Symantec Endpoint Protection Info - Windows
Versioning - This is the latest version.
1 | Symantec Endpoint Protection Info - Windows | 12/5/2012 9:47:22 AM
2 | Symantec Endpoint Protection Info - Windows | 1/15/2014 8:28:05 AM
Description
This analysis tracks many different properties of Symantec Endpoint Protection Clients.
The "uninstall password set" property came from here: http://bigfix.me/relevance/details/2998537
The latest version of this analysis can be found here: http://bigfix.me/analysis/details/56
Property Details
2994621
Alpha - Code that was just developed
Symantec Endpoint Protection Info - Windows
BESC
AntiVirus, AV
jgstew on 1/15/2014 8:28:05 AM
jgstew on 1/15/2014 8:28:05 AM
18371 Views / 150 Downloads
Properties
Client Version
Period
2 days
Results in a "string"/number
(
if exists
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it
)
whose
(
exists value "ProductVersion" of it
)
then
(
value "ProductVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it as string
)
else "<none>"
)
of native registry
VDefs Version
Period
1 day
Results in a true/false
following text of last "\" of
(
value "DEFWATCH_10" of
(
(
/* SEP 12+ location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry
)
|
(
/* SEP 11- location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry
)
)
as string
)
Last Scan
Period
1 day
Results in a "string"/number
maximum of times generated of records whose
(
source of it = "Symantec AntiVirus" and description of it contains "Scan Complete"
)
of
(
application event log
)
Last Scan Result
Period
1 day
Results in a "string"/number
(
concatenation of substrings separated by "%0d%0a" of descriptions of it
)
of items 1 of it whose
(
time generated of items 1 of it = item 0 of it
)
of
(
(
maximum of times generated of it
)
of records whose
(
source of it = "Symantec AntiVirus" and description of it contains "Scan Complete"
)
of it, records whose
(
source of it = "Symantec AntiVirus" and description of it contains "Scan Complete"
)
of it
)
of application event log
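The Last Scan and Last Scan Result properties above pick the newest Application-log record from source "Symantec AntiVirus" whose description contains "Scan Complete", and the second one joins that description's "%0d%0a"-separated pieces. The Python below is an added example, not part of this analysis, that applies the same selection to constructed event records; only the source name and the "Scan Complete" marker come from the relevance, the record text and timestamps are made up.

```python
from datetime import datetime

SOURCE = "Symantec AntiVirus"   # 'source of it = "Symantec AntiVirus"'
MARKER = "Scan Complete"        # 'description of it contains "Scan Complete"'

# Constructed Application event-log records (not real SEP output):
# (time generated, source, description). Descriptions carry CRLF line breaks,
# which the relevance splits on "%0d%0a".
SAMPLE_RECORDS = [
    (datetime(2014, 1, 14, 2, 0), SOURCE, "Scan Complete: Risks: 0\r\nScanned: 120345"),
    (datetime(2014, 1, 15, 2, 0), SOURCE, "Scan Complete: Risks: 1\r\nScanned: 121002"),
    (datetime(2014, 1, 15, 3, 0), SOURCE, "Scan started on selected drives and folders"),
    (datetime(2014, 1, 15, 4, 0), "Service Control Manager", "Scan Complete"),  # wrong source
]


def scan_complete_records(records):
    """The 'records whose (...)' filter: right source and marker text in the description."""
    return [r for r in records if r[1] == SOURCE and MARKER in r[2]]


def last_scan_time(records):
    """'maximum of times generated of ...'; None where the relevance would have no result."""
    matches = scan_complete_records(records)
    return max(r[0] for r in matches) if matches else None


def last_scan_result(records):
    """Descriptions of the matching record(s) generated at that latest time.

    'concatenation of substrings separated by "%0d%0a"' joins the pieces with nothing
    between them, so the line break disappears entirely; mirrored here on purpose.
    """
    latest = last_scan_time(records)
    if latest is None:
        return []
    return ["".join(r[2].split("\r\n"))
            for r in scan_complete_records(records) if r[0] == latest]
```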
PolicyMode
Period
1 day
Results in a "string"/number
value "PolicyMode" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" of native registry
VDefs Date
Period
1 day
Results in a "string"/number
(
(
substring
(
6,2
)
of
(
following text of last "\" of it
)
&
(
substring
(
4,2
)
of
(
following text of last "\" of it
)
as string as integer as month as three letters
)
& first 4 of
(
following text of last "\" of it
)
)
as date as string
)
of
(
value "DEFWATCH_10" of
(
if exists
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry
)
then
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry
)
else
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry
)
)
as string
)
VDefs days old
Period
1 day
Results in a "string"/number
(
current date -
(
(
(
substring
(
6,2
)
of
(
following text of last "\" of it
)
&
(
substring
(
4,2
)
of
(
following text of last "\" of it
)
as string as integer as month as three letters
)
& first 4 of
(
following text of last "\" of it
)
)
as date
)
of
(
value "DEFWATCH_10" of
(
if exists
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry
)
then
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry
)
else
(
key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry
)
)
as string
)
)
)
as string
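The VDefs Date and VDefs days old properties both decode the last path component of DEFWATCH_10 (YYYYMMDD.rrr) into a date, after choosing the SEP 12+ SharedDefs key and falling back to the SEP 11 key. The Python below is an added example, not part of this analysis, that mirrors that decoding and key fallback over a constructed registry snapshot; the key names come from the relevance, while the path values, the date format check and the staleness threshold are assumptions.

```python
from datetime import date

# Registry keys the analysis reads, in the order its if/else prefers them.
SEP12_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs"
SEP11_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs"

# Constructed registry snapshot (not real output): key -> {value name: data}.
SAMPLE_REGISTRY = {
    SEP12_KEY: {"DEFWATCH_10": r"C:\ProgramData\Symantec\Definitions\VirusDefs\20140115.003"},
    SEP11_KEY: {"DEFWATCH_10": r"C:\ProgramData\Symantec\Definitions\VirusDefs\20121205.017"},
}

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def pick_defwatch(registry):
    """'if exists (SEP 12+ key) then ... else (SEP 11 key)': first key carrying DEFWATCH_10."""
    for key in (SEP12_KEY, SEP11_KEY):
        data = registry.get(key, {}).get("DEFWATCH_10")
        if data is not None:
            return data
    return None


def defs_revision(defwatch_value):
    """'following text of last "\\" of it': the definition set name, e.g. 20140115.003."""
    return defwatch_value.rsplit("\\", 1)[-1]


def _ymd(defwatch_value):
    rev = defs_revision(defwatch_value)
    if len(rev) < 8 or not rev[:8].isdigit():   # assumed guard; the relevance has none
        raise ValueError("unexpected DEFWATCH_10 format: %r" % defwatch_value)
    # first 4 = year, substring (4,2) = month, substring (6,2) = day (zero-based offsets)
    return int(rev[0:4]), int(rev[4:6]), int(rev[6:8])


def defs_date(defwatch_value):
    year, month, day = _ymd(defwatch_value)
    return date(year, month, day)   # rejects month 13, day 32 and similar junk


def defs_date_text(defwatch_value):
    """The text the relevance concatenates before 'as date', e.g. 15Jan2014."""
    d = defs_date(defwatch_value)
    return "%02d%s%d" % (d.day, MONTHS[d.month - 1], d.year)


def defs_days_old(defwatch_value, today):
    """'current date - (... as date)', returned as a whole number of days."""
    return (today - defs_date(defwatch_value)).days


def defs_stale(registry, today, max_days=7):
    """Assumed policy check: True when definitions are missing or older than max_days."""
    value = pick_defwatch(registry)
    return value is None or defs_days_old(value, today) > max_days
```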
folder location
Period
1 day
Results in a true/false
(
value "InstallLocation" of key whose
(
value "DisplayName" of it as string contains "Symantec Endpoint Protection" AND value "DisplayVersion" of it as string as version >= "10.0.1" as version AND exists value "InstallLocation" of it
)
of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry as string
)
uninstall password set?
Period
1 day
Results in a "string"/number
exists value whose
(
name of it is "SmcInstData"
)
of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of native registry
Relevance
Used in 1 analysis | Results in a true/false
exists key whose
(
value "DisplayName" of it as string as lowercase contains "symantec endpoint protection" AND exists value "DisplayVersion" of it
)
of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry
Comments
This is definitely out of date. I also would write the relevance differently today, but it is useful as a guide.
This needs some updating due to Symantec's registry location changes after 12.1.1100: https://support.symantec.com/en_US/article.HOWTO75109.html
I add the relevance 1363 to exclude machines that do not have SEP installed already because in my organization other AVs are used in some cases other than SEP. I'm leaving that consideration for an SEP installer fixlet in a sense. If your organization is 100% SEP and you have an SEP installer fixlet, then any machine that is relevant to that would be missing SEP and need remediation there. By including only machines that already have SEP installed, I am simplifying the amount of error checking required by the relevance in the rest of this analysis. Your comment is exactly correct for any analysis for a piece of software that is "required" in your particular organization.
Wouldn't the Relevance 1363 in this analysis prevent this from being relevant on any system that does not have Symantec Endpoint Protection installed? I expect we'd want to see that too, with the appropriate "none" entries as in SEP Client Version property.