I am trying to create a relevance query to determine if NTP is enabled in SEP. Symantec states that NTP is enabled if the value “smc_engine_status” in key “HKLM\Software\Symantec\Symantec Endpoint Protection\SMC” is equal to 1. My problem is that when I run relevance to check if the key value exists I get false, even though I can view it in the registry.
My relevance;
exists key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" whose (exists value "smc_engine_status" of it) of registry
When I run relevance to get all values for that key it only identifies one, “ProductVersion”, even though there are various values for that key.
Relevance to return values of a key;
(names of it, it) of values of key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" of registry
Has anyone encountered this before or a similar problem?
(name of it, it) of value whose (name of it is "smc_engine_status") of key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" of native registry
Since 64-bit systems have both versions of the registry the relevance needs to know which registry you’re looking at. In this case the value is located in the 64-bit registry so you can use either x64 registry or native registry.
EDIT: The inspector site is extremely useful when telling your inspectors what to look at. Bookmark it because it’s awesome.
Another useful tip if you’re in Fixlet Debugger and on the endpoint and don’t want to bother opening up another web browser is just to use this query:
properties whose (it as string contains "")
For example, if you use this variation on a Windows endpoint:
Q: properties whose (it as string contains "registry")
A: current user key <logged on user> of <registry>: registry key
A: current user key of <registry>: registry key
A: user key of <logged on user>: registry key
A: driver key of <registry key>: registry key
A: driver key of <active device>: registry key
A: application <string> of <registry>: application
A: application folder <string> of <registry>: folder
A: application of <registry key>: application
A: application <string> of <registry key>: application
A: application folder of <registry key>: folder
A: application folder <string> of <registry key>: folder
A: applications of <registry>: application
A: security descriptor of <registry key>: security descriptor
A: registry: registry
A: native registry: registry
A: x32 registry: registry
A: x64 registry: registry
A: key <string> of <registry>: registry key
A: file extension <string> of <registry>: registry key
A: file type <string> of <registry>: registry key
A: key <string> of <registry key>: registry key
A: default value of <registry key>: registry key value
A: name of <registry key>: string
A: last write time of <registry key>: time
A: value <string> of <registry key>: registry key value
A: pathname of <registry key>: string
A: parent key of <registry key>: registry key
A: parent key of <registry key value>: registry key
A: wow64 of <registry key>: boolean
A: keys of <registry key>: registry key
A: values of <registry key>: registry key value
A: name of <registry key value>: string
A: type of <registry key value>: registry key value type
A: size of <registry key value>: integer
T: 3.159 ms
Often you can string these together to find exactly what you’re looking for. I’ve used this trick countless countless times.
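Putting the two points above together (pick the registry view explicitly, then test the value), here is an added example in Fixlet Debugger form; it is not from the original thread. It assumes the SMC key and the "smc_engine_status" DWORD from the question, and that "x64 of operating system" is used to avoid evaluating the x64 view on a 32-bit endpoint.

```relevance
// Which registry view actually holds the SMC key? (one boolean per view)
Q: exists key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" of x32 registry
Q: if x64 of operating system then exists key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" of x64 registry else false

// List every value in the key as seen by the native view, so a missing value is visible rather than silently false
Q: (name of it, type of it as string, it as string) of values of key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" of native registry

// Single boolean for the compliance check: true only when the key exists, the value exists, and the DWORD equals 1
Q: exists key "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC" whose (exists value "smc_engine_status" whose (it as integer = 1) of it) of native registry
```

The last query is the one to use as Fixlet or analysis relevance, since it never throws on an endpoint where SEP or the value is absent.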