Custom compliance check for antivirus on MacOS

I’ve been testing the compliance scanning on newer MacOSs and I’ve tried creating custom compliance scans. I’m having a difficult time creating a compliance scan to detect Sophos Intercept X on Mac OS. I’ve also looked at the compliance documentation. Does anyone have any suggestions or pointers?

Hi @Pglopez and welcome to the forum :slight_smile:

I’ve moved your post to the Vulnerability Tests category for now (there is more activity with custom scans here, so hopefully more people see it).

If I understand correctly, other things are working, just the single item of Sophos Intercept X isn’t detected? If it’s not that please describe what kind of problem you are running into.

Edit to add- which software version and edition are you using?

Hi, Thank you for you assistance. Yes, the single item of Sophos Intercept X isn’t detected. I’m using GOS Version: 20.08.13 the community edition.
Here are the instructions I follow to create a compliance policy 12 Performing Compliance Scans and Special Scans — Greenbone Security Manager (GSM) 20.08.13 documentation
All the compliance audits work. I just don’t know how to customize it for just checking if Sophos Intercept X is installed or running on port 80 (HTTP)
443 (HTTPS) domains are * *

  • *
  • *
  • * and on a Apple Mac machine it is installed on

I tried adding a custom Compliance => Compliance Policies (Network Vulnerability Test Preferences (1114))
and ran a scan in Compliance => Compliance Audits however I’m only getting four results.
|CPE Policy Check|Single CPE|

CPE Policy Check CPE List
cpe:/a:sophos:intercept_x cpe:/a:sophos:intercept_x:-::central~macos cpe:/a:sophos:intercept_x_endpoint:-:::::::* cpe:2.3:a:sophos:intercept_x_endpoint:-:::::::* cpe:2.3:a:sophos:intercept_x:10.0.3::::central:macos::* cpe:2.3:a:sophos:intercept_x_endpoint cpe:2.3:a:sophos:endpoint_protection:-:::::::* cpe:2.3:a:sophos:intercept_x:-::::central:macos::* cpe:2.3:a:sophos:mobile:-:::::::* cpe:/a:sophos:mobile

Am I missing something?

Unfortunately this is currently not possible “out of box” / without writing own .nasl scripts. Policy / compliance checks are currently quite static, doesn’t allow to define such own constraints and this:

currently would required the following:

  1. Writing a new “Detection VT” for Sophos Intercept X similar to other VTs from the “Product detection” family (no detection for this product exists yet but would be required for GVM to know the related CPE)
  2. A new compliance VT similar to the ones in e.g. scripts/Policy/Linux, scripts/Policy/GaussDB and similar which allows to define such constraints (e.g. Product xyz needs to exist and running on a specific port)