Custom compliance check for antivirus on MacOS

Hi,
I’ve been testing the compliance scanning on newer macOS versions and I’ve tried creating custom compliance scans. I’m having a difficult time creating a compliance scan to detect Sophos Intercept X on macOS. I’ve also looked at the compliance documentation. Does anyone have any suggestions or pointers?

Hi @Pglopez and welcome to the forum :slight_smile:

I’ve moved your post to the Vulnerability Tests category for now (there is more activity with custom scans here, so hopefully more people see it).

If I understand correctly, other things are working, just the single item of Sophos Intercept X isn’t detected? If it’s not that please describe what kind of problem you are running into.

Edit to add: which software version and edition are you using?

Hi, thank you for your assistance. Yes, the single item of Sophos Intercept X isn’t detected. I’m using GOS version 20.08.13, the community edition.
Here are the instructions I follow to create a compliance policy: 12 Performing Compliance Scans and Special Scans — Greenbone Security Manager (GSM) 20.08.13 documentation
All the compliance audits work. I just don’t know how to customize it for just checking if Sophos Intercept X is installed or running on port 80 (HTTP) / 443 (HTTPS); the domains are:

  • *.sophos.com
  • *.sophosupd.com
  • *.sophosupd.net
  • *.sophosxl.net

and on an Apple Mac machine it is installed on

I tried adding a custom policy under Compliance => Compliance Policies (Network Vulnerability Test Preferences (1114))
and ran a scan in Compliance => Compliance Audits; however, I’m only getting four results.
|VT|Preference|Value|
|CPE Policy Check|Single CPE|cpe:/a:sophos:intercept_x|
|CPE Policy Check|CPE List|cpe:/a:sophos:intercept_x cpe:/a:sophos:intercept_x:-::central~macos cpe:/a:sophos:intercept_x_endpoint:-:::::::* cpe:2.3:a:sophos:intercept_x_endpoint:-:::::::* cpe:2.3:a:sophos:intercept_x:10.0.3::::central:macos::* cpe:2.3:a:sophos:intercept_x_endpoint cpe:2.3:a:sophos:endpoint_protection:-:::::::* cpe:2.3:a:sophos:intercept_x:-::::central:macos::* cpe:2.3:a:sophos:mobile:-:::::::* cpe:/a:sophos:mobile|

Am I missing something?

Unfortunately this is currently not possible “out of the box” / without writing your own .nasl scripts. Policy / compliance checks are currently quite static and don’t allow defining such custom constraints, and this would currently require the following:

  1. Writing a new “Detection VT” for Sophos Intercept X similar to other VTs from the “Product detection” family (no detection for this product exists yet, but it would be required for GVM to know the related CPE)
  2. A new compliance VT similar to the ones in e.g. scripts/Policy/Linux, scripts/Policy/GaussDB and similar which allows defining such constraints (e.g. product xyz needs to exist and be running on a specific port)
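As an added illustration of the two steps above (example code written for this thread, not a VT from the Greenbone feed and not Sophos documentation): the first file is a minimal SSH login-based detection VT in the style of the feed’s “Product detection” family, the second a Policy-family VT that consumes the detection VT’s KB entries and reports PASS/FAIL. The include files and function names (ssh_func.inc, host_details.inc, cpe.inc, ssh_login_or_reuse_connection, ssh_cmd, build_cpe, register_product, build_detection_report) follow the public feed’s conventions; the OIDs are placeholders that must be replaced with values from your own arc, and the bundle path, plist key, process names and KB key names are assumptions to be verified on a real macOS endpoint. The feed’s own Policy VTs use an additional helper include for reporting, which this example does not replicate.

```nasl
# --- File 1: sophos_intercept_x_macosx_ssh_detect.nasl (added example, not a feed VT) ---
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999999");  # placeholder OID (assumption), allocate your own
  script_version("2021-03-22T00:00:00+0000");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_tag(name:"qod_type", value:"package");
  script_name("Sophos Intercept X Detection (macOS SSH Login)");
  script_category(ACT_GATHER_INFO);
  script_family("Product detection");
  script_copyright("Copyright (C) example");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/osx_name");
  script_tag(name:"summary", value:"SSH login-based detection of Sophos Intercept X on macOS.");
  exit(0);
}

include("ssh_func.inc");
include("host_details.inc");
include("cpe.inc");

sock = ssh_login_or_reuse_connection();
if(!sock) exit(0);

# Assumed bundle path of the Sophos macOS endpoint; adjust to your deployment.
install = "/Applications/Sophos/Sophos Endpoint.app";
cmd = "defaults read '" + install + "/Contents/Info.plist' CFBundleShortVersionString";
buf = ssh_cmd(socket:sock, cmd:cmd);
# `defaults` prints the value on success or an error mentioning "does not exist" if absent.
if(!buf || "does not exist" >< buf) exit(0);

version = "unknown";
vers = eregmatch(pattern:"^([0-9]+\.[0-9.]+)", string:chomp(buf));
if(vers[1]) version = vers[1];

# Is the endpoint actually running? Matching on "sophos" in the process list is an assumption.
procs = ssh_cmd(socket:sock, cmd:"ps -axo comm | grep -i sophos");
running = "no";
if(procs && "sophos" >< tolower(procs)) running = "yes";

# KB keys (assumed names) that the compliance VT below reads.
set_kb_item(name:"sophos/intercept_x/macosx/detected", value:TRUE);
set_kb_item(name:"sophos/intercept_x/macosx/version", value:version);
set_kb_item(name:"sophos/intercept_x/macosx/running", value:running);

cpe = build_cpe(value:version, exp:"^([0-9.]+)", base:"cpe:/a:sophos:intercept_x:");
if(!cpe) cpe = "cpe:/a:sophos:intercept_x";

# Registering the CPE is what lets the existing "CPE Policy Check" VT match this product.
register_product(cpe:cpe, location:install, port:0, service:"ssh-login");
log_message(port:0, data:build_detection_report(app:"Sophos Intercept X", version:version,
            install:install, cpe:cpe, concluded:chomp(buf)));
exit(0);

# --- File 2: policy_sophos_intercept_x_macosx.nasl (added example, Policy family) ---
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999998");  # placeholder OID (assumption), allocate your own
  script_version("2021-03-22T00:00:00+0000");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_tag(name:"qod", value:"97");
  script_name("Sophos Intercept X: installed and running (macOS)");
  script_category(ACT_GATHER_INFO);
  script_family("Policy");
  script_copyright("Copyright (C) example");
  # Runs after the detection VT above, only on hosts identified as macOS via SSH login.
  script_dependencies("sophos_intercept_x_macosx_ssh_detect.nasl");
  script_mandatory_keys("ssh/login/osx_name");
  script_add_preference(name:"Require running process", type:"checkbox", value:"yes", id:1);
  script_tag(name:"summary", value:"Checks that Sophos Intercept X is installed (and optionally running) on macOS.");
  exit(0);
}

require_running = script_get_preference("Require running process");

detected = get_kb_item("sophos/intercept_x/macosx/detected");
version  = get_kb_item("sophos/intercept_x/macosx/version");
running  = get_kb_item("sophos/intercept_x/macosx/running");

if(!detected) {
  result = "FAIL"; comment = "Sophos Intercept X not found on this host";
} else if(require_running == "yes" && running != "yes") {
  result = "FAIL"; comment = "installed (version " + version + ") but no Sophos process is running";
} else {
  result = "PASS"; comment = "installed, version " + version + ", running: " + running;
}

report = "Compliance check: Sophos Intercept X on macOS\n" +
         "Result:  " + result + "\n" +
         "Details: " + comment + "\n";
log_message(port:0, data:report);
exit(0);
```

Both files go into the scanner’s plugin directory and the VT information has to be reloaded (openvas --update-vt-info in 20.08) before GSM lists them; the Policy VT can then be added to the custom compliance policy next to the CPE Policy Check, and the SSH credential used for the macOS targets must be allowed to run `defaults` and `ps` on the endpoint. Checking a listening port (the 80/443 question above) would be a third, separate constraint, because on the Sophos endpoint those ports are outbound connections to the update/lookup domains rather than services listening on the Mac.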