
up-to-date nasl reference manual?
Dear All,

Is there an up-to-date reference manual for nasl ?

I tried to improve the plugin 21725 (Symantec Anti-Virus check) so it
will check that the anti-virus is not disabled while it is running
I added after line 252:

# Real-time file system scanning: OnOff is 1 when enabled
key = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\";
item = "OnOff";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if ( ! isnull(key_h) ) {
  value = RegQueryValue(handle:key_h, item:item);
  RegCloseKey(handle:key_h);
  if ( value[1] != 1 ) { running = 0; }
}

# Internet e-mail scanning: OnOff is 1 when enabled
key = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\";
item = "OnOff";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if ( ! isnull(key_h) ) {
  value = RegQueryValue(handle:key_h, item:item);
  RegCloseKey(handle:key_h);
  if ( value[1] != 1 ) { running = 0; }
}


But now I have no result when the plugin is launched. I'm not sure
about the registry functions I use, that's why I'm asking if there is
a document that could detail those functions (RegOpenKey,
RegQueryValue etc.).


--
David ROBERT
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: up-to-date nasl reference manual?
On Jan 5, 2009, at 6:25 PM, David ROBERT wrote:

> I tried to improve the plugin 21725 (Symantec Anti-Virus check) so it
> will check that the anti-virus is not disabled while it is running

Do you mean it's possible for the appropriate service to be enabled
but the AV to still be disabled?

> I added after line 252:
>
> key = "SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Storages\Filesystem\RealTimeScan\";

This doesn't span two lines in the actual plugin, does it?

> item = "OnOff";
> key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
> if ( ! isnull(key_h) ) {
> value = RegQueryValue(handle:key_h, item:item);
> RegCloseKey(handle:key_h);
> if ( value[1] != 1 ) { running = 0; }
> }
>
> key = "SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Storages\InternetMail\";
> item = "OnOff";
> key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
> if ( ! isnull(key_h) ) {
> value = RegQueryValue(handle:key_h, item:item);
> RegCloseKey(handle:key_h);
> if ( value[1]) != 1 ) { running = 0; }
> }

From a NASL perspective, this seems ok as long as "key" doesn't span
more than one line. I don't have an install of SAVCE handy, though, so
I'm not sure whether there's a problem with the actual registry values
you're trying to check.

> But now I have no result when the plugin is launched. I'm not sure
> about the registry functions I use, that's why I'm asking if there is
> a document that could detail those functions (RegOpenKey,
> RegQueryValue etc.).

Are you rebuilding the plugins database after you make your changes?

Also, do you realize that the AV plugins don't actually report
anything if everything is working properly? Instead, they will just
update entries in the KB.

George
--
theall@tenablesecurity.com
Re: up-to-date nasl reference manual?
> Do you mean it's possible for the appropriate service to be enabled
> but the AV to still be disabled?

Yes, the service can be running but a user (with enough privileges)
could disable the AV by right-clicking and choosing Disable on the
Symantec status icon.

I looked at what registry keys are impacted using a tool from
Sysinternals, then modified the script.

>> key = "SOFTWARE\Symantec\Symantec Endpoint
>> Protection\AV\Storages\Filesystem\RealTimeScan\";
>
> This doesn't span two lines in the actual plugin, does it?

No, it doesn't span lines in the actual script.

> I'm not sure whether there's a problem with the actual registry values
> you're trying to check.

I don't think so.

> Are you rebuilding the plugins database after you make your changes?

I do a build.exe

> Also, do you realize that the AV plugins don't actually report
> anything if everything is working properly? Instead, they will just
> update entries in the KB.

I did my test with the Anti Virus check plugin (16193) that reports
(see at the end of this email) when the script is not modified. With
my modifications, the plugin (16193) doesn't report anymore. I know I'm
doing something wrong somewhere.

Synopsis :

An antivirus is installed on the remote host.

Description :

The remote host has an antivirus installed and running.
The remote antivirus engine and virus definitions are
up to date.

See also :

http://blog.tenablesecurity.com/2008/07/auditing-anti-v.html
http://blog.tenablesecurity.com/2007/02/auditing_antivi.html

Risk factor :

None

Plugin output :


The remote host has the Symantec Antivirus Corporate installed. It has
been fingerprinted as :

Symantec Antivirus Corporate 11.2.2000.57
DAT version : 20090105
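An added example, not code from this thread or from the Nessus plugins it discusses: the two OnOff checks David posted, restructured so that a key or value that cannot be read is recorded as "not checked" instead of being silently skipped, and so that the reason for clearing the running flag is written to the KB where the reporting plugin can pick it up. It assumes, as the posted snippet does, that hklm was opened earlier in the plugin, that the smb_func.inc registry functions RegOpenKey, RegQueryValue and RegCloseKey are available, and that RegQueryValue returns a list whose second element holds the value data. The KB entry names Antivirus/SAVCE/disabled_storages and Antivirus/SAVCE/unchecked_storages are made-up placeholders, not names the real plugins use.

```nasl
# Added example (not from the thread or the Nessus plugin). Assumes hklm was
# opened earlier in the plugin and that RegQueryValue returns a list whose
# second element is the value data, exactly as the posted snippet assumes.

# Returns 1 if the storage's OnOff value is 1, 0 if it holds anything else,
# and NULL if the key or the value cannot be read (missing key, access
# denied), so the caller can tell "disabled" apart from "could not check".
function sep_storage_enabled(handle, key)
{
  local_var key_h, value;

  key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
  if (isnull(key_h)) return NULL;

  value = RegQueryValue(handle:key_h, item:"OnOff");
  RegCloseKey(handle:key_h);
  if (isnull(value)) return NULL;

  if (value[1] == 1) return 1;
  return 0;
}

# Common prefix of the two storages David checked; double-quoted NASL
# strings keep backslashes literally, so no doubling is needed.
base = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\";
storages = make_list("Filesystem\RealTimeScan", "InternetMail");

disabled = "";
unknown  = "";
foreach storage (storages)
{
  state = sep_storage_enabled(handle:hklm, key:base + storage);
  if (isnull(state)) unknown = unknown + storage + " ";
  else if (state == 0) disabled = disabled + storage + " ";
}

# 'running' is the flag David's snippet clears. Only clear it when a storage
# is positively reported as off, and record the reason in the KB so a later
# report can show it. Both KB names below are placeholders.
if (disabled != "")
{
  running = 0;
  set_kb_item(name:"Antivirus/SAVCE/disabled_storages", value:disabled);
}
if (unknown != "")
  set_kb_item(name:"Antivirus/SAVCE/unchecked_storages", value:unknown);
```

Keeping the "could not read" case separate matters here: a plugin that quietly treats an unreadable key as "enabled" gives a false sense of coverage, while one that treats it as "disabled" produces noise on hosts where the key simply does not exist for that product version.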