
Case Study: Setting and Configuring Registry Key End Point Analysis Pre-authentication Scanning in Access Gateway Enterprise Edition 8.0

Document ID: CTX114099   /   Created On: Nov 1, 2007   /   Updated On: Nov 1, 2007

    Summary

    This document illustrates the steps necessary to implement registry scans for Access Gateway Enterprise Edition 8.0. The information contained in this article pertains to Access Gateway Enterprise Edition 8.0 Build 45.4.

    Creating the Scanned Registry Key

    For this example, a registry key was created called “ABCVirusSoftware” with a sub-value called “Version” and with a data value of “5.523.01” under the HKEY_LOCAL_MACHINE\SOFTWARE Hive (see screen shot below). This key serves as the initial scanned test key.

    EPA Syntax (Introduction)

    The basic syntax for EPA is as follows:

    • Four backslashes are needed to separate keys and subkeys.

    Example: HKEY_LOCAL_MACHINE\\\\SOFTWARE...

    • An underscore is used to separate a subkey and its associated value name.

    Example: HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version

    • The entire registry key and value path needs to be placed within brackets and straight single quotes.

    Example: ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version')

    The following scenario scans were configured against this registry key using the Advanced Free-form option.

    Scenario 1

    Testing for the existence of the ABCVirusSoftware key and allowing logon access if the key exists.

    Operation: Testing for the existence of the ABCVirusSoftware key.

    Action: If absent, deny the users logon access.

    Steps

    1. Noting the full path: HKEY_LOCAL_MACHINE\SOFTWARE\ABCVirusSoftware\ is the full path of the key to run the scan against.

    2. Converting to EPA logic:

      a. When scanning against registry keys and values using the Advanced Free-form option, the expression must begin with CLIENT.REG.

      b. There must be four backslashes between each subkey, and the entire registry path must be in single quotes:

    'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware'

      c. The registry path must then be enclosed within brackets as follows:

    ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware')

      d. Adding the CLIENT.REG (noted in step a) and the EXISTS qualifier (for testing the existence of the key) we obtain the following:

    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware') EXISTS

    (See screen shot below. Note that the existence of this key allows logons).

    Expression Magnified

    Scenario 2

    This test is configured to test for the existence of the Version value (under the ABCVirusSoftware key) with a data value of 5.523.01 (see screen shot below).

    Operation: Testing for the existence of the “ABCVirusSoftware Version” value name with a data value of 5.523.01.

    Action: If the data value does not match the value you are testing against, deny logon access to the users.

    Steps

    1. Noting the full path: HKEY_LOCAL_MACHINE\SOFTWARE\ABCVirusSoftware\ is the full path of the key to run the scan against, with Version being the value name under that key whose data is tested. The data value for Version that is scanned against is 5.523.01.

    2. Converting to EPA logic:

      a. When scanning against registry keys and values using the Advanced Free-form option, the expression must begin with CLIENT.REG.

      b. Again there must be four backslashes between each subkey, and the associated value name (for the ending subkey) must be separated by an underscore ( _ ), all within single quotes:

    'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version'

      c. The registry path must then be enclosed within brackets as follows:

    ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version')

      d. Adding the CLIENT.REG (noted in step a) and the VALUE qualifier (for testing the value of a key against the associated data value) we obtain the following:

    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version').VALUE == 5.523.01

    Note: There are spaces between “VALUE” and “==” and between “==” and “5.523.01”.

    (See the screen shot below; note that the existence of this key allows logons.)

    Expression Magnified

    Scenario 3

    This test is a compound test for the existence of a subkey called IDOEXIST underneath the “ABCVirusSoftware” subkey (see screen shot Scanned Registry Key 2) AND for the existence of a value named “Version” with a data value of 5.523.01 in the “ABCVirusSoftware” subkey (see screen shot Scanned Registry Key 1).

    Scanned Registry Key 1

    Scanned Registry Key 2

    Operation: Testing for the following:

    (1) Existence of a subkey underneath the “ABCVirusSoftware” subkey called “IDOEXIST.”

    (2) Existence of the “ABCVirusSoftware Version” value name with a data value of 5.523.01.

    Action: If the “IDOEXIST” subkey does not exist and the data value of “Version” (in the “ABCVirusSoftware” key) does not match the value being tested against, deny logon access to users.

    Steps

    1. Noting the full path: HKEY_LOCAL_MACHINE\SOFTWARE\ABCVirusSoftware\ is the full path of the key to run the scan against, with Version being the value name under the ABCVirusSoftware key whose data is tested. The value scanned against is 5.523.01.

    2. Converting to EPA logic:

      a. When scanning against registry keys using the Advanced Free-form option, the expression must begin with CLIENT.REG.

      b. Again there must be four backslashes between each subkey, and the associated value name (for the ending subkey) must be separated by an underscore ( _ ), all within single quotes:

    'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version'

      c. The registry path must then be enclosed within brackets as follows:

    ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version')

      d. Next perform the same steps for the existence of the IDOEXIST subkey:

    ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware\\\\IDOEXIST')

      e. Adding the CLIENT.REG (noted in step a) and the VALUE qualifier (for testing a value name against the associated data value) we obtain the following:

    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version').VALUE == 5.523.01

      f. Adding the CLIENT.REG (noted in step a) and the EXISTS qualifier (for testing the existence of a key) we obtain the following:

    ('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware\\\\IDOEXIST') EXISTS

    followed by

    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware\\\\IDOEXIST') EXISTS

      g. Combining the two tests with && (logon requires both the key to exist and the value to match) we obtain the following (see below):

    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware\\\\IDOEXIST') EXISTS &&
    CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ABCVirusSoftware_Version').VALUE == 5.523.01

    (Note that the existence of this key allows logons.)

    Caveats/Concerns:

    The following are a few things I ran into while configuring registry scans.

    1. You cannot scan for the mere existence of a value within a subkey. You must scan against the named value together with its associated data value.

    2. Keys and subkeys containing underscores ( _ ), although probably uncommon, do not seem to work with the scan (ex: I_DO_EXIST). When testing a scan against such a key you should observe that the scan fails for every scan test. Dashes ( - ), however, seem to work just fine (ex: I-DO-EXIST).

    3. Be wary of copying from Word or WordPad and pasting into the expression text window when Advanced Free-form is selected. Doing so carries the editor's font formatting over into the Free-form dialog box. As a test I copied and pasted text (from Microsoft Word) into the expression window. Below is a screen shot of what was pasted (note the style of the beginning single quote and ending single quote):

    After saving the entry, closing and re-opening that particular EPA resource scan, you will see the following special character formatting (note the ↓ before the first single quote and before the ending single quote, which is clearly incorrect). This scan will pass for all users, with or without the I-DO-EXIST key, because of the special character before and after the quotes.
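As an added example (not part of the Citrix article), the following Python builds Advanced Free-form expressions from a regedit-style path using the rules above, and checks a pasted expression for the defects described in the caveats (single-backslash paths, underscores in key names, a value name without its data, and smart quotes carried over from Word, which make the scan pass for everyone). The names `build_epa_expr` and `check_epa_expr` and the exact strictness of the checks are my own assumptions, not an official Citrix validator.

```python
import re

# Added example (not from the Citrix article): build and sanity-check Access Gateway
# EPA Advanced Free-form registry expressions using the rules the article gives.
FOUR_BACKSLASHES = "\\\\\\\\"   # Python literal for four backslash characters

def build_epa_expr(path, value=None, expected=None):
    """Turn a regedit-style key path (single backslashes) into an EPA expression.
    value: optional value name joined to the last subkey with '_';
    expected: data value compared with .VALUE == (required when value is given)."""
    parts = [p for p in path.strip("\\").split("\\") if p]
    if not parts:
        raise ValueError("empty registry path")
    # Caveat 2 on the page: key or subkey names containing '_' are never matched
    # (the scan fails for every client). The hive name itself is exempt.
    for name in parts[1:]:
        if "_" in name:
            raise ValueError(f"underscore in subkey {name!r} is not supported by the scan")
    target = FOUR_BACKSLASHES.join(parts)
    if value is None:
        return f"CLIENT.REG('{target}') EXISTS"
    if expected is None:
        # Caveat 1 on the page: a value name cannot be tested for existence alone.
        raise ValueError("a value name must be tested together with its data value")
    return f"CLIENT.REG('{target}_{value}').VALUE == {expected}"

# Shape of one well-formed scan term: straight single quotes, runs of exactly
# four backslashes, then either the EXISTS qualifier or a .VALUE == comparison.
TERM_RE = re.compile(
    r"^CLIENT\.REG\('[^'\\]+(?:\\{4}[^'\\]+)*'\)(?: EXISTS|\.VALUE == \S+)$",
    re.IGNORECASE)

def check_epa_expr(expr):
    """Return a list of problems found in an expression (empty list means it looks fine)."""
    problems = []
    # Caveat 3 on the page: curly quotes or control characters pasted from Word make
    # the scan pass for every client, whether or not the key exists.
    if any(ord(ch) > 127 for ch in expr):
        problems.append("non-ASCII character present (pasted smart quotes or formatting?)")
    for term in expr.split(" && "):
        if not TERM_RE.match(term):
            problems.append(f"malformed term: {term}")
        if any(len(run) != 4 for run in re.findall(r"\\+", term)):
            problems.append(f"backslash run that is not exactly four long in: {term}")
    return problems
```

Compound scans such as Scenario 3 are produced by joining two terms with " && "; `check_epa_expr` validates each term separately.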

