With Symantec Network Access Control (SNAC) is there a way to create a Host Integrity script with a "grace" period, or a script that needs to fail twice in a row before assigning the client to the quarantine network?
It is possible to create a Host Integrity script that does not assign the client to the quarantine on a single once-off failure, by using a temporary flag in the registry to "remember" the previous status. This can be useful for example when checking the antivirus-definition age, to give the client a number of extra minutes to finish downloading the update before being assigned to the quarantine network.
The following is an example script:
An exported example policy is attached (the policy uses a check for calc.exe as example).