List of common Citrix NetScaler session policy expressions

My (non-exhaustive) list of helpful NetScaler session policy expressions for EPA.

SCAN REGISTRY (Advanced free-form)

CLIENT.REG('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain').VALUE == domain.local

CLIENT.REG('HKEY_LOCAL_MACHINE_64\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion').VALUE == 6198.

CLIENT.REG('HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\AVEngine_AVDatVersion').VALUE == 6198.

CHECK FOR FILE EXISTENCE

CLIENT.FILE('C:\\WindowsCompany_Laptop.txt')

CHECK FOR RUNNING PROCESS

CLIENT.APPLICATION.PROCESS(firewall.exe) EXISTS

CHECK OS VERSION (Match any expression)

CLIENT.OS(winxp).SP == 2

CLIENT.OS(win7) EXISTS

DETECT (or not) CITRIX RECEIVER (Match any)

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS 'CitrixReceiver-iPad'

REQ.HTTP.HEADER User-Agent CONTAINS Android

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

CHECK SYMANTEC ENDPOINT PROTECTION, DEF FILE 5 DAYS, SERVICE RUNNING

CLIENT.FILE('C:\\ProgramData\\Symantec\\Symantec\ Endpoint\ Protection\\CurrentVersion\\Data\\Definitions\\VirusDefs\\definfo.dat').TIMESTAMP != 5dy && CLIENT.REG('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters_Domain').VALUE != domain.local && CLIENT.SVC(SepMasterService) NOTEXISTS

EPA SCAN RESULTS

The results of the EPA scan can be found in the following locations:
Windows XP: C:\Documents and Settings\All Users\Application Data\Citrix\AGEE\nsepa.txt
Windows Vista and Windows 7: C:\Users\All Users\Citrix\AGEE\nsepa.txt