:09:26,063 [Th 000001C0] ERROR WinSHA.FileCheckHealthClassInfoFactory - GetHealth: Not adding file - 'C:\Windows\System32\somefile.exe' as it does not exist. Error - system:2
2016-11-22 07:09:26,065 [Th 000001C0] DEBUG WinSHA.FileCheckHealthClassInfoFactory - GetEnvVarMapEx: Detected 64-bit OS.
2016-11-22 07:09:26,065 [Th 000001C0] DEBUG WinSHA.FileCheckHealthClassInfoFactory - GetEnvVarMapEx: EnvVar - homedrive, Value - C:

 

Navigated to C:\Windows\System32\ to look for the file; somefile.exe was present and visible in that location.

 

As per the Windows blog below:

http://csi-windows.com/blog/all/73-windows-64-bit/379-what-is-wow64-windows-64-bit

It seems that when the OnGuard agent, or any 32-bit application, tries to access a path under System32, the 64-bit operating system automatically redirects the path to SysWOW64. Since a copy of the file is not present at that location, we get the error that the file does not exist.

Instead, we can use the Sysnative path in Windows. With it, 64-bit Windows understands that no redirection is required and finds the file in System32.

Solution

We could either create a different service for the 64-bit operating system with the new path, or add one more condition to the existing policy configuration with the new path for 64-bit and set the rule to Pass any one, as shown below:

 

In this case, it would work for both 32-bit and 64-bit, as the rule says Pass any one.
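
The redirection described above and the effect of the Pass any one rule, as an added example that is not Aruba's or OnGuard's code: a small model of which path a 32-bit agent actually opens. The function names, the sample disk contents and the list of exempt System32 subdirectories (from Microsoft's WOW64 file system redirector documentation, which goes beyond what this article covers) are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: System32 subdirectories exempt from WOW64 redirection on
# Windows 7, per Microsoft's File System Redirector documentation.
EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")

def _under(path, root):
    """Return the part of path below root (case-insensitive), else None."""
    p, r = ntpath.normpath(path), ntpath.normpath(root)
    if p.lower() == r.lower():
        return ""
    if p.lower().startswith(r.lower() + "\\"):
        return p[len(r) + 1:]
    return None

def effective_path(path, os_bits, proc_bits, windir=r"C:\Windows"):
    """Path actually opened, or None when the path cannot resolve at all."""
    wow64 = os_bits == 64 and proc_bits == 32
    rest = _under(path, ntpath.join(windir, "Sysnative"))
    if rest is not None:
        # Sysnative is a virtual alias seen only by 32-bit processes on 64-bit Windows.
        return ntpath.normpath(ntpath.join(windir, "System32", rest)) if wow64 else None
    rest = _under(path, ntpath.join(windir, "System32"))
    if rest is not None and wow64:
        low = rest.lower()
        if not any(low == e or low.startswith(e + "\\") for e in EXEMPT):
            return ntpath.normpath(ntpath.join(windir, "SysWOW64", rest))
    return ntpath.normpath(path)

def file_check(paths, on_disk, os_bits, proc_bits):
    """'Pass any one' file check as seen by a process of the given bitness."""
    disk = {ntpath.normpath(f).lower() for f in on_disk}
    for p in paths:
        real = effective_path(p, os_bits, proc_bits)
        if real is not None and real.lower() in disk:
            return True
    return False

# Constructed sample: only the native copy of the file exists on disk.
SYS32 = r"C:\Windows\System32\somefile.exe"
SYSNATIVE = r"C:\Windows\Sysnative\somefile.exe"
DISK = [SYS32]

if __name__ == "__main__":
    for os_bits in (32, 64):  # the agent is modelled as a 32-bit process
        for rule in ([SYS32], [SYS32, SYSNATIVE]):
            print(os_bits, rule, file_check(rule, DISK, os_bits, 32))
```

The Sysnative condition alone fails on 32-bit Windows, where the alias does not exist, which is why the System32 condition stays in the rule.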

 

To verify that this path works, I did an FCIV check for the file on a 64-bit operating system, see below:

C:\Users\<user>\Desktop>fciv.exe -md5 c:\Windows\System32\somefile.exe
//
// File Checksum Integrity Verifier version 2.05.
//
c:\windows\system32\somefile.exe\*
        Error msg  : The system cannot find the path specified.
        Error code : 3


C:\Users\<user>\Desktop>fciv.exe -md5 c:\Windows\Sysnative\somefile.exe
//
// File Checksum Integrity Verifier version 2.05.
//
58dc4df814685a165f58037499c89e76 c:\windows\sysnative\somefile.exe

 

 

 

 

Version history
Revision #: 2 of 2
Last update: 12-02-2016 01:41 AM