Product and Software: This article applies to all ECS product and software versions.
Solution
To prevent clients with suspicious files from getting on the network, create a custom scan and associate it with your security policies.
1) From the NAC appliance admin UI, go to Security Management > Custom Scans.
2) Click the Add button to create a scan.
3) Enter a name for the scan, select File from the Scan Type pull-down menu, and click Add to display the scan's properties.
4) Enter the scan criteria:
-
Label - Information to be displayed on the results page.
-
Severity - Set to Required
-
File Name - Name of the file
-
Registry Key - Key that contains the file path
-
Registry Value Name - File path
-
Execute - No (default)
-
Command-Line Options - n/a
-
Wait for Execution to Complete Before Continuing - n/a
-
File Version (>=) - (If any)
-
Web Address - URL of page with information about this file (the link appears on the results page)
-
Windows OS - Select the Windows version(s) for the scan.
-
Prohibit this Product - Set to True to fail clients that have the file.
5) Click Apply.
6) Go to Security Management > Policy Configuration.
7) Select the security policy to associate with the scan.
8) Click the Windows tab.
9) From the menu on the left, select Custom.
10) From the list, select the scan you created.
11) Click Apply.
Validation
1) Connect the client with the file to the network.
2) Go to Scheduler view.
3) Select the scheduled security policy and right-click Run Now.
4) Verify that the client is removed from the production VLAN.
5) Go to Clients view.
6) Locate the client (use the filter if necessary), and double-click the client record.
7) Click the Health tab.
8) The scan results should show that the client failed the custom scan.