Symantec definitions

system 2009-02-12 18:43:05 UTC #1

(imported topic written by BenUK77791)

Hello,

I’d like to be able to identify machines that have virus definitions older than a day.

I’ve found the corresponding registry key which contains a date. However I’m not quite sure how to convert the output into a date format and then compile some relevance around being less than a day. Any assistance appreciated.

q: if exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs” whose (exists value “NAVCORP_70” of it)of registry then following text of last “” of (value “NAVCORP_70” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs” of registry as string) else (“Not present”)

A: 20090211.048

Thanks,

Ben.

system 2009-02-15 00:08:50 UTC #2

(imported comment written by jessewk)

(date (( last 2 of it & " " & first 3 of (month (last 2 of first 6 of it as integer) as string) & " " & first 4 of it) of preceding text of last “.” of it)) of “20090211.048” < current date - 1 * day

system 2009-02-16 13:10:01 UTC #3

(imported comment written by BenUK77791)

Hi Jesse,

Thanks for that. Is there an easy way to tie that into my relevance. So for example how do I pass the registry value to your relevance to then output?.

Thanks,

Ben.

system 2009-02-17 00:03:56 UTC #4

(imported comment written by jessewk)

if exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs” whose (exists value “NAVCORP_70” of it)of registry then ((date (( last 2 of it & " " & first 3 of (month (last 2 of first 6 of it as integer) as string) & " " & first 4 of it) of preceding text of last “.” of it)) of following text of last “” of (value “NAVCORP_70” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs” of registry as string) < current date - 1 * day) as string else (“Not present”)

system 2009-02-17 17:14:00 UTC #5

(imported comment written by BenUK77791)

Perfect ! - Thanks very much.

system 2009-03-27 19:08:49 UTC #6

(imported comment written by SystemAdmin)

For 30 day old definitions: