You can scan OVAL vulnerabilities you've created using the OVAL standard and view the scan results within your account.
Sample 1 - Simple registry check using OVAL
Sample 2 - Simple File Version based OVAL check
Sample 3 - Complex File and Registry based check
The following is a complete and tested version of a registry check based on the 4.2 OVAL schema. This check looks for hosts running Windows 2000.
<?xml version="1.0" encoding="UTF-8"?>
<oval xmlns="http://oval.mitre.org/XMLSchema/oval"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval"
xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval oval-schema.xsd">
<generator>
<schema_version>4.2</schema_version>
<timestamp>20061114151515</timestamp>
</generator>
<definitions xmlns="http://oval.mitre.org/XMLSchema/oval"
xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows">
<definition id="OVAL1001" class="vulnerability">
<affected family="windows">
<windows:platform>Microsoft Windows 2000</windows:platform>
<product>Operating System</product>
</affected>
<dates>
<submitted date="2006-11-13-10:30">
<contributor organization="Qualys, Inc.">John Doe</contributor>
</submitted>
<status_change date="2006-11-14-01:33">INTERIM</status_change>
</dates>
<description>
This is an example of a simple registry test to detect Windows 2000
</description>
<reference source="CVE">CVE-2000-9999</reference>
<status>INTERIM</status>
<version>1</version>
<criteria>
<software operation="AND">
<criterion test_ref="wrt-1" comment="Windows 2000 is installed" negate="false"></criterion>
</software>
</criteria>
</definition>
</definitions>
<tests xmlns="http://oval.mitre.org/XMLSchema/oval">
<registry_test id="wrt-1" comment="Windows 2000 is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
<name>CurrentVersion</name>
</object>
<data operation="AND">
<value operator="equals">5.0</value>
</data>
</registry_test>
</tests>
</oval>
The following is a simple check that looks for a particular file on a system and tests its version. This check looks at Windows 2000 hosts to determine whether they are vulnerable to a system crash via a malicious Kerberos message delivered remotely.
<?xml version="1.0" encoding="UTF-8"?>
<oval xmlns="http://oval.mitre.org/XMLSchema/oval"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval"
xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval oval-schema.xsd">
<generator>
<schema_version>4.2</schema_version>
<timestamp>20061114151516</timestamp>
</generator>
<definitions xmlns="http://oval.mitre.org/XMLSchema/oval"
xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows">
<definition id="OVAL95" class="vulnerability">
<affected family="windows">
<windows:platform>Microsoft Windows 2000</windows:platform>
<product>Operating System</product>
</affected>
<dates>
<submitted date="2005-08-16-12:00">
<contributor organization="ThreatGuard">Robert L. Hollis</contributor>
</submitted>
<status_change date="2005-09-21-01:33">INTERIM</status_change>
<status_change date="2005-10-12-05:49">ACCEPTED</status_change>
</dates>
<description>
Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers
allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos
message.
</description>
<reference source="CVE">CVE-2005-1981</reference>
<status>ACCEPTED</status>
<version>2</version>
<criteria>
<software operation="AND">
<criterion test_ref="wft-10027" comment="the version of kerberos.dll is less than 5.0.2195.7053"
negate="false"></criterion>
</software>
</criteria>
</definition>
</definitions>
<tests xmlns="http://oval.mitre.org/XMLSchema/oval">
<file_test id="wft-10027" comment="the version of kerberos.dll is less than 5.0.2195.7053" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<path datatype="component" operator="equals">
<component type="registry_value">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot</component>
<component type="literal">\system32\kerberos.dll</component>
</path>
</object>
<data operation="AND">
<version datatype="version" operator="less than">
<major>5</major>
<minor>0</minor>
<build>2195</build>
<private>7053</private>
</version>
</data>
</file_test>
</tests>
</oval>
The following is a simple check that looks to see if the system is either a Windows 2003 or Windows XP based system, has the built-in firewall turned off, and is vulnerable to a "Land" based attack.
<?xml version="1.0" encoding="UTF-8"?>
<oval xmlns="http://oval.mitre.org/XMLSchema/oval"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval"
xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval oval-schema.xsd">
<generator>
<schema_version>4.2</schema_version>
<timestamp>20061114151517</timestamp>
</generator>
<definitions>
<definition id="OVAL4978" class="vulnerability">
<affected family="windows">
<windows:platform>Microsoft Windows Server 2003</windows:platform>
<product>Microsoft Word 2003</product>
</affected>
<dates>
<submitted date="2005-08-18-04:00">
<contributor organization="The MITRE Corporation">Matthew Burton</contributor>
</submitted>
<status_change date="2005-08-25-10:05">DRAFT</status_change>
<status_change date="2005-09-21-01:33">INTERIM</status_change>
<status_change date="2005-10-12-05:49">ACCEPTED</status_change>
</dates>
<description>
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a
denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination
and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
</description>
<reference source="CVE">CVE-2005-0688</reference>
<status>ACCEPTED</status>
<version>1</version>
<criteria>
<software operation="AND">
<criterion test_ref="wrt-61" comment="Windows Server 2003 is installed" negate="false" />
<criterion test_ref="cmp-23" comment="32-bit version of Windows or 64-bit (itanium architecture)
version of Windows is installed" negate="false" />
<criterion test_ref="wrt-3" comment="a Win2K/XP/2003 service pack is installed" negate="true" />
<criterion test_ref="wft-600" comment="the version of Tcpip.sys is less than 5.2.3790.336"
negate="false" />
<criterion test_ref="wrt-443" comment="the patch KB893066 is installed" negate="true" />
</software>
<configuration operation="AND">
<criterion test_ref="wrt-448" comment="The SynAttackProtect parameter is set to 2" negate="false" />
</configuration>
</criteria>
</definition>
</definitions>
<tests>
<registry_test id="wrt-448" comment="The SynAttackProtect parameter is set to 2" check="all"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive datatype="string" operator="equals">HKEY_LOCAL_MACHINE</hive>
<key datatype="string"
operator="equals">SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</key>
<name datatype="string" operator="equals">SynAttackProtect</name>
</object>
<data operation="AND">
<value datatype="int" operator="equals">2</value>
</data>
</registry_test>
<registry_test id="wrt-443" comment="the patch KB893066 is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive operator="equals">HKEY_LOCAL_MACHINE</hive>
<key operator="equals">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB893066</key>
<name operator="equals">Installed</name>
</object>
<data operation="AND">
<value datatype="int" operator="equals">1</value>
</data>
</registry_test>
<file_test id="wft-600" comment="the version of Tcpip.sys is less than 5.2.3790.336" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<path datatype="component" operator="equals">
<component type="registry_value">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot</component>
<component type="literal">\system32\tcpip.sys</component>
</path>
</object>
<data operation="AND">
<version datatype="version" operator="less than">
<major>5</major>
<minor>2</minor>
<build>3790</build>
<private>336</private>
</version>
</data>
</file_test>
<registry_test id="wrt-3" comment="a Win2K/XP/2003 service pack is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
<name>CSDVersion</name>
</object>
</registry_test>
<registry_test id="wrt-70" comment="64-Bit version of Windows is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key>
<name>PROCESSOR_ARCHITECTURE</name>
</object>
<data operation="AND">
<value operator="equals">ia64</value>
</data>
</registry_test>
<registry_test id="wrt-72" comment="32-Bit version of Windows is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key>
<name>PROCESSOR_ARCHITECTURE</name>
</object>
<data operation="AND">
<value operator="equals">x86</value>
</data>
</registry_test>
<compound_test id="cmp-23" comment="32-bit version of Windows or 64-bit (itanium architecture)
version of Windows is installed" operation="OR">
<oval:notes>
<oval:note>This test should fail if the 64-bit (x64 architecture) version of Windows is
installed.</oval:note>
</oval:notes>
<subtest negate="false" test_ref="wrt-72" />
<subtest negate="false" test_ref="wrt-70" />
</compound_test>
<registry_test id="wrt-61" comment="Windows Server 2003 is installed" check="at least one"
xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
<object>
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
<name>CurrentVersion</name>
</object>
<data operation="AND">
<value operator="equals">5.2</value>
</data>
</registry_test>
</tests>
</oval>
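In Sample 3 every criterion points at a test by test_ref, and the compound test cmp-23 points at further tests through its subtest elements, so a mistyped id leaves a criterion with nothing to evaluate. The following pre-upload check is an added example, not part of the original samples or of any Qualys tooling: it walks from the criteria through compound tests and reports references with no matching test and tests that no criterion reaches. The function name lint_oval and the embedded document are constructed for illustration; the document follows the shape of Sample 3 with two defects introduced on purpose.

```python
import xml.etree.ElementTree as ET

# Constructed input shaped like Sample 3: "wrt-443" is referenced by a
# criterion but never defined; "wrt-70" is defined but nothing reaches it.
SAMPLE = """<oval xmlns="http://oval.mitre.org/XMLSchema/oval">
  <definitions>
    <definition id="OVAL4978" class="vulnerability">
      <criteria>
        <software operation="AND">
          <criterion test_ref="cmp-23" comment="32-bit or ia64 Windows" negate="false" />
          <criterion test_ref="wrt-443" comment="the patch KB893066 is installed" negate="true" />
        </software>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="wrt-70" xmlns="http://oval.mitre.org/XMLSchema/oval#windows" />
    <registry_test id="wrt-72" xmlns="http://oval.mitre.org/XMLSchema/oval#windows" />
    <compound_test id="cmp-23" operation="OR">
      <subtest negate="false" test_ref="wrt-72" />
    </compound_test>
  </tests>
</oval>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def lint_oval(xml_text):
    """Return (dangling_refs, unreached_tests) for a 4.2-style OVAL document."""
    root = ET.fromstring(xml_text)
    # Tests live in different namespaces (oval, oval#windows), so match by local name.
    tests = {el.get("id"): el for el in root.iter()
             if local(el.tag).endswith("_test") and el.get("id")}
    pending = [c.get("test_ref") for c in root.iter() if local(c.tag) == "criterion"]
    reached, dangling = set(), set()
    while pending:  # follow criterion -> test -> subtest; the sets guard against cycles
        ref = pending.pop()
        if ref in reached or ref in dangling:
            continue
        if ref not in tests:
            dangling.add(ref)
            continue
        reached.add(ref)
        pending += [s.get("test_ref") for s in tests[ref] if local(s.tag) == "subtest"]
    return sorted(dangling), sorted(set(tests) - reached)


if __name__ == "__main__":
    print(lint_oval(SAMPLE))
```

A dangling reference should block the upload; an unreached test is usually harmless but often marks a criterion that was meant to be there.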