7 Replies Latest reply: May 24, 2012 5:20 AM by Jason Creech RSS

Compliance Scan result - Item not found

Nitin Gopinathan

Hi,

 

I have created custom controls to check whether the Screensaver on a machine is enabled and whether it is password protected. I have added these controls to a policy which only contains these two controls. Everytime I run a scan against assets which were assigned to the this particular, both the controls fail and the message in the scan reports says "Error Code 2: Item not found".

 

I have verified that these keys do exist in the registry of the target machines. Can someone please tell me where I'm going wrong? I've searched through some websites but nothing has been of help as yet.


  • Compliance Scan result - Item not found
    Jason Creech

    Hi Nitin,

     

    I would need a litle more information on how you built the control to know where the issue might lie.  I have listed some of the more common issues below.

     

    The most common issue I see occurs when UDC for Registry Value Content controls are made and the registry information is entered incorrectly.  The hive is already specified, followed by the registry key, and the registry value goes on the next line.

     

    HKLM

    SYSTEM\CurrentControlSet\services\Symantec AntiVirus

    Start

     

    You would then enter the expected service start type in the controls expected value for the appropriate technology.

     

    The most common error is when customers re-enter HKLM on the second line, or enter beginning and ending backslash which is incorrect.  Occasionally, I will see customers put the registry value, as in "Start" on the second line which is incorrect.  The registry value should go on the third line.

     

    Here is a screen snippet of a registry key entry example.

     

    Registry UDC Construction.jpg

    If you paste the registry key you are trying to check in this thread, I can take a look and paste a screenshot of the correct construction.  Also, I can check and see if the control might already exist in production or if it is in QA.  Let me know which Windows flavors you are trying to audit as well.

     

    Also, which region are you in? Email me your contact information to jcreech@qualys.com as well.

     

    Best regards,

     

    Jason Creech

    Qualys

    jcreech@qualys.com

    • Compliance Scan result - Item not found
      Nitin Gopinathan

      Hi Jason, thanks for your reply. I have taken care not to repeat commonly encountered errors. The following screenshot of the edit control window shows my scan parameter as well the expected value.

       

      editcontrol.JPG

       

      While checking to see if Qualys was able to traverse the full registry path, I created a registry value existence check for the registry path HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows and the scan reported that the particular key did not exist. Could this be a problem with the authentication I am using? I am using a similar technique to check for the value of Antivirus programs installed and that seems to run absolutely fine.

    • Compliance Scan result - Item not found
      Nitin Gopinathan

      On testing for registry value existence, Qualys reports that the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows does not exist.

      On the other hand, HKEY_CURRENT_USER\Software\Policies\Microsoft is found successfuly.

       

      What could be the problem here?

  • Compliance Scan result - Item not found
    Nitin Gopinathan

    Just to update everyone on the issue, it seems most likely to be some kind of access level problem. I was never able to acquire credentials with higher level access due to compliance issues. I will update the thread when I am 100% sure about the cause of the problem.

    • Compliance Scan result - Item not found
      Jason Creech

      On a side note, I have seen where the person's account used to test for the configuration value has access to one configuration value but the credentials used to scan have a different permission level and "see" a different configuration value due to Resultant Set Of Policy (RSOP) encountered with Group Policy use.

       

      This can cause confusion when trying to troubleshoot the issue since the data viewed from the different account permsission levels results in different data being displayed.

       

      Best regards,

       

      Jason Creech

      Qualys