Extended signature operators

Available from 9.2.2. The scan operations during which extended XML signature definitions are used are performed based on the processing instructions that are contained in the signature catalog. In computer languages, expressions consist of two types of components: operands and operators. Operands are the objects that are manipulated and operators are the symbols that represent specific actions. Operands and operators can be either scalar or vector.

The following definitions apply to operators and operands in the context of the signature catalog:
scalar operand
Returns a value in string format. An operand cannot have children. For example, the RegKeyValue scalar operand returns the value of the specified registry key.
scalar operator
Performs an operation on other operators and operands and returns results in string format. An operator can have children. For example, the AND operator returns true or false as a result.
vector operand
Returns results as a set of strings. An operand cannot have children. For example, the FindFilePathEx operand returns a set of file paths.
vector operator
Performs an operation on other operators and operands and returns results as a set of strings. An operator can have children. For example, the Vector operator returns a set of strings that contain the results of all its children.

The structure of the signature catalog

Table 1. The structure of the signature catalog
Operands and operators Function and supported attributes
Action
Specifies the action to be performed depending on the result of the Condition element.
Attributes:
onValue
The value that causes the action to be performed. This attribute is required.
do
Specifies the operation to be performed. This attribute is required. The supported value is SKIP, which interrupts the signature or the iterator instance evaluation and prevents it from being returned in the output.
Condition
Verifies if the specified condition is met. It contains one or more Action elements, which specify the action to be performed depending on the result of the Condition element.
Attributes:
withVariable
Specifies the name of the variable whose condition is to be verified. This attribute is required.
MultipleInstance
Groups information to identify a software product that might be installed in several instances on the same workstation. It contains 1 Iterator and 1 Instance element.
Attributes:
None
Multiple instance - iterator on INSTALL_PATH
<MultipleInstance>
  <Iterator name="INSTALL_PATH">
    <FindFilePathEx name=""/>
  </Iterator>
  <Instance> 
    <Variable name="IS_INSTALLED"><!-- RULE --> 
    </Variable>
    <Condition withVariable="IS_INSTALLED">
      <Action onValue="false" do="SKIP"/>
    </Condition>
  </Instance>
</MultipleInstance>
Multiple instance - iterator on a vector with calculation (options) of INSTALL PATH later on
<MultipleInstance>
  <Iterator name="ITER_VAR">
  </Iterator>
  <Instance> 
    <Variable name="IS_INSTALLED"><!-- RULE --> </Variable>
    <Variable name="INSTALL_PATH"><!-- RULE --> </Variable>
    <Condition withVariable="IS_INSTALLED">
      <Action onValue="false" do="SKIP"/>
    </Condition>
  </Instance>
</MultipleInstance> 
Variable
Is a container for a single value that is expressed as a string whose return value is given by the result of a set of operators and operands.
Attributes:
name
Specifies the name of the variable. It is unique in the containing signature scope. This attribute is required.
export
Specifies if the output of the variable is to be exported. Supported values are true and false. The default value is true. This attribute is optional.

Core expressions

Operands and operators Function and supported attributes
And

Performs a logical AND operation between the results of all its children. If one of the operations returns false, the whole operation is set to false without performing further evaluation on the remaining children. At least one child is required.

Properties:
  • Result type: scalar [true | false]
  • Expression type: operator
Example:
<And>
	....scalar operators and operands returning a Boolean value
</And>
Clip

Returns a substring that is a range of consecutive characters from a string, starting with the character whose index is specified as startIndex and ending with the character whose index is specified as endIndex.

Properties:
  • Result type: scalar
  • Expression type: operand
Example:
The substring 234 is returned when:
<Clip inputString="123456789" startIndex="1" endIndex="3"/>
Attributes:
inputString
Specifies the string to be cropped.
startIndex
Specifies the index of the character in the input string that the substring should start with. An index of 0 refers to the first character of the input string.
endIndex
Specifies the index of the character in the input string that the substring should end with. An index of 0 refers to the last character of the input string.
Note: It is recommended to use the new operator StringSlice whose range is wider than that of Clip because StringSlice supports negative indexes in Python syntax.
Compare

Compares two expressions based on the value of the relation attribute. The result is true if the expression is satisfied, false if the expression is not satisfied.

Properties:
  • Result type: scalar
  • Expression type: operator
Example:
<Compare relation="relation" type="type" >
  <Expression 1/>
  <Expression 2/>
</Compare>
Attributes:
relation
Specifies the relation to be evaluated. The supported values are as follows:
  • eq - equal to
  • ne - not equal to
  • gt - greater than
  • ge - greater than or equal to
  • lt - less than
  • le - less than or equal to
type
Specifies the format of the expressions to be compared. The supported values are as follows:
  • version - Compares two versions. The version is expressed by no more than four numbers that are separated by periods or commas.
  • integer - Compares two integers.
  • string - Compares two strings.
  • cistring - Compares two case-insensitive strings.
  • boolean - The comparison is to be performed between two Boolean values.
  • hex - Compares two unsigned 4-byte hexadecimal integers. The 0x prefix is optional.
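The following Python model is an added example, not the scanner's own code. It shows how the relation and type attributes of Compare interact, and why a version check that is evaluated as type string gives the wrong answer once a component reaches two digits. The function names, the sample values, the zero-padding of omitted version components, and the ValueError on malformed input are assumptions of the model.

```python
import operator

# Relation codes from the Compare operator's relation attribute.
RELATIONS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
             "ge": operator.ge, "lt": operator.lt, "le": operator.le}


def parse_version(text):
    """Parse 'no more than four numbers separated by periods or commas'."""
    parts = text.replace(",", ".").split(".")
    if len(parts) > 4:
        raise ValueError(f"more than four version components: {text!r}")
    numbers = []
    for part in parts:
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"non-numeric version component in {text!r}")
        numbers.append(int(part))
    # Assumption of this model: omitted trailing components count as zero,
    # so "9.2" and "9.2.0.0" compare as equal.
    return tuple(numbers + [0] * (4 - len(numbers)))


def parse_hex32(text):
    """Parse an unsigned 4-byte hexadecimal integer; the 0x prefix is optional."""
    value = int(text, 16)  # int(..., 16) accepts both "1F" and "0x1F"
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not an unsigned 4-byte value: {text!r}")
    return value


def parse_boolean(text):
    """Parse the strings 'true' and 'false' (assumed case-insensitive here)."""
    lowered = text.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"not a Boolean value: {text!r}")
    return lowered == "true"


# One converter per value of the type attribute.
CONVERTERS = {
    "version": parse_version,
    "integer": int,
    "string": str,
    "cistring": str.lower,
    "boolean": parse_boolean,
    "hex": parse_hex32,
}


def compare(relation, value_type, left, right):
    """Model of <Compare relation=... type=...> applied to two string results."""
    if relation not in RELATIONS:
        raise ValueError(f"unsupported relation: {relation!r}")
    if value_type not in CONVERTERS:
        raise ValueError(f"unsupported type: {value_type!r}")
    convert = CONVERTERS[value_type]
    return RELATIONS[relation](convert(left), convert(right))


if __name__ == "__main__":
    # Constructed sample values: an installed version and a minimum version.
    installed, minimum = "10.0.1", "9.2.2"
    print("type=version:", compare("ge", "version", installed, minimum))
    print("type=string: ", compare("ge", "string", installed, minimum))
    print("type=hex:    ", compare("eq", "hex", "0x1F", "1f"))
```

With type string the comparison is character by character, so "10.0.1" sorts before "9.2.2" and a minimum-version rule reports the newer installation as too old.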
Concat
Returns a concatenation of the expressions.
Properties:
  • Result type: scalar
  • Expression type: operator
Example:
<Concat [separator="separator"] [ifEmpty="{add|skip}"] >
  <Expression 1/>
  <Expression 2/>
...
</Concat>
Attributes:
separator
Specifies the separator to insert between two expressions. This attribute is optional. The default value is an empty string.
ifEmpty
Specifies if the separator must be added if the expression to concatenate is empty. This attribute is optional. Supported values are as follows:
skip
If the string is empty, the separator is not added. This is the default value.
add
If the string is empty, the separator is added.
Contains
Checks if the string contains a string.
Properties:
  • Result type: scalar [{true|false}]
  • Expression type: operand
Example:
<Contains inputString="example_string" searchedString="example_string_to_search" position="{start|end|contains}"/>
Attributes:
inputString
Specifies the string to search in.
searchedString
Specifies the string to search for.
position
Specifies where to search.
start
Checks if the searched string is at the beginning.
end
Checks if the searched string is at the end.
contains
Checks if the searched string is somewhere in the original string.
FileInfoCompare
Returns the information that is specified in the field attribute.
Properties:
  • Result type: scalar [{true|false}]
  • Expression type: operand
Example:
<FileInfoCompare
	absolutePath="absolute_path"
	field="field"
	value="value"
	relation="relation"
	[mustExist="{true|false}"]
/>
Attributes:
absolutePath
Specifies the absolute path to the file to evaluate.
field
Compares two files by one of the values that are supported, which are as follows:
  • size
  • inode (UNIX only)
  • atime - the date the file was accessed in UNIX time stamp format.
  • ctime - the date the file was created in UNIX time stamp format.
  • mtime - the date the file was modified in UNIX time stamp format.
relation
Specifies the relation to be evaluated.
value
Specifies the value to compare with.
mustExist
Indicates that the specified file must exist. This attribute is optional. The default value is false. If this attribute is set to true and the specified file does not exist, the current signature is not evaluated.
FileExists

Returns a Boolean value that indicates if the specified file exists.

Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
Example:
<FileExists absolutePath="absolute_path" />
Attributes:
absolutePath
Specifies the absolute path to the file to be searched.
Not
Performs a logical NOT operation on the result of its one child. Only one child is allowed.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operator
Example:
<Not>
	.... a single scalar operator or operand returning a Boolean value
</Not>
PathExists
Returns a Boolean value that indicates if the specified path exists.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<PathExists absolutePath="absolute_path" />
Attributes:
absolutePath
Specifies the absolute path to be searched.
Or

Performs a logical OR operation between the results of all its children. If one of the operations returns "true", the whole operation is set to "true" without performing further evaluation on the remaining children. At least one child is required.
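The following Python model is an added example, not the scanner's own code. It evaluates a small expression tree built from And, Or, Not, Contains, FileExists and PathExists, and records which nodes were actually visited so that the short-circuit behavior described for And and Or is visible. The sample rules and paths are constructed, FileExists and PathExists are approximated with os.path.isfile and os.path.exists, and every attribute is treated as required because no defaults are stated for them.

```python
import os
import xml.etree.ElementTree as ET


def _attr(node, name):
    """Return a required attribute or fail loudly instead of guessing a default."""
    if name not in node.attrib:
        raise ValueError(f"<{node.tag}> is missing required attribute {name!r}")
    return node.attrib[name]


def evaluate(node, trace):
    """Evaluate one Boolean expression node, appending each visited tag to trace."""
    trace.append(node.tag)
    children = list(node)
    if node.tag in ("And", "Or"):
        if not children:
            raise ValueError(f"<{node.tag}> requires at least one child")
        # The generator is lazy, so all()/any() stop at the first deciding child
        # and the remaining children are never evaluated.
        results = (evaluate(child, trace) for child in children)
        return all(results) if node.tag == "And" else any(results)
    if node.tag == "Not":
        if len(children) != 1:
            raise ValueError("<Not> allows exactly one child")
        return not evaluate(children[0], trace)
    if children:
        raise ValueError(f"operand <{node.tag}> cannot have children")
    if node.tag == "Contains":
        text = _attr(node, "inputString")
        needle = _attr(node, "searchedString")
        position = _attr(node, "position")
        checks = {"start": text.startswith,
                  "end": text.endswith,
                  "contains": lambda s: s in text}
        if position not in checks:
            raise ValueError(f"unsupported position: {position!r}")
        return checks[position](needle)
    if node.tag == "FileExists":
        return os.path.isfile(_attr(node, "absolutePath"))   # model assumption
    if node.tag == "PathExists":
        return os.path.exists(_attr(node, "absolutePath"))   # model assumption
    raise ValueError(f"unsupported element in this model: <{node.tag}>")


def run(xml_text):
    """Parse a rule fragment and return (result, list of visited tags)."""
    trace = []
    return evaluate(ET.fromstring(xml_text), trace), trace


# Constructed sample rule: every operand is needed to reach the result.
DETECT_RULE = """
<And>
  <Contains inputString="ExampleApp Server 2.1" searchedString="ExampleApp" position="start"/>
  <Not>
    <Contains inputString="ExampleApp Server 2.1" searchedString="Trial" position="contains"/>
  </Not>
  <Or>
    <FileExists absolutePath="/nonexistent/exampleapp/bin/server"/>
    <PathExists absolutePath="/"/>
  </Or>
</And>
"""

# Constructed sample rule: the first child is false, so FileExists is skipped.
SHORT_CIRCUIT_RULE = """
<And>
  <Contains inputString="ExampleApp" searchedString="Other" position="start"/>
  <FileExists absolutePath="/nonexistent/exampleapp/bin/server"/>
</And>
"""

if __name__ == "__main__":
    for rule in (DETECT_RULE, SHORT_CIRCUIT_RULE):
        print(run(rule))
```

Because evaluation stops at the first deciding child, child order determines which file system or registry lookups a rule performs on each endpoint.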

Substring

Searches through a string that contains multiple lines of text and returns the lines of a string that contain the search text.

Properties:
  • Result type: vector
  • Expression type: operand
Example:
<Substring inputString="input_string_to_search" searchedString="string_to_search_for"/>
Attributes:
inputString
Input string that contains multiple lines.
searchedString
The string that is searched for.
Vector
Returns a vector that contains the union of all its children; duplicates are included. If you specify a filter, the result contains only the strings that match the pattern.
  • filter: Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported.
VectorAt
Returns the vector element for the specified position.
Properties:
  • Result type: scalar
  • Expression type: operator
Example:
<VectorAt index="index_number">
	... any number of scalar/vector operator/operand
</VectorAt>
Attributes:
index
Specifies the wanted vector position. The first vector element has position "1".
VectorToScalar

Converts a vector to its scalar representation. You must convert a vector to scalar because only scalars can be compared.

File system expressions

Operands and operators Function and supported attributes
FindFilePathEx

Searches for the specified file in the specified locations. The result is a vector of all the paths where at least one entry that matches the specified file is found.

The operand searches either the cache or the file system depending on the settings that are defined for the file system scanner. To have the operand search the file system, set the maxDataAge attribute to zero in the configuration file. An extra filter can be set to refine the file search. Such a filter can contain a file system scanner query, which is applied to the found file. If the filter returns a true condition, the directory for the file is returned, otherwise it is not returned.

Properties:
  • Result type: vector
  • Expression type: operand
Example:
<FindFilePathEx name="file_name" [filter="query_filter"] [recursive="{true|false}"] [appendFileName="{true|false}"]/>
Attributes:
name
Specifies the file mask to be searched. This attribute is required.
appendFileName
Specifies if the results contain the file name. This attribute is optional. The supported values are as follows:
  • true
  • false
filter
Specifies a file system query.
FileInfoMatch
Searches for a file with the specified name and attributes in the specified locations. The result is true if at least one matching file is found.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<FileInfoMatch 
	[rootPath="root_path"]
	[recursive="{true|false}"]
	name="file_name"
	field="field"
	values="values"
/>
Attributes:
rootPath
Specifies the path where the search is to be performed. The default value is /. Wildcards (*) (?) are supported. The path is indicated according to the following syntax:
[media_type::]drive:path
where
media_type
Specifies the media type and can assume the following values:
$local
Includes local disks. This is the default value.
$remote
Includes remote disks
$other
On Windows systems, includes other disk types, such as CDROM, DVD. On UNIX systems, this value is not supported and is expressed with the $local value.
$all
Includes all disks that are listed above.
If the media_type variable is not specified, the $local value is assumed, therefore, if you want to scan disks other than local, specify a value for the media_type variable.
drive
Specifies the drives to be excluded. You can indicate one or more specific drives or you can use the $local, $remote, $other, and $all values. In this case, all drives in the specified category are excluded from the search. This variable is optional on UNIX operating systems.
path
Specifies the path to be excluded. Wildcards (*) and (?) are supported.
This attribute is optional.
recursive
Specifies if the search is to be performed in the specified path and in all its subdirectories. Supported values are true and false. The default value is true. This attribute is optional.
name
Specifies the file name to be searched. This attribute is required. Wildcards (*) and (?) are supported.
field
Compares two files by one of the values that are supported, which are as follows:
  • size
  • inode (UNIX only)
  • atime - the date the file was accessed in UNIX time stamp format.
  • ctime - the date the file was created in UNIX time stamp format.
  • mtime - the date the file was modified in UNIX time stamp format.
values
Specifies one or more values for the attribute that is specified in the field attribute. If more than one value is specified, the items are concatenated by using the Unicode control character "Private Use 1" with ASCII code 0x0091.
date
Returns the creation, access, and modification dates of the file.
ReadFile
Returns in string form the text from a file on the system.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<ReadFile path="path_to_file" [trim="{true|false}"][fileType="{native|utf8}"]/>
Attributes:
path
Specifies the path to the file.
trim
Indicates if new line special characters must be removed from the content of the file. The default is false.
fileType
Indicates the type of file. The default is native.

Native registry expressions

Operands and operators Function and supported attributes
AixProductInfo
Returns any information about the supported AIX® operating systems.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<AixProductInfo code="product_code" field="{name|version|vendor|description|installDir}" 
[mustExist="{true|false}"] />
Attributes:
code
Specifies the product code that uniquely identifies an AIX® ODM package. The product code can be retrieved only by using the AixProductList operand. For more information about this operand, see AixProductList.
field
Specifies the information to be retrieved. Supported values are as follows:
  • name
  • version - The version is expressed by no more than four numbers that are separated by periods or commas.
  • vendor
  • description
  • installDir
mustExist
Specifies whether to stop the operand evaluation if the specified file does not exist. Supported values are true and false. The default value is false. This attribute is optional. If this attribute is set to true and the specified file does not exist, the current signature is not evaluated. If the attribute is false and the specified file does not exist, the return value is an empty string.
AixProductList
Returns the set of AIX® ODM package codes. The codes that are returned can be used with the AixProductExists and AixProductInfo operands.
Properties:
  • Result type: vector
  • Expression type: operand
Example:
<AixProductList [filter="filter_expression"]
  [type="type"] />
Attributes:
type
Applies a filter based on the product type. This attribute is optional. Supported values are as follows:
any
Returns both products and any subproducts. This is the default value.
product
Returns only products.
filter
Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
HpProductInfo
Returns the requested information, if available.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<HpProductInfo code="product_code" field="{name|version|vendor|installDir}"/>
Attributes:
code
Specifies the product and subproduct code that uniquely identifies an HP-UX package. The product and subproduct code can be retrieved only by using the HpProductList operand. For more information about this operand, see HpProductList. This attribute is optional.
field
Specifies the information to be retrieved. Supported values are as follows:
  • name
  • version - The version is expressed by no more than four numbers that are separated by periods or commas.
  • vendor
  • installDir
HpProductList
Returns the set of HP-UX package codes. The codes that are returned can be used with the HpProductExists and HpProductInfo operands.
Properties:
  • Result type: vector
  • Expression type: operand
Example:
<HpProductList [filter="filter_expression"]
  [type="type"] />
Attributes:
type
Applies a filter based on the product type. This attribute is optional. Supported values are as follows:
any
Returns both products and any subproducts. This is the default value.
product
Returns only products.
subproduct
Returns only subproducts.
filter
Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
RpmProductExists
Indicates if the specified package is installed.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
  • Operating system: supported on Linux and AIX
Example:
<RpmProductExists code="product_code" />
Attributes:
code
Specifies the product code that uniquely identifies an RPM package. The product code can be retrieved by using the RpmProductList operand. For more information about this operand, see RpmProductList.
The product code can also be listed with the rpm -qa command. The command returns all available codes that identify RPM packages. The codes can either define the package architecture or not; for example: kernel-2.6.32-358.el6.x86_64 or kernel-2.6.32-358.el6.
RpmProductList
Returns the set of RPM package codes. The codes that are returned can be used with the RpmProductExists and RpmProductInfo operands.
Properties:
  • Result type: vector
  • Expression type: operand
  • Operating system: supported on Linux and AIX
Example:
<RpmProductList [filter="filter_expression"]
 [type="type"] />
Attributes:
filter
Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
type
Applies a filter based on the product type. This attribute is optional. Supported values are as follows:
any
Returns both products and any subproducts. This is the default value.
product
Returns only products.
SunProductInfo
Returns the requested information, if available.
Properties:
  • Result type: scalar
  • Expression type: operand
  • Operating system: supported Oracle Solaris operating environments
Example:
<SunProductInfo code="product_code" field="{name|version|displayVersion|vendor|installDir}"/>
Attributes:
code
Specifies the product code that uniquely identifies an Oracle Solaris package. The product code can be retrieved only by using the SunProductList operand. For more information about this operand, see SunProductList.
field
Specifies the information to be retrieved. Supported values are as follows:
name
Returns the name of the product.
version
Returns the product version and revision number, for example 3.7.2101.
displayVersion
Returns the product version and revision number, for example 3.7.2101, REV=0.98.08.26.
vendor
Returns the name of the vendor.
installDir
Returns the topmost installation directories.
SunProductList
Returns the set of Sun Solaris package codes. The codes that are returned can be used with the SunProductExists and operands.
Properties:
  • Result type: vector
  • Expression type: operand
  • Operating system: supported Sun Solaris operating environments
Example:
<SunProductList [filter="filter_expression"]
  [type="type"] />
Attributes:
type
Applies a filter based on the product type. This attribute is optional. Supported values are as follows:
any
Returns both products and any subproducts. This is the default value.
product
Returns only products.
filter
Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
Win32ProgramInfo
Returns the requested information, if available.
Properties:
  • Result type: scalar
  • Expression type: operand
  • Operating systems: all supported Windows operating systems
Example:
<Win32ProgramInfo code="product_code"
	field="{name|description|version|vendor|installDir|uninstData}"/>
Attributes:
code
Specifies the product code that uniquely identifies a Win32 program. The program code can be retrieved only by using the Win32ProgramList operand. For more information about this operand, see Win32ProgramList.
field
Specifies the information to be retrieved. Supported values are as follows:
name
Returns the patch name.
description
Returns the patch description.
version
Returns the product version. The version is expressed by no more than four numbers that are separated by periods or commas.
vendor
Returns the product vendor.
installDir
Returns the product installation directory.
uninstData
Returns the product uninstallation command.
Win32ProgramList
Returns the set of packages installed. The codes that are returned can be used with the Win32ProgramExists and Win32ProgramInfo operands.
Properties:
  • Result type: vector
  • Expression type: operand
  • Operating systems: all supported Windows operating systems
Example:
<Win32ProgramList [filter="filter_expression"] [type="type"] />
Attributes:
type
Applies a filter based on the product type. This attribute is optional. Supported values are as follows:
any
Returns both products and any subproducts. This is the default value.
product
Returns only products.
filter
Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.

Registry operands

Operands and operators Function and supported attributes
PackageInfoEqual
Returns true if an item with the same name, version, and vendor exists in the specified registry.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
Example:
<PackageInfoEqual 
	provider="{any | ismp | os}"
	code="product_code"
	value="name_version_vendor" 
/>
Attributes:
provider
Specifies the installation database to be searched. Supported values are as follows:
any
Specifies that the search is performed on the operating system installation database and then on the ISMP installation database.
os
Specifies that the search is performed on the operating system installation database.
ismp
Specifies that the search is performed on the ISMP installation database.
code
Specifies the product code that uniquely identifies the product.
value
Comprises the concatenation of the name, version, and vendor strings for the product. Separate each string with a blank space; empty strings can be omitted.
PackageInfoMatch
Returns true if an item with the same name, version, and vendor exists in any registry.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
  • Operating systems: all supported operating systems
Example:
<PackageInfoMatch
vendor="product vendor"
name="product name"
version="product version"
/>
Attributes:
vendor
Specifies the product vendor.
name
Specifies the name of the product.
version
Specifies the product version number.

The wildcard (*) is supported.

Windows registry expressions

Operands and operators Function and supported attributes
RegKeyExists
Indicates whether the specified key exists.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
Example:
<RegKeyExists key="key" [section="{32|64|32or64|64or32}"]/>
Attributes:
key
Specifies the full registry key name in registry_key\registry_subkey format.
section
Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner functions correctly on 64-bit systems. Its values are:
32
The search is only performed on the 32-bit part of the registry.
64
The search is only performed on the 64-bit part of the registry.
32or64
The search is performed on the 32-bit part first, then on the 64-bit part of the registry.
64or32
The search is performed on the 64-bit part first, then on the 32-bit part of the registry.
Default value is 32.
RegKeyList
Searches the Windows registry under the key that is specified in the root attribute, and returns a list of keys that are in the registry under the root key. If the subKeys attribute is set to false, only the values in the root key are returned.
Properties:
  • Result type: vector
  • Expression type: operand
Example:
<RegKeyList 
	root="root_key"
	[section="{32|64|32or64|64or32}"]
	[subKeys="{true|false}"]/>
Attributes:
root
Specifies the full registry key name in registry_key\registry_subkey format.
section
Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner runs correctly under 64-bit systems. Its values are:
32
The search is only performed on the 32-bit part of the registry.
64
The search is only performed on the 64-bit part of the registry.
32or64
The search is performed on the 32-bit part first, then on the 64-bit part of the registry.
64or32
The search is performed on the 64-bit part first, then on the 32-bit part of the registry.
Default value is 32.
subKeys
Specifies if subkeys must be returned. The default value is false.
RegKeyValue
Returns the current value for the specified registry key. When the registry key is a REG_DWORD entry, the key attribute returns a decimal value.
Properties:
  • Result type: scalar
  • Expression type: operand
Example:
<RegKeyValue entry="entry" key="key"
[section="{32|64|32or64|64or32}"]
 [mustExist="{true|false}"]/>
Attributes:
key
Specifies the full registry key name in registry_key\registry_subkey format.
entry
Specifies the name of the value that is contained in the key. To retrieve the value of registry entries that are named "(Default)", you must specify a null value for the entry attribute, for example entry="".
section
Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are:
32
The search is only performed on the 32-bit part of the registry.
64
The search is only performed on the 64-bit part of the registry.
32or64
The search is performed on the 32-bit part first, then on the 64-bit part of the registry.
64or32
The search is performed on the 64-bit part first, then on the 32-bit part of the registry.
Default value is 32.
mustExist
Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are true and false. The default value is false. This attribute is optional. If this attribute is set to true and the specified key does not exist, the current signature is not evaluated. If this attribute is set to false and the specified key does not exist, an empty string is returned.
RegKeyValueContains
Specifies whether the specified registry key contains the specified value.
Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
Example:
<RegKeyValueContains
	entry="entry"
	key="key"
	value="value"
[section="{32|64|32or64|64or32}"]
	[mustExist="{true|false}"]/>
Attributes:
key
Specifies the full registry key name in registry_key\registry_subkey format.
entry
Specifies the name of the value that is contained in the key.
value
Specifies the value that must be contained in the entry.
section
Specifies the attribute indicating which section of the registry the search should be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are:
32
The search is only performed on the 32-bit part of the registry.
64
The search is only performed on the 64-bit part of the registry.
32or64
The search is performed on the 32-bit part first, then on the 64-bit part of the registry.
64or32
The search is performed on the 64-bit part first, then on the 32-bit part of the registry.
Default value is 32.
mustExist
Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are true and false. The default value is false. This attribute is optional. If this attribute is set to true and the specified key does not exist, the current signature is not evaluated. If this attribute is set to false and the specified key does not exist, an empty string is returned.
RegKeyValueEqual
Indicates if the specified registry key value is equal to the specified key.
key
Specifies the full registry key name in registry_key\registry_subkey format.
entry
Specifies the name of the value that is contained in the key.
value
Specifies the value to be compared. When the registry key that is specified in the entry attribute is a REG_DWORD entry, enter a decimal value in the value attribute.
RegKeyVersionCompare

Compares the specified registry key value with the specified version based on the value of the relation attribute.

Properties:
  • Result type: scalar [true | false]
  • Expression type: operand
Example:
<RegKeyVersionCompare 
	key="key"
	entry="entry"
	relation="relation"
	value="value"
 [section="{32|64|32or64|64or32}"]
	[mustExist="{true|false}"]/>
Attributes:
key
Specifies the full registry key name in registry_key\registry_subkey format.
entry
Specifies the name of the value that is contained in the key.
relation
Specifies the relation to be evaluated. Supported values are as follows:
  • eq - equal to
  • ne - not equal to
  • gt - greater than
  • ge - greater than or equal to
  • lt - less than
  • le - less than or equal to
value
Specifies the version to be compared.
Note: When the registry key that is specified in the entry attribute is a REG_DWORD entry, enter a decimal value in the value attribute. The supported value is version. The version is expressed by up to four numbers that are separated by periods or commas.
Note: When the registry key that is specified in the entry attribute is a REG_BINARY entry, enter in the value field a string that looks exactly like the "data" field when you are viewing the field in the registry editor. This string must be a series of two-digit numbers that are separated by spaces, for example, "01 01" "10 11 10".
section
Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are:
32
The search is only performed on the 32-bit part of the registry.
64
The search is only performed on the 64-bit part of the registry.
32or64
The search is performed on the 32-bit part first, then on the 64-bit part of the registry.
64or32
The search is performed on the 64-bit part first, then on the 32-bit part of the registry.
The default value is 32.
mustExist
Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are true and false. The default value is false. This attribute is optional. If this attribute is set to true and the specified key does not exist, the current signature is not evaluated.