It is possible to create a Host Integrity script that does not assign the client to the quarantine on a single once-off failure, by using a temporary flag in the registry to "remember" the previous status. This can be useful for example when checking the antivirus-definition age, to give the client a number of extra minutes to finish downloading the update before being assigned to the quarantine network.

The following is an example script:

• IF NOT
  
  • Antivirus: signature file is up-to-date       // ..or any other check where a grace period is desired
• THEN
  
  • IF
    • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
    • Value name: FailedHIOnce
    • DWORD: 1       // this checks the flag to report FAIL only on the second failure in a row
  • THEN
    • FAIL       // this FAIL will be reported only if the signature file check failed AND the FailedHIOnce flag is set
  • END IF
  • Registry: Set registry value
    
    • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
    • Value name: FailedHIOnce
    • DWORD: 1       // this sets the flag so that the next check will see that it is the second failure in a row
  • PASS       // the signature file check failed but the flag was not set - reporting PASS
    
• END IF
• Registry: Set registry value
  
  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\NAC\SNAC
  • Value name: FailedHIOnce
  • DWORD: 0       // this resets the flag so that we will not fail immediately on the next signature file check failure
• PASS       // the signature file check passed - report PASS status after resetting the registry flag

An exported example policy is attached (the policy uses a check for calc.exe as example).