Advanced Endpoint Analysis Policy Expression Reference

This reference describes the format and construction of Advanced Endpoint Analysis expressions. The expression elements contained here are built by the Citrix Gateway configuration utility automatically and do not require manual configuration.

Expression format

An Advanced Endpoint Analysis expression has the following format:

CLIENT.APPLICATION(SCAN-type_Product-id_Method-name_Method-comparator_Method-param_…)

Where:

SCAN-type is the type of application being analyzed.

Product-id is the product identification for the analyzed application.

Method-name is the product or system attribute being analyzed.

Method-comparator is the chosen comparator for the analysis.

Method-param is the attribute value or values being analyzed.

For example:

client.application(ANTIVIR_2600_RTP_==_TRUE)

Note: For non-application scan types, the expression prefix is CLIENT.SYSTEM instead of CLIENT.APPLICATION.
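The following parser is an added example, not Citrix code, written to show how the expression format above decomposes into its fields and which structural checks a reviewer of exported policy expressions can apply (scan type known, prefix matching the scan type, numeric product id, comparator recognised). It assumes fields are joined with single underscores; how the configuration utility encodes a parameter that itself contains underscores (for example a registry path) is not stated on this page, so everything after the comparator, or after the method name for NO OPERATOR methods, is kept verbatim as the parameter.

```python
"""Parser and structural validator for Advanced Endpoint Analysis expressions.

Added example, not Citrix code. Assumes the grammar
PREFIX(SCAN-type_Product-id_Method-name_Method-comparator_Method-param) with
single-underscore separators; the parameter is kept verbatim after the
comparator (or after the method name when the method takes no operator).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Scan type strings from the "Expression strings" table on this page.
# Application scans use the CLIENT.APPLICATION prefix, the rest CLIENT.SYSTEM.
APPLICATION_SCANS = {
    "ANTIPHI", "ANTISPY", "ANTIVIR", "BACKUP", "DEV-CONT", "DATA-PREV",
    "DESK-SHARE", "FIREWALL", "HEALTH", "HD-ENC", "IM", "BROWSER", "P2P",
    "PATCH", "URL-FILT",
}
SYSTEM_SCANS = {"MAC", "DOMAIN", "REG-NUM", "REG-NON-NUM"}

# Comparators from the method tables; longest first so "<=" wins over "<".
COMPARATORS = sorted(
    ["<", "<=", ">", ">=", "!=", "==", "allof", "anyof", "noneof"],
    key=len, reverse=True,
)

_OUTER = re.compile(
    r"^\s*(CLIENT\.(?:APPLICATION|SYSTEM))\s*\((.*)\)\s*$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class EpaExpression:
    prefix: str              # CLIENT.APPLICATION or CLIENT.SYSTEM
    scan_type: str           # e.g. ANTIVIR, with any MAC- prefix removed
    macos: bool              # True when the MAC- (macOS) prefix was present
    product_id: int          # 0 means a generic scan
    method: str              # e.g. RTP, VERSION, PATH
    comparator: str | None   # None for NO OPERATOR methods such as PATH
    param: str


def parse_expression(text: str) -> EpaExpression:
    """Split one expression into its fields; ValueError on any structural
    problem (unknown scan type, wrong prefix, non-numeric product id)."""
    m = _OUTER.match(text)
    if not m:
        raise ValueError(f"not a CLIENT.APPLICATION/CLIENT.SYSTEM expression: {text!r}")
    prefix, body = m.group(1).upper(), m.group(2)
    parts = body.split("_", 3)  # SCAN-type, Product-id, Method-name, remainder
    if len(parts) < 4:
        raise ValueError(f"expected SCAN-type_Product-id_Method-name_..., got {body!r}")
    scan, product, method, rest = parts
    macos = scan.upper().startswith("MAC-")
    scan = scan[4:].upper() if macos else scan.upper()
    if scan not in APPLICATION_SCANS and scan not in SYSTEM_SCANS:
        raise ValueError(f"unknown scan type {scan!r}")
    wanted = "CLIENT.APPLICATION" if scan in APPLICATION_SCANS else "CLIENT.SYSTEM"
    if prefix != wanted:
        raise ValueError(f"{scan} scans use the {wanted} prefix, not {prefix}")
    if not product.isdigit():
        raise ValueError(f"product id must be numeric, got {product!r}")
    comparator, param = None, rest
    for c in COMPARATORS:
        if rest.startswith(c + "_"):
            comparator, param = c, rest[len(c) + 1:]
            break
    return EpaExpression(prefix, scan, macos, int(product), method.upper(), comparator, param)


def check_expression(text: str) -> str | None:
    """Audit helper: None when the expression is well-formed, else the reason."""
    try:
        parse_expression(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for expr in [
        "client.application(ANTIVIR_2600_RTP_==_TRUE)",       # example from this page
        "client.application(MAC-ANTIVIR_2600_RTP_==_TRUE)",   # example from this page
        "client.system(ANTIVIR_2600_RTP_==_TRUE)",            # constructed: wrong prefix
    ]:
        print(expr, "->", check_expression(expr) or parse_expression(expr))
```

Running the module prints the parsed fields for the two expressions taken from this page and the rejection reason for the constructed wrong-prefix case; `check_expression` is the function to call over a bulk export of policy expressions.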

Expression strings

Each of the supported scan types in Advanced Endpoint Analysis uses a unique identifier in expressions. The following table enumerates the strings for each type of scan.

| Scan type | Scan type expression string |
|---|---|
| Anti-phishing | ANTIPHI |
| Antispyware | ANTISPY |
| Antivirus | ANTIVIR |
| Backup Client | BACKUP |
| Device Access Control | DEV-CONT |
| Data Loss Prevention | DATA-PREV |
| Desktop Sharing | DESK-SHARE |
| Firewall | FIREWALL |
| Health Agent | HEALTH |
| Hard disk Encryption | HD-ENC |
| Instant Messenger | IM |
| Web Browser | BROWSER |
| P2P | P2P |
| Patch Management | PATCH |
| URL Filtering | URL-FILT |
| MAC address | MAC |
| Domain check | DOMAIN |
| Numeric Registry Scan | REG-NUM |
| Non-Numeric Registry Scan | REG-NON-NUM |

Note: For macOS-specific scans, expressions include the prefix MAC- before the scan type string. Therefore, for antivirus and anti-phishing scans, the scan types are MAC-ANTIVIR and MAC-ANTIPHI respectively. For example:

client.application(MAC-ANTIVIR_2600_RTP_==_TRUE)

Application Scan Methods

In configuring Advanced Endpoint Analysis expressions, methods are used to define the parameters of the endpoint scans. These methods include a method name, a comparator, and a value. The following tables enumerate all of the methods available for use in expressions.

Common Scan Methods:

The following methods are used for multiple types of application scans.

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| VERSION* | Specifies the version of the application. | <, <=, >, >=, !=, == | Version string |
| AUTHENTIC** | Checks whether the given application is authentic. | == | TRUE |
| ENABLED | Checks whether the application is enabled. | == | TRUE |
| RUNNING | Checks whether the application is running. | == | TRUE |
| COMMENT | Comment field (ignored by the scan). Delimited by [] within expressions. | == | Any text |

* The VERSION string can specify a decimal string of up to four values, such as 1.2.3.4.

** An AUTHENTIC check verifies the authenticity of the binary files for the application.

Note: You can select a generic version for application scan types. When a generic scan is selected, the product ID is 0.

Gateway provides an option to configure generic scans for each type of software. With a generic scan, an administrator can check the client machine without restricting the check to any particular product.

For generic scans, a scan method works only if the product installed on the user's system supports that method. To find out which products support a particular scan method, contact Citrix support.

Unique Scan Methods:

The following methods are unique to the specified types of scans.

Table 1. Anti-phishing

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENABLED-FOR | Checks whether anti-phishing software is enabled for the selected application. | allof, anyof, noneof | For Windows: Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari. For Mac: Safari, Mozilla Firefox, Google Chrome, Opera |

Table 2. Antispyware and Antivirus

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| RTP | Checks whether real-time protection is on. | == | TRUE |
| SCAN-TIME | Number of minutes since a full system scan was performed. | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-TIME | Number of minutes since the virus definition file was updated (that is, the number of minutes between the definition file timestamp and the current time). | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-VERSION | Version of the definition file. | <, <=, >, >=, !=, == | Version string |
| ENGINE-VERSION | Engine version. | <, <=, >, >=, !=, == | Version string |

Table 3. Backup client

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| LAST-BK-ACTIVITY | Number of minutes since the last backup activity was completed. | <, <=, >, >=, !=, == | Any positive number |

Table 4. Data loss prevention

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENABLED | Checks whether the application is enabled and its protection is active. | == | TRUE |

Table 5. Health check agent

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SYSTEM-COMPL | Checks whether the system is in compliance. | == | TRUE |

Table 6. Hard disk encryption

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENC-PATH | Path whose encryption status is checked. | NO OPERATOR | Any text |
| ENC-TYPE | Encryption status of the path given by ENC-PATH. | allof, anyof, noneof | List with the following options: UNENCRYPTED, PARTIAL, ENCRYPTED, VIRTUAL, SUSPENDED, PENDING |

Table 7. Web browser

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| DEFAULT | Checks whether the browser is set as the default browser. | == | TRUE |

Table 8. Patch management

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SCAN-TIME | Number of minutes since the last patch scan was performed. | <, <=, >, >=, !=, == | Any positive number |
| MISSED-PATCH | Checks that the client system is not missing patches of these types. | anyof, noneof | ANY, Pre-selected (patches pre-selected on the Patch Manager server) |

Table 9. MAC address

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ADDR | Checks whether the client machine's MAC addresses are or are not in the given list. | anyof, noneof | Editable list |

Table 10. Domain membership

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SUFFIX | Checks whether the client machine's domain suffix is or is not in the given list. | anyof, noneof | Editable list |

Table 11. Numeric registry scan

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| PATH | Path for the registry check, in the format HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\EnableAutoUpdate. No escaping of special characters is required. All registry root keys are supported: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG | NO OPERATOR | Any text |
| REDIR-64 | Follow 64-bit redirection. If set to TRUE, WOW redirection is followed (that is, the registry path is checked on 32-bit systems but the WOW-redirected path is checked on 64-bit systems). If not set, WOW redirection is not followed (the same registry path is checked on 32-bit and 64-bit systems). For registry entries that are not redirected, this setting has no effect. See the following article for the list of registry keys that are redirected on 64-bit systems: http://msdn.microsoft.com/en-us/library/aa384253%28v=vs.85%29.aspx | == | TRUE |
| VALUE | Expected value for the above path. This scan works only for the registry types REG_DWORD and REG_QWORD. | <, <=, >, >=, !=, == | Any number |

Table 12. Non-numeric registry scan

| Method | Description | Comparator | Possible values |
|---|---|---|---|
| PATH | Path for the registry check (see the numeric registry scan table). | NO OPERATOR | Any text |
| REDIR-64 | Follow 64-bit redirection (see the numeric registry scan table). | == | TRUE |
| VALUE | Expected value for the above path. For string-type registry entries, the registry value is compared directly against the expected value. For the REG_BINARY registry entry type, the registry value is converted into an uppercase hex string, and this string is compared against the expected value. | ==, != | Any text |
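The block below is an added example, not Citrix code, that implements the comparator semantics spread across the method tables above: ordered comparators on version strings (the VERSION footnote's four-value decimal form) and on minute counts, == TRUE on flag methods, allof/anyof/noneof on list methods such as ENABLED-FOR, ENC-TYPE, ADDR and SUFFIX, and the non-numeric registry VALUE rule that converts REG_BINARY data to an uppercase hex string. The endpoint snapshot it runs against is constructed here; how the real Endpoint Analysis plug-in collects those values is not described on this page, and list parameters are assumed to be comma-separated.

```python
"""Comparator semantics for Advanced Endpoint Analysis method checks.

Added example, not Citrix code: it implements the comparators from the method
tables above against an endpoint snapshot constructed here. How the real
Endpoint Analysis plug-in collects those values is not described on this page
and is assumed away; list parameters are assumed to be comma-separated.
"""
from __future__ import annotations

import operator

_ORDERED = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
            ">=": operator.ge, "!=": operator.ne, "==": operator.eq}


def version_key(version: str) -> tuple[int, ...]:
    """Decimal version string of up to four values (page: 1.2.3.4) -> tuple,
    so that 1.10.0 > 1.9.0 (a plain string compare gets this wrong).
    Missing trailing components count as 0, so '1.2' equals '1.2.0.0'."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def compare_version(observed: str, comparator: str, expected: str) -> bool:
    return _ORDERED[comparator](version_key(observed), version_key(expected))

def compare_number(observed: int, comparator: str, expected: str) -> bool:
    """SCAN-TIME, VIRDEF-FILE-TIME, LAST-BK-ACTIVITY, numeric registry VALUE."""
    return _ORDERED[comparator](int(observed), int(expected))

def compare_flag(observed: bool, comparator: str, expected: str) -> bool:
    """RTP, ENABLED, RUNNING, AUTHENTIC, SYSTEM-COMPL, DEFAULT: only == TRUE."""
    if comparator != "==" or expected.strip().upper() != "TRUE":
        raise ValueError("flag methods support only == TRUE")
    return observed is True

def compare_set(observed, comparator: str, expected) -> bool:
    """allof / anyof / noneof for ENABLED-FOR, ENC-TYPE, MISSED-PATCH, ADDR, SUFFIX.
    Values are matched case-insensitively after trimming whitespace."""
    obs = {str(s).strip().upper() for s in observed}
    exp = {str(s).strip().upper() for s in expected}
    if comparator == "allof":
        return exp <= obs        # every listed value is present on the endpoint
    if comparator == "anyof":
        return bool(exp & obs)   # at least one listed value is present
    if comparator == "noneof":
        return not (exp & obs)   # none of the listed values is present
    raise ValueError(f"unknown list comparator {comparator!r}")

def compare_registry_string(observed: str | bytes, comparator: str, expected: str) -> bool:
    """Non-numeric registry VALUE: strings are compared directly, REG_BINARY
    data is converted to an uppercase hex string first; only == and != apply."""
    if comparator not in ("==", "!="):
        raise ValueError("non-numeric registry VALUE supports only == and !=")
    if isinstance(observed, (bytes, bytearray)):
        observed = bytes(observed).hex().upper()
    return _ORDERED[comparator](observed, expected)

# Which comparison applies to each method, taken from the tables above.
METHOD_KIND = {
    "VERSION": "version", "VIRDEF-FILE-VERSION": "version", "ENGINE-VERSION": "version",
    "SCAN-TIME": "number", "VIRDEF-FILE-TIME": "number", "LAST-BK-ACTIVITY": "number",
    "AUTHENTIC": "flag", "ENABLED": "flag", "RUNNING": "flag", "RTP": "flag",
    "SYSTEM-COMPL": "flag", "DEFAULT": "flag", "REDIR-64": "flag",
    "ENABLED-FOR": "set", "ENC-TYPE": "set", "MISSED-PATCH": "set",
    "ADDR": "set", "SUFFIX": "set",
}

def evaluate(method: str, comparator: str, param: str, observed) -> bool:
    """Apply one method check to the value observed on the endpoint."""
    kind = METHOD_KIND[method.upper()]
    if kind == "version":
        return compare_version(observed, comparator, param)
    if kind == "number":
        return compare_number(observed, comparator, param)
    if kind == "flag":
        return compare_flag(observed, comparator, param)
    return compare_set(observed, comparator, param.split(","))

# Constructed endpoint snapshot (not real scanner output): each entry is
# (method, comparator, expression parameter, value observed on the endpoint).
SAMPLE_CHECKS = [
    ("RTP", "==", "TRUE", True),
    ("VIRDEF-FILE-TIME", "<=", "1440", 95),
    ("ENGINE-VERSION", ">=", "1.9.0", "1.10.2"),
    ("ENC-TYPE", "noneof", "UNENCRYPTED,PARTIAL", ["ENCRYPTED"]),
    ("ENABLED-FOR", "allof", "Google Chrome, Mozilla Firefox", ["Google Chrome"]),
]

def audit(checks=SAMPLE_CHECKS) -> dict[str, bool]:
    """Run every check; a False entry is a method the endpoint fails."""
    return {m: evaluate(m, c, p, o) for m, c, p, o in checks}
```

Calling `audit()` on the constructed snapshot returns True for every check except ENABLED-FOR, because allof requires every listed browser to be covered and the snapshot lists only one. The version comparison is the case to watch when writing a VERSION or ENGINE-VERSION check: comparing the raw strings would rank 1.9.0 above 1.10.2.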
