FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
blarochelle
Staff
Article Id 327486
Description This article describes how to identify the parameters a Persistent Agent scan, configured under Policy & Objects -> Endpoint Compliance -> Scans, checks on the client, and how to verify those parameters in the client's Windows registry.
Scope FortiNAC-C, FortiNAC-F.
Solution

This article covers Windows scans.
Scan parameters can be set under Policy & Objects -> Endpoint Compliance -> Scans -> Add -> Windows.

This example will use Sophos. Select the 'Sophos' hyperlink to open the 'Modify Product' dialog box:

(Image: scanParameters.png)

The Persistent Agent checks the Windows client for two parameters:

  • Last Update
  • Virus Definition


To review how FortiNAC learns the values of these parameters for this particular application (Sophos), locate the appropriate .xml file in the CLI:

/bsc/campusMgrUpdates/rm/templates/Windows/Anti-Virus/Sophos/sophos.xml


The contents of this file are also printed in the Persistent Agent client log (general.txt) on the Windows client.

The .xml will reflect this:


<GetRegistryEntry rootKey="HKEY_LOCAL_MACHINE" keyName="SOFTWARE\Sophos\AutoUpdate\UpdateStatus" valueName="LastUpdateTime" longValue="defVersionTime:$BSI$" action="match" matchOper="cmpOper:$BSI$"/>

This element identifies LastUpdateTime, which corresponds to 'Last Update' in the FortiNAC GUI.

This shows that it looks in the Windows registry for the following:

keyName="SOFTWARE\Sophos\AutoUpdate\UpdateStatus", valueName="LastUpdateTime", longValue="defVersionTime:$BSI$".


<DelimVersion delimiter="." keyName="SOFTWARE\Sophos\AutoUpdate" rootKey="HKEY_LOCAL_MACHINE" operation="gte" valueName="ProductVersion" version="5.0"/>


This element identifies ProductVersion, which corresponds to 'Virus Definition' in the FortiNAC GUI.

This shows that it looks in the Windows registry for the following:

keyName="SOFTWARE\Sophos\AutoUpdate", valueName="ProductVersion", version="5.0".


The Persistent Agent client logs will look like the following after a scan has been performed:


For Last Update:


2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Requested: 1721049231 System: 1721419184 Delim: .
2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Returning: true
2024-07-22 12:19:26 UTC :: Debug: GetRegistryEntryTask Passed
2024-07-22 12:19:26 UTC :: Debug: andTask Passed
2024-07-22 12:19:26 UTC :: orTask Passed
2024-07-22 12:19:26 UTC :: Debug: orTask Passed
2024-07-22 12:19:26 UTC :: Info: andTaskandTask/
2024-07-22 12:19:26 UTC :: Debug: Info: andTaskandTask/
2024-07-22 12:19:26 UTC :: Sophos Definitions status 1
2024-07-22 12:19:26 UTC :: Debug: Sophos Definitions status 1
2024-07-22 12:19:26 UTC :: Sophos Definitions passed

 

Requested (1721049231) is the value configured in the FortiNAC GUI.
System (1721419184) is the value reported by the Windows operating system.

System is read from keyName="SOFTWARE\Sophos\AutoUpdate\UpdateStatus", valueName="LastUpdateTime".


Registry example:


Key name: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus
Value 6
Name: LastUpdateTime
Type: REG_DWORD
Data: 0x669ac5b0


0x669ac5b0 is hexadecimal. Use a converter to get the decimal value. 0x669ac5b0 in decimal is 1721419184, which matches the client Persistent Agent logs:


2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Requested: 1721049231 System: 1721419184 Delim: .

For Virus Definition:


2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Requested: 5.0 System: 6.17.1046 Delim: .
2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Returning: true
2024-07-22 12:19:26 UTC :: Debug: DelimVersionTask Passed
2024-07-22 12:19:26 UTC :: Debug: andTask Passed
2024-07-22 12:19:26 UTC :: orTask Passed
2024-07-22 12:19:26 UTC :: Debug: orTask Passed
2024-07-22 12:19:26 UTC :: Info: andTaskandTask/DelimVersionTask/6.17.1046
2024-07-22 12:19:26 UTC :: Debug: Info: andTaskandTask/DelimVersionTask/6.17.1046
2024-07-22 12:19:26 UTC :: Sophos status 1
2024-07-22 12:19:26 UTC :: Debug: Sophos status 1
2024-07-22 12:19:26 UTC :: Sophos passed
2024-07-22 12:19:26 UTC :: Debug: Sophos passed
2024-07-22 12:19:26 UTC :: --Primary Passed and Section Not Skipped... Starting section 'Sophos Definitions' for group 'sophos'
2024-07-22 12:19:26 UTC :: Debug: --Primary Passed and Section Not Skipped... Starting section 'Sophos Definitions' for group 'sophos'
2024-07-22 12:19:26 UTC :: Testing Sophos Definitions
2024-07-22 12:19:26 UTC :: Debug: Testing Sophos Definitions
2024-07-22 12:19:26 UTC :: Debug: GetRegistryEntryTask Failed
2024-07-22 12:19:26 UTC :: Debug: GetRegistryEntryTask Failed
2024-07-22 12:19:26 UTC :: Debug: GetRegistryEntryTask Passed
2024-07-22 12:19:26 UTC :: Debug: orTask Passed
2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Requested: 5.0 System: 6.17.1046 Delim: .
2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Returning: true
2024-07-22 12:19:26 UTC :: Debug: DelimVersionTask Passed

 

Requested (5.0) is the value configured in the FortiNAC GUI.
System (6.17.1046) is the value reported by the Windows operating system.

System is read from keyName="SOFTWARE\Sophos\AutoUpdate", valueName="ProductVersion".

Registry example:


Key name: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate
Value 5
Name: ProductVersion
Type: REG_SZ
Data: 6.17.1046


6.17.1046 matches the client Persistent Agent logs:

2024-07-22 12:19:26 UTC :: Debug: DelimVersion.. Requested: 5.0 System: 6.17.1046 Delim: .
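As an added example (not Fortinet's or the agent's code), the following Python script mirrors both checks described above: it evaluates the GetRegistryEntry (Last Update) and DelimVersion (Virus Definition) elements from sophos.xml against a constructed copy of the registry values shown, and decodes the REG_DWORD 0x669ac5b0 to 1721419184 and to a UTC date, treating it as a Unix epoch. The values substituted for the $BSI$ placeholders (longValue 1721049231, matchOper gte) are assumptions taken from the "Requested" log entries, and the registry contents are constructed, not read from a live client.

```python
import operator
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for the client's registry with the two values from the article's exports
# (listed there under SOFTWARE\WOW6432Node\Sophos, the 32-bit redirected view of SOFTWARE\Sophos).
FAKE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Sophos\AutoUpdate\UpdateStatus", "LastUpdateTime"): 0x669AC5B0,
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Sophos\AutoUpdate", "ProductVersion"): "6.17.1046",
}

# The two sophos.xml elements with the $BSI$ placeholders filled in. longValue=1721049231
# comes from the log's "Requested" value; matchOper="gte" is assumed (a larger System value passed).
SCAN_XML = r"""<checks>
<GetRegistryEntry rootKey="HKEY_LOCAL_MACHINE" keyName="SOFTWARE\Sophos\AutoUpdate\UpdateStatus" valueName="LastUpdateTime" longValue="1721049231" action="match" matchOper="gte"/>
<DelimVersion delimiter="." keyName="SOFTWARE\Sophos\AutoUpdate" rootKey="HKEY_LOCAL_MACHINE" operation="gte" valueName="ProductVersion" version="5.0"/>
</checks>"""

OPS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le, "lt": operator.lt, "eq": operator.eq}

def delim_version(text, delimiter="."):
    """Split '6.17.1046' on the delimiter so each component compares numerically, not as text."""
    return tuple(int(part) for part in text.split(delimiter))

def evaluate(element, registry):
    """Return (requested, system, passed) for one check; a missing registry value fails the task."""
    key = (element.get("rootKey"), element.get("keyName"), element.get("valueName"))
    system = registry.get(key)
    if system is None:
        return None, None, False
    if element.tag == "GetRegistryEntry":          # Last Update: DWORD compared with the GUI value
        requested = int(element.get("longValue"))
        return requested, system, OPS[element.get("matchOper")](system, requested)
    if element.tag == "DelimVersion":              # Virus Definition: dotted version, gte 5.0
        delim, wanted = element.get("delimiter"), element.get("version")
        passed = OPS[element.get("operation")](delim_version(system, delim), delim_version(wanted, delim))
        return wanted, system, passed
    raise ValueError(f"unsupported check element: {element.tag}")

def run_scan(xml_text, registry):
    """Evaluate every check, returning (tag, requested, system, passed) like the agent's task log."""
    return [(el.tag, *evaluate(el, registry)) for el in ET.fromstring(xml_text)]

def dword_to_utc(value):
    """Decode the REG_DWORD LastUpdateTime (0x669ac5b0 = 1721419184) as a Unix epoch timestamp."""
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__":
    for tag, requested, system, passed in run_scan(SCAN_XML, FAKE_REGISTRY):
        print(f"{tag}: Requested: {requested} System: {system} -> {'Passed' if passed else 'Failed'}")
```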