I'm attempting to write a Lua script to help fill in the blanks when Host Scan can't properly detect an AV or FW package. This seems to happen with newer packages because of the delay in getting the updated OPSWAT DLLs integrated with CSD.
Below is a FW check I put together (based on the DAP Advanced Functions Deployment Guide). The idea is to first do all OPSWAT-based FW checks, then if they all fail, check the results of Host Check processes checks. The Host Check process checks would be named "fw_$fw_name" as in "fw_Symantec" or "fw_McAfee". These process checks would be added after an administrator verifies a user complaint that their new FW version is not being detected.
DAP record [ Windows_FW_Check ]:

    or (EVAL(endpoint.os.version,"EQ","Windows Vista","string"))
    or (EVAL(endpoint.os.version,"EQ","Windows XP","string")))

    local no_fw = true
    for k,v in pairs(endpoint.fw) do -- OPSWAT fw checks
        if (EVAL(v.exists, "EQ", "true", "string")) then
            no_fw = false
        end
    end
    if no_fw == true then -- custom fw process checks if required
        -- for k,v in pairs(endpoint.process.fw_.*$) do -- This doesn't appear to work. Can't I do regex based string expansion on table keys?
        for k,v in pairs(endpoint.process) do -- This doesn't work either. Isn't there a Lua table for Host Scan processes?
            if (EVAL(v.exists, "EQ", "true", "string")) then
                no_fw = false
            end
        end
    end
The problem I'm having is that while I can iterate on the Cisco predefined Lua tables such as endpoint.fw, endpoint.av, and endpoint.as, I can't seem to iterate on an endpoint.process Lua table. Maybe I'm doing something wrong or have some incorrect syntax. Does Host Scan create an endpoint.process Lua table? When a client connects, Host Scan checks for known processes and the status shows up in "debug dap trace". These processes can be checked using simple
That simple syntax doesn't help me. I'm trying to create a DAP framework that can remain static, while giving the administrators the flexibility to add or remove custom fw_$FWNAME and av_$AVNAME Host Scan process checks to fill the gap between when a package is updated and CSD is updated.
Thanks for any help,
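Lua has no way to select table keys by pattern inside an index expression (`endpoint.process.fw_.*$` is a syntax error, and Lua uses its own patterns rather than regular expressions). The usual approach is to iterate the table with `pairs()` and filter the keys with `string.find` and an anchored pattern such as `^fw_`. The following is an added example, not code from the post above or from Cisco. It assumes `endpoint.process` is an ordinary Lua table keyed by the Host Scan process-check name, with each entry carrying an `exists` field holding the string `"true"` or `"false"`, and it substitutes a small stub for DAP's `EVAL` plus a constructed `endpoint` table so the script runs under plain Lua 5.x. It generalizes the `fw_` case to any prefix (for example `av_`).

```lua
-- Added example (not from the original post). Assumptions: DAP exposes
-- endpoint.process as an ordinary Lua table keyed by the Host Scan process
-- check name, each entry carrying an .exists field holding "true"/"false",
-- and EVAL(value, "EQ", expected, "string") compares two strings. Both are
-- stubbed here so the script runs under plain Lua 5.x outside the ASA.

-- Stand-in for DAP's EVAL; only the ("EQ", "string") form is modelled.
local function EVAL(actual, op, expected, kind)
  assert(op == "EQ" and kind == "string", "stub only supports EQ/string")
  return tostring(actual) == expected
end

-- Constructed endpoint data: no OPSWAT firewall entry matched, but the
-- administrator added a custom process check named fw_Symantec that did.
local endpoint = {
  fw = {
    ["1001"] = { exists = "false" },
    ["1002"] = { exists = "false" },
  },
  process = {
    ["fw_Symantec"] = { exists = "true" },
    ["av_McAfee"]   = { exists = "false" },
    ["notepad.exe"] = { exists = "true" },  -- unrelated check, must be ignored
  },
}

-- True if any entry of tbl has exists == "true" (the OPSWAT-style loop).
local function any_exists(tbl)
  for _, v in pairs(tbl or {}) do
    if EVAL(v.exists, "EQ", "true", "string") then
      return true
    end
  end
  return false
end

-- True if any entry whose key begins with prefix has exists == "true".
-- Keys cannot be selected by pattern in an index expression, so iterate
-- with pairs() and filter with string.find and a pattern anchored at the
-- start. Magic characters in the prefix are escaped because this is a
-- Lua pattern, not a regex ("fw_" becomes "^fw%_").
local function any_prefixed_exists(tbl, prefix)
  local pattern = "^" .. (prefix:gsub("%W", "%%%0"))
  for k, v in pairs(tbl or {}) do
    if type(k) == "string" and k:find(pattern) then
      if EVAL(v.exists, "EQ", "true", "string") then
        return true
      end
    end
  end
  return false
end

-- Combined check: OPSWAT first, then the administrator's custom
-- "fw_<vendor>" process checks as a fallback. Returns a boolean and a
-- short reason string so a DAP trace can show which path matched.
local function firewall_present(ep)
  if any_exists(ep.fw) then
    return true, "opswat"
  end
  if any_prefixed_exists(ep.process, "fw_") then
    return true, "custom-process-check"
  end
  return false, "none"
end

local ok, how = firewall_present(endpoint)
print("firewall present:", ok, how)
print("custom av_ check matched:", any_prefixed_exists(endpoint.process, "av_"))
```

The `any_prefixed_exists` helper is the piece that replaces the attempted `endpoint.process.fw_.*$` expression; inside a real DAP record you would drop the stub `EVAL` and the constructed `endpoint` table and call the helper against the attributes Host Scan populates, provided `endpoint.process` is in fact iterable with `pairs()` on your ASA version (that is the part the post above could not confirm).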