How can I do a custom check on endpoints?

As of January 09, 2018, MetaAccess gives administrators a way to run custom checks that OPSWAT's granular policy does not offer, for example whether a specific registry key or file exists, or whether a specific process is running.

How does it work?

Administrators can write a script to do a custom check on a device and apply it to a policy on their MetaAccess account. When a policy enables the custom check, MetaAccess pushes the script uploaded to that policy to the devices associated with that policy. The agent invokes the script periodically with the configured privilege.

To enable the custom check:

  • Log into the MetaAccess console

  • Navigate to Policies

  • Select the policy for which you wish to enable the custom check

  • In that policy, navigate to Security Requirements > Posture check > Custom Check

  • Select the operating system for which you want to enable the custom check

  • Check Script returns FALSE

  • Check Run the powershell/Shell script... and select the privilege you would like the OPSWAT Client to run the script with. Notes:

    • With the persistent client version 7.6.324/10.4.284 or earlier, OPSWAT Client will run the script with system/root privilege.

    • With the on-demand client version 7.3.503.0/10.5.213.0 or earlier, OPSWAT Client will run the script with current user privilege.

  • Hit SAVE and enter your PIN to confirm the change.


  • Navigate to Settings > Global Settings > Device Agents

  • In the Compliance Report section, set how often you would like the OPSWAT Client to run the script


Whenever an agent executes the script, it reports the script result to the MetaAccess cloud along with the compliance check report. If the script failed to run or timed out, the MetaAccess cloud will consider the custom check on the device as PASSED. Administrators can view the script result on a device details page, and can also filter for devices on which the script returns FALSE on the Devices page.

With what permission can the script be executed?

MetaAccess supports running the script with System, Administrator, or Current User permission.

| Run as        | Windows   | macOS         |
|---------------|-----------|---------------|
| System        | SUPPORTED | SUPPORTED     |
| Administrator | SUPPORTED | NOT SUPPORTED |
| Current User  | SUPPORTED | SUPPORTED     |


Note:
This setting applies only to the Persistent agent. It does not apply to the On-demand agent.

What scripts does MetaAccess support?

MetaAccess only supports PowerShell scripts for Windows devices and shell scripts for macOS devices. MetaAccess doesn't support inputs when executing a script.

Scripts MUST return output in the format below. If the script returns the wrong format or an invalid value for the "result" or "msg" parameter, the agent will treat it as a failure to execute and the MetaAccess cloud will consider the device to have passed the check.

[output]

result=0

msg=This is a script log

in which:

  • result only accepts 0/1: 0 is FALSE, 1 is TRUE

  • msg is limited to 2048 bytes
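
A macOS custom-check script built around the output format above, as an added example (not one of OPSWAT's sample scripts): because malformed output is treated as a pass, every outcome goes through one function that always emits a valid block. The function names, the sample path, printing the three output lines consecutively, and restricting msg to one line of printable ASCII are assumptions.

```shell
#!/bin/sh
# Added example; function names and TARGET_PATH are hypothetical.

MSG_LIMIT=2048              # msg limit stated on the page, in bytes
TARGET_PATH="/etc/hosts"    # constructed sample path to check

# Print the result block in the documented format.
# Any result other than 0/1 is coerced to 0 (FALSE) so the output stays
# valid and a script bug is reported as a failed check, not a silent pass.
emit_output() {
    result=$1
    msg=$2
    case "$result" in
        0|1) ;;
        *) msg="invalid result '$result' coerced to 0: $msg"; result=0 ;;
    esac
    # Keep msg on one line, printable ASCII only, within the byte limit
    # (conservative assumption; the page only states the 2048-byte limit).
    msg=$(printf '%s' "$msg" | LC_ALL=C tr '\n\r\t' '   ' \
          | LC_ALL=C tr -cd '\040-\176' | head -c "$MSG_LIMIT")
    printf '[output]\nresult=%s\nmsg=%s\n' "$result" "$msg"
}

# TRUE (1) only if the path is set and is a regular file; every other
# branch still produces a well-formed FALSE (0) block.
check_file_exists() {
    path=$1
    if [ -z "$path" ]; then
        emit_output 0 "no path configured"
    elif [ -f "$path" ]; then
        emit_output 1 "found $path"
    else
        emit_output 0 "missing $path"
    fi
}

# The script takes no inputs, so the target is fixed above.
check_file_exists "$TARGET_PATH"
```
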

Sample scripts

| Check                                                                | Windows                                | macOS                              |
|----------------------------------------------------------------------|----------------------------------------|------------------------------------|
| Whether a specific registry key exists                               | Win-CheckExistingRegistryKeyScript.ps1 |                                    |
| Whether a specific registry key value contains certain regex string  | Win-CheckRegistryKeyValueScript.ps1    |                                    |
| Whether a specific process is running on the system                  | Win-CheckRunningProcessScript.ps1      | MacOS-CheckRunningProcessScript.sh |
| Whether a specific service is running on the system                  | Win-CheckRunningServiceScript.ps1      | MacOS-CheckRunningServiceScript.sh |
| Whether a specific file exists on a specific path in the system      | Win-CheckExistingFileScript.ps1        | MacOS-CheckExistingFileScript.sh   |

Note that only the agent versions listed below are able to execute a custom script.

  • Windows agent: 7.6.136.0+

  • macOS agent: 10.4.162.0+

This article was last updated on 2020-08-18
TT