John Scherff wrote: > QUESTION: Can wildcards or ranges be used for text values in > REGISTRY_SETTING audits?
This is currently not supported. > I recently used Nessus compliance auditing to check for the presence of > four critical Symantec AV services on all systems. (See first four > items in Listing 1.) It works great. Excellent. Thanks for posting for other users to see. > Then I wrote an audit rule to check for the version of SAV running on > the host and the version of AV signatures installed. (See last two > items in Listing 1.) Prior to running the scan, I use sed to replace > the placeholders savVersion and defVersion. I get the latest def > version from the Symantec web site using a rather clunky script I wrote > (see excerpt in Listing 2). This also works great. Also excellent. I'd also like to point out this blog entry we wrote a while back which details how virus auditing is performed by Nessus: http://blog.tenablesecurity.com/2007/02/auditing_antivi.html > Unfortunately, I found that there are many slightly different, but > recent, versions of the SAV client running on our systems. I also found > that most clients are using virus signatures that are one or two days > older than the most recent one (probably due to the centralized nature > of our malware management architecture.) > > SO... > > What I need is to be able to specify a range of valid virus definitions > (e.g., the last three) and a range or wildcard value for valid software > versions. The nessus compliance audit documentation doesn't mention the > ability to do this. > > Is it possible? > Right now, functionality like: reg_item: "20070411" | "20070412" | "20070413" isn't part of the Windows Compliance Checks. The UNIX side has an "if" set of statements, but this isn't available on the Windows side (yet). I'd rather point you to the raw NASL for the auditing virus deployments like I outlined in the above blog. Ron Gula, CTO Tenable Network Security _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
