How to create a Host Integrity script with a grace period

Article:TECH175553  |  Created: 2011-11-28  |  Updated: 2011-11-28  |  Article URL http://www.symantec.com/docs/TECH175553
Article Type
Technical Solution


Issue



With Symantec Network Access Control (SNAC) is there a way to create a Host Integrity script with a "grace" period, or a script that needs to fail twice in a row before assigning the client to the quarantine network?



Solution



It is possible to create a Host Integrity script that does not assign the client to the quarantine network on a single, one-off failure, by using a temporary flag in the registry to "remember" the result of the previous check. This can be useful, for example, when checking the antivirus definition age: it gives the client a number of extra minutes to finish downloading the update before it is assigned to the quarantine network.

The following is an example script:

  • IF NOT
    • Antivirus: signature file is up-to-date       // ...or any other check where a grace period is desired
  • THEN
    • IF
      • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
      • Value name: FailedHIOnce
      • DWORD: 1       // this checks the flag to report FAIL only on the second failure in a row
    • THEN
      • FAIL       // this FAIL will be reported only if the signature file check failed AND the FailedHIOnce flag is set
    • END IF
    • Registry: Set registry value
      • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
      • Value name: FailedHIOnce
      • DWORD: 1       // this sets the flag so that the next check will see that it is the second failure in a row
    • PASS       // the signature file check failed but the flag was not set - reporting PASS
  • END IF
  • Registry: Set registry value
    • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
    • Value name: FailedHIOnce
    • DWORD: 0       // this resets the flag so that we will not fail immediately on the next signature file check failure
  • PASS       // the signature file check passed - report PASS status after resetting the registry flag
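The following Python simulation is an added example, not part of the article or the attached policy: it replays the same IF/THEN logic with the registry modelled as an in-memory dict (the key and value names are the ones from the script above; the check outcomes are constructed), so the effect of the FailedHIOnce flag across consecutive Host Integrity runs can be seen without a SNAC client.

```python
# Simulation of the "fail twice in a row" Host Integrity logic described above.
# The registry is modelled as a plain dict so the example runs offline; on a
# real client the flag is the DWORD value under the key named below.

REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC"
FLAG_NAME = "FailedHIOnce"


def evaluate_hi(check_passed: bool, registry: dict) -> str:
    """Report "PASS" or "FAIL" for one Host Integrity run and update the flag.

    Mirrors the nested IF/THEN script: a failed check reports FAIL only when
    FailedHIOnce was already set to 1 by the previous run; otherwise the flag
    is set and PASS is reported (the grace period). A passing check always
    resets the flag to 0. A missing value is treated as "not set", which is
    how the script's registry condition behaves on a fresh client.
    """
    flag = registry.get((REG_KEY, FLAG_NAME), 0)
    if not check_passed:
        if flag == 1:
            return "FAIL"  # second consecutive failure: client is quarantined
        registry[(REG_KEY, FLAG_NAME)] = 1  # remember the first failure
        return "PASS"  # grace period: allow one more check interval
    registry[(REG_KEY, FLAG_NAME)] = 0  # check passed: clear the flag
    return "PASS"


def run_sequence(check_results, registry=None):
    """Replay a series of check outcomes (True = check passed) and collect statuses."""
    registry = {} if registry is None else registry
    return [evaluate_hi(result, registry) for result in check_results]


if __name__ == "__main__":
    # Constructed scenarios; True means the signature file was up to date.
    scenarios = [
        ("two failures in a row", [False, False]),
        ("fail, recover, fail", [False, True, False]),
        ("three failures in a row", [False, False, False]),
    ]
    for label, sequence in scenarios:
        print(f"{label}: {run_sequence(sequence)}")
```

Because the flag is only consulted on the next run, the grace period equals one Host Integrity check interval as configured in the policy, and since the flag lives in the registry it survives a reboot between checks.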


An exported example policy is attached (the policy uses a check for calc.exe as the example condition).



Attachments

Fail-Twice-Test for calc.exe.dat (2 kBytes)

