
Advanced Endpoint Analysis Policy Expression Reference

This reference describes the format and construction of Advanced Endpoint Analysis expressions. The expression elements described here are generated automatically by the Citrix Gateway configuration utility and do not require manual configuration.

Expression format

An Advanced Endpoint Analysis expression has the following format:

CLIENT.APPLICATION(SCAN-type_Product-id_Method-name_Method-comparator_Method-param_…)

Where:

SCAN-type is the type of application being analyzed.

Product-id is the product identification for the analyzed application.

Method-name is the product or system attribute being analyzed.

Method-comparator is the chosen comparator for the analysis.

Method-param is the attribute value or values being analyzed.

For example:

client.application(ANTIVIR_2600_RTP_==_TRUE)

Note: For non-application scan types, the expression prefix is CLIENT.SYSTEM instead of CLIENT.APPLICATION.

Expression strings

Each of the supported scan types in Advanced Endpoint Analysis uses a unique identifier in expressions. The following table enumerates the strings for each type of scan.

| Scan type | Scan type expression string |
| --- | --- |
| Anti-phishing | ANTIPHI |
| Antispyware | ANTISPY |
| Antivirus | ANTIVIR |
| Backup Client | BACKUP |
| Device Access Control | DEV-CONT |
| Data Loss Prevention | DATA-PREV |
| Desktop Sharing | DESK-SHARE |
| Firewall | FIREWALL |
| Health Agent | HEALTH |
| Hard disk Encryption | HD-ENC |
| Instant Messenger | IM |
| Web Browser | BROWSER |
| P2P | P2P |
| Patch Management | PATCH |
| URL Filtering | URL-FILT |
| MAC address | MAC |
| Domain check | DOMAIN |
| Numeric Registry Scan | REG-NUM |
| Non-Numeric Registry Scan | REG-NON-NUM |

Note: For Mac OS X specific scans, the scan type string carries the prefix MAC-. Therefore, for antivirus and anti-phishing scans, the scan types are MAC-ANTIVIR and MAC-ANTIPHI respectively. For example:

client.application(MAC-ANTIVIR_2600_RTP_==_TRUE)

Application Scan Methods

When configuring Advanced Endpoint Analysis expressions, methods define the parameters of the endpoint scans. Each method has a method name, a comparator, and a value. The following tables enumerate all of the methods available for use in expressions.

Common Scan Methods

The following methods are used for multiple types of application scans.

Method Description Comparator Possible values
VERSION* Specifies version of application. <, <=, >, >=, !=, == Version string
AUTHENTIC** Check if given application is authentic or not. == TRUE
ENABLED Check if application is enabled. == TRUE
RUNNING Check if application is running. == TRUE
COMMENT Comment field (ignored by scan). Delineated by [] within expressions. == Any text

* The VERSION string can specify a decimal string of up to four values, such as 1.2.3.4.

** An AUTHENTIC check verifies the authenticity of the binary files for the application.

Note: You can select a generic version of each application scan type. When a generic scan is selected, the product ID is 0.

Gateway provides an option to configure a generic scan for each type of software. With a generic scan, the administrator can check the client machine without restricting the check to any particular product; for example, client.application(ANTIVIR_0_RTP_==_TRUE) checks real-time protection without naming a specific antivirus product.

For generic scans, a scan method works only if the product installed on the user's system supports that method. To find out which products support a particular scan method, contact Citrix support.
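As an added illustration of the expression format described above and of the comparator rules in the Common Scan Methods table, the following Python parses the single-method form of an expression and evaluates it against a constructed endpoint report. This is example code written for this page, not Citrix code, and the report dictionary, the timestamps and the use of product id 2600 are constructed stand-ins rather than a real vendor mapping. It makes three assumptions the reference does not spell out: only the first four underscores are field separators (so a parameter containing underscores, such as a registry path, survives intact); a generic product id of 0 passes when any product of that scan type satisfies the check; and list comparators (allof, anyof, noneof) and comparator-less methods such as ENC-PATH and registry PATH are not evaluated, because the page does not show how their parameters are serialized.

```python
"""Parse and evaluate the single-method form of an Advanced Endpoint Analysis expression:

    CLIENT.APPLICATION(SCAN-type_Product-id_Method-name_Comparator_Param)

Added example; not Citrix code. The endpoint "report" below is a constructed
stand-in for the attribute values an EPA client gathers, not the client's real format.
"""
import operator
import re
from datetime import datetime, timedelta

# Scan-type strings from the table in this reference; a MAC- prefix (Mac OS X scans) is accepted.
SCAN_TYPES = {
    "ANTIPHI", "ANTISPY", "ANTIVIR", "BACKUP", "DEV-CONT", "DATA-PREV", "DESK-SHARE",
    "FIREWALL", "HEALTH", "HD-ENC", "IM", "BROWSER", "P2P", "PATCH", "URL-FILT",
    "MAC", "DOMAIN", "REG-NUM", "REG-NON-NUM",
}
COMPARATORS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
               ">=": operator.ge, "!=": operator.ne, "==": operator.eq}
LIST_COMPARATORS = {"allof", "anyof", "noneof"}   # parsed, but list serialization is not documented
MINUTES_SINCE = {"SCAN-TIME", "VIRDEF-FILE-TIME", "LAST-BK-ACTIVITY"}  # "minutes since" methods
VERSION_METHODS = {"VERSION", "VIRDEF-FILE-VERSION", "ENGINE-VERSION"}

_SHAPE = re.compile(r"^(CLIENT\.(?:APPLICATION|SYSTEM))\((.*)\)$", re.IGNORECASE)


def parse_expression(expr):
    """Return (prefix, scan_type, product_id, method, comparator, param).

    Assumption: only the first four underscores separate fields; the parameter keeps
    any underscores of its own, so a value such as HKEY_LOCAL_MACHINE\\... survives intact.
    """
    m = _SHAPE.match(expr.strip())
    if not m:
        raise ValueError("expected CLIENT.APPLICATION(...) or CLIENT.SYSTEM(...)")
    prefix, body = m.group(1).upper(), m.group(2)
    fields = body.split("_", 4)
    if len(fields) != 5:
        raise ValueError("expected SCAN-type_Product-id_Method_Comparator_Param, got %r" % body)
    scan_type, product_id, method, comparator, param = fields
    base = scan_type[4:] if scan_type.startswith("MAC-") else scan_type
    if base not in SCAN_TYPES:
        raise ValueError("unknown scan type %r" % scan_type)
    if not product_id.isdigit():   # 0 is the generic (any product) scan
        raise ValueError("product id must be numeric, got %r" % product_id)
    if comparator not in COMPARATORS and comparator not in LIST_COMPARATORS:
        raise ValueError("unsupported comparator %r" % comparator)
    return prefix, scan_type, int(product_id), method, comparator, param


def version_key(text):
    """Numeric tuple for a dotted version of up to four parts, zero-padded:
    '1.2' compares equal to '1.2.0.0' and '1.10' sorts after '1.9'."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("bad version string %r" % text)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def _compare(method, comparator, param, actual, now):
    cmp = COMPARATORS[comparator]
    if method in MINUTES_SINCE:            # stored as a timestamp; compare minutes elapsed
        return cmp((now - actual) / timedelta(minutes=1), float(param))
    if method in VERSION_METHODS:
        return cmp(version_key(actual), version_key(param))
    return cmp(str(actual).upper(), param.upper())   # TRUE/FALSE and free text


def evaluate(expr, report, now):
    """Evaluate `expr` against report {(scan_type, product_id): {method: value}}.

    Assumption: product id 0 (generic) passes if any product of that scan type
    satisfies the check. A missing product or method fails closed.
    """
    _, scan_type, product_id, method, comparator, param = parse_expression(expr)
    if comparator in LIST_COMPARATORS:
        raise NotImplementedError("list parameters are not covered by this example")
    candidates = [attrs for (stype, pid), attrs in report.items()
                  if stype == scan_type and (product_id == 0 or pid == product_id)]
    return any(_compare(method, comparator, param, attrs[method], now)
               for attrs in candidates if method in attrs)


# Constructed sample data: product id 2600 is taken from the example above, not a vendor mapping.
NOW = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_REPORT = {
    ("ANTIVIR", 2600): {
        "RTP": "TRUE",
        "VERSION": "12.4",
        "VIRDEF-FILE-TIME": NOW - timedelta(hours=5),   # definitions updated 300 minutes ago
        "SCAN-TIME": NOW - timedelta(days=3),           # last full scan 4320 minutes ago
    },
}

if __name__ == "__main__":
    for e in ("client.application(ANTIVIR_2600_RTP_==_TRUE)",
              "client.application(ANTIVIR_2600_VERSION_>=_12.3.9)",
              "client.application(ANTIVIR_2600_VIRDEF-FILE-TIME_<=_1440)",
              "client.application(ANTIVIR_2600_SCAN-TIME_<=_1440)",
              "client.application(ANTIVIR_0_RTP_==_TRUE)"):
        print(e, "->", evaluate(e, SAMPLE_REPORT, NOW))
```

Two details are worth noting for anyone writing these checks by hand: version strings must be compared component-wise rather than as text (otherwise 1.10 sorts before 1.9), and the "minutes since" methods are computed from a stored timestamp at evaluation time, so a policy such as VIRDEF-FILE-TIME_<=_1440 means "definitions updated within the last day", not a fixed value on the endpoint.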

Unique Scan Methods

The following methods are unique to the specified types of scans.

Table 1. Antiphishing

Method Description Comparator Possible values
ENABLED-FOR Check whether anti-phishing software is enabled for the selected application(s). allof, anyof, noneof For Windows: Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari. For Mac: Safari, Mozilla Firefox, Google Chrome, Opera

Table 2. Antispyware and Antivirus

Method Description Comparator Possible values
RTP Check whether real time protection is on or not. == TRUE
SCAN-TIME How many minutes since a full system scan was performed. <, <=, >, >=, !=, == Any positive number
VIRDEF-FILE-TIME How many minutes since the virus definition file was updated (that is, the number of minutes between the virus definition file timestamp and the current timestamp). <, <=, >, >=, !=, == Any positive number
VIRDEF-FILE-VERSION Version of definition file. <, <=, >, >=, !=, == Version string
ENGINE-VERSION Engine version. <, <=, >, >=, !=, == Version string

Table 3. Backup client

Method Description Comparator Possible values
LAST-BK-ACTIVITY How many minutes since last backup activity was completed. <, <=, >, >=, !=, == Any positive number

Table 4. Data loss prevention

Method Description Comparator Possible values
ENABLED Check whether the application is enabled and real-time protection is on. == TRUE

Table 5. Health check agent

Method Description Comparator Possible values
SYSTEM-COMPL Check whether system is in compliance. == TRUE

Table 6. Hard disk encryption

Method Description Comparator Possible values
ENC-PATH Path for checking encryption status. NO OPERATOR Any text
ENC-TYPE Check the encryption type of the specified path. allof, anyof, noneof List with the following options: UNENCRYPTED, PARTIAL, ENCRYPTED, VIRTUAL, SUSPENDED, PENDING

Table 7. Web browser

Method Description Comparator Possible values
DEFAULT Check whether set as default browser. == TRUE

Table 8. Patch management

Method Description Comparator Possible values
SCAN-TIME How many minutes since the last patch scan was performed. <, <=, >, >=, !=, == Any positive number
MISSED-PATCH Client system is not missing patches of these types. anyof, noneof ANY, Pre-selected (patches pre-selected on the Patch Manager server), NON


Table 9. MAC Address

Method Description Comparator Possible values
ADDR Check whether the client machine's MAC addresses are or are not in the given list. anyof, noneof Editable list

Table 10. Domain membership

Method Description Comparator Possible values
SUFFIX Check whether the client machine's domain suffix is or is not in the given list. anyof, noneof Editable list

Table 11. Numeric registry entry

Method Description Comparator Possible values
PATH Path for the registry check, in the format HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\EnableAutoUpdate. No escaping of special characters is required. All registry root keys are supported: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG. NO OPERATOR Any text
REDIR-64 Follow 64-bit redirection. If set to TRUE, WOW64 redirection is followed: the registry path is checked as given on 32-bit systems, but the WOW64-redirected path is checked on 64-bit systems. If not set, redirection is not followed and the same registry path is checked on both 32- and 64-bit systems. For registry keys that are not redirected, this setting has no effect. See the following article for the list of registry keys that are redirected on 64-bit systems: http://msdn.microsoft.com/en-us/library/aa384253%28v=vs.85%29.aspx == TRUE
VALUE Expected value for the above path. This scan works only for registry value types REG_DWORD and REG_QWORD. <, <=, >, >=, !=, == Any number

Table 12. Non-numeric registry entry

Method Description Comparator Possible values
PATH Path for the registry check. See the PATH method of the numeric registry scan. NO OPERATOR Any text
REDIR-64 Follow 64-bit redirection. See the REDIR-64 method of the numeric registry scan. == TRUE
VALUE Expected value for the above path. For string-type registry entries, the registry value is compared directly against the expected value. For REG_BINARY entries, the registry value is converted into an uppercase hex string, and that string is compared against the expected value. ==, != Any text
