Client Management Suite

  • 1.  DWORD support

    Posted Jul 18, 2017 11:23 AM

    It's only been years and years and years now. We are using 7.6 SP1 HF7 8675309. Does anyone know if the detection rules are able to read a Windows registry value that is other than a string in 8.x?

    Cheers



  • 2.  RE: DWORD support

    Posted Jul 19, 2017 07:22 AM

    Hi MyITGuy,

    In 8.1 this is still a known limitation (Please see more in RN http://www.symantec.com/docs/DOC9471).

    Regards,
    Dmitri



  • 3.  RE: DWORD support

    Posted Jul 24, 2017 11:35 AM

    Hey Dmitri,

    We can see that the documentation is extensive, but don't see this issue addressed anywhere. Is there any plan to address this product deficiency?

    Thank you, again.



  • 4.  RE: DWORD support

    Posted Aug 01, 2017 10:57 AM

    Hi,

    I have forwarded your query to the responsible persons.

    BTW: DWORD can be found if it's defined as a decimal value (not hex). For more details, please see: https://www.symantec.com/connect/forums/detection-rules-ok-string-version-not-dword-registry-value#comment-7865041

    Regards,
    Dmitri



  • 5.  RE: DWORD support

    Posted Aug 09, 2017 03:49 AM

    Hi MyITGuy,

    Our support has posted a KB with a workaround for how to use DWORD in Inventory Rules.

    http://www.symantec.com/docs/TECH247218

    Does this resolve your problem, or do you need the possibility to use QWORD, MULTI_SZ and BINARY in Inventory Rules?

    Regards,
    Dmitri



  • 6.  RE: DWORD support

    Posted Aug 10, 2017 12:35 PM

    Hey Dmitri,

    Unfortunately, TECH247218 is not a resolution. I'm certain you'd agree that most customers and consumers would expect the product to be able to read the registry, in all aspects, without any caveats. Many vendors implement non-string values, most notably the OS vendor themselves.

    The Windows registry has been around for many years with the ability to read it programmatically since its inception. If Symantec had taken the time, years ago, to correct this, there would only be the need to manage new methods, such as QWORD (64-bit), when new values are provided by Microsoft. Instead, we're still stuck with a busticated methodology that struggles to work in even the smallest degree.

    I'm not certain how the mechanism works for reading the registry and if Symantec returns only strings no matter what the Kind is that they are reading, but I am certain that in its current state, it's sadly lacking.

    Do you know if there are plans to correct the registry reading behavior?

    Thanks, again, for fielding this question. Much appreciated.