Deep Security 11.3 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
InstalledSoftwareSet
Represents a set of installed software. The "key" used to uniquely identify an installed application is platform-specific, but it is often a shorthand version of the application name or a unique numeric value.
On Windows, the key can be something readable like "FogBugz Screenshot_is1" or it can be a GUID like
"{90110409-6000-11D3-8CFE-0150048383C9}". You can examine these by looking at the sub-keys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
On Linux the key is the RPM package name, as shown by the command:
rpm -qa --qf "%{NAME}\n"
On Solaris the key is the package name as shown by the pkginfo command.
On HPUX the key is the application name as shown by the command:
/usr/sbin/swlist -a name
Tag Attributes
These are XML attributes of the tag itself, as opposed to the attributes of the computer where Integrity Monitoring is enabled.
Attribute | Description | Required | Default Value | Allowed Values |
onChange | Will be monitored in real time | No | false | true, false |
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules. Presence of the attributes is dependent on both the platform and the application itself - installation programs do not necessarily populate all of the attributes.
- Manufacturer: The publisher or manufacturer of the application
- Name: The friendly name or display name of the application. (Not available on Linux.)
- InstalledDate: Date of installation. This is normally returned as YYYY-MM-DD [HH:MM:SS], but many installers on Windows format the date string in a different manner so this format is not guaranteed.
- InstallLocation: The directory where the application is installed. (Only available on Windows)
- Parent: For patches and updates, this gives the key name of this item's parent. Only available on Windows.
- Size: The estimated size of the application, if available. On Windows this attribute is read from the "EstimatedSize" registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*. The value in that location is expressed in KB, so the Agent multiplies it by 1024 before returning the value. Note that not all Windows applications populate the EstimatedSize field in the registry.
- Version: The version of the installed application. On Windows this comes from the "DisplayVersion" registry value.
Short Hand Attributes
These are the short hand attributes of the Entity and the attributes to which they resolve
- STANDARD: InstalledDate, Name, Version
Meaning of "Key"
The key is the name of the installed software. This is not a hierarchical key, so the ** pattern does not apply. On Windows the key is often a GUID, especially for anything installed via the Windows Installer (aka MSI). Use the name="XXX" feature if you need to include or exclude based on the display name rather than the GUID.
The following example would monitor for the addition and deletion of new software.
<InstalledSoftwareSet>
<include key="*"/>
<attributes/>
</InstalledSoftwareSet>
Sub Elements
- Include
- Exclude
See Integrity monitoring rules language for a general description of Include and Exclude for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.
Special attributes of Include and Exclude for InstalledSoftwareSets:
name (Windows only)
Allows wildcard matching using ? and * on the display name of the application (the "name" attribute of the Entity). For example:
<InstalledSoftwareSet>
<include name="Microsoft*"/>
<InstalledSoftwareSet>
will match all installed applications whose display name (as shown by the Control Panel) starts with "Microsoft".
manufacturer
Allows wildcard matching using ? and * on the publisher or manufacturer of the application. For example:
<InstalledSoftwareSet>
<include manufacturer="* Company "/>
<InstalledSoftwareSet>
will match all installed applications whose manufacturer ends with " Company ".