Technical Tip: File-Check custom scan compliance policy
| Description | This article explains how to create a custom scan compliance policy for a specific text file. |
| Scope | FortiNAC-F v7.6. |
| Solution | When a host is checked for compliance by the regular scan, the 'Custom Scan' is evaluated as well. However, the 'Custom Scan' must first be assigned to one of the 'Scans'.
Example 1: A file named 'fortinet.txt' was created on a test endpoint in the directory 'C:\ProgramFiles\Fortinet\FortiClient'. If the file 'fortinet.txt' exists, the host is compliant. Create a custom scan with scan type 'file' and label 'testfortinetlabel' under Policy & Objects -> Endpoint Compliance -> Scans -> 'Custom Scans'.
Run a host scan. The host health scan status is successful, and all compliance conditions have been passed.
Check the agent logs on the host machine in 'C:\ProgramData\Bradford Networks\general.txt'.
Example 2: If the file 'fortinet.txt' exists on the user's desktop instead, the endpoint scan will fail the custom scan evaluation. To cover this location, create a new Registry key string value with Value name 'Desktop' and Value Data 'C:\Users' in the Registry location 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'.
Modify the 'Custom Scan' created under Policy & Objects -> Endpoint Compliance -> Scans -> 'Custom Scans' and change Registry Value Name to 'Desktop'.
Run a host scan again. The host health scan status is successful, and all compliance conditions have been passed.
Example 3: To make the host fail the scan (Non-compliant) when this file 'fortinet.txt' exists on the user's desktop, modify the Custom Scan created in Policy & Objects -> Endpoint Compliance -> Scans -> 'Custom Scans' and change the Prohibit This Product option from false to True.
Run a host scan again. The host health scan status is Failed, and the host is Isolated.
Example 4: To make the host fail the scan (Non-compliant) when this file 'fortinet.txt' on the user's desktop contains the string 'Secret' (set as the File Contains String value, which is case-sensitive), modify the Custom Scan created in Policy & Objects -> Endpoint Compliance -> Scans -> 'Custom Scans' and change the Prohibit This Product option from false to True.
Run a host scan again. The host health scan status is Failed, and the host is Isolated.
|
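The following PowerShell script is an added example, not FortiNAC's own agent code: it evaluates a 'file' custom scan on the endpoint the way the four examples above describe (file existence, a base directory taken from a registry value, a case-sensitive File Contains String match, and the Prohibit This Product inversion), so an administrator can pre-check a host before running the FortiNAC host scan. The function name, its parameters, and the recursive search below the registry-derived directory are this example's assumptions.

```powershell
# Added example (not FortiNAC agent logic): emulate a 'file' custom scan verdict on this endpoint.
# Assumptions: function/parameter names and the recursive search under the base directory are
# this example's choices; the registry key and 'Prohibit' semantics follow the article.
function Test-CustomFileScan {
    param(
        [Parameter(Mandatory)][string]$FileName,  # e.g. 'fortinet.txt'
        [string]$Directory,                       # fixed directory to check (Example 1)
        [string]$RegistryValueName,               # value under CurrentVersion whose data is the base directory (Example 2)
        [string]$ContainsString,                  # case-sensitive 'File Contains String' value (Example 4)
        [switch]$Prohibit                         # 'Prohibit This Product' = True (Examples 3 and 4)
    )
    $base = $Directory
    if ($RegistryValueName) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
        $base = (Get-ItemProperty -Path $key -Name $RegistryValueName -ErrorAction Stop).$RegistryValueName
    }
    if (-not $base) { throw 'No directory given: set -Directory or -RegistryValueName.' }

    # Locate the file below the base directory (recursive search is this example's assumption).
    $hits  = @(Get-ChildItem -Path $base -Filter $FileName -File -Recurse -ErrorAction SilentlyContinue)
    $found = $hits.Count -gt 0

    # Optional content test: -CaseSensitive keeps 'Secret' distinct from 'secret', as the article notes.
    if ($found -and $ContainsString) {
        $found = [bool]($hits | Select-String -SimpleMatch -CaseSensitive -Pattern $ContainsString -Quiet)
    }

    # Prohibit inverts the verdict: a present (and matching) file makes the host non-compliant.
    $compliant = if ($Prohibit) { -not $found } else { $found }

    [pscustomobject]@{
        File       = $FileName
        SearchRoot = $base
        Found      = $found
        Prohibit   = [bool]$Prohibit
        Verdict    = if ($compliant) { 'Compliant' } else { 'Non-compliant (host scan would fail; host isolated)' }
    }
}

# Example 1: the file must exist under the FortiClient directory.
Test-CustomFileScan -FileName 'fortinet.txt' -Directory 'C:\ProgramFiles\Fortinet\FortiClient'
# Example 4: a copy under the 'Desktop' registry-derived root containing 'Secret' is prohibited.
Test-CustomFileScan -FileName 'fortinet.txt' -RegistryValueName 'Desktop' -ContainsString 'Secret' -Prohibit
```

Compare the Verdict column with the agent's result in 'C:\ProgramData\Bradford Networks\general.txt' after the real host scan; a mismatch usually points at the scan not being assigned to the active 'Scans' entry or at the registry value not being readable by the agent.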