Our detection rules on a software product do not detect a registry "Binary Value".
1. Create or select a Binary Value registry key under any hive.
2. On any software product/package, create a detection rule as a "Standard Rule".
3. Select either "Registry Key Value" or "Registry Key Version"; we have tried both, and neither one detects the binary value.
4. In the detection rule, input the exact path, entry and value of the registry entry.
5. Save the rule.
6. Create a Managed Software Delivery policy for the software product/package.
7. Ensure the "Perform software compliance check using:" option is selected and that it is using the detection rule configured above.
8. Run the MSD policy on one or more clients.
9. The rule will return a status of "Not detected".
There are no errors or warnings in the logs. There is an informational entry stating that the detection rule did not find the target.
We have tried converting the binary value from hex to decimal and using the decimal value in the detection rule; it made no difference.
I have tested by creating a binary registry key under both HKCU and HKLM. They were simple binary values of "10". The detection rules, either "Registry Key Value" or "Registry Key Version", do not detect either key. Even converting the hex "10" to decimal "2" does not work.
An Enhancement Request has been submitted to our Developers to add the ability to detect a "Binary Value" registry entry in our Detection Rules.
Seen on 7.1 SP2 MP1, 7.5 and 7.5 SP1.
Probably exists on all versions.
Imported Document ID: TECH226003