Max,

Registry keys are good, but you should also check for the running  
process if you can.
As to your second question, there really isn't a good way to create  
those rules without buying or demoing each product that you want to  
support and testing it thoroughly.
Depending on the brand/version, it's possible someone here has  
already built a rule for it that they would be willing to share.

Good luck,

Michael Grinnell
Network Security Administrator
The American University

On Jan 22, 2007, at 9:37 AM, Caines, Max wrote:

> Hi
>
> I'm new to CCA, so my apologies if this is a silly question. The
> security checking software we are moving from checked that Windows
> systems (>= 2000) had a personal firewall installed and enabled. I'd
> like to check this in CCA, but as there's no built-in rules for this,
> I'll need to construct some. The only way I can think to do it is to
> check Registry keys for installed software that either is or  
> includes a
> firewall. However, my knowledge of this sort of software is not
> comprehensive, and I can't think of any practical way to find out the
> Registry keys created by a load of products I've never installed.
>
> Is what I'm doing feasible? Does anyone have any ideas that might  
> help?
>
> Thanks
>
> ----------------------------------------
> Max Caines
> IT Services, University of Wolverhampton
> Wolverhampton, West Midlands WV1 1SB
> Tel: 01902 322245 Fax: 01902 322699