Custom Policy Check

MetaDefender Endpoint provides the Device ID and policy compliance status in the Windows registry or in a macOS p-list file. If you have an agent on the endpoints that has admin rights, you can simply get the device ID and device status this way. Otherwise, you can retrieve device compliance information from My OPSWAT Central Management by using the OAuth APIs with the device's MAC address or Device ID.

While using this approach, you should check that your license key matches the registration key on the endpoints. Your license key can be found in the My OPSWAT Central Management console on the Settings > Global page.

MetaDefender Endpoint offers 2 types of clients: persistent client and on-demand client.

  • The persistent MetaDefender Endpoint is designed to remain running on users' device after installation.
  • By comparison, the on-demand MetaDefender Endpoint is only run when needed. If exited or restarted, the client will not automatically start.

Depending on which MetaDefender Endpoint you deploy on your endpoints, you should look for the proper registry keys or p-list values.

Persistent MetaDefender Endpoint

Windows

On Windows endpoints, we provide two paths, one for 32-bit and one for 64-bit, as the registry locations are different in each.

Things you can check with the Windows persistent MetaDefender Endpoint:

  1. Check whether MetaDefender Endpoint is running, to ensure that the compliance information stored in the registry is current:

    1. look at running processes ('GearsAgentService.exe');
    2. OR running services ('OPSWAT GEARS Client'); confirm that the process and service are signed by OPSWAT and that the certificate is valid.
  2. Confirm the Registration Key on the endpoint matches your license key:

    1. Registry subkey

      1. Windows 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\GEARS Client\Config
      2. Windows 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\GEARS Client\Config
    2. Name - RegistrationKey

    3. Type - REG_SZ

    4. Value should match your License Key

  3. Check the Compliance status on the endpoint:

    1. Registry subkey

      1. Windows 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\GEARS Client\Status
      2. Windows 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OPSWAT\GEARS Client\Status
    2. Name - Policy

    3. Type - DWORD

    4. Value

  • 0 = NOT in compliance with your policy
  • 1 = in compliance with your policy

The combination of the 2 values, Policy and RegistrationKey, ensures that the installed agent is assigned to the Account that manages the defined Policies.

macOS

  1. Confirm that MetaDefender Endpoint is installed and running by looking for the process named opswat-gears-od.
  2. Validate compliance of the endpoint by checking the file
    1. located at: Applications/OPSWAT GEARS Client/Policies
    2. named: GEARS_[License Key]_[Policy Value].txt, where [License Key] is your account License Key, and [Policy Value] is 1 if the device passes the policy defined in the MetaDefender IT-OT Access console.

This file name combines 2 values, Policy and LicenseKey, to ensure that the installed client is assigned to the Account that manages the defined Policies.

The endpoint compliance parameters are configured on your MetaDefender IT-OT Access account. Once the Policies are configured and the agents installed across all of the endpoints, you can begin using MetaDefender Endpoint as part of the additional security and compliance enforcement.

On-demand MetaDefender Endpoint

Logging

Logs are automatically generated by default on the same directory you store the on-demand client. The file is called gears-ondemand.log and is overwritten on each run. Logging can be disabled via the command-line interface.

Policy Values

Windows

Some values are written to the registry by On-demand MetaDefender Endpoint to allow third-party components with limited access to system resources to read the outcome of a run.

All values are written to the following registry key:


To indicate whether the endpoint that On-demand MetaDefender Endpoint ran on is compliant with a policy set by the MetaDefender IT-OT Access account that the client reported to, the following value is written.

Name: Policy
Value:

  • 0 - system is not compliant.
  • 1 - system is compliant.

macOS

Some values are written to the file system by On-demand MetaDefender Endpoint to allow third-party components to read the outcome of an On-Demand run.

All values are written to the following user location:


To indicate whether the endpoint that On-demand MetaDefender Endpoint ran on is compliant with a policy set by the MetaDefender IT-OT Access account that the client reported to, the following value is written into a file name (NOTE: the value is in the file name, not in the contents of the file).

Filename Format: GEARS_[license key]_[Policy Value].txt

where:

  • license key: your account license key
  • Policy Value would be 1 if the device passes a policy defined in the MetaDefender IT-OT Access console
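The following is an added example, not OPSWAT's own code, that applies the checks described on this page for both the persistent Windows client (RegistrationKey and Policy read from the 32-bit or 64-bit registry subkeys) and the macOS policy file name GEARS_[License Key]_[Policy Value].txt used by the persistent and on-demand clients. The function names, the evaluate() rule that both the key must match and Policy must be 1, and the sample file names are assumptions; the process and service signature checks are not covered.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Registry subkeys under HKEY_LOCAL_MACHINE, as listed on the page (32-bit, 64-bit).
WIN_CONFIG_SUBKEYS = (r"SOFTWARE\OPSWAT\GEARS Client\Config",
                      r"SOFTWARE\Wow6432Node\OPSWAT\GEARS Client\Config")
WIN_STATUS_SUBKEYS = (r"SOFTWARE\OPSWAT\GEARS Client\Status",
                      r"SOFTWARE\Wow6432Node\OPSWAT\GEARS Client\Status")
# macOS policy directory from the page; the policy value lives in the file NAME.
MAC_POLICY_DIR = Path("/Applications/OPSWAT GEARS Client/Policies")
MAC_POLICY_RE = re.compile(r"^GEARS_(?P<key>.+)_(?P<policy>[01])\.txt$")

def evaluate(registration_key: Optional[str], policy: Optional[int], license_key: str) -> bool:
    """Compliant only when the key on the endpoint equals our account license key
    AND Policy == 1. Policy=1 under someone else's key is another account's verdict."""
    return registration_key == license_key and policy == 1

def parse_mac_policy_filename(name: str) -> Optional[tuple]:
    """GEARS_<license key>_<0|1>.txt -> (license key, policy), else None."""
    m = MAC_POLICY_RE.match(name)
    return (m.group("key"), int(m.group("policy"))) if m else None

def check_mac(license_key: str, names: Optional[Iterable[str]] = None) -> bool:
    """names defaults to the live directory listing; pass a list to test offline."""
    if names is None:
        names = [p.name for p in MAC_POLICY_DIR.iterdir()] if MAC_POLICY_DIR.is_dir() else []
    for name in names:
        parsed = parse_mac_policy_filename(name)
        if parsed and evaluate(parsed[0], parsed[1], license_key):
            return True
    return False

def read_hklm(subkeys, value_name):
    """Return the first value found in the 32-bit or 64-bit subkey (Windows only)."""
    import winreg  # Windows-only module, imported lazily to keep the rest portable
    for sub in subkeys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
                return winreg.QueryValueEx(k, value_name)[0]
        except OSError:
            continue
    return None

def check_windows(license_key: str) -> bool:
    """RegistrationKey (REG_SZ) from the Config subkey, Policy (DWORD) from Status."""
    return evaluate(read_hklm(WIN_CONFIG_SUBKEYS, "RegistrationKey"),
                    read_hklm(WIN_STATUS_SUBKEYS, "Policy"), license_key)
```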