Advanced Endpoint Analysis policy expression reference
This topic describes the format and construction of Advanced Endpoint Analysis expressions. The NetScaler Gateway configuration utility automatically builds the expression elements contained here and does not require manual configuration.
Expression format
An Advanced Endpoint Analysis expression has the following format:
CLIENT.APPLICATION (SCAN-type_ Product-id_ Method-name _ Method-comparator_ Method-param _…)
Where:
SCAN-type is the type of application being analyzed.
Product-id is the product identification for the analyzed application.
Method-name is the product or system attribute being analyzed.
Method-comparator is the chosen comparator for the analysis.
Method-param is the attribute value or values being analyzed.
Example:
client.application(ANTIVIR_2600_RTP_==_TRUE)
Note:
For non-application scan types, the expression prefix is CLIENT.SYSTEM instead of CLIENT.APPLICATION.
Expression strings
Each of the supported scan types in Advanced Endpoint Analysis uses a unique identifier in the expressions. The following table enumerates the strings for each type of scan.
| Scan type | Scan type expression string |
|---|---|
| Anti-phishing | ANTIPHI |
| Antivirus | ANTIVIR |
| Backup Client | BACKUP |
| Citrix Workspace app (macOS) | MAC-CWA |
| Citrix Workspace app (Windows) | WIN-CWA |
| Data Loss Prevention | DATA-PREV |
| Firewall | FIREWALL |
| Health Agent | HEALTH |
| Hard disk Encryption | HD-ENC |
| Instant Messenger | IM |
| Web Browser | BROWSER |
| P2P | P2P |
| Patch Management | PATCH |
| MAC address (expression) | MAC |
| Domain check | DOMAIN |
| Registry Scan | REG |
| Windows Update Scan | WIN-UPDATE |
Note:
For macOS X specific scans, expressions include the prefix MAC- before the method type. Therefore, for antivirus and anti-phishing scans, the methods are MAC-ANTIVIR and MAC-ANTIPHI respectively.
For example:
client.application(MAC-ANTIVIR_2600RTP==_TRUE)
Application scan methods
In configuring Advanced Endpoint Analysis expressions, methods are used to define the parameters of the endpoint scans. These methods include a method name, a comparator, and a value. The following tables enumerate the methods available for use in expressions.
Common Scan Methods:
The following methods are used for multiple types of application scans.
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| VERSION* | Specifies version of the application. | <, <=, >, >=, !=, == | Version string |
| AUTHENTIC** | Check if the application is authentic or not. | == | TRUE |
| ENABLED | Check if the application is enabled. | == | TRUE |
| RUNNING | Check if the application is running. | == | TRUE |
| COMMENT | Comment field (ignored by scan). Delineated by [] within expressions. | == | Any text |
* The VERSION string can specify a decimal string of up to four values, such as 1.2.3.4.
** An AUTHENTIC check verifies the authenticity of the binary files for the application.
Note:
You can select a generic version for application scan types. When generic scans are selected, the product ID is 0.
Gateway provides an option to configure Generic scans for each type of software. Using generic scan, an admin can scan the client machine without restricting the scanning check to any particular product.
For Generic scans, scan methods work only if the product installed on the users system supports that scan method. To know which products support a particular scan method, contact NetScaler support.
Unique Scan Methods:
The following methods are unique to the specified types of scans.
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENABLED-FOR | Check whether anti-phishing software is enabled for the selected application. | allof, anyof,noneof |
For Windows: Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari. For Mac: Safari, Mozilla Firefox, Google, Chrome, Opera |
Table 2. Antivirus
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| RTP | Check whether the real-time protection is on or not. | == | TRUE |
| SCAN-TIME | How many minutes since a full system scan was performed. | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-TIME | How many minutes since virus definition file was updated (that is, Number of minutes between virus definition file stamp and current timestamp). | <, <=, >, >=, !=, == | Any positive number |
| VIRDEF-FILE-VERSION | Version of definition file. | <, <=, >, >=, !=, == | Version string |
| ENGINE-VERSION | Engine version. | <, <=, >, >=, !=, == | Version string |
Table 3. Backup client
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| LAST-BK-ACTIVITY | How many minutes since last backup activity was completed. | <, <=, >, >=, !=, == | Any positive number |
Table 4. Data loss prevention
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENABLED | Check whether the application is enabled or not and time protection is on or not on. | == | TRUE |
Table 5. Health check agent
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SYSTEM-COMPL | Check whether the system is in compliance. | == | TRUE |
Table 6. Hard disk encryption
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ENC-PATH | PATH for checking encryption status. | NO OPERATOR | Any text |
| ENC-TYPE | Check whether the encryption type for the specified path. | allof, anyof, noneof |
List with the following options: UNENCRYPTED, PARTIAL, ENCRYPTED, VIRTUAL, SUSPENDED, PENDING |
Table 7. Web browser
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| DEFAULT | Check whether set as the default browser. | == | TRUE |
Table 8. Patch management
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SCAN-TIME | How many minutes since the last scan for the patch was performed. | <, <=, >, >=, !=, == | Any positive number |
| MISSED-PATCH | Client system is not missing patches of these types. | anyof, noneof |
ANY Pre-selected (Pre-selected patches on Patch Manager server) |
Table 9. MAC Address (expression)
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| ADDR | Check whether the client machine MAC addresses are or are not in the given list. | anyof, noneof |
Editable list |
Table 10. Domain membership
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| SUFFIX | Check whether the client machine exists or does not exist in the given list. | anyof, noneof |
Editable list |
Table 11. Numeric registry entry
| Method | Description | Comparator | Possible values |
|---|---|---|---|
| PATH | Path for registry check. In the format: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\EnableAutoUpdate. No escaping of special characters is required. All registry root keys: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG | NO OPERATOR | Any text |
| REDIR-64 | Follow 64-bit redirection. If set to TRUE, WOW redirection is followed (that is, Registry path is checked on 32-bit systems but WOW redirected path is checked for 64-bit systems.) If not set, WOW redirection is not followed (that is, the same registry path is checked for 32-bit and 64-bit systems.) For registry entries that are not redirected this setting has no effect. See the following article for the list of registry keys that get redirected on 64-bit systems: http://msdn.microsoft.com/en-us/library/aa384253%28v=vs.85%29.aspx
|
== | TRUE |
| VALUE | Expected value for the above path. This scan works only for registry types of REG_DWORD and REG_QWORD. | <, <=, >, >=, !=, == | Any number |