SOLVED: Check for value in string from a converted Hexadecimal value

I am using a property to check for a specific value in a string that it has converted from hex. I like to use the IF/THEN/ELSE in case I want to expand the property down the line. My relevance isn’t working, stating “This expression could not be parsed.”

Here’s my code (with some alternate value names):

IF NOT exists (value "Value1" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SomeKey" of registry) THEN "No Key" ELSE IF (exists (hexadecimal strings of it) of unique values of (it as string) of values "Value1" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SomeKey") whose (exists value "Value1" whose (it as hexadecimal strings contains "StingValue1" of it) AND (exists value "Value1" whose (it as hexadecimal strings contains "StingValue2" of it)of (x64 registries; x32 registries) THEN "Response1")

Any ideas on why this isn’t working?

Thanks

It looks like you are checking a “hexadecimal string” for values. I presume those values are only HEX values.

Secondly, as you are going through both registries (x64 registries; x32 registries), you should not be specifying the Wow6432Node in the path. Just use HKLM\Software\SomeKey, as the x32 registry will look through the Wow6432Node and the x64 will not.


Hey Alan,

Thanks for replying. This is a hexadecimal value that I have the relevance convert to a string. Good point that I don’t have to check each registry.

I think you are taking the wrong message. You can check both registries, you just have to do it with the correct path.

I generally always check both registries just to be in the habit of doing so. If the other registry doesn’t have the value, then there is no harm and no significant delay.


James!

Agreed. The path has been corrected and it still doesn’t work. Ideas?

I’m a little confused as to why you are using so much IF/THEN/ELSE. If you use plural relevance, you don’t need that, even if you do expand the property later.

Also, I find your relevance hard to follow. I’m not certain it all works correctly.

Also, could you provide the link to the original forum post for this relevance?

Is this example like this one: SOLVED: Adding LF/CR To Long String In Property ?

If so, it would be something like this:

exists (hexadecimal strings it) whose(it contains "StringValue2" OR it contains "StringValue1") of unique values of (it as string) of values "AccessProtectionUserRules" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking" of (x64 registries; x32 registries)

If you wanted to assert both, then you could do this:

2 <= number of (hexadecimal strings it) whose(it contains "StringValue2" OR it contains "StringValue1") of unique values of (it as string) of values "AccessProtectionUserRules" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking" of (x64 registries; x32 registries)

My experience with plurals is lacking, so I didn’t consider that an option. I’d be glad to take any recommended trainings you can suggest. I typically use the IF/THEN/ELSE to provide custom results (e.g. if a relevance equates to true I may want the result to say “Compliant” instead of simply “True”).

The post you shared was the first part of the same property when I was trying to break down the result into separate lines. Now I’m trying to see if the string has specific text.

You can use IF/THEN/ELSE to provide custom results, but you should still write plural relevance that returns the real and complete results. Once you have the complete results, then you can filter using a whose statement so you can check for specific results. Then you can assert with a TRUE/FALSE that those results exist if that is what you want to do. Only then should you use an IF/THEN/ELSE to provide different values rather than TRUE/FALSE, but, you should keep in mind that IF/THEN/ELSE is going to be less efficient than using the plural relevance alone.

I wanted to add to my reply above, after thinking about this more.

If you really want to know why something failed, rather than using many IF/THEN/ELSE statements, you should instead create separate plural analysis properties for each condition.

This could be one check:

values "Value1" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\SomeKey" of (x32 registries; x64 registries)

Then this would be another:

(hexadecimal strings it) of unique values of (it as string) of values "Value1" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\SomeKey" of (x64 registries; x32 registries)

You can create a plural relevance statement that will examine the general case at each step of the way you wish to validate.

You can have another statement that returns a TRUE/FALSE for the complete compliance, but for debugging and auditing purposes, you really need the general statements, and that is how you should start. Write the general case, and get progressively more specific from there.


As always, thank you James!

Here is another example: https://bigfix.me/relevance/details/3021642

unique values of following texts of lasts "%00%00%00" of preceding texts of lasts "%00%00%00%00" of (hexadecimal strings it) of unique values of (it as string) of values "WinHttpSettings" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" of (x64 registries; x32 registries)
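
The staged approach recommended in the replies above (return the general results first, filter them, and only then map them to a custom label), modelled offline in Python as an added example; it is not from any poster in this thread and is not BigFix relevance. The registry is simulated with a dict of constructed sample data, and the "Response2" label is a hypothetical fallback that the thread does not define.

```python
# Constructed sample data: the binary content of "Value1" as a hex string
# (assumed to match what "it as string" yields for a binary value),
# keyed by registry view. None means the value is absent in that view.
SAMPLE_VIEWS = {
    "x64": None,
    "x32": b"rule=StringValue1;rule=StringValue2".hex(),
}


def unique_values(views):
    """Stage 1: every value found, de-duplicated across both views."""
    return sorted({v for v in views.values() if v is not None})


def decoded_strings(views):
    """Stage 2: hex-decode each unique value, skipping malformed hex."""
    out = []
    for hex_text in unique_values(views):
        try:
            # latin-1 maps every byte to one character, so decoding never fails
            out.append(bytes.fromhex(hex_text).decode("latin-1"))
        except ValueError:
            continue  # not valid hex: leave it out rather than abort the check
    return out


def needles_found(views, needles):
    """Stage 3: for each needle, does any decoded value contain it?"""
    texts = decoded_strings(views)
    return {n: any(n in t for t in texts) for n in needles}


def compliance_label(views, needles):
    """Final stage: turn the complete results into a custom label."""
    if not unique_values(views):
        return "No Key"
    found = needles_found(views, needles)
    # "Response2" is a hypothetical label for the partial or no-match case
    return "Response1" if all(found.values()) else "Response2"


if __name__ == "__main__":
    wanted = ["StringValue1", "StringValue2"]
    print(needles_found(SAMPLE_VIEWS, wanted))
    print(compliance_label(SAMPLE_VIEWS, wanted))
```

Reporting each stage separately shows which step failed (value missing, value not decodable, or one string absent) instead of a single opaque result.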