
Detection Rule problem Altiris v. 7.1

Created: 02 Mar 2012 | 11 comments

Hello all,
I have a problem with a detection rule. I need to create a Registry Key Value detection for a value that contains %sapini_copy%.
When I write %sapini_copy% it does not work; I tried ", ' before % but it still does not work.
Any ideas?

MK

Comments

Mistral

If % gives you trouble (that's probably what you suppose it to do) ... why not just check if the registry key contains (not exact match) sapini_copy ... do you think it will make any difference?

KMariusz

Can you tell me how to check if the registry key contains (not exact match) sapini_copy?
I only have these options (see screenshot).

Mistral

Registry value: sapini_copy

Match: Substring

mclemson

Change the Match from 'Entire String' to 'Substring'

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

KMariusz

Mclemson,

I tried this "substring" with the values %sapini_copy% and sapini_, and this didn't work.

Mistral

Somehow i have the feeling you should try:

HKEY_CURRENT_USER\Software\Wow6432Node\SAP\SAPLogon\Options

as Registry key path.

Are you deploying the software to an x64 client?

KMariusz

No, XP, x32.

I don't think it's a problem with the registry key. When I write another value that doesn't have %, the detection rule works fine. It seems like Altiris has a problem with %.

Mistral

Just tested with "%test%" and it was detected successfully.

I tested "%test%" with entire string -> detected.

I tested "test" with substring -> detected.

As the key is in HKCU, are you executing the policy with the correct "Run As" settings (As the correct user)?

KMariusz

Yes, I run it as the currently logged-in user. When I try %test% and more words it works, so I think the problem is because %sapini_copy% is an environment variable; when I try %temp% it doesn't work either.
Any ideas why?

Mistral

No clue what's wrong ... for me it works with %temp% and %path% also.

Dmitri Dragunov

Hi KMariusz,

We tried to reproduce your issue on ITMS 7.1 SP2. What version of ITMS is installed in your environment? (Or define your Software Management Solution version.)

We were able to reproduce your issue only if we put %Sapini_copy% in the registry value but use %sapini_copy% in the rule. Do you have both values in the same case, or is there some difference between the registry and rule values?

All of the following nuances should be met:

1. The detection rule value is case sensitive.

2. The "Run As" MD policy advanced option setting should be set to "Current logged-on user" (if not, the detection rule will try to find this value in another registry hive).

Regards,

Dmitri
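
The two conditions from Dmitri's reply (case-sensitive comparison, and the hive that HKCU resolves to under the "Run As" account) can be checked on the client with a short PowerShell script. This is an added example, not part of the original thread and not Symantec code; the subkey is the path Mistral suggested with the Wow6432Node part left out, and the value name is a placeholder, so both are assumptions to replace with the rule's actual targets.

```powershell
# Added diagnostic example; not Symantec/Altiris code.
# $KeyPath and $ValueName are assumptions: substitute the key and value the rule targets.
param(
    [string]$KeyPath   = 'Software\SAP\SAPLogon\Options',  # assumed subkey under HKCU
    [string]$ValueName = 'ExampleValueName',                # placeholder value name
    [string]$Expected  = '%sapini_copy%'                    # text typed into the rule
)

# HKCU maps to the hive of whichever account runs this script.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as : $($identity.Name) (SYSTEM: $($identity.IsSystem))"

$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($KeyPath)
if ($null -eq $key) {
    "Key HKCU\$KeyPath not found in this account's hive"
    return
}
try {
    # Read the stored text as written, without expanding %VAR% references.
    $raw = $key.GetValue($ValueName, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { "Value '$ValueName' not found"; return }
    $kind = $key.GetValueKind($ValueName)
    $raw  = [string]$raw

    "Stored value: $raw  ($kind)"
    "Entire string, case-sensitive   : $($raw -ceq $Expected)"
    "Entire string, case-insensitive : $($raw -ieq $Expected)"
    "Substring, case-sensitive       : $($raw.Contains($Expected))"
    $pos = $raw.IndexOf($Expected, [StringComparison]::OrdinalIgnoreCase)
    "Substring, case-insensitive     : $($pos -ge 0)"
}
finally { $key.Close() }
```

Run it once in the logged-on user's session and once under the account the policy uses. A case-insensitive match without a case-sensitive one points to condition 1, and a missing key under the policy account points to condition 2.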