Administration Guide

Windows

The Custom Scans feature allows you to search host computers for very specific information. Custom Scans must be created separately for different operating systems. Within each operating system, there are different types of scans that can be created. Refer to Add a custom scan below for a list of scan types and general instructions on adding scans. Refer to the instructions for each scan type for field-level information. You can modify or delete the scans at any time. When a Custom Scan is modified, the change affects every existing Scan that uses it.

Add a custom scan

  1. Click Policy > Policy Configuration.
  2. In the menu on the left click the + sign next to Endpoint Compliance to open it.
  3. Click the Scans option to select it.
  4. At the bottom of the window, click the Custom Scans button.
  5. In the Custom Scans dialog, click Add.
  6. Select Windows from the Operating System drop-down list.
  7. Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table below for settings.

    Scan Type

    Description

    Cert-Check

    Test for a valid certificate on the host.

    Note

    Requires Agent Version 3.5 or higher. See Certificate check settings.

    Domain-Verification

    Test for the domain joined by the host. See Domain verification scan settings.

    Note: Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

    File

    Test for the existence and version of a specific file. If the file exists and is an executable the program can be forced to run. See File scan settings.

    HotFixes

    Test for the existence of specific HotFixes for the specified Operating systems. See HotFixes scan settings.

    Processes

    Test for the existence of a specific process name for the indicated Windows operating system. See Processes scan settings.

    Prohibited - Domain-Verification

    Test for the domain joined by the host. See Prohibited domain verification scan settings.

    Note: Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

    Prohibited-Processes

    Test for the existence of a specific prohibited process for the indicated Windows operating system(s). See Prohibited processes scan settings.

    Registry-Keys

    Test for a specific registry key and its associated data. See Registry keys scan settings.

    Registry-Version

    Test for a specific program and its version. The program can be required for specific versions of the Windows Operating System. See Registry version scan settings.

    Service

    Test the state of a service running on the operating system. See Service scan settings.

    Note

    Requires Agent Version 3.5 or higher.

  8. Enter the Name for the custom scan.
  9. Enter the information for the custom scan.
  10. Click OK.
  11. The name of the Custom Scan displays in the Custom Scans section for each scan. You can select the Custom Scan to be part of the creation or modification of scan parameters.
Certificate check settings

The certificate being scanned must be obtained from the CA (e.g., Windows AD server), and installed on the host in the Certificate Store under Local Computer > Personal > Certificates. The certificate must then be uploaded to FortiNAC's Certificate management to the Persistent agent cert-check target. Go to System > Settings and under Security click Certificate Management. Click Upload Certificate, and then select the Persistent Agent Cert Check target.

Requirements for client certificates:

  • The certificate must be signed by a CA specified by the customer.
  • The certificate selected by the agent should adhere to the uses as specified:
  • The certificate is a client certificate that is located in the Certificate Store on the host under Local Computer > Personal > Certificates.
  • The host name can be found in the certificate as part of the certificate’s subject alternative name (SAN). For example, DNS Name=Win7QA.qatest.com.
  • The agent must also be able to sign data using the certificate's private key, so the Key Usage must have "Digital Signature".

    Note

    This refers to the Key Usage and not the Enhanced Key Usage.

To create a custom scan for a Cert-Check, enter the information shown in the table below into the custom scan window after selecting the Cert-Check scan type.

Scan Parameter

Description

Label (required)

This label appears in the Results page information to identify which scan the host failed.

Web Address (optional)

The URL of the page with information about this cert-check. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity (required)

The severity of the failure if the certificate is not on the host. If you select Required and the certificate does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

CRL Revocation Checking (optional)

If enabled, CRL Revocation Checking ensures the certificate has not been revoked by the Certificate Authority (CA). If the certificate is revoked, the host fails the custom scan.

Note

The application server must have network access to the web server that hosts the CRL. When CRL Verification is enabled, the server reads the CRL Distribution Point URIs from the client certificate. The application server directly downloads a CRL from an "http://" URI, or indirectly downloads a CRL from an "ldap://" URI through your configured LDAP servers.

Extended Key Usage Restrictions (optional)

If enabled, restricts the Extended Key Usage extensions (the purposes for which the key may be used) that the certificate may carry. Multiple extensions must be comma-separated. For example, if you select this option and enter "1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1" as the specified extensions, the available modes evaluate the certificate as follows:

  • Disabled - There are no restrictions on key usage extensions.
  • All of - The certificate must include all of the specified extensions.
  • Exactly - The certificate must include only the specified extensions.
  • One or More of - The certificate must have at least one of the specified extensions.
  • None of - The certificate may have extensions, but it must not have one of the specified extensions.
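The following PowerShell pre-flight check is an added example, not FortiNAC's code or documentation. Run on a Windows host, it walks the Local Computer > Personal store and reports, for each certificate, the properties the Cert-Check requirements above depend on: a private key, Key Usage (not Enhanced Key Usage) including Digital Signature, a SAN DNS name equal to the host's FQDN, and a chain that ends at the expected CA, optionally with online CRL checking as the scan's CRL Revocation Checking option does. It also implements the five Extended Key Usage Restriction modes from the table so you can predict how a given certificate will be judged. The store path, the `$ExpectedCaThumbprint` placeholder and all function names are assumptions of the example.

```powershell
# Added example (not FortiNAC's code): pre-flight check of Cert-Check candidates on a Windows host.
# Assumptions: Local Computer > Personal is Cert:\LocalMachine\My; $ExpectedCaThumbprint is a
# placeholder for the thumbprint of the CA you uploaded to the Persistent Agent Cert Check target.
$ExpectedCaThumbprint = 'REPLACE-WITH-YOUR-CA-THUMBPRINT'
try   { $HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $HostFqdn = $env:COMPUTERNAME }   # offline fallback: the SAN check then compares the short name

function Get-CertEkuOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OIDs from the Enhanced Key Usage extension; empty when the extension is absent
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Test-EkuRestriction {
    # Implements the five "Extended Key Usage Restrictions" modes from the table above.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('Disabled','AllOf','Exactly','OneOrMoreOf','NoneOf')][string]$Mode = 'Disabled',
        [string]$Extensions = ''   # comma-separated OIDs exactly as typed into the scan field
    )
    $wanted  = @($Extensions.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $present = @(Get-CertEkuOids -Cert $Cert)
    $missing = @($wanted  | Where-Object { $present -notcontains $_ })   # wanted but absent
    $extra   = @($present | Where-Object { $wanted  -notcontains $_ })   # present but not wanted
    $hits    = @($wanted  | Where-Object { $present -contains $_ })      # wanted and present
    switch ($Mode) {
        'Disabled'    { $true }
        'AllOf'       { $missing.Count -eq 0 }
        'Exactly'     { $missing.Count -eq 0 -and $extra.Count -eq 0 }
        'OneOrMoreOf' { $hits.Count -gt 0 }
        'NoneOf'      { $hits.Count -eq 0 }
    }
}

function Test-CertCheckCandidate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$CheckRevocation   # mirrors the scan's "CRL Revocation Checking" option
    )
    # Key Usage must include Digital Signature; a missing Key Usage extension is treated as not meeting it
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = ($null -ne $ku) -and $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    # DnsNameList is PowerShell's view of the SAN DNS entries; string -contains is case-insensitive
    $sanNames = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $sanMatchesHost = $sanNames -contains $HostFqdn
    # Build the chain; Online revocation mode fetches the CRL from the certificate's distribution point
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $revocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationMode = $revocationMode
    $chainValid = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $rootThumbprint = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    $chain.Dispose()
    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint
        HasPrivateKey      = $Cert.HasPrivateKey
        DigitalSignature   = $digitalSignature
        SanMatchesHost     = $sanMatchesHost
        ChainValid         = $chainValid
        ChainStatus        = $status
        IssuedByExpectedCa = ($rootThumbprint -eq $ExpectedCaThumbprint)
    }
}

# Usage: report every Personal-store certificate, then test the first one against an EKU restriction
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CertCheckCandidate -Cert $_ -CheckRevocation } | Format-Table -AutoSize
$candidate = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($candidate) { Test-EkuRestriction -Cert $candidate -Mode AllOf -Extensions '1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1' }
```

A certificate that shows `HasPrivateKey`, `DigitalSignature`, `SanMatchesHost` and `IssuedByExpectedCa` all true is one the agent can select; a `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` when run with `-CheckRevocation` is the host-side symptom of the CRL distribution point not being reachable, the same condition the note above describes for the application server.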

File scan settings

To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window after selecting the File scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Severity

The severity of the failure if the file is not on the host. If you select Required and the file does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

File Name

The name of the file being checked.

File Contains String

Enter the content that must be present within the file in order for the host to pass the scan (e.g., the version number of a product in a configuration file). When the information is found, the host passes the scan. If the information is not found, the host fails the scan.

Note

Requires Agent 4.0.4 or greater.

Note

Requires AV/AS Definition Updates as of May 2, 2016.

Registry Key

To speed up the search for a file you can first check the registry to determine the folder in which the file is installed. In this field you would enter the section of the registry where the information about the file you seek resides.

For example, if you want to make sure that Windows Messenger is installed on the host, the scan needs to look for msmsgs.exe. Enter the registry key that points to the Value Name containing the location of msmsgs.exe, such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService

Registry Value Name

The Value Name that contains the path to the file the custom scan is seeking.

To continue the example above, the Registry Key listed in the previous field tells the custom scan the part of the registry to access to determine where msmsgs.exe is installed. Once the custom scan is looking in the correct section, it needs to know the specific "container" or Value Name in the registry that has the path to msmsgs.exe, such as:

InstallationDirectory

The custom scan can begin its search in the directory specified in the "InstallationDirectory" Value Name, such as:

"C:\Program Files\Messenger"

Execute

Default = No. Select Yes to run the file when it is located.

Command-Line Options

Command line options to be used when executing the file.

Wait for Execution to Complete Before Continuing

Default = No. If set to Yes, the scan waits until the execution of the program is complete before continuing.

File Version (>=)

The version number of the file has to be greater than or equal to the version number entered here.

Web Address

The URL of the page with information about this file. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Windows OS

Select the check box next to the version(s) of Windows OS for which this file is required.

Select the OS within the Custom Scan to apply the custom scan to hosts with that OS.

If you do not select an OS in the Custom Scan, and the host has that OS, the host automatically passes the general scan.

Prohibit this product

If the file is found and this is set to true, the host fails the scan for a prohibited product.

Default = false.
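To make the field interplay concrete, here is an added PowerShell example (not FortiNAC's agent code) that evaluates a File scan the way the fields above describe it: resolve the directory from Registry Key and Registry Value Name, test that File Name exists there, compare its version against File Version (>=), test File Contains String as a literal substring, and invert the result when Prohibit this product is set. The Execute and Wait options are deliberately not exercised. Registry paths are given in PowerShell drive form (`HKLM:\` for HKEY_LOCAL_MACHINE); the function name and the `notepad.exe` usage call are assumptions of the example.

```powershell
# Added example (not FortiNAC's code): local evaluation of a File custom scan's pass/fail logic.
function Test-FileScan {
    param(
        [Parameter(Mandatory)][string]$FileName,     # e.g. 'msmsgs.exe', or a full path when no registry lookup is used
        [string]$RegistryKey,                        # e.g. 'HKLM:\SOFTWARE\Microsoft\MessengerService'
        [string]$RegistryValueName,                  # e.g. 'InstallationDirectory'
        [string]$FileContainsString,                 # optional "File Contains String"
        [version]$FileVersionAtLeast,                # optional "File Version (>=)"
        [bool]$ProhibitThisProduct = $false
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Locate the file: through the registry value when one is configured, otherwise as typed
    $directory = $null
    if ($RegistryKey -and $RegistryValueName) {
        $item = Get-ItemProperty -LiteralPath $RegistryKey -Name $RegistryValueName -ErrorAction SilentlyContinue
        if ($item) { $directory = ([string]$item.$RegistryValueName).Trim('"') }   # the page shows the path quoted
        else { $reasons.Add("registry value $RegistryKey\$RegistryValueName not found") }
    }
    $path = if ($directory) { Join-Path $directory $FileName } else { $FileName }
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    if (-not $exists) { $reasons.Add("file not found: $path") }

    # 2. Version check: build a System.Version from the numeric parts, so trailing text in FileVersion is ignored
    $versionOk = $true; $actualVersion = $null
    if ($exists -and $FileVersionAtLeast) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $actualVersion = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $versionOk = $actualVersion -ge $FileVersionAtLeast
        if (-not $versionOk) { $reasons.Add("version $actualVersion is below $FileVersionAtLeast") }
    }

    # 3. Content check: a literal substring (-SimpleMatch), not a regular expression
    $contentOk = $true
    if ($exists -and $FileContainsString) {
        $contentOk = [bool](Select-String -LiteralPath $path -SimpleMatch -Pattern $FileContainsString -Quiet)
        if (-not $contentOk) { $reasons.Add("string '$FileContainsString' not found in file") }
    }

    # 4. Combine: "found" means present with the required version and content; Prohibit inverts it
    $found = $exists -and $versionOk -and $contentOk
    $pass  = if ($ProhibitThisProduct) { -not $found } else { $found }
    [pscustomobject]@{ Path = $path; Exists = $exists; Version = $actualVersion; Pass = $pass; Reasons = ($reasons -join '; ') }
}

# Usage (constructed): a required file with a minimum version, then the same file as a prohibited product
Test-FileScan -FileName 'C:\Windows\System32\notepad.exe' -FileVersionAtLeast '10.0'
Test-FileScan -FileName 'C:\Windows\System32\notepad.exe' -ProhibitThisProduct $true
```

The `Reasons` column is what you would want in a Results page label when a host fails: it distinguishes "registry value missing" (the scan could not even locate the file) from "file present but too old", which call for different remediation.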

Registry keys scan settings

To create a custom scan for a specific Registry key, enter the information shown in the table below into the custom scan window after selecting the Registry-Keys scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information about this registry key. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the key is not on the host. If you select Required and the registry key does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Hive

The name of the hive to be searched. Supported hives are:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG
Note

Scanning for registry keys in the HKEY_CURRENT_USER hive will not be successful because the user running Persistent Agent differs from the user logged on to the host.

Key Name

Name of the Registry Key that contains the value being located.

Value Name

The Value Name to be located.

Type

  • REG_SZ
  • REG_DWORD
Note

You must enter the REG_DWORD setting as a decimal value, not hexadecimal.

Data

The data to be contained in the selected type.

Action

Select an action from the drop-down list:

  • Match Value Exactly—The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the scan is compared to the data on the key. If the value and data in the key are exact matches to the specified entries, the scan passes. Otherwise, it fails.
  • Search keys and values—The Key Name is used as a starting point. The search is for whatever is contained in Data. The data must be found in a key name, a Value name, or the data of all sub-keys of the key entered.
  • Value contains Data—The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the scan is compared to the data in the value. If the contents in the value contains the data, the scan passes. Otherwise, it fails.
  • Key has a value—The Value Name is used as a path to find the specified Key Name in the tree. If the key is found by using the name in the value and the data is not empty, the scan passes. Otherwise, it fails.
  • Sets the value (Use Caution)— When checked, this scan ALWAYS PASSES. The scan checks to see if the key exists in the registry key. If it does, the scan overwrites the key to have the specified data. If it does not exist, the scan creates the key and sets the data as specified.
Note

When the Type is REG_DWORD, the only actions available are Match Value and Sets the value (Use Caution).

Example:

  Hive Name   HKEY_LOCAL_MACHINE
  Key Name    SOFTWARE\Widgets\Setup
  Value Name  Version
  Data        1.0

DWORD Comparison Operation

This field is enabled only when Type is set to REG_DWORD and Action is set to Match Value. The operator selected here is used in the comparison of the value in the Data field to the Data value in the registry. For example, if this field is set to = then both values must match exactly. If the operator is set to >= the Data value in the host registry must be greater than or equal to the Data value in the custom scan.

Prohibit

If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.

Default = False.

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
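The Action semantics above are easiest to verify locally before a scan is enforced. The following PowerShell is an added example, not FortiNAC's agent code: it evaluates the read-only actions (Match Value Exactly, Search keys and values, Value contains Data, Key has a value), applies the DWORD Comparison Operation with the decimal-only rule for REG_DWORD data, warns on the HKEY_CURRENT_USER case from the note, and honours Prohibit. The Sets the value (Use Caution) action is intentionally not implemented because it writes to the registry. The hive-to-drive table, the function names, and the operators other than = and >= are assumptions; the Windows NT\CurrentVersion value in the usage call is a location known from Windows, not from the page.

```powershell
# Added example (not FortiNAC's code): local evaluation of Registry-Keys scan actions.
$HiveDrive = @{
    HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:'; HKEY_CLASSES_ROOT = 'Registry::HKEY_CLASSES_ROOT'
    HKEY_USERS = 'Registry::HKEY_USERS'; HKEY_CURRENT_CONFIG = 'Registry::HKEY_CURRENT_CONFIG'
}
function ConvertTo-UInt32Value([object]$Value) {
    # Registry DWORDs surface as signed Int32 in PowerShell; map the negative range back to unsigned
    $v = [int64]$Value
    if ($v -lt 0) { $v += 4294967296 }
    $v
}
function Compare-Dword([int64]$Actual, [string]$Operator, [int64]$Expected) {
    switch ($Operator) {   # the page names = and >=; the remaining operators are an assumption
        '='  { $Actual -eq $Expected }
        '>'  { $Actual -gt $Expected }
        '>=' { $Actual -ge $Expected }
        '<'  { $Actual -lt $Expected }
        '<=' { $Actual -le $Expected }
        default { throw "Unsupported DWORD operator '$Operator'" }
    }
}
function Test-ContainsText([string]$Haystack, [string]$Needle) {
    # Plain substring test; avoids -like so that * or [ in Data are not treated as wildcards
    $Haystack.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}
function Test-RegistryKeyScan {
    param(
        [Parameter(Mandatory)][ValidateSet('HKEY_CLASSES_ROOT','HKEY_CURRENT_USER','HKEY_LOCAL_MACHINE','HKEY_USERS','HKEY_CURRENT_CONFIG')][string]$Hive,
        [Parameter(Mandatory)][string]$KeyName,
        [string]$ValueName,
        [ValidateSet('REG_SZ','REG_DWORD')][string]$Type = 'REG_SZ',
        [string]$Data = '',
        [ValidateSet('MatchValueExactly','SearchKeysAndValues','ValueContainsData','KeyHasAValue')][string]$Action = 'MatchValueExactly',
        [string]$DwordOperator = '=',
        [bool]$Prohibit = $false
    )
    if ($Hive -eq 'HKEY_CURRENT_USER') { Write-Warning 'The agent runs as a different user, so HKCU checks will not see the logged-on user''s hive.' }
    if ($Type -eq 'REG_DWORD' -and $Data -notmatch '^\d+$') { throw "REG_DWORD Data must be a decimal value, got '$Data'" }
    $path = "$($HiveDrive[$Hive])\$KeyName"
    $keyExists = Test-Path -LiteralPath $path
    $prop = $null
    if ($keyExists -and $ValueName) {
        $prop = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).PSObject.Properties[$ValueName]
    }
    $valueFound = $null -ne $prop
    $actual = if ($valueFound) { $prop.Value } else { $null }
    $found = switch ($Action) {
        'MatchValueExactly' {
            if (-not $valueFound) { $false }
            elseif ($Type -eq 'REG_DWORD') { Compare-Dword (ConvertTo-UInt32Value $actual) $DwordOperator ([int64]$Data) }
            else { [string]$actual -ceq $Data }   # case-sensitive, whole-string match
        }
        'ValueContainsData' { $valueFound -and (Test-ContainsText ([string]$actual) $Data) }
        'KeyHasAValue'      { $valueFound -and -not [string]::IsNullOrEmpty([string]$actual) }
        'SearchKeysAndValues' {
            # Data may appear in a sub-key name, a value name, or value data anywhere under Key Name
            $hit = $false
            if ($keyExists) {
                $keys = @(Get-Item -LiteralPath $path) + @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
                foreach ($k in $keys) {
                    if (Test-ContainsText $k.PSChildName $Data) { $hit = $true; break }
                    foreach ($vn in $k.GetValueNames()) {
                        if ((Test-ContainsText $vn $Data) -or (Test-ContainsText ([string]$k.GetValue($vn)) $Data)) { $hit = $true; break }
                    }
                    if ($hit) { break }
                }
            }
            $hit
        }
    }
    $pass = if ($Prohibit) { -not $found } else { $found }
    [pscustomobject]@{ Path = $path; KeyExists = $keyExists; ValueFound = $valueFound; Actual = $actual; Action = $Action; Pass = $pass }
}

# Usage: the page's own example (reports KeyExists=False unless such a key exists on your host) ...
Test-RegistryKeyScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Widgets\Setup' -ValueName Version -Data '1.0'
# ... and a REG_DWORD comparison against a value present on Windows 10/11 (known Windows location, not from the page)
Test-RegistryKeyScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName CurrentMajorVersionNumber -Type REG_DWORD -Data '10' -DwordOperator '>='
```

The decimal guard matters: PowerShell (and many tools) silently accept `0x10` as 16, so a hexadecimal value copied from Registry Editor would compare against a different number than the administrator intended; the guard turns that into an error at configuration time rather than a scan that passes or fails for the wrong reason.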

HotFixes scan settings

You can create a custom scan for a specific HotFix. Enter the information shown in the table below into the custom scan window after selecting the HotFix scan type.

Note

As a best practice, add HotFix custom scans to a particular operating system within a general Scan. If you enable the HotFix custom scan at the Scan level, every host that is evaluated by the scan is also scanned for the HotFix. Since HotFixes are operating system specific you could inadvertently deny access to the network to many hosts.

Scan Parameter

Description

Label

Label in the Results page information identifying which scan the host failed.

Web Address

The URL of the page with information about this HotFix. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the hotfix is not on the host. If you select Required and the hotfix does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

HotFix ID

The name of the HotFix, such as KB123456.

Bypass Service Pack (>=)

Select the Bypass Service Pack check box to display a text field. Enter the numeric value for the Service Pack level in this field.

The host must have the specified hotfix (HotFix ID above) OR a service pack level equal to or greater than the set value to pass the scan.

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
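The pass condition for a HotFix scan is an OR: the KB is installed, or the service pack level meets the Bypass Service Pack (>=) value. The PowerShell below is an added example (not FortiNAC's agent code) that evaluates that condition on a host with the same inputs; the function name and the sentinel value for "option not selected" are assumptions.

```powershell
# Added example (not FortiNAC's code): HotFix scan logic including the Bypass Service Pack option.
function Test-HotFixScan {
    param(
        [Parameter(Mandatory)][ValidatePattern('^KB\d+$')][string]$HotFixId,   # e.g. 'KB123456'
        [int]$BypassServicePack = -1                                          # -1 = check box not selected
    )
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed through
    # Windows Update / WUSA; the KB identifier has to match exactly.
    $installed = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
    # Service pack level as an integer; Windows 10/11 report no service pack, so this is 0 there
    $spText  = [System.Environment]::OSVersion.ServicePack
    $spLevel = if ($spText -match '(\d+)') { [int]$Matches[1] } else { 0 }
    $bypass  = ($BypassServicePack -ge 0) -and ($spLevel -ge $BypassServicePack)
    [pscustomobject]@{
        HotFixId         = $HotFixId
        Installed        = $installed
        ServicePackLevel = $spLevel
        BypassedBySP     = $bypass
        Pass             = ($installed -or $bypass)   # the page's OR condition
    }
}

# Usage (constructed KB number): without and with the service pack bypass
Test-HotFixScan -HotFixId 'KB123456'
Test-HotFixScan -HotFixId 'KB123456' -BypassServicePack 1
```

Because `Win32_QuickFixEngineering` only reflects updates applied through the Windows servicing stack, a fix delivered inside a cumulative update shows up under the cumulative update's KB number, not the original one; that is one reason the note above recommends scoping HotFix scans to a specific operating system rather than enabling them for every host a Scan evaluates.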

Registry version scan settings

Create a custom scan to verify that a specific version of an application, such as Internet Explorer, is installed on the host. Enter the information shown in the table below into the custom scan window after selecting the Registry-Version scan type. When the scan runs, the registry is checked to see if the installed application has the required version.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information about this registry version. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the file is not on the host. If you select Required and the version of the application does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Hive

The name of the Hive to be searched. Supported hives are:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Key Name

Name of the Registry Key that contains the value being searched for.

Value Name

The Value Name that must be in the key entry.

Version

The Version that must be in the key entry.

Operation

Select an Operator for the version number:

  • >
  • =
  • >=

Prohibit

If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.

Default = False.

Version Delimiter

The character that separates the components of the version number (for example, the period in 1.2.3).

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
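A version string such as 11.0.19041.1 must be compared component by component, not as text, or "10" would sort below "9". This added PowerShell example (not FortiNAC's agent code) shows how the Version, Operation and Version Delimiter fields combine: it splits the registry value on the configured delimiter, compares numerically with missing trailing components treated as 0, applies >, = or >=, and honours Prohibit. The Internet Explorer key and Version value in the usage call are a location known from Windows, not from the page; the function names are assumptions.

```powershell
# Added example (not FortiNAC's code): Registry-Version comparison with a configurable delimiter.
$HiveDrive = @{
    HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:'; HKEY_CLASSES_ROOT = 'Registry::HKEY_CLASSES_ROOT'
    HKEY_USERS = 'Registry::HKEY_USERS'; HKEY_CURRENT_CONFIG = 'Registry::HKEY_CURRENT_CONFIG'
}
function ConvertTo-VersionParts {
    param([string]$Text, [string]$Delimiter = '.')
    # Split on the delimiter and keep the leading digits of each piece ("11a" -> 11, "beta" -> 0),
    # so "11.0.19041.1" with '.' becomes 11,0,19041,1 and "2-4-7" with '-' becomes 2,4,7.
    $pieces = $Text.Split([string[]]@($Delimiter), [System.StringSplitOptions]::RemoveEmptyEntries)
    [int64[]]@($pieces | ForEach-Object { if ($_ -match '^\s*(\d+)') { [int64]$Matches[1] } else { [int64]0 } })
}
function Compare-VersionParts {
    param([int64[]]$Actual, [int64[]]$Required)
    # Numeric, component-wise comparison; missing trailing components count as 0, so 1.0 equals 1.0.0
    $n = [Math]::Max($Actual.Count, $Required.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $a = if ($i -lt $Actual.Count)   { $Actual[$i] }   else { 0 }
        $r = if ($i -lt $Required.Count) { $Required[$i] } else { 0 }
        if ($a -ne $r) { return [Math]::Sign($a - $r) }
    }
    0
}
function Test-RegistryVersionScan {
    param(
        [Parameter(Mandatory)][ValidateSet('HKEY_CLASSES_ROOT','HKEY_CURRENT_USER','HKEY_LOCAL_MACHINE','HKEY_USERS','HKEY_CURRENT_CONFIG')][string]$Hive,
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Version,
        [ValidateSet('>','=','>=')][string]$Operation = '>=',
        [string]$VersionDelimiter = '.',
        [bool]$Prohibit = $false
    )
    $path = "$($HiveDrive[$Hive])\$KeyName"
    $prop = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).PSObject.Properties[$ValueName]
    $found = $null -ne $prop
    $ok = $false; $actual = $null
    if ($found) {
        $actual = [string]$prop.Value
        $cmp = Compare-VersionParts (ConvertTo-VersionParts $actual $VersionDelimiter) (ConvertTo-VersionParts $Version $VersionDelimiter)
        $ok = switch ($Operation) { '>' { $cmp -gt 0 } '=' { $cmp -eq 0 } '>=' { $cmp -ge 0 } }
    }
    # A missing key or value cannot satisfy any operator; Prohibit inverts the outcome
    $pass = if ($Prohibit) { -not $ok } else { $ok }
    [pscustomobject]@{ Path = $path; ValueFound = $found; Actual = $actual; Required = "$Operation $Version"; Pass = $pass }
}

# Usage: Internet Explorer's Version value (known Windows location, not from the page)
Test-RegistryVersionScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Microsoft\Internet Explorer' -ValueName Version -Version '9.0' -Operation '>='
```

With `Operation` set to `=`, note that 1.0 and 1.0.0 compare equal under this logic; if your application writes a different number of components than you typed into Version, use >= rather than = to avoid failing hosts that are actually compliant.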

Processes scan settings

Create a custom scan for a specific process. Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for Processes.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding this process. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the process is not running on the host. If you select Required and the process does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Process Name for ...

Enter the name of the process that is required for the specific Operating System(s).

Note

If you do not want to scan for a process on a particular Operating System, leave the corresponding field blank. When you click Apply, FortiNAC fills each blank field with the word SYSTEM. This indicates that the corresponding Operating System should be passed for this scan.

Prohibited processes scan settings

Create a custom scan to prohibit a specific process on a host with selected Operating System(s). Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for Prohibited-Processes.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding this prohibited process. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the prohibited process is running on the host. If you select Required and the process does exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Process Name for ...

Enter the name of the process that is prohibited for the specific Operating System(s).
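The Processes and Prohibited-Processes scans share one evaluation with the sense inverted, plus the SYSTEM sentinel that FortiNAC writes into blank OS fields. The PowerShell below is an added example (not FortiNAC's agent code) of that evaluation for the host's own OS; the function name is an assumption, and `MsMpEng.exe` and `notepad.exe` in the usage calls are ordinary Windows process names chosen for illustration.

```powershell
# Added example (not FortiNAC's code): Processes / Prohibited-Processes evaluation on the local host.
function Test-ProcessScan {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # the "Process Name for ..." field of the host's OS
        [bool]$Prohibited = $false                    # $true for a Prohibited-Processes scan
    )
    # FortiNAC writes SYSTEM into a blank OS field; that sentinel means "pass this OS without checking".
    # Windows also has a real kernel process called "System" (PID 4), so the sentinel is checked first
    # and case-sensitively, before any process lookup.
    if ($ProcessName -ceq 'SYSTEM') {
        return [pscustomobject]@{ ProcessName = $ProcessName; Running = $null; Instances = 0; Pass = $true; Note = 'SYSTEM sentinel' }
    }
    # Get-Process names carry no extension, so strip ".exe" if the scan field includes it
    $name  = [System.IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    $running = $procs.Count -gt 0
    # Required scan: the process must be running.  Prohibited scan: it must not be.
    $pass = if ($Prohibited) { -not $running } else { $running }
    [pscustomobject]@{ ProcessName = $ProcessName; Running = $running; Instances = $procs.Count; Pass = $pass; Note = '' }
}

# Usage (illustrative names): a required endpoint-protection process, a prohibited editor, and the sentinel
Test-ProcessScan -ProcessName 'MsMpEng.exe'
Test-ProcessScan -ProcessName 'notepad.exe' -Prohibited $true
Test-ProcessScan -ProcessName 'SYSTEM'
```

The process-name match is by image name only: the agent cannot tell a genuine process from another binary renamed to the same name, which is why a Processes scan is a compliance signal and not a substitute for a File scan with a version check or an endpoint-protection integration.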

Domain verification scan settings

Create a custom scan to verify that a host has joined the appropriate domain when it connected to the network. Domain names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this custom scan to any Policies that require domain verification. A host will pass this scan if it is joined with any domain contained in the list for the host's operating system.

Note

Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding domain verification. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the host is not part of any of the domains specified. If you select Required and the host is not in the correct domain, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Domain Names for ...

Enter a comma separated list of the NetBIOS domain names that are required or permitted for the specific Operating System(s).

Prohibited domain verification scan settings

Create a custom scan to verify the domain a host is attempting to join and prohibit access to the network based on that domain. Domain names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this custom scan to any general Scan to prevent access based on domain verification. A host will fail this scan if it is joined with any domain contained in the list for the host's operating system.

Note

Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding domain verification. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the host is part of any of the domains specified. If you select Required and the host is joined to one of the prohibited domains, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Domain Names for ...

Enter a comma separated list of the NetBIOS domain names that are prohibited for the specific Operating System(s).
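The Domain-Verification and Prohibited - Domain-Verification scans are the same membership test with opposite outcomes, and both hinge on the agent version note above (an older agent passes everything). The PowerShell below is an added example (not FortiNAC's agent code) that evaluates a comma separated domain list against the host's joined domain. It reads the DNS domain from `Win32_ComputerSystem`; taking its first label as the NetBIOS name is an assumption that holds for most but not all domains, so confirm it against your Active Directory. The function names are assumptions and the domain names in the usage calls are constructed.

```powershell
# Added example (not FortiNAC's code): Domain-Verification / Prohibited - Domain-Verification evaluation.
function Get-JoinedDomainNames {
    # Names the host may be matched by: the DNS domain and, as an assumption, its first label
    # as the likely NetBIOS name. A workgroup host (PartOfDomain = false) is joined to nothing.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return @() }
    $dns = [string]$cs.Domain
    @($dns, $dns.Split('.')[0]) | Select-Object -Unique
}
function Test-DomainScan {
    param(
        [Parameter(Mandatory)][string]$DomainNames,   # the "Domain Names for ..." field, comma separated
        [bool]$Prohibited = $false                    # $true for Prohibited - Domain-Verification
    )
    $list   = @($DomainNames.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $joined = @(Get-JoinedDomainNames)
    # -contains on strings is case-insensitive, matching how NetBIOS names behave
    $inList = [bool]($joined | Where-Object { $list -contains $_ })
    # Required: must be joined to a listed domain (a workgroup host fails).
    # Prohibited: must not be joined to a listed domain (a workgroup host passes).
    $pass = if ($Prohibited) { -not $inList } else { $inList }
    [pscustomobject]@{ JoinedAs = ($joined -join ','); MatchedList = $inList; Prohibited = $Prohibited; Pass = $pass }
}

# Usage (constructed domain names)
Test-DomainScan -DomainNames 'CORP, CORP-LAB'
Test-DomainScan -DomainNames 'GUESTNET' -Prohibited $true
```

Run this on a representative joined host and on a workgroup host before attaching the scan to a Policy: the workgroup case is where the two scan types diverge most visibly, since the same unjoined machine fails the required scan and passes the prohibited one.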

Service scan settings

You can create a custom scan to check the status of a Windows Service. Enter the information shown in the table below into the custom scan window after selecting the Service scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Severity

The severity of the failure if the service is not in the desired state on the host. If you select Required and the service is not in the desired state, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Service Name

The name of the service on the Windows OS. To retrieve the service name, open the Microsoft Management Console Local Services view. See Find the service name for information on how to locate the Service Name on your system.

Desired State

Select the state of the service on the host to be scanned. Select Running to indicate the host must be running the service. Select Stopped to indicate the host must not be running the service.

Web Address

The URL of the page with information about this service. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Find the service name

  1. Open Microsoft Management Console on your system.
  2. Navigate to the Local Services view.
  3. Right-click the service you want to create the custom scan for, and click Properties.
  4. Find the service name in the Properties view and enter it in the Service Name field of the custom scan.
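The Service scan needs the short service name from the Properties view, not the display name shown in the Local Services list. This added PowerShell example (not FortiNAC's agent code) does the lookup from the procedure above with `Get-Service` and then evaluates the Desired State check the way the fields describe it. How an absent service is treated is stated in a comment as an interpretation, since the page does not say; the function names are assumptions and `WinDefend` is a service name known from Windows, not from the page.

```powershell
# Added example (not FortiNAC's code): find a service's Name and evaluate a Service scan locally.
function Find-ServiceName {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)   # e.g. '*Defender*'
    # The scan's Service Name field wants the short Name, not the DisplayName shown in the MMC list
    Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object Name, DisplayName, Status
}
function Test-ServiceScan {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][ValidateSet('Running','Stopped')][string]$DesiredState
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Interpretation, not stated on the page: an absent service is not running,
        # so it satisfies Stopped but can never satisfy Running.
        return [pscustomobject]@{ ServiceName = $ServiceName; Status = 'NotInstalled'; Pass = ($DesiredState -eq 'Stopped') }
    }
    $status = [string]$svc.Status
    # Transitional states (StartPending, StopPending, Paused) are neither Running nor Stopped, so they fail
    $pass = $status -eq $DesiredState
    [pscustomobject]@{ ServiceName = $ServiceName; Status = $status; Pass = $pass }
}

# Usage: locate the name first, then evaluate the state check
Find-ServiceName -DisplayNamePattern '*Defender*'
Test-ServiceScan -ServiceName 'WinDefend' -DesiredState Running
```

If a service you expect to be running shows `StartPending` here, the scan would fail that host even though the service is about to be available; a scan that runs immediately after boot can produce such false failures, and a Warning severity with an alarm is the lower-risk setting until the timing is understood.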

Windows

The Custom Scans feature allows you to search host computers for very specific information. Custom Scans must be created separately for different operating systems. Within each operating system, there are different types of scans that can be created. Refer to Add A Windows Custom Scan below for a list of scan types and general instructions on adding scans. Refer to the instructions for each scan type for field level information. You can modify or delete the scans at any time. When a scan is modified it affects any existing Scan that use that Custom Scan.

Add a custom scan

  1. Click Policy > Policy Configuration.
  2. In the menu on the left click the + sign next to Endpoint Compliance to open it.
  3. Click the Scans option to select it.
  4. At the bottom of the window, click the Custom Scans button.
  5. In the Custom Scans dialog, click Add.
  6. Select Windows from the Operating System drop-down list.
  7. Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table below for settings.

    Scan Type

    Description

    Cert-Check

    Test for a valid certificate on the host.

    Note

    Requires Agent Version 3.5 or higher. See Certificate check settings

    Domain-Verification

    Test for the domain joined by the host. See Domain verification scan settings.

    Note: Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

    File

    Test for the existence and version of a specific file. If the file exists and is an executable the program can be forced to run. See File scan settings.

    HotFixes

    Test for the existence of specific HotFixes for the specified Operating systems. See HotFixes scan settings.

    Processes

    Test for the existence of a specific process name for the indicated Windows operating system. See Processes scan settings.

    Prohibited - Domain-Verification

    Test for the domain joined by the host. See Prohibited domain verification scan settings.

    Note: Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

    Prohibited-Processes

    Test for the existence of a specific prohibited process for the indicated Windows operating system(s). See Prohibited processes scan settings.

    Registry-Keys

    Test for a specific registry key and its associated data. See Registry keys scan settings.

    Registry-Version

    Test for a specific program and its version. The program can be required for specific versions of the Windows Operating System. See Registry version scan settings.

    Service

    Test the state of a service running on the operating system. See Service scan settings .

    Note

    Requires Agent Version 3.5 or higher.

  8. Enter the Name for the custom scan.
  9. Enter the information for the custom scan.
  10. Click OK.
  11. The name of the Custom Scan displays in the Custom Scans section for each scan. You can select the Custom Scan to be part of the creation or modification of scan parameters.
Certificate check settings

The certificate being scanned must be obtained from the CA (e.g., Windows AD server), and installed on the host in the Certificate Store under Local Computer > Personal > Certificates. The certificate must then be uploaded to FortiNAC's Certificate management to the Persistent agent cert-check target. Go to System > Settings and under Security click Certificate Management. Click Upload Certificate, and then select the Persistent Agent Cert Check target.

Requirements for client certificates:

  • The certificate must be signed by a CA specified by the customer.
  • The certificate selected by the agent should adhere to the uses as specified:
  • The certificate is a client certificate that is located in the Certificate Store on the host under Local Computer > Personal > Certificates.
  • The host name can be found in the certificate as part of the certificate’s subject alternative name (SAN). For example, DNS Name=Win7QA.qatest.com.
  • The agent must also be able to sign data using the certificate's private key, so the Key Usage must have "Digital Signature".

    Note

    This refers to the Key Usage and not the Enhanced Key Usage.

To create a custom scan for a Cert-Check, enter the information shown in the table below into the custom scan window after selecting the Cert-Check scan type.

Scan Parameter

Description

Label (required)

This label appears in the Results page information to identify which scan the host failed.

Web Address (optional)

The URL of the page with information about this cert-check. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity (required)

The severity of the failure if the certificate is not on the host. If you select Required and the certificate does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

CRL Revocation Checking (optional)

If enabled, CRL Revocation Checking ensures the certificate has not been revoked by the Certificate Authority (CA). If the certificate is revoked, the host fails the custom scan.

Note

The application server must have access to the web server. When CRL Verification is enabled, the server reads the CRL Distribution point URIs from the client certificate. The application server will directly download a CRL from an "http://" URI, or indirectly download a CRL from a "ldap://" URI through your configured LDAP servers.

Extended Key Usage Restrictions (optional)

If enabled, determines how the certificate's key may be used by restricting its Extended Key Usage (EKU) extensions. Multiple extensions must be comma-separated. For example, if you select this option and enter "1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1" as the specified extensions, the selected mode is applied to those two extensions as follows:

  • Disabled - There are no restrictions on key usage extensions.
  • All of - The certificate must include all of the specified extensions.
  • Exactly - The certificate must include only the specified extensions.
  • One or More of - The certificate must have at least one of the specified extensions.
  • None of - The certificate may have extensions, but it must not have any of the specified extensions.
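
The following PowerShell is an added example, not FortiNAC or Fortinet code. Run on the Windows host before enabling a Cert-Check scan, it lists every certificate in Local Computer > Personal > Certificates and reports which of the requirements above each one meets (expected issuer, private key present, Key Usage with Digital Signature, host name in the SAN, inside its validity period). It also prints each certificate's EKU OIDs, which are the values the Extended Key Usage Restrictions setting compares against, and Test-EkuRestriction models the five restriction modes from the list above. The issuer distinguished name ($IssuerName), the exact-string issuer comparison and the mode names are this example's own assumptions.

```powershell
# Added example (not FortiNAC or Fortinet code). Assumption: $IssuerName is the
# distinguished name of the CA that issues your client certificates.
function Test-CertCheckCandidate {
    param(
        [Parameter(Mandatory)] [string] $IssuerName,   # e.g. 'CN=Corp Issuing CA, DC=example, DC=com' (assumed)
        [string] $HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN expected in the SAN
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Key Usage (not Enhanced Key Usage): the agent signs with the private key,
        # so the Digital Signature bit must be set.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $digitalSignature = $false
        if ($ku) {
            $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
            $digitalSignature = (($ku.KeyUsages -band $flag) -eq $flag)
        }

        # Subject Alternative Name (OID 2.5.29.17): the host name must appear as a "DNS Name=" entry.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $sanText = if ($san) { $san.Format($true) } else { '' }
        $sanMatches = [bool]($sanText -match ('DNS Name=' + [regex]::Escape($HostName) + '\b'))

        $issuerOk   = ($cert.Issuer -eq $IssuerName)            # exact string compare (assumption)
        $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            IssuedByExpectedCA = $issuerOk
            HasPrivateKey      = $cert.HasPrivateKey
            KeyUsageDigitalSig = $digitalSignature
            SanMatchesHostName = $sanMatches
            InValidityPeriod   = $inValidity
            # EKU OIDs are what the Extended Key Usage Restrictions setting is compared against
            EkuOids            = (@($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -join ', ')
            Eligible           = ($issuerOk -and $cert.HasPrivateKey -and $digitalSignature -and $sanMatches -and $inValidity)
        }
    }
}

# Models the Extended Key Usage Restrictions modes; mode names are this example's own.
function Test-EkuRestriction {
    param(
        [string[]] $CertificateOids,   # EKU OIDs present on the certificate
        [string[]] $SpecifiedOids,     # the comma-separated list entered in the scan
        [ValidateSet('Disabled','AllOf','Exactly','OneOrMoreOf','NoneOf')] [string] $Mode
    )
    $have   = @($CertificateOids | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    $want   = @($SpecifiedOids   | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    $common = @($want | Where-Object { $have -contains $_ })
    switch ($Mode) {
        'Disabled'    { $true }                                                   # no restriction
        'AllOf'       { $common.Count -eq $want.Count }                           # every listed OID present
        'Exactly'     { ($common.Count -eq $want.Count) -and ($have.Count -eq $want.Count) }  # listed OIDs and nothing else
        'OneOrMoreOf' { $common.Count -ge 1 }                                     # at least one listed OID
        'NoneOf'      { $common.Count -eq 0 }                                     # none of the listed OIDs
    }
}

# Usage (issuer DN is a placeholder):
$candidates = Test-CertCheckCandidate -IssuerName 'CN=Corp Issuing CA, DC=example, DC=com'
$candidates | Format-Table Thumbprint, IssuedByExpectedCA, KeyUsageDigitalSig, SanMatchesHostName, Eligible
foreach ($c in $candidates | Where-Object Eligible) {
    Test-EkuRestriction -CertificateOids ($c.EkuOids -split ',') -SpecifiedOids '1.3.6.1.5.5.7.3.2','1.3.6.1.5.5.7.3.1' -Mode AllOf
}
```

Run it in an elevated session so the Local Computer store is readable. A certificate that reports Eligible = False on one of the columns is the usual reason a host fails a Cert-Check with a certificate that looks correct in the MMC snap-in; the Key Usage column in particular is easy to confuse with the Enhanced Key Usage list the snap-in shows more prominently.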

File scan settings

To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window after selecting the File scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Severity

The severity of the failure if the file is not on the host. If you select Required and the file does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

File Name

The name of the file being checked.

File Contains String

Enter the content that must be present within the file in order for the host to pass the scan (e.g., the version number of a product in a configuration file). When the information is found, the host passes the scan. If the information is not found, the host fails the scan.

Note

Requires Agent 4.0.4 or greater.

Note

Requires AV/AS Definition Updates as of May 2, 2016.

Registry Key

To speed up the search for a file you can first check the registry to determine the folder in which the file is installed. In this field you would enter the section of the registry where the information about the file you seek resides.

For example, if you want to make sure that Windows Messenger is installed on the host, the scan needs to look for msmsgs.exe. Enter the registry key that points to the Value Name containing the location of msmsgs.exe, such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService

Registry Value Name

The Value Name that contains the path to the file the custom scan is seeking.

To continue the example above, the Registry Key listed in the previous field tells the custom scan the part of the registry to access to determine where msmsgs.exe is installed. Once the custom scan is looking in the correct section, it needs to know the specific "container" or Value Name in the registry that has the path to msmsgs.exe, such as:

InstallationDirectory

The custom scan can begin its search in the directory specified in the "InstallationDirectory" Value Name, such as:

"C:\Program Files\Messenger"

Execute

Default = No. Select Yes to run the file when it is located.

Command-Line Options

Command line options to be used when executing the file.

Wait for Execution to Complete Before Continuing

Default = No. If set to Yes, the scan waits until the execution of the program is complete before continuing.

File Version (>=)

The version number of the file has to be greater than or equal to the version number entered here.

Web Address

The URL of the page with information about this file. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Windows OS

Select the check box next to the version(s) of Windows OS for which this file is required.

Select the OS within the Custom Scan to apply the custom scan to hosts with that OS.

If you do not select an OS in the Custom Scan, and the host has that OS, the host automatically passes the general scan.

Prohibit this product

If the file is found and this is set to true, the host fails the scan for a prohibited product.

Default = false.
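
The following PowerShell is an added example, not FortiNAC or Fortinet code. It emulates a File custom scan on the host in the order the fields above describe: resolve the install folder from Registry Key and Registry Value Name, locate File Name under it, apply Prohibit this product, then File Version (>=) and File Contains String. The defaults are the Windows Messenger values from the example above; the $SearchRoot fallback used when a scan gives no registry hint is this example's assumption, not documented FortiNAC behaviour.

```powershell
# Added example (not FortiNAC or Fortinet code): pre-check a File scan definition on a host.
function Test-FileScan {
    param(
        [string] $FileName          = 'msmsgs.exe',
        [string] $RegistryKey       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService',
        [string] $RegistryValueName = 'InstallationDirectory',
        [string] $SearchRoot        = $env:ProgramFiles,   # assumed fallback start folder (not FortiNAC's rule)
        [version] $MinimumVersion,                         # File Version (>=); omit to skip the check
        [string] $ContainsString,                          # File Contains String; omit to skip the check
        [switch] $Prohibit                                 # Prohibit this product
    )
    $result = [ordered]@{ FileName = $FileName; Path = $null; Version = $null; Pass = $false; Reason = '' }

    # 1. Registry Key + Registry Value Name narrow the search to the product's install folder.
    $searchPath = $SearchRoot
    if ($RegistryKey -and $RegistryValueName) {
        $props = Get-ItemProperty -Path ('Registry::' + $RegistryKey) -ErrorAction SilentlyContinue
        if ($props -and $null -ne $props.$RegistryValueName) {
            $searchPath = ([string]$props.$RegistryValueName).Trim('"')   # the guide shows the value quoted
        }
    }

    # 2. Locate the file; the first match is enough for a scan.
    $file = Get-ChildItem -Path $searchPath -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $file) {
        $result.Pass   = [bool]$Prohibit        # absent file passes only when the product is prohibited
        $result.Reason = "not found under $searchPath"
        return [pscustomobject]$result
    }
    $result.Path = $file.FullName

    # 3. Prohibit this product: presence alone fails the scan; no further checks.
    if ($Prohibit) { $result.Reason = 'prohibited product present'; return [pscustomobject]$result }

    # 4. File Version (>=): build a System.Version from the file's version resource.
    $vi = $file.VersionInfo
    $result.Version = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($MinimumVersion -and ($result.Version -lt $MinimumVersion)) {
        $result.Reason = "version $($result.Version) is below $MinimumVersion"
        return [pscustomobject]$result
    }

    # 5. File Contains String: literal (not regex) search of the file's content.
    if ($ContainsString -and -not (Select-String -Path $file.FullName -Pattern $ContainsString -SimpleMatch -Quiet)) {
        $result.Reason = "string '$ContainsString' not found"
        return [pscustomobject]$result
    }

    $result.Pass = $true; $result.Reason = 'all checks satisfied'
    [pscustomobject]$result
}

# Usage: the guide's Messenger example, requiring version 4.7 or later
Test-FileScan -MinimumVersion '4.7'
# A prohibited-product check for an arbitrary executable name (constructed example)
Test-FileScan -FileName 'unwanted-tool.exe' -RegistryKey '' -RegistryValueName '' -Prohibit
```

The Execute and Wait for Execution options are intentionally not emulated; the point of a pre-check is to confirm the lookup chain (registry hint, path, version, content) resolves the way the scan expects without running anything on the host.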

Registry keys scan settings

To create a custom scan for a specific Registry key, enter the information shown in the table below into the custom scan window after selecting the Registry-Keys scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information about this registry key. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the key is not on the host. If you select Required and the registry key does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Hive

The name of the hive to be searched. Supported hives are:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Note

Scanning for registry keys in the HKEY_CURRENT_USER hive will not be successful because the user running Persistent Agent differs from the user logged on to the host.

Key Name

Name of the Registry Key that contains the value being located.

Value Name

The Value Name to be located.

Type

  • REG_SZ
  • REG_DWORD

Note

You must enter the REG_DWORD setting as a decimal value, not hexadecimal.

Data

The data to be contained in the selected type.

Action

Select an action from the drop-down list:

  • Match Value Exactly—The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the scan is compared to the data on the key. If the value and data in the key are exact matches to the specified entries, the scan passes. Otherwise, it fails.
  • Search keys and values—The Key Name is used as a starting point. The search is for whatever is contained in Data. The data must be found in a key name, a Value name, or the data of all sub-keys of the key entered.
  • Value contains Data—The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the scan is compared to the data in the value. If the contents in the value contains the data, the scan passes. Otherwise, it fails.
  • Key has a value—The Value Name is used as a path to find the specified Key Name in the tree. If the key is found by using the name in the value and the data is not empty, the scan passes. Otherwise, it fails.
  • Sets the value (Use Caution)—When checked, this scan ALWAYS PASSES. The scan checks to see if the key exists in the registry key. If it does, the scan overwrites the key to have the specified data. If it does not exist, the scan creates the key and sets the data as specified.

Note

When the Type is REG_DWORD, the only actions available are Match Value and Sets the value (Use Caution).

Example:

Hive Name: HKEY_LOCAL_MACHINE

Key Name: SOFTWARE\Widgets\Setup

Value Name: Version

Data: 1.0

DWORD Comparison Operation

This field is enabled only when Type is set to REG_DWORD and Action is set to Match Value. The operator selected here is used in the comparison of the value in the Data field to the Data value in the registry. For example, if this field is set to = then both values must match exactly. If the operator is set to >= the Data value in the host registry must be greater than or equal to the Data value in the custom scan.

Prohibit

If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.

Default = False.

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
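
The following PowerShell is an added example, not FortiNAC or Fortinet code. It emulates the four read-only Registry-Keys actions (Match Value Exactly, Search keys and values, Value contains Data, Key has a value), the REG_DWORD comparison operator and the Prohibit flag on a test host, so a Hive/Key Name/Value Name/Data/Action combination can be checked before it is attached to a policy. The action and operator parameter names are this example's own, and the DWORD operators other than = and >= are assumed. "Sets the value" is deliberately not emulated because it writes to the registry.

```powershell
# Added example (not FortiNAC or Fortinet code): emulate a Registry-Keys scan locally.
function Test-RegistryKeyScan {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HKEY_CLASSES_ROOT','HKEY_CURRENT_USER','HKEY_LOCAL_MACHINE','HKEY_USERS','HKEY_CURRENT_CONFIG')]
        [string] $Hive,
        [Parameter(Mandatory)] [string] $KeyName,
        [string] $ValueName,
        [ValidateSet('REG_SZ','REG_DWORD')] [string] $Type = 'REG_SZ',
        [string] $Data,
        [ValidateSet('MatchValueExactly','SearchKeysAndValues','ValueContainsData','KeyHasAValue')]
        [string] $Action = 'MatchValueExactly',
        [ValidateSet('=','>','>=','<','<=')] [string] $DwordOperator = '=',   # only = and >= are documented
        [switch] $Prohibit
    )
    if ($Hive -eq 'HKEY_CURRENT_USER') {
        # The Persistent Agent runs as a different user, so an HKCU result here does not predict the agent's.
        Write-Warning 'HKEY_CURRENT_USER resolves to the current user here; the agent will not see this hive.'
    }
    $path  = "Registry::$Hive\$KeyName"
    $found = $false

    if ($Action -eq 'SearchKeysAndValues') {
        # Key Name is the starting point; Data may match a sub-key name, a value name or value data.
        $keys = @(Get-Item -Path $path -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        :search foreach ($k in $keys) {
            if (-not $k) { continue }
            if ($k.PSChildName -like "*$Data*") { $found = $true; break search }
            foreach ($vn in $k.GetValueNames()) {
                if (($vn -like "*$Data*") -or (([string]$k.GetValue($vn)) -like "*$Data*")) { $found = $true; break search }
            }
        }
    } else {
        $key    = Get-Item -Path $path -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
        switch ($Action) {
            'KeyHasAValue'      { $found = ($null -ne $actual) -and ("$actual" -ne '') }
            'ValueContainsData' { $found = ($null -ne $actual) -and ("$actual" -like "*$Data*") }
            'MatchValueExactly' {
                if ($Type -eq 'REG_DWORD') {
                    # REG_DWORD Data is entered in decimal; compare numerically with the chosen operator.
                    if ($null -ne $actual) {
                        $have = [int64]$actual; $want = [int64]$Data
                        $found = switch ($DwordOperator) {
                            '='  { $have -eq $want }
                            '>'  { $have -gt $want }
                            '>=' { $have -ge $want }
                            '<'  { $have -lt $want }
                            '<=' { $have -le $want }
                        }
                    }
                } else {
                    $found = ($null -ne $actual) -and ("$actual" -eq $Data)
                }
            }
        }
    }
    # Prohibit inverts the outcome: finding the key fails the scan.
    $pass = if ($Prohibit) { -not $found } else { $found }
    [pscustomobject]@{ Path = $path; ValueName = $ValueName; Action = $Action; Found = $found; Pass = $pass }
}

# The guide's example: HKEY_LOCAL_MACHINE\SOFTWARE\Widgets\Setup, Value Name Version, Data 1.0
Test-RegistryKeyScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Widgets\Setup' -ValueName 'Version' -Data '1.0'
# A DWORD threshold check (constructed values): pass when the stored number is at least 2
Test-RegistryKeyScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Widgets\Setup' -ValueName 'Level' -Type REG_DWORD -Data '2' -DwordOperator '>='
```

Run it as the account the scan result matters for: because the agent does not run as the logged-on user, a Pass here against HKEY_CURRENT_USER says nothing about what the agent will report, which is the reason behind the note above.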

HotFixes scan settings

You can create a custom scan for a specific HotFix. Enter the information shown in the table below into the custom scan window after selecting the HotFix scan type.

Note

As a best practice, add HotFix custom scans to a particular operating system within a general Scan. If you enable the HotFix custom scan at the Scan level, every host that is evaluated by the scan is also scanned for the HotFix. Since HotFixes are operating system specific you could inadvertently deny access to the network to many hosts.

Scan Parameter

Description

Label

Label in the Results page information identifying which scan the host failed.

Web Address

The URL of the page with information about this HotFix. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the hotfix is not on the host. If you select Required and the hotfix does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

HotFix ID

The name of the HotFix, such as, KB123456.

Bypass Service Pack (>=)

Select the Bypass Service Pack check box to display a text field. Enter the numeric value for the Service Pack level in this field.

The host must have the specified hotfix (HotFix ID above) OR a service pack level equal to or greater than the set value to pass the scan.

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
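
The following PowerShell is an added example, not FortiNAC or Fortinet code. It applies the pass rule described above on the host itself: the HotFix ID is installed, or the service pack level is greater than or equal to the Bypass Service Pack value. Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed through Windows Update and the servicing stack; an update delivered another way may not appear there, so a False here is worth confirming in Installed Updates before the scan is set to Required.

```powershell
# Added example (not FortiNAC or Fortinet code): emulate a HotFixes scan on the host.
function Test-HotFixScan {
    param(
        [Parameter(Mandatory)] [string] $HotFixId,   # e.g. 'KB123456' (the guide's placeholder ID)
        [int] $BypassServicePack                     # Bypass Service Pack (>=); omit to require the HotFix itself
    )
    $present = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
    $spLevel = (Get-CimInstance -ClassName Win32_OperatingSystem).ServicePackMajorVersion
    $bypass  = $PSBoundParameters.ContainsKey('BypassServicePack') -and ($spLevel -ge $BypassServicePack)
    $reason  = if ($present) { 'hotfix installed' }
               elseif ($bypass) { "service pack $spLevel >= $BypassServicePack" }
               else { 'hotfix missing and service pack below threshold' }
    [pscustomobject]@{
        HotFixId    = $HotFixId
        Installed   = $present
        ServicePack = $spLevel
        Pass        = ($present -or $bypass)   # the OR rule from the Bypass Service Pack description
        Reason      = $reason
    }
}

# Usage with the guide's placeholder ID and a service pack bypass of 1
Test-HotFixScan -HotFixId 'KB123456' -BypassServicePack 1
```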

Registry version scan settings

Create a custom scan to verify that a specific version of an application, such as Internet Explorer, is installed on the host. Enter the information shown in the table below into the custom scan window after selecting the Registry-Version scan type. When the scan runs, the registry is checked to see if the installed application has the required version.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information about this registry version. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the file is not on the host. If you select Required and the version of the application does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Hive

The name of the Hive to be searched. Supported hives are:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Key Name

Name of the Registry Key that contains the value being searched for.

Value Name

The Value Name that must be in the key entry.

Version

The Version that must be in the key entry.

Operation

Select an Operator for the version number:

  • >
  • =
  • >=

Prohibit

If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.

Default = False.

Version Delimiter

The character that separates the parts of the version number stored in the registry value.

Require for Windows...

Select the check box next to the version(s) of Windows OS for which this key is required.

You must select the OS within the Custom Scan to apply the scan to hosts with the selected OS.

If you do not select an OS in the Custom Scan and the host has that OS, the host automatically passes the general scan.
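
The following PowerShell is an added example, not FortiNAC or Fortinet code. It reads the Version value from the registry key named in the scan and compares it with the required Version using the selected Operation and Version Delimiter: both strings are split on the delimiter and compared part by part, with numeric parts compared as integers and missing trailing parts treated as 0. That part-by-part rule is this example's assumption about how the delimiter is applied; the Prohibit handling follows the description above.

```powershell
# Added example (not FortiNAC or Fortinet code): compare two version strings the way a
# Registry-Version scan's Operation and Version Delimiter settings describe.
function Compare-ScanVersion {
    param(
        [Parameter(Mandatory)] [string] $Installed,   # version string read from the registry value
        [Parameter(Mandatory)] [string] $Required,    # Version entered in the scan
        [ValidateSet('>','=','>=')] [string] $Operation = '>=',
        [string] $Delimiter = '.'                     # Version Delimiter
    )
    $a = $Installed -split [regex]::Escape($Delimiter)
    $b = $Required  -split [regex]::Escape($Delimiter)
    $n = [math]::Max($a.Count, $b.Count)
    $cmp = 0
    for ($i = 0; ($i -lt $n) -and ($cmp -eq 0); $i++) {
        $x = if ($i -lt $a.Count) { $a[$i] } else { '0' }   # missing trailing parts count as 0 (assumption)
        $y = if ($i -lt $b.Count) { $b[$i] } else { '0' }
        $xi = 0; $yi = 0
        if ([int]::TryParse($x, [ref]$xi) -and [int]::TryParse($y, [ref]$yi)) {
            $cmp = $xi.CompareTo($yi)                       # numeric parts: 10 > 9
        } else {
            $cmp = [string]::CompareOrdinal($x, $y)          # non-numeric parts: ordinal string order (assumption)
        }
    }
    switch ($Operation) {
        '>'  { $cmp -gt 0 }
        '='  { $cmp -eq 0 }
        '>=' { $cmp -ge 0 }
    }
}

# Emulates the whole Registry-Version scan against the local registry.
function Test-RegistryVersionScan {
    param(
        [Parameter(Mandatory)] [string] $Hive,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [string] $Version,
        [ValidateSet('>','=','>=')] [string] $Operation = '>=',
        [string] $Delimiter = '.',
        [switch] $Prohibit
    )
    $key       = Get-Item -Path "Registry::$Hive\$KeyName" -ErrorAction SilentlyContinue
    $installed = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
    if ($null -eq $installed) {
        return [pscustomobject]@{ Installed = $null; Pass = [bool]$Prohibit; Reason = 'key or value not found' }
    }
    if ($Prohibit) {
        return [pscustomobject]@{ Installed = "$installed"; Pass = $false; Reason = 'prohibited product present' }
    }
    $ok = Compare-ScanVersion -Installed "$installed" -Required $Version -Operation $Operation -Delimiter $Delimiter
    [pscustomobject]@{ Installed = "$installed"; Pass = $ok; Reason = "installed $installed $Operation $Version is $ok" }
}

# Usage: Internet Explorer's svcVersion value (constructed threshold), period-delimited
Test-RegistryVersionScan -Hive HKEY_LOCAL_MACHINE -KeyName 'SOFTWARE\Microsoft\Internet Explorer' -ValueName 'svcVersion' -Version '11.0' -Operation '>='
# Part-by-part comparison: plain string order would put 9.5 above 10.0, the delimiter-aware compare does not
Compare-ScanVersion -Installed '10.0' -Required '9.5' -Operation '>'
```

The second usage line shows why the delimiter matters: a version string compared as plain text sorts "9.5" after "10.0", which would make a host with the newer build fail a ">=" scan. Splitting on the delimiter and comparing each part numerically gives the intended result.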

Processes scan settings

Create a custom scan for a specific process. Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for Processes.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding this process. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the process is not running on the host. If you select Required and the process does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Process Name for ...

Enter the name of the process that is required for the specific Operating System(s).

Note

If you do not want to scan for a process on a particular Operating System, leave the corresponding field blank. When you click Apply, FortiNAC fills each blank field with the word SYSTEM. This indicates that hosts with the corresponding Operating System pass this scan.

Prohibited processes scan settings

Create a custom scan to prohibit a specific process on a host with selected Operating System(s). Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for Prohibited-Processes.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding this prohibited process. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the prohibited process is running on the host. If you select Required and the process does exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Process Name for ...

Enter the name of the process that is prohibited for the specific Operating System(s).

Domain verification scan settings

Create a custom scan to verify that a host has joined the appropriate domain when it connected to the network. Domain names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this custom scan to any Policies that require domain verification. A host will pass this scan if it is joined with any domain contained in the list for the host's operating system.

Note

Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding domain verification. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the host is not part of any of the domains specified. If you select Required and the host is not in the correct domain, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Domain Names for ...

Enter a comma separated list of the NetBIOS domain names that are required or permitted for the specific Operating System(s).

Prohibited domain verification scan settings

Create a custom scan to verify the domain a host is attempting to join and prohibit access to the network based on that domain. Domain names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this custom scan to a general scan to prevent access based on domain verification. A host will fail this scan if it is joined with any domain contained in the list for the host's operating system.

Note

Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Web Address

The URL of the page with information regarding domain verification. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Severity

The severity of the failure if the host is part of any of the domains specified. If you select Required and the host is joined to one of the prohibited domains, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Domain Names for ...

Enter a comma separated list of the NetBIOS domain names that are prohibited for the specific Operating System(s).

Service scan settings

You can create a custom scan to check the status of a Windows Service. Enter the information shown in the table below into the custom scan window after selecting the Service scan type.

Scan Parameter

Description

Label

This label appears in the Results page information to identify which scan the host failed.

Severity

The severity of the failure if the service is not in the desired state on the host. If you select Required and the service is not in the desired state, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level for more details.

Service Name

The name of the service on the Windows OS. To retrieve the service name, open the Microsoft Management Console Local Services view. See Find the service name for information on how to locate the Service Name on your system.

Desired State

Select the state the service must be in on the scanned host. Select Running to indicate the host must be running the service. Select Stopped to indicate the host must not be running the service.

Web Address

The URL of the page with information about this service. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:

/bsc/Registration/registration/site

When completing this field you must enter part of the path for the page not just the page name, such as:

site/pagename.jsp

Find the service name

  1. Open Microsoft Management Console on your system.
  2. Navigate to the Local Services view.
  3. Right-click the service you want to create the custom scan for, and click Properties.
  4. Find the service name in the Properties view and enter it in the Service Name field of the custom scan.