
List of common Citrix NetScaler session policy expressions

My (non-exhaustive) list of helpful NetScaler session policy expressions for EPA.

SCAN REGISTRY (Advanced free-form)

CLIENT.REG('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain').VALUE == domain.local

CLIENT.REG('HKEY_LOCAL_MACHINE_64\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion').VALUE == 6198.

CLIENT.REG('HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion').VALUE == 6198.

CHECK FOR FILE EXISTENCE

CLIENT.FILE('C:\\Windows\\Company_Laptop.txt')

CHECK FOR RUNNING PROCESS

CLIENT.APPLICATION.PROCESS(firewall.exe) EXISTS

CHECK OS VERSION (Match any expression)

CLIENT.OS(winxp).SP == 2

CLIENT.OS(win7) EXISTS

DETECT (or not) CITRIX RECEIVER (Match any)

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS 'CitrixReceiver-iPad'

REQ.HTTP.HEADER User-Agent CONTAINS Android

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

CHECK SYMANTEC ENDPOINT PROTECTION, DEF FILE 5 DAYS, SERVICE RUNNING

CLIENT.FILE('C:\\ProgramData\\Symantec\\Symantec\ Endpoint\ Protection\\CurrentVersion\\Data\\Definitions\\VirusDefs\\definfo.dat').TIMESTAMP != 5dy && CLIENT.REG('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain').VALUE != domain.local && CLIENT.SVC(SepMasterService) NOTEXISTS
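Before a policy like the one above goes live, it helps to see on a test endpoint what the EPA client will actually find. The PowerShell below is an added example, not from the original post or from Citrix: it reads the same registry values, definitions file and service that the expressions on this page reference, splitting the classic Key_ValueName form the way the expressions do, so you can compare the results against your success criteria by hand.

```powershell
# Added endpoint self-check (not from the original post): report what the
# NetScaler EPA expressions above would see on this machine.

# Classic EPA registry syntax is <KeyPath>_<ValueName>; split on the last
# underscore (assumes the value name itself contains no underscore).
function Get-EpaRegistryValue {
    param([string]$Expression)   # e.g. 'HKEY_LOCAL_MACHINE\SYSTEM\...\Parameters_Domain'
    $idx  = $Expression.LastIndexOf('_')
    $key  = $Expression.Substring(0, $idx)
    $name = $Expression.Substring($idx + 1)
    # HKEY_LOCAL_MACHINE and HKEY_LOCAL_MACHINE_64 both map to the HKLM: drive;
    # PowerShell reads the registry view of its own process (assumption: this
    # does not emulate the 32/64-bit redirection the EPA plugin applies).
    $key  = $key -replace '^HKEY_LOCAL_MACHINE(_64)?', 'HKLM:'
    try   { (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

$domain  = Get-EpaRegistryValue 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters_Domain'
$datVer  = Get-EpaRegistryValue 'HKEY_LOCAL_MACHINE_64\SOFTWARE\McAfee\AVEngine_AVDatVersion'

# Age in whole days of the Symantec definitions file checked by the 5dy expression.
$defInfo = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs\definfo.dat'
$defAge  = if (Test-Path $defInfo) { ((Get-Date) - (Get-Item $defInfo).LastWriteTime).Days } else { 'missing' }

# Service and process checks matching CLIENT.SVC(...) and CLIENT.APPLICATION.PROCESS(...).
$svc      = Get-Service -Name SepMasterService -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'NOTEXISTS' }
$fwProc   = [bool](Get-Process -Name firewall -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Domain              = $domain        # compare with the domain.local placeholder used above
    McAfeeDatVersion    = $datVer
    SepDefAgeDays       = $defAge
    SepMasterService    = $svcState
    FirewallExeRunning  = $fwProc
}
```

Run it in an elevated PowerShell session on a representative client; a mismatch here will show up as a failed EPA scan in the nsepa.txt log described below.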

EPA SCAN RESULTS

The results of the EPA scan can be found in the following locations:
Windows XP: C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt
Windows Vista and Windows 7: C:\Users\All Users\Citrix\AGEE\nsepa.txt


Comments (2)

  1. George Wozniak
    11 December 2014

    James,

    Do you have any experience with creating EPA scans to detect patch management or windows updates? I am using the OPSWAT editor with no success.

    Thank you

    • scanjam
      11 December 2014

      Only suggestion would be to scan for a particular registry entry or file to match against the 'hotfix' or update you require? Haven't done anything specific.. truly the more you narrow the 'success criteria' the more users you quickly annoy! 🙂 – I usually keep it generic to Hostname, registry key for laptop image version or the like.
      Good luck
