Windows
The custom scans feature allows you to search host computers for very specific information. Custom scans must be created separately for different operating systems. Within each operating system, there are different types of scans that can be created. Refer to Add A Windows Custom Scan below for a list of scan types and general instructions on adding scans. Refer to the instructions for each scan type for field level information. You can modify or delete the scans at any time. When a scan is modified, it affects any existing scan that use that custom scan.
Add a custom scan
- Click Policy & Objects.
- Expand Endpoint Compliance.
- Click the Scans option to select it.
- Click Custom Scans.
- Select Add.
- Select Windows from the Operating System drop-down list.
-
Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table below for settings.
Type
Description
Cert-Check
Test for a valid certificate on the host.
Requires Agent Version 3.5 or higher.
Domain-Verification
Test for the domain joined by the host.
Note: This scan has been deprecated. Please use "Domain-Check" instead.
Domain-Check
Replaces the "Domain-Verification" scan. Tests for the domain joined by the host. Scan is not Windows OS specific (Windows XP, Windows 7, etc). For additional details, see "Domain verification/Domain check" below.
File
Test for the existence and version of a specific file. If the file exists and is an executable the program can be forced to run.
HotFixes
Test for the existence of specific HotFixes for the specified Operating systems.
Processes
Test for the existence of a specific process name for the indicated Windows operating system.
Prohibited - Domain-Verification
Test for the domain joined by the host.
Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.
Prohibited-Processes
Test for the existence of a specific prohibited process for the indicated Windows operating system(s).
Registry-Keys
Test for a specific registry key and its associated data.
Registry-Version
Test for a specific program and its version. The program can be required for specific versions of Windows.
Service
Test the state of a service running on the operating system.
Requires Agent Version 3.5 or higher.
- Enter the Name for the custom scan.
- Enter the information for the custom scan.
- Click OK.
- The name of the custom scan displays in the Custom Scans section for each scan. You can select the custom scan to be part of the creation or modification of scan parameters.
Certificate check
The certificate being scanned must be obtained from the CA (e.g., Windows AD server), and installed on the host in the certificate Store under Local Computer > Personal > Certificates. The certificate must then be uploaded to FortiNAC Manager's certificate management to the Persistent Agent cert-check target. Go to System > Settings and under Security click Certificate Management. Click Upload Certificate, and then select the Persistent Agent Cert Check target.
Requirements for client certificates:
- The certificate must be signed by a CA specified by the customer.
- The certificate selected by the agent should adhere to the uses as specified:
- The certificate is a client certificate that is located in the certificate Store on the host under Local Computer > Personal > Certificates.
- The host name can be found in the certificate as part of the certificate’s subject alternative name (SAN). For example,
DNS Name=Win7QA.qatest.com
. -
The agent must also be able to sign data using the certificate's private key, so the key usage must have "Digital Signature". This refers to the key usage, not the enhanced key usage.
-
The certificate uploaded to FortiNAC's 'Persistent Agent Cert Check' target must be the CA certificate from the signer of the workstation authentication certificate.
In order to complete and pass this scan, Server and endpoint clocks must be within 5 minutes. If scans are not passing, please verify both clocks are in sync with each other. |
To create a custom scan for a certificate check, enter the information shown in the table below into the custom scan window after selecting the certificate check scan type.
Scan parameter |
Description |
Label (required) |
This label appears in the results page information to identify which scan the host failed. |
Web Address (optional) |
The URL of the page with information about this cert-check. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity (required) |
The severity of the failure if the certificate is not on the host. See Severity level for more details. |
CRL Revocation Checking (optional) |
If enabled, CRL revocation checking ensures the certificate has not been revoked by the CA. If the certificate is revoked, the host fails the custom scan. The application server must have access to the web server. When CRL verification is enabled, the server reads the CRL distribution point URIs from the client certificate. The application server will directly download a CRL from an "http://" URI, or indirectly download a CRL from a "ldap://" URI through your configured LDAP servers. |
Extended Key Usage Restrictions (optional) |
If enabled, determines how the private key may be used. Multiple extensions must be comma-separated. For example, if you select this option and enter "1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1" as the specified extensions,
|
File scan
To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window after selecting the File scan type.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Severity |
The severity of the failure if the file is not on the host. See Severity level for more details. |
File Name |
The name of the file being checked. |
File Contains String |
Enter the content that must be present within the file in order for the host to pass the scan (e.g., the version number of a product in a configuration file). When the information is found, the host passes the scan. If the information is not found, the host fails the scan. Requires Agent 4.0.4 or greater. |
Registry Key |
To speed up the search for a file you can first check the registry to determine the folder in which the file is installed. In this field you would enter the section of the registry where the information about the file you seek resides. For example, if you want to make sure that Windows Messenger is installed on the host, the scan needs to look for msmsgs.exe. Enter the registry key that points to the Value Name containing the location of msmsgs.exe, such as: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService |
Registry Value Name |
The Value Name that contains the path to the file the custom scan is seeking. To continue the example above, the Registry Key listed in the previous field tells the custom scan the part of the registry to access to determine where msmsgs.exe is installed. Once the custom scan is looking in the correct section, it needs to know the specific "container" or Value Name in the registry that has the path to msmsgs.exe, such as: InstallationDirectory The custom scan can begin its search in the directory specified in the "InstallationDirectory" Value Name, such as: "C:\Program Files\Messenger" |
Execute |
Default = No. Select Yes to run the file when it is located. |
Command-Line Options |
Command line options to be used when executing the file. |
Wait for Execution to Complete Before |
Default = No. If set to Yes, the scan waits until the execution of the program is complete before continuing. |
File Version (>=) |
The version number of the file has to be greater than or equal to the version number entered here. |
Web Address |
The URL of the page with information about this file. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Windows OS |
Select the check box next to the version(s) of Windows for which this key is required. |
Prohibit this product |
If the file is found and this is set to true, the host fails the scan for a prohibited product. Default = false. |
Registry keys
To create a custom scan for a specific registry key, enter the information shown in the table below into the custom scan window after selecting the registry keys scan type.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information about this registry key. If entered, this link appears on the results page. This is a user created web page. It must be stored in: /bsc/Registration/registration/site When completing this field you must enter part of the path for the page not just the page name, such as: site/pagename.jsp |
Severity |
The severity of the failure if the key is not on the host. See Severity level for more details. |
Hive |
The name of the hive to be searched. Supported hives are:
Scanning for registry keys in the HKEY_CURRENT_USER hive will not be successful because the user running Persistent Agent differs from the user logged on to the host. |
Key Name |
Name of the Registry Key that contains the value being located. |
Value Name |
The Value Name to be located. |
Type |
You must enter the REG_DWORD setting as a decimal value, not hexadecimal. |
Data |
The data to be contained in the selected type. |
Action |
Select an action from the drop-down list:
When the Type is REG_DWORD, the only actions available are Match Value and Sets the value (Use Caution). Example:Hive Name HKEY_LOCAL_MACHINE Key Name SOFTWARE\Widgets\Setup Value Name Version Data 1.0 |
DWORD Comparison Operation |
This field is enabled only when Type is set to REG_DWORD and Action is set to Match Value. The operator selected here is used in the comparison of the value in the Data field to the Data value in the registry. For example, if this field is set to = then both values must match exactly. If the operator is set to >= the Data value in the host registry must be greater than or equal to the Data value in the custom scan. |
Prohibit |
If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product. Default = False. |
Require for Windows... |
Select the check box next to the version(s) of Windows OS for which this key is required. You must select the OS within the custom scan to apply the scan to hosts with the selected OS. If you do not select an OS in the custom scan and the host has that OS, the host automatically passes the general scan. |
HotFixes
You can create a custom scan for a specific HotFix. Enter the information shown in the table below into the custom scan window after selecting the HotFix scan type.
As a best practice, add HotFix custom scans to a particular operating system within a general scan. If you enable the HotFix custom scan at the Scan level, every host that is evaluated by the scan is also scanned for the HotFix. Since HotFixes are operating system specific you could inadvertently deny access to the network to many hosts.
Scan parameter |
Description |
Label |
Label in the results page information identifying which scan the host failed. |
Web Address |
The URL of the page with information about this HotFix. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the HotFix is not on the host. See Severity level for more details. |
HotFix ID |
The name of the HotFix, such as KB123456. |
Bypass Service Pack (>=) |
Select the Bypass Service Pack check box to display a text field. Enter the numeric value for the Service Pack level in this field. The host must have the specified hotfix (HotFix ID above) OR a service pack level equal to or greater than the set value to pass the scan. |
Require for Windows... |
Select the check box next to the version(s) of Windows for which this key is required. |
Registry version
Create a custom scan to verify that a specific version of an application, such as Internet Explorer, is installed on the host. Enter the information shown in the table below into the custom scan window after selecting the Registry-Version scan type. When the scan runs, the registry is checked to see if the installed application has the required version.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information about this registry version. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the file is not on the host. See Severity level for more details. |
Hive |
The name of the Hive to be searched. Supported hives are:
|
Key Name |
Name of the Registry Key that contains the value being searched for. |
Value Name |
The Value Name that must be in the key entry. |
Version |
The Version that must be in the key entry. |
Operation |
Select an Operator for the version number: > = >= |
Prohibit |
If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product. Default = False. |
Version Delimiter |
The character used to identify the delimiter. |
Require for Windows... |
Select the check box next to the version(s) of Windows for which this key is required. |
Processes
Create a custom scan for a specific process. Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for processes.
If you do not want to scan for a process on a particular operating system, leave the corresponding field blank. When you click ApplyFortiNAC Manager fills each blank field with the word SYSTEM. This indicates that the corresponding operating system should be passed for this scan.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information regarding this process. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as: When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the process is not running on the host. See Severity level for more details. |
Process Name for ... |
Enter the name of the process that is required for the specific operating system(s). |
Prohibited processes
Create a custom scan to prohibit a specific process on a host with selected operating system(s). Process names for various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom scan window for prohibited processes.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information regarding this prohibited process. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the prohibited process is running on the host. See Severity level for more details. |
Process Name for ... |
Enter the name of the process that is prohibited for the specific operating system(s). |
Domain verification/Domain check
Create a custom scan to verify that a host has joined the appropriate domain when it connected to the network. Domain names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this custom scan to any Policies that require domain verification. A host will pass this scan if it is joined with any domain contained in the list for the host's operating system.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information regarding domain verification. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the host is not part of any of the domains specified. See Severity level for more details. |
Domain Names for ... |
Enter a comma separated list of the NetBIOS domain names that are required or permitted for the specific operating system(s). |
Prohibited domain verification
Create a custom scan to verify the domain a host is attempting to join and prohibit access to the network based on that domain. Domain names may differ between operating systems. Enter a comma general scan to prevent access based on domain verification. A host will fail this scan if it is joined with any domain contained in the list for the host's operating system.
Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless of the domain returned.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Web Address |
The URL of the page with information regarding domain verification. If entered, this link appears on the results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Severity |
The severity of the failure if the host is part of any of the domains specified. See Severity level for more details. |
Domain Names for ... |
Enter a comma separated list of the NetBIOS domain names that are prohibited for the specific operating system(s). |
Service
You can create a custom scan to check the status of a Windows Service. Enter the information shown in the table below into the custom scan window after selecting the Service scan type.
Scan parameter |
Description |
Label |
This label appears in the results page information to identify which scan the host failed. |
Severity |
The severity of the failure if the service is not in the desired state on the host. See Severity level for more details. |
Service Name |
The name of the service on the Windows OS. To retrieve the service name, open the Microsoft Management Console Local Services view. See Find the service name for information on how to locate the Service Name on your system. |
Desired State |
Select the the state of the service on the host to be scanned. Select Running to indicate the host must be running the service. Select Stopped to indicate the host must not be running the service. |
Web Address |
The URL of the page with information about this service. If entered, this link appears on the Results page. This is a user created web page. It must be stored in:
When completing this field you must enter part of the path for the page not just the page name, such as:
|
Find the service name
- Open Microsoft Management Console on your system.
- Navigate to the Local Services view.
- Right-click the process you want to create the custom scan for, and click Properties.
- Find the service name in the Properties view and enter it in the Service Name field of the custom scan.