Ron, Thank you for the quick and thorough response and for the blog ref. I'll add it to my personal KB.
Cheers, John Scherff -----Original Message----- From: Ron Gula <[EMAIL PROTECTED]> To: John Scherff CC: [email protected] <[email protected]> Sent: Wed Apr 25 08:30:11 2007 Subject: Re: SYMANTEC AV AUDITS John Scherff wrote: > QUESTION: Can wildcards or ranges be used for text values in > REGISTRY_SETTING audits? This is currently not supported. > I recently used Nessus compliance auditing to check for the presence of > four critical Symantec AV services on all systems. (See first four > items in Listing 1.) It works great. Excellent. Thanks for posting for other users to see. > Then I wrote an audit rule to check for the version of SAV running on > the host and the version of AV signatures installed. (See last two > items in Listing 1.) Prior to running the scan, I use sed to replace > the placeholders savVersion and defVersion. I get the latest def > version from the Symantec web site using a rather clunky script I wrote > (see excerpt in Listing 2). This also works great. Also excellent. I'd also like to point out this blog entry we wrote a while back which details how virus auditing is performed by Nessus: http://blog.tenablesecurity.com/2007/02/auditing_antivi.html > Unfortunately, I found that there are many slightly different, but > recent, versions of the SAV client running on our systems. I also found > that most clients are using virus signatures that are one or two days > older than the most recent one (probably due to the centralized nature > of our malware management architecture.) > > SO... > > What I need is to be able to specify a range of valid virus definitions > (e.g., the last three) and a range or wildcard value for valid software > versions. The nessus compliance audit documentation doesn't mention the > ability to do this. > > Is it possible? > Right now, functionality like: reg_item: "20070411" | "20070412" | "20070413" isn't part of the Windows Compliance Checks. The UNIX side has an "if" set of statements, but this isn't available on the Windows side (yet). I'd rather point you to the raw NASL for the auditing virus deployments like I outlined in the above blog. Ron Gula, CTO Tenable Network Security
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
