
Advanced Endpoint Analysis policy expression reference

This topic describes the format and construction of Advanced Endpoint Analysis expressions. The NetScaler Gateway configuration utility automatically builds the expression elements contained here and does not require manual configuration.

Expression format

An Advanced Endpoint Analysis expression has the following format:

CLIENT.APPLICATION(SCAN-type_Product-id_Method-name_Method-comparator_Method-param_…)

Where:

SCAN-type is the type of application being analyzed.

Product-id is the product identification for the analyzed application.

Method-name is the product or system attribute being analyzed.

Method-comparator is the chosen comparator for the analysis.

Method-param is the attribute value or values being analyzed.

Example:

client.application(ANTIVIR_2600_RTP_==_TRUE)

Note:

For non-application scan types, the expression prefix is CLIENT.SYSTEM instead of CLIENT.APPLICATION.

Expression strings

Each of the supported scan types in Advanced Endpoint Analysis uses a unique identifier in the expressions. The following table enumerates the strings for each type of scan.

| Scan type | Scan type expression string |
| --- | --- |
| Anti-phishing | ANTIPHI |
| Antivirus | ANTIVIR |
| Backup Client | BACKUP |
| Citrix Workspace app (macOS) | MAC-CWA |
| Citrix Workspace app (Windows) | WIN-CWA |
| Data Loss Prevention | DATA-PREV |
| Firewall | FIREWALL |
| Health Agent | HEALTH |
| Hard disk Encryption | HD-ENC |
| Instant Messenger | IM |
| Web Browser | BROWSER |
| P2P | P2P |
| Patch Management | PATCH |
| MAC address (expression) | MAC |
| Domain check | DOMAIN |
| Registry Scan | REG |
| Windows Update Scan | WIN-UPDATE |

Note:

For macOS-specific scans, expressions include the prefix MAC- before the scan type string. Therefore, for antivirus and anti-phishing scans, the scan type strings are MAC-ANTIVIR and MAC-ANTIPHI respectively.

For example:

client.application(MAC-ANTIVIR_2600_RTP_==_TRUE)

Application scan methods

In configuring Advanced Endpoint Analysis expressions, methods are used to define the parameters of the endpoint scans. These methods include a method name, a comparator, and a value. The following tables enumerate the methods available for use in expressions.

Common Scan Methods:

The following methods are used for multiple types of application scans.

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| VERSION* | Specifies the version of the application. | <, <=, >, >=, !=, == | Version string |
| AUTHENTIC** | Checks whether the application is authentic. | == | TRUE |
| ENABLED | Checks whether the application is enabled. | == | TRUE |
| RUNNING | Checks whether the application is running. | == | TRUE |
| COMMENT | Comment field (ignored by the scan). Delimited by [] within expressions. | == | Any text |

* The VERSION string is a dotted decimal string of up to four values, such as 1.2.3.4.

** An AUTHENTIC check verifies the authenticity of the binary files for the application.

Note:

You can select a generic version for application scan types. When a generic scan is selected, the product ID is 0.

Gateway provides an option to configure generic scans for each type of software. Using a generic scan, an admin can scan the client machine without restricting the check to any particular product.

For generic scans, a scan method works only if the product installed on the user's system supports that method. To find out which products support a particular scan method, contact NetScaler support.

Unique Scan Methods:

The following methods are unique to the specified types of scans.

Table 1. Anti-phishing

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| ENABLED-FOR | Check whether anti-phishing software is enabled for the selected application. | allof, anyof, noneof | For Windows: Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari. For Mac: Safari, Mozilla Firefox, Google Chrome, Opera |

Table 2. Antivirus

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| RTP | Check whether real-time protection is on. | == | TRUE |
| SCAN-TIME | How many minutes since a full system scan was performed. | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-TIME | How many minutes since the virus definition file was updated (that is, the number of minutes between the virus definition file timestamp and the current timestamp). | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-VERSION | Version of the definition file. | <, <=, >, >=, !=, == | Version string |
| ENGINE-VERSION | Engine version. | <, <=, >, >=, !=, == | Version string |

Table 3. Backup client

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| LAST-BK-ACTIVITY | How many minutes since the last backup activity was completed. | <, <=, >, >=, !=, == | Any positive number |

Table 4. Data loss prevention

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| ENABLED | Check whether the application is enabled and whether its protection is on. | == | TRUE |

Table 5. Health check agent

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| SYSTEM-COMPL | Check whether the system is in compliance. | == | TRUE |

Table 6. Hard disk encryption

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| ENC-PATH | Path for checking the encryption status. | NO OPERATOR | Any text |
| ENC-TYPE | Check the encryption type for the specified path. | allof, anyof, noneof | List with the following options: UNENCRYPTED, PARTIAL, ENCRYPTED, VIRTUAL, SUSPENDED, PENDING |

Table 7. Web browser

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| DEFAULT | Check whether the browser is set as the default browser. | == | TRUE |

Table 8. Patch management

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| SCAN-TIME | How many minutes since the last patch scan was performed. | <, <=, >, >=, !=, == | Any positive number |
| MISSED-PATCH | Client system is not missing patches of these types. | anyof, noneof | ANY, Pre-selected (pre-selected patches on the Patch Manager server), NON |

Table 9. MAC address (expression)

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| ADDR | Check whether the client machine's MAC addresses are or are not in the given list. | anyof, noneof | Editable list |

Table 10. Domain membership

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| SUFFIX | Check whether the client machine's domain suffix is or is not in the given list. | anyof, noneof | Editable list |

Table 11. Numeric registry entry

| Method | Description | Comparator | Possible values |
| --- | --- | --- | --- |
| PATH | Path for the registry check, in the format HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\EnableAutoUpdate. No escaping of special characters is required. All registry root keys are supported: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG. | NO OPERATOR | Any text |
| REDIR-64 | Follow 64-bit redirection. If set to TRUE, WOW redirection is followed (that is, the registry path is checked on 32-bit systems but the WOW-redirected path is checked on 64-bit systems). If not set, WOW redirection is not followed (the same registry path is checked on 32-bit and 64-bit systems). For registry entries that are not redirected, this setting has no effect. See the following article for the list of registry keys that are redirected on 64-bit systems: http://msdn.microsoft.com/en-us/library/aa384253%28v=vs.85%29.aspx | == | TRUE |
| VALUE | Expected value for the above path. This scan works only for registry types REG_DWORD and REG_QWORD. | <, <=, >, >=, !=, == | Any number |
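The expression format and the method tables above can be checked mechanically. The following parser is an added example, not Citrix's or NetScaler's own code: it splits an expression into its fields, accepts the MAC- prefix and generic product ID 0 described in the notes, and rejects a comparator the tables do not list for a method. It assumes that CLIENT.SYSTEM expressions share the CLIENT.APPLICATION field layout (the page only says the prefix differs), and its method table is a subset of the page's tables.

```python
"""Parse and validate NetScaler Advanced Endpoint Analysis (EPA) expressions.
Added example, not Citrix's own code; grammar follows this page's format
PREFIX(SCAN-type_Product-id_Method-name_Comparator_Param). Methods marked
NO OPERATOR on the page (ENC-PATH, PATH) have another shape and are skipped."""
import re
from collections import namedtuple

# Scan-type strings from the "Expression strings" table on the page.
SCAN_TYPES = {
    "ANTIPHI", "ANTIVIR", "BACKUP", "MAC-CWA", "WIN-CWA", "DATA-PREV",
    "FIREWALL", "HEALTH", "HD-ENC", "IM", "BROWSER", "P2P", "PATCH",
    "MAC", "DOMAIN", "REG", "WIN-UPDATE",
}
NUMERIC = {"<", "<=", ">", ">=", "!=", "=="}
# Method -> comparators the page's tables permit (subset: common, antivirus, list scans).
METHODS = {
    "VERSION": NUMERIC, "AUTHENTIC": {"=="}, "ENABLED": {"=="}, "RUNNING": {"=="},
    "RTP": {"=="}, "SCAN-TIME": NUMERIC, "VIRDEF-FILE-TIME": NUMERIC,
    "VIRDEF-FILE-VERSION": NUMERIC, "ENGINE-VERSION": NUMERIC,
    "ENC-TYPE": {"allof", "anyof", "noneof"},
    "ADDR": {"anyof", "noneof"}, "SUFFIX": {"anyof", "noneof"},
}
# Fields are joined by "_"; the parameter may hold anything except parentheses.
_EXPR = re.compile(
    r"^(?P<prefix>CLIENT\.(?:APPLICATION|SYSTEM))\((?P<scan>[A-Z0-9-]+)_(?P<pid>\d+)_"
    r"(?P<method>[A-Z0-9-]+)_(?P<cmp><=|>=|!=|==|<|>|allof|anyof|noneof)_(?P<param>[^()]*)\)$",
    re.IGNORECASE,
)
# scan_type is stored without the MAC- prefix; macos records that the prefix was
# present, generic that the product ID was 0 (both behaviours are notes on the page).
EpaExpression = namedtuple(
    "EpaExpression", "prefix scan_type product_id method comparator param macos generic")

def parse(expr: str) -> EpaExpression:
    """Split an expression into its fields and check them against the tables."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"not an EPA expression: {expr!r}")
    scan, macos = m["scan"].upper(), False
    if scan not in SCAN_TYPES:  # accept the macOS variant MAC-<type>
        if not (scan.startswith("MAC-") and scan[4:] in SCAN_TYPES):
            raise ValueError(f"unknown scan type {scan!r}")
        scan, macos = scan[4:], True
    method, cmp = m["method"].upper(), m["cmp"].lower()
    if method in METHODS and cmp not in METHODS[method]:
        raise ValueError(f"comparator {cmp!r} not allowed for {method}")
    pid = int(m["pid"])
    return EpaExpression(m["prefix"].upper(), scan, pid, method, cmp, m["param"], macos, pid == 0)
```

Running `parse` over the expressions the configuration utility emits is a cheap way to catch a policy that silently references a comparator or scan type the tables do not define.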