Home » KBArticles » List of common Citrix Netscaler session policy expressions

List of common Citrix Netscaler session policy expressions

My (non exhaustive) list of helpful Netscaler session policies expressions for EPA.

SCAN REGISTRY (Advanced free-form)

CLIENT.REG(‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain’).VALUE == domain.local

CLIENT.REG(‘HKEY_LOCAL_MACHINE_64\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion’).VALUE == 6198.

CLIENT.REG(‘HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion’).VALUE == 6198.

CHECK FOR FILE EXISTENCE

CLIENT.FILE(‘C:\\WindowsCompany_Laptop.txt’)

CHECK FOR RUNNING PROCESS

CLIENT.APPLICATION.PROCESS(firewall.exe) EXISTS

CHECK OS VERSION (Match any expresssion)

CLIENT.OS(winxp).SP == 2

CLIENT.OS(win7) EXISTS

DETECT (or not) CITRIX RECEIVER (Match any)

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS ‘CitrixReceiver-iPad’

REQ.HTTP.HEADER User-Agent CONTAINS Android

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

CHECK SYMANTEC ENDPOINT PROTECTION, DEF FILE 5 DAYS, SERVICE RUNNING

CLIENT.FILE(‘C:\\ProgramData\\Symantec\\Symantec\ Endpoint\ Protection\\CurrentVersion\\Data\\Definitions\\VirusDefs\\definfo.dat’).TIMESTAMP != 5dy && CLIENT.REG(‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain’).VALUE != domain.local && CLIENT.SVC(SepMasterService) NOTEXISTS

EPA SCAN RESULTS

The results of the EPA scan can be found in the following locations:
Windows XP: C:Documents and SettingsAll UsersApplication DataCitrixAGEEnsepa.txt
Windows Vista and Windows 7: C:UsersAll UsersCitrixAGEEnsepa.txt

2 comments

  1. George Wozniak says:

    James,

    Do you have any experience with creating EPA scans to detect patch management or windows updates? I am using the OPSWAT editor with no success.

    Thank you

    • scanjam says:

      Only suggestion would be to scan for a particular registry entry or file to match against the ‘hotfix’ or update you require? Havent done anything specific.. truly the more you narrow the ‘success criteria’ the more users you quickly annoy! 🙂 – i usualyl keep it generic to Hostname, registry key for laptop image version or the like.
      Good luck

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.