Lzm
Collaborator
Using Compliance blade to check Windows registry for Windows Firewall rules

Hi there checkmates,

We are trying to create a Compliance rule to check if a specific Windows Defender Firewall rule is present on the user's laptop.

The registry folder where the rules are located is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.

The value of each registry is where we look for a certain string to check if the rule we want to check is there, it looks like: v2.30|Action=Allow|Active=TRUE|Dir=Out|Name=Microsoft Solitaire Collection|Desc=Microsoft Solitaire Collection|LUOwn=S-1-5-21-1918626456-2443561179-3960203745-1002|AppPkgId=S-1-15-2-1985198343-3186790915-4047221937-1969271670-3792558349-1325541827-400269725|EmbedCtxt=Microsoft Solitaire Collection|Platform=2:6:2|Platform2=GTEQ|

The challenge is: the 'name' for each registry is randomized, a value like "{0E69F20E-9517-4D89-A9AB-603E27C8891F}". We can't find a way to check all registries because of that; we would need to use a wildcard to do that, and we aren't able to according to our tests.

Screenshot is attached with the configuration, where we would use * on the "Registry value name" field.

We have an open case with TAC for almost two weeks trying to get this answer but it doesn't go anywhere.

Any ideas? Thanks a lot.

0 Kudos

6 Replies
PhoneBoy
Admin
Admin

Is this with Harmony Connect or Harmony Endpoint managed via the cloud?

0 Kudos
Lzm
Collaborator

It's Harmony Endpoint managed via the cloud

0 Kudos
PhoneBoy
Admin
Admin

@jcortez can you think of a better way to do what's trying to be done here?

0 Kudos
jcortez
Employee
Employee

@PhoneBoy & @Lzm 

That is a very good question. Due to the fact that the Registry Key values are randomized, it would be very difficult to achieve this. I honestly cannot think of a good workaround.

Let me have some of our internal resources take a look at this and I will reply back.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
jcortez
Employee
Employee

@PhoneBoy & @Lzm 

After speaking with our internal resources the only workaround that could work is creating a wildcard test in a script and using our Compliance Blade to run the script periodically.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
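The "wildcard test in a script" that the accepted answer describes, as an added example that is not part of the original thread and not Check Point's code. The script enumerates every value under the FirewallRules key from the question regardless of its GUID-style name, parses the pipe-delimited rule string (the `v2.30|Action=Allow|Active=TRUE|Dir=Out|Name=...` format quoted above) into fields, and matches the Name field against a wildcard pattern. The default pattern reuses the Solitaire rule from the question; the criteria parameters and the convention of exit code 0 for compliant / 1 for non-compliant are assumptions to adapt to however your Compliance blade script check is configured to read results.

```powershell
# Added example (not from the thread or Check Point): periodic wildcard check
# of persisted Windows Defender Firewall rules stored in the registry.
# Key path and value format come from the question; everything else is assumed.

[CmdletBinding()]
param(
    # Wildcard pattern in PowerShell -like syntax for the rule's Name field.
    [string]$NamePattern = 'Microsoft Solitaire Collection*',
    [string]$Action      = 'Allow',
    [string]$Direction   = 'Out',
    [string]$Active      = 'TRUE'
)

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Parse one rule value ("v2.30|Action=Allow|Active=TRUE|Dir=Out|Name=...|...")
# into a hashtable of Field -> Value. The leading version token has no '='
# and is stored under the 'Version' key.
function ConvertFrom-FirewallRuleValue {
    param([Parameter(Mandatory)][string]$RawValue)
    $fields = @{}
    foreach ($token in ($RawValue -split '\|')) {
        if ([string]::IsNullOrWhiteSpace($token)) { continue }
        $eq = $token.IndexOf('=')
        if ($eq -lt 0) { $fields['Version'] = $token; continue }
        $fields[$token.Substring(0, $eq)] = $token.Substring($eq + 1)
    }
    return $fields
}

# Walk every value under the key (the GUID value names are irrelevant) and
# return the rules whose parsed fields satisfy all criteria.
function Find-FirewallRule {
    param(
        [string]$KeyPath, [string]$NamePattern,
        [string]$Action, [string]$Direction, [string]$Active
    )
    $item = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($valueName in $item.GetValueNames()) {
        $raw  = [string]$item.GetValue($valueName)
        $rule = ConvertFrom-FirewallRuleValue -RawValue $raw
        if ($rule['Name']   -like $NamePattern -and
            $rule['Action'] -eq   $Action      -and
            $rule['Dir']    -eq   $Direction   -and
            $rule['Active'] -eq   $Active) {
            [pscustomobject]@{ ValueName = $valueName; Name = $rule['Name']; Raw = $raw }
        }
    }
}

# Note: $matches is a PowerShell automatic variable, so use a different name.
$found = @(Find-FirewallRule -KeyPath $RulesKey -NamePattern $NamePattern `
                             -Action $Action -Direction $Direction -Active $Active)

if ($found.Count -gt 0) {
    Write-Output "COMPLIANT: $($found.Count) matching rule(s) found"
    $found | ForEach-Object { Write-Output "  $($_.ValueName) -> $($_.Name)" }
    exit 0   # assumed convention: 0 = compliant
}
Write-Output "NON-COMPLIANT: no rule matching '$NamePattern' (Action=$Action, Dir=$Direction, Active=$Active)"
exit 1       # assumed convention: 1 = non-compliant
```

Two things worth checking before relying on this. First, the `-like` comparison is case-insensitive and accepts `*` and `?`, so the pattern can be as loose or as tight as the rule naming on your endpoints requires; matching on Action, Dir and Active as well prevents a disabled or inbound copy of the rule from passing the check. Second, this key only holds locally persisted rules; rules delivered by Group Policy are stored under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules` in the same value format, so point `$RulesKey` there (or query both) if the rule you care about comes from GPO. Because the Compliance blade runs the script on a schedule, the result is a point-in-time snapshot and a rule removed between runs is only caught at the next run.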
Lzm
Collaborator

Very good idea! Thanks a lot!

We're going to try this way.

0 Kudos