Endpoint Protection

  • 1.  HI Policy - Registry Value w/ String Value

    Posted Jan 20, 2016 01:19 PM

    I'm creating a rule in HI for SEP 12.1.6 MP3 so that IF a registry key exists AND NOT a registry value with a string value then it runs a program and reports a FAIL.  However, all are reporting a FAIL when I know that they have already run the command and the registry value with the string value now does exist.  In looking at one of these test nodes I can also see that, whereas the policy is set to check every 2 minutes, it has not logged anything in the client management>security log since yesterday at 4 PM EST.  Below is the screenshot of the rule:

    Snap 2016-01-20 at 12.54.58.png



  • 2.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 20, 2016 06:31 PM

    What is the version of the SEP clients?

    Do you have a separate license for SNAC?



  • 3.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 20, 2016 06:51 PM

    For what it's worth, I too have had issues with string values in the past with location awareness; however, once I used DWORD values and ran a script to put the value on that type of machine, the location awareness kicked in without any problems.



  • 4.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 21, 2016 09:36 AM

    Seyad,

    The clients are a mix of 12.1.6 MP1 & MP3.  No SNAC license just the host integrity that came built in with 12.1.5.  

    Falendoor,

    I tried using string values for location awareness and was told that it will only look for the presence of the key not the value.  We got it working by using the value name as part of the key path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet explorer\IE) and the value data as the string value.  Thought I tried it here but .... 



  • 5.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 21, 2016 12:38 PM

    I think your HI script needs an additional PASS command. At present, it does not matter if the first IF clause is true or false, in both cases the HI script will reach the FAIL command in the last line and the clients will respond FALSE.

    You should check if the registry value exists in an additional IF clause above the FAIL command, something like this (not tested):

    IF 
      Registry: Registry value equals
    THEN
      PASS
    

    HTH!



  • 6.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 21, 2016 01:51 PM

    I think that might be the direction to look, greg12.  I made the following modification and am testing now.

     

    Snap 2016-01-21 at 13.48.21.png



  • 7.  RE: HI Policy - Registry Value w/ String Value
    Best Answer

    Posted Jan 21, 2016 02:04 PM

    The last line must be FAIL (as in your first attempt). Move the PASS command into the last THEN clause instead.

    Beginning with the last IF condition, it should look like this:

    IF
      Registry: Registry value equals
    THEN
      PASS
    END IF
    FAIL
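
    The fall-through described in this thread, as an added example that is not part of any post and is not Symantec's HI engine: a toy model in which statements run top to bottom and the first PASS or FAIL reached is the result. The key path, value name, value data and `remediate.cmd` are constructed placeholders.

```python
# Toy model of the control flow discussed in this thread; not Symantec's HI engine.
# Key path, value name, data and program name are constructed placeholders.
KEY = r"HKLM\SOFTWARE\ExampleVendor\ExampleApp"
VALUE, DATA = "Remediated", "yes"

def key_exists(reg):
    return KEY in reg

def value_equals(reg):
    return reg.get(KEY, {}).get(VALUE) == DATA

def evaluate(script, reg):
    """Run statements top to bottom; the first PASS or FAIL reached is the result."""
    actions = []  # programs the rule asked to run (recorded only, never executed)

    def run(block):
        for stmt in block:
            if stmt in ("PASS", "FAIL"):
                return stmt
            kind, arg, *body = stmt
            if kind == "RUN":
                actions.append(arg)
            elif kind == "IF" and arg(reg):
                result = run(body[0])
                if result:
                    return result
        return None  # script ended without reaching PASS or FAIL

    return run(script), actions

remediate_if_missing = ("IF", lambda r: key_exists(r) and not value_equals(r),
                        [("RUN", "remediate.cmd")])

# First attempt: nothing ever reaches PASS, so every client reports FAIL.
ORIGINAL = [remediate_if_missing, "FAIL"]

# Structure from the accepted answer: PASS inside the last THEN, FAIL as last line.
CORRECTED = [remediate_if_missing,
             ("IF", value_equals, ["PASS"]),
             "FAIL"]

if __name__ == "__main__":
    compliant = {KEY: {VALUE: DATA}}   # value already written by the program
    pending = {KEY: {}}                # key present, value not yet written
    for name, script in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, evaluate(script, compliant), evaluate(script, pending))
```

    In this model a client that already has the value reports FAIL under the first structure and PASS under the corrected one, while a client still missing the value triggers the program and reports FAIL in both.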

     



  • 8.  RE: HI Policy - Registry Value w/ String Value

    Posted Jan 21, 2016 03:25 PM

    Thanks greg12, everything is now up and performing as expected.  Below is the final draft:

     

    Snap 2016-01-21 at 15.22.46.png