Review Secure Endpoint (CSE) Windows Scans

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.6 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.3 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 6, 2023
Document ID:220362

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.


    Introduction

    This document describes the different types of scans of a Windows connector.

    Prerequisites

    The prerequisites for this document are:

    • Windows Endpoint
    • Secure Endpoint (CSE) version v.8.0.1.21164 or later
    • Access to Secure Endpoint Console

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Secure Endpoint Console
    • Windows 10 Endpoint
    • Secure Endpoint version v.8.0.1.21164

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    The scans were tested on a lab environment with Policy set to debug.
    Flash scan on install was enabled via Connector download.
    The scans were executed from the Secure Client GUI and from the Scheduler.

    Full Scan

    This log demonstrates when a Full scan is requested from the CSE Graphic User Interface (GUI).

    Scan from User InterfaceScan from User Interface

    Here, the ScanInitiator process begins the Scan process.

    (1407343, +0 ms) Aug 23 18:06:01 [9568]: ScanInitiator::RequestScan: Attempting to start scan: dConnected: TRUE, FileName: , Options: 0, PID: 0, Type: 5

    You can see that Full Scan is the type of Scan triggered on the GUI as shown in the image.

    Next, you have the Security Identifier (SID), which is a value of variable length assigned to this particular event, this Security Identifier helps you track the scan in the logs.

    Publish EventPublish Event

    You can match this with the event from the CSE console.

    Console EventConsole event







    Next, in the logs, you can see this:

    Publish SucceededPublish Succeeded



    This means that the event has been successfully published to the CSE Cloud.

    Then, the next action is actually to perform the scan:


    Scan StartScan start




    As you can notice, the SID is the same, so you are under the stream of SID 1407343.


    These are the steps that the connector performs when a Threat is detected during the Scan.

    Step 1. The connector tells you the File that caused the detection, in this example, it is caused by Hacksantana Trainer GLS.

    File DetectedFile detected




    Step 2. The event is published to the CSE console with the Threat Detection name and the path where it is found.

    Detection NameDetection name





    Threat Event PublishThreat event publish


    After the scan finishes, you can take a look at the Event viewer, for a summary of the Scan.

    Event ViewerEvent viewer

    Flash Scan

    Flash scans are quick, they take from seconds to minutes to finish.
    In this example, you can see when the Scan starts, and like previously, a SID is given, this time, with a value of 2458015.


    Flash Scan StartFlash scan start

    The next action is to publish the event to the CSE cloud.


    Publish to CSE Cloud


    When the Scan finishes, the Event is published to the cloud.


    Scan Finish PublishScan Finish Publish

    The event can be seen in the Windows Event viewer. As you can notice, the information is the same as the information presented in the logs.

    JSON EventJSON Event



    Scheduled Scans


    When it comes to Scheduled scans, you must be aware of a set of aspects.

    After a Scan is scheduled, a change in the Serial number occurs.

    Here, the test policy does not have any Scheduled Scans.

    Policy Serial NumberPolicy Serial Number

    If you want to schedule a Scan, click Edit.

    Navigate to Advanced Settings > Scheduled Scans.

    Advanced SettingsAdvanced Settings

    Click New.

    New Scan ConfigurationNew Scan Configuration

    The options are:

    • Scan Interval
    • Scan Time
    • Scan Type

    After you have configured your Scan, click Add.

    Scheduled Scan ConfigurationScheduled Scan Configuration

    Save your policy changes, a pop-up appears that confirms your changes.

    Pop-UpPop-Up

    Serial Number changeSerial Number change

    Serial Number changeSerial Number change












    The scan is configured in the Policy, in this example, two scans are configured scans, a Flash scan and a Full Scan.

    Policy XMLPolicy XML

    They are added to a Scheduler in HistoryDB. The characters next to the <scheduled> tag are the Process ID (PID) that identify the Scan.


    Process IDProcess ID

    As shown in the image, it is queued.

    Scan QueuedScan Queued

    You can search in the logs for the scan, and notice whether the scan can run now or not. If it can, the scan executes.

    Scan can ExecuteScan can Execute



    You can see that the options for the scan are loaded and the ScanInitiator process requests the Scan to begin.


    Process starts the Scan




    Then, the Process Scan::ScanThreadProcess starts the Scan.


    Type of Scan id Flash

    Similar to previous events, it needs to be published in the CSE cloud. The logs can tell you the type of Scan, which in this case is Flash.


    Publish Event of Scheduled ScanPublish Event of Scheduled Scan

    You can Navigate to Event Viewer > App and Services Registries.

    Application and Services LogsApplication and Services Logs


    Search for Cisco Secure Endpoint, and open Cloud and Events. Each tab gives you a different view.

    Events:


    Event ViewEvent View

    Cloud:

    Cloud ViewCloud View

    Once the Scan finishes, you can see the event published to the cloud.


    Scan Finish PublishScan Finish Publish


    Scheduled Full Scan


    The Windows event viewer shows Event Scan Started, as shown in the image.

    Event Scan Started







    Once it finishes, you can compare the published event.


    Compare the Published Event

    You can see this in the event viewer from Windows.

    Event ViewerEvent Viewer






    Other Scans

    When it comes to custom or rootkit scans, the main difference as you have noticed is the Scan Type in the Event viewer or in the logs.

    Troubleshoot

    When a Schedule Scan does not occur:

    • Ensure that the endpoint is available by the time the Scan is meant to occur.
    • Ensure the Scan is scheduled in the Policy. If you do not see it, trigger a Policy Sync.

    Revision History

    Revision Publish Date Comments
    1.0
    06-Apr-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Uriel Tadeo Montero Casas
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products