Problem: A ClearPass OnGuard posture policy is configured to do a file check on Windows 7. The file path is as below:
C:\Windows\System32\somefile.exe
We are able to do the health check and find the file on Windows 7 32-bit with no issues. However, on Windows 7 64-bit machines, the file is not found. The health check fails with the below error:
Diagnostics: Checked the OnGuard agent logs and found the below:
ClearPassOnGuard* log:
File Check:
2016-11-22 05:34:07,297 [Th 0000111c] DEBUG JsonWrapper.ProcessSoHRResponse - Message=
File Check:
2016-11-22 05:34:07,297 [Th 0000111c] DEBUG JsonWrapper.ProcessSoHRResponse - Message=somefile File not present
2016-11-22 05:34:07,297 [Th 0000111c] DEBUG OnGuardPlugin.BackendClientInfoCollector - ProcessHealthResponse: ProcessSoHR Response: Healthy - 0 Success - 1
2016-11-22 05:34:07,297 [Th 0000111c] INFO OnGuardPlugin.InterfaceSessionHelper - ProcessSohr: Health response= Success=True Healthy=False Remediation URL= Msg: Msg: Your machine is Quarantined! Please contact IT Support. Msg:
File Check:
Msg: somefile File not present
2016-11-22 05:34:07,297 [Th 0000111c] DEBUG OnGuardPlugin.TextStore - GetFormattedTextFromResource: vswprintf result - 49
2016-11-22 05:34:07,298 [Th 0000111c] INFO OnGuardPlugin.AuthSession - ProcessSoftReauthResponse: SoHR processing status for Local Area Connection = Status [healthState=3, msgList=, Your machine is Quarantined! Please contact IT Support.,
File Check:
, somefile File not present
In Winagent_0.log, the below was seen:
2016-11-22 07:09:26,063 [Th 000001C0] INFO WinSHA.HealthFactoryEx - GetHealthRequest: Not adding Health Class Info - InstalledApplications (17)
2016-11-22 07:09:26,063 [Th 000001C0] ERROR WinSHA.FileCheckHealthClassInfoFactory - GetHealth: Not adding file - 'C:\Windows\System32\somefile.exe' as it does not exist. Error - system:2
2016-11-22 07:09:26,065 [Th 000001C0] DEBUG WinSHA.FileCheckHealthClassInfoFactory - GetEnvVarMapEx: Detected 64-bit OS.
2016-11-22 07:09:26,065 [Th 000001C0] DEBUG WinSHA.FileCheckHealthClassInfoFactory - GetEnvVarMapEx: EnvVar - homedrive, Value - C:
Navigated to the location c:\Windows\System32\ to find the file. somefile.exe was present and visible in that location.
As per the windows blog below:
http://csi-windows.com/blog/all/73-windows-64-bit/379-what-is-wow64-windows-64-bit
It seems that when the OnGuard agent, or any 32-bit application, tries to access a path that belongs to System32, the 64-bit operating system automatically redirects the path to SysWOW64. Since a copy of the file is not present at that location, we get the error that the file does not exist.
Instead we could use the Sysnative path in Windows. With it we would be able to find the file, as 64-bit Windows understands that no redirection is required and finds the file in System32.
Solution: We could either create a different service for the 64-bit operating system with the new path, or we could add one more condition to the existing policy configuration with the new path for 64-bit and set Pass any one, as shown below:
In this case, it would work for both 32-bit and 64-bit, as the rule says Pass any one.
To verify that this path works, I did an FCIV check for the file on a 64-bit operating system, see below:
C:\Users\<user>\Desktop>fciv.exe -md5 c:\Windows\System32\somefile.exe
//
// File Checksum Integrity Verifier version 2.05.
//
c:\windows\system32\somefile.exe\*
Error msg : The system cannot find the path specified.
Error code : 3
C:\Users\<user>\Desktop>fciv.exe -md5 c:\Windows\Sysnative\somefile.exe
//
// File Checksum Integrity Verifier version 2.05.
//
58dc4df814685a165f58037499c89e76 c:\windows\sysnative\somefile.exe
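The redirection and the Pass any one rule described above can be modelled as follows. This is an added example, not ClearPass or OnGuard code: it assumes %windir% is C:\Windows and that the agent runs as a 32-bit process, and the function names are hypothetical. It goes slightly beyond the article by also covering the System32 subdirectories that Windows exempts from redirection.

```python
import ntpath

WINDIR = r"C:\Windows"  # assumption: default %windir%
# System32 subdirectories Microsoft documents as exempt from WOW64 redirection.
EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")

def _rel_to(path, base):
    """Part of path below base (case-insensitive), or None if path is outside base."""
    p, b = ntpath.normpath(path), ntpath.normpath(base)
    if p.lower() == b.lower():
        return ""
    if p.lower().startswith(b.lower() + "\\"):
        return p[len(b) + 1:]
    return None

def resolve(path, os_bits, proc_bits):
    """Real on-disk path that `path` names for this process, or None when the
    path uses an alias that does not exist for it."""
    wow64 = os_bits == 64 and proc_bits == 32
    rel = _rel_to(path, ntpath.join(WINDIR, "Sysnative"))
    if rel is not None:
        # Sysnative is a virtual alias visible only to 32-bit processes on 64-bit Windows.
        return ntpath.normpath(ntpath.join(WINDIR, "System32", rel)) if wow64 else None
    rel = _rel_to(path, ntpath.join(WINDIR, "System32"))
    if wow64 and rel is not None and not any(_rel_to(rel, e) is not None for e in EXEMPT):
        return ntpath.normpath(ntpath.join(WINDIR, "SysWOW64", rel))
    return ntpath.normpath(path)

def pass_any_one(policy_paths, on_disk, os_bits, proc_bits=32):
    """Healthy if any configured path resolves to a file that exists on disk."""
    present = {ntpath.normpath(f).lower() for f in on_disk}
    for p in policy_paths:
        real = resolve(p, os_bits, proc_bits)
        if real is not None and real.lower() in present:
            return True
    return False

if __name__ == "__main__":
    sys32 = r"C:\Windows\System32\somefile.exe"
    sysnative = r"C:\Windows\Sysnative\somefile.exe"
    on_disk = [sys32]  # constructed: the file exists only in the real System32
    for os_bits in (32, 64):
        print(os_bits, "System32 only:", pass_any_one([sys32], on_disk, os_bits),
              "| both paths:", pass_any_one([sys32, sysnative], on_disk, os_bits))
```

Because Sysnative does not exist for 64-bit processes or on 32-bit Windows, a policy that lists only the Sysnative path would fail there; keeping both paths under Pass any one covers each case.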