Hi Folks: I just finished working with System Scanner and thought I would pass along some helpful hints…

 

  1. If you need to create a custom policy that includes “chunks” of all of Initial-1 through 6, perform the following:

                  Go to Program Files\ISS\systemscannerconsole\rules

                  Use WordPad to open Initial-1 through 6 and append them all together in a new file

                  In Initial-2 and Initial-3 there is a section that talks about checkgroups called 'userchecks' – look at Initial-2 and change any occurrence of 'userchecks' to 'userchecks2' or something different

                  Save the file (not as a txt)

                  Import the new file (with all the policies appended to each other) into System Scanner

Now you will have a new policy that contains all the initial policies in one policy that you can tailor any way you want to.  This is beneficial if you are looking to incorporate checks from one policy into another quickly.

 

 

  2. According to the documentation, when you add a groupcheck to a new policy it should pull all the checks for that groupcheck into the new policy that you are creating.  This feature does not work yet. Don’t bother to use it.  You must create your own groupchecks and add type, source, variables etc. manually.
  3. There is a small open problem with System Scanner.  If you take a default policy (like Initial-1), right-click on one of the checkgroups, choose copy and then paste it back into the same default policy, it will allow you to do this. Unfortunately this is not supposed to happen and will screw up your default policy.  The only way to get the default policy back to a usable format is to copy a like policy from another agent.  ISS is currently aware of this and working on it.  No big deal.. just don’t do it.
  4. System Scanner does not look for McAfee antivirus under the antiviruskeys in the Check config area.  I personally found it more meaningful to create a new entry in the ServiceTemplate area to see if the service was there, running, and other bits of information.  The entry for McAfee looks like this:

W2K_service

Name=McShield

Display Name = McAfee.com McShield

Description = < Any Description that you would like >

Startup Type = < What is the startup type that you are expecting > (for me it was Automatic)

Log on As = LocalSystem

Status = < what is the status that you expect on this server > (I used started)

Path = C:\Program Files\mcafee.com\vso\mcshield.exe

Expectation = < it should be there right ???!!> present

Message = < your message that you would like to say about this >

 

The above tells me everything I want to know about that service..

I have found some very interesting things about alerting as well if anyone has any interest in that area ..

 

I am tearing apart SiteProtector and Server Sensors next.  I will post anything that might be of use to the group.

 

 

Drop me a line if you have any questions..

 

Kriss Warner

Security Consultant

CYBERDINE

www.cyberdinecorp.com
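
The same expectations as the McShield ServiceTemplate entry above can be checked directly against Windows with WMI. This is an added example, not part of the original post and not System Scanner syntax; the function name Test-ServiceExpectation and its parameters are hypothetical, and it assumes a PowerShell version that provides Get-CimInstance.

```powershell
# Added example: compares a service against a baseline like the one in the post.
# Test-ServiceExpectation and its parameter names are hypothetical.
function Test-ServiceExpectation {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,  # Name, plus any of StartMode, StartName, State, Path
        [string] $Message = 'Service does not match the expected baseline'
    )
    # Builds one deviation record; an empty result means the service matches.
    $report = {
        param($Property, $Want, $Have)
        [pscustomobject]@{
            Service = $Expected.Name; Property = $Property
            Expected = $Want; Actual = $Have; Message = $Message
        }
    }
    # Filter client-side so the service name is never placed inside a WQL string.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $Expected.Name }

    if (-not $svc) {
        # The "Expectation = present" condition failed: nothing else to compare.
        return (& $report 'Expectation' 'present' 'absent')
    }
    foreach ($prop in 'StartMode', 'StartName', 'State') {
        if ($Expected.ContainsKey($prop) -and $svc.$prop -ne $Expected[$prop]) {
            & $report $prop $Expected[$prop] $svc.$prop
        }
    }
    if ($Expected.ContainsKey('Path')) {
        # PathName may be quoted and may carry arguments; match the executable only,
        # so a look-alike binary in another location is reported.
        $pattern = '^"?' + [regex]::Escape($Expected.Path) + '("|\s|$)'
        if ($svc.PathName -notmatch $pattern) {
            & $report 'Path' $Expected.Path $svc.PathName
        }
    }
}

# Baseline taken from the entry in the post.
$mcshield = @{
    Name      = 'McShield'
    StartMode = 'Auto'         # WMI's value for the "Automatic" startup type
    StartName = 'LocalSystem'
    State     = 'Running'      # WMI's value for a started service
    Path      = 'C:\Program Files\mcafee.com\vso\mcshield.exe'
}
$deviations = @(Test-ServiceExpectation -Expected $mcshield -Message 'McShield baseline check')
if ($deviations.Count -eq 0) { 'McShield matches the expected baseline' }
else { $deviations | Format-Table -AutoSize }
```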

 

 

 

 
