
theall at tenablesecurity
Jan 6, 2009, 5:37 PM
Post #2 of 3
On Jan 5, 2009, at 6:25 PM, David ROBERT wrote:

> I tried to improve the plugin 21725 (Symantec Anti-Virus check) so it
> will check that the anti-virus is not disabled while it is running

Do you mean it's possible for the appropriate service to be enabled but the AV to still be disabled?

> I added after line 252:
>
> key = "SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Storages\Filesystem\RealTimeScan\";

This doesn't span two lines in the actual plugin, does it?

> item = "OnOff";
> key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
> if ( ! isnull(key_h) ) {
>   value = RegQueryValue(handle:key_h, item:item);
>   RegCloseKey(handle:key_h);
>   if ( value[1] != 1 ) { running = 0; }
> }
>
> key = "SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Storages\InternetMail\";
> item = "OnOff";
> key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
> if ( ! isnull(key_h) ) {
>   value = RegQueryValue(handle:key_h, item:item);
>   RegCloseKey(handle:key_h);
>   if ( value[1]) != 1 ) { running = 0; }
> }

From a NASL perspective, this seems ok as long as "key" doesn't span more than one line. I don't have an install of SAVCE handy, though, so I'm not sure whether there's a problem with the actual registry values you're trying to check.

> But now I have no result when the plugin is launched. I'm not sure
> about the registry functions I use, that's why I'm asking if there is
> a document that could detail those functions (RegOpenKey,
> RegQueryValue etc.)

Are you rebuilding the plugins database after you make your changes? Also, do you realize that the AV plugins don't actually report anything if everything is working properly? Instead, they will just update entries in the KB.

George
--
theall [at] tenablesecurity
_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers