Symantec Endpoint Protection Info - Windows



This analysis tracks many different properties of Symantec Endpoint Protection clients: the client version, the virus definition version, date and age in days, the time and result of the last completed scan, the policy mode, the install folder, and whether an uninstall password is set. Note that the VDefs properties read their SharedDefs keys through "registry" (on 64-bit Windows this is the 32-bit, Wow6432Node view), while the remaining properties use "native registry" (the 64-bit view); confirm which view your SEP version writes to before relying on the results.


The "uninstall password set" property came from here:  http://bigfix.me/relevance/details/2998537

The latest version of this analysis can be found here:  http://bigfix.me/analysis/details/56


ID: 2994621
Status: Alpha - Code that was just developed
Title: Symantec Endpoint Protection Info - Windows
Domain: BESC
Keywords: AntiVirus, AV
Added: 1/15/2014 8:28:05 AM
Last Modified: 1/15/2014 8:28:05 AM
Counters: 18371 Views / 150 Downloads

Client Version
Period 2 days
  * Results in a "string"/number
(if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it) whose (exists value "ProductVersion" of it) then ( value "ProductVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it as string) else "<none>") of native registry
VDefs Version
Period 1 day
  * Results in a "string"/number (the definitions folder name, e.g. YYYYMMDD.NNN, not a true/false)
following text of last "\" of (value "DEFWATCH_10" of (( /* SEP 12+ location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) | ( /* SEP 11- location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)
Last Scan
Period 1 day
  * Results in a "string"/number
maximum of times generated of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of (application event log)
Last Scan Result
Period 1 day
  * Results in a "string"/number
(concatenation of substrings separated by "%0d%0a" of descriptions of it) of items 1 of it whose (time generated of items 1 of it = item 0 of it) of ((maximum of times generated of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it, records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it) of application event log
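The "Last Scan" and "Last Scan Result" properties select the newest "Scan Complete" record from the Application log and flatten its multi-line description. The following Python is an added example, not code from the bigfix.me analysis: it reproduces that selection over a handful of constructed log records (the Record class and the sample descriptions are stand-ins for real event log entries, and the descriptions are not copied from an actual SEP event) so the logic can be checked offline.

```python
"""Reproduce the 'Last Scan' and 'Last Scan Result' relevance over
constructed Application-log records (added example, not the analysis's code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Record:
    """Constructed stand-in for an Application event log record."""
    time_generated: datetime
    source: str
    description: str


# The relevance matches on both source and a substring of the description.
SCAN_SOURCE = "Symantec AntiVirus"
SCAN_MARKER = "Scan Complete"


def scan_complete_records(records: Sequence[Record]) -> List[Record]:
    """records whose (source of it = "Symantec AntiVirus" and
    description of it contains "Scan Complete")"""
    return [r for r in records
            if r.source == SCAN_SOURCE and SCAN_MARKER in r.description]


def last_scan(records: Sequence[Record]) -> Optional[datetime]:
    """'Last Scan': maximum of times generated of the matching records.
    Returns None when nothing matches, where the relevance yields no result."""
    matches = scan_complete_records(records)
    return max(r.time_generated for r in matches) if matches else None


def last_scan_result(records: Sequence[Record]) -> Optional[str]:
    """'Last Scan Result': description of the record whose time generated
    equals that maximum. The relevance joins the CRLF-separated substrings
    with `concatenation of`, i.e. with no separator, so that is mirrored here.
    If two records share the newest timestamp the relevance returns both;
    this returns the first."""
    newest = last_scan(records)
    if newest is None:
        return None
    for r in scan_complete_records(records):
        if r.time_generated == newest:
            return "".join(r.description.split("\r\n"))
    return None


# Constructed sample log: two completed scans, one unrelated SEP event,
# and one "Scan Complete" message from a different source that must not match.
SAMPLE_RECORDS = [
    Record(datetime(2014, 1, 10, 9, 0), SCAN_SOURCE,
           "Scan Complete: Risks: 0 Scanned: 12000\r\nOmitted: 0"),
    Record(datetime(2014, 1, 14, 22, 30), SCAN_SOURCE,
           "Scan started on selected drives and folders."),
    Record(datetime(2014, 1, 14, 23, 5), SCAN_SOURCE,
           "Scan Complete: Risks: 1 Scanned: 15210\r\nOmitted: 2"),
    Record(datetime(2014, 1, 15, 8, 0), "Some Other Scanner",
           "Scan Complete: nothing to do with SEP"),
]

if __name__ == "__main__":
    print(last_scan(SAMPLE_RECORDS))
    print(last_scan_result(SAMPLE_RECORDS))
```

If the joined text is hard to read in the console, the relevance can be changed from `concatenation of` to `concatenation " " of` (or another separator) to keep the fields apart; the join in last_scan_result would change in the same way.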
PolicyMode
Period 1 day
  * Results in a "string"/number
value "PolicyMode" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" of native registry
VDefs Date
Period 1 day
  * Results in a "string"/number
((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date as string) of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)
VDefs days old
Period 1 day
  * Results in a "string"/number
(current date - (((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date) of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string))) as string
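The three VDefs properties all hinge on the same trick: DEFWATCH_10 is a path whose last component is the definitions folder name in YYYYMMDD.NNN form, and the relevance rebuilds a date from it with substring (6,2) (day), substring (4,2) (month) and first 4 (year). The Python below is an added example, not code from the analysis; it applies that parsing to a constructed DEFWATCH_10 value, tries the two SharedDefs locations in the same order as the relevance (the dictionary is a stand-in for the registry, not a real registry read), and rejects a folder name that is not in the expected layout, which is the case where the relevance silently returns no result.

```python
"""Parse a SEP DEFWATCH_10 value the way the VDefs properties do
(added example, not the analysis's own code; registry data is constructed)."""
from datetime import date, datetime
from typing import Mapping, Optional

# SharedDefs locations named in the relevance, tried in the same order.
SHAREDDEFS_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs",  # SEP 12+
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs",  # SEP 11 and earlier
)


def defwatch_value(reg: Mapping[str, Mapping[str, str]]) -> Optional[str]:
    """Return DEFWATCH_10 from the first SharedDefs key present, mirroring the
    `if exists ... then ... else ...` in the relevance. `reg` is a constructed
    stand-in for the registry: key path -> {value name: data}."""
    for key in SHAREDDEFS_KEYS:
        values = reg.get(key)
        if values is not None and "DEFWATCH_10" in values:
            return values["DEFWATCH_10"]
    return None


def vdefs_version(defwatch: str) -> str:
    """'VDefs Version': following text of last "\\", e.g. '20140115.003'."""
    return defwatch.rsplit("\\", 1)[-1]


def vdefs_date(defwatch: str) -> date:
    """'VDefs Date': the folder name is YYYYMMDD.NNN. The relevance reads
    chars 6-7 as the day, 4-5 as the month and 0-3 as the year; strptime on
    the 8-digit prefix does the same with validation. A folder name outside
    that layout raises ValueError, where the relevance would give no result."""
    name = vdefs_version(defwatch)
    stamp = name.split(".", 1)[0]
    if len(stamp) != 8 or not stamp.isdigit():
        raise ValueError(f"unexpected definitions folder name: {name!r}")
    return datetime.strptime(stamp, "%Y%m%d").date()


def vdefs_days_old(defwatch: str, today: date) -> int:
    """'VDefs days old': current date minus the definitions date, in days."""
    return (today - vdefs_date(defwatch)).days


# Constructed sample: a SEP 12 client whose definitions date from 15 Jan 2014.
SAMPLE_REGISTRY = {
    SHAREDDEFS_KEYS[0]: {
        "DEFWATCH_10": r"C:\ProgramData\Symantec\Definitions\VirusDefs\20140115.003",
    },
}

if __name__ == "__main__":
    dw = defwatch_value(SAMPLE_REGISTRY)
    print(vdefs_version(dw), vdefs_date(dw), vdefs_days_old(dw, date(2014, 1, 20)))
```

On a real endpoint the only change is where the DEFWATCH_10 string comes from; the date arithmetic is identical, and a threshold on vdefs_days_old is the usual basis for an "out-of-date definitions" fixlet.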
folder location
Period 1 day
  * Results in a "string"/number (the InstallLocation path, not a true/false)
(value "InstallLocation" of key whose (value "DisplayName" of it as string contains "Symantec Endpoint Protection" AND value "DisplayVersion" of it as string as version >= "10.0.1" as version AND exists value "InstallLocation" of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry as string)
uninstall password set?
Period 1 day
  * Results in a true/false (the relevance only tests whether the SmcInstData value exists)
exists value whose (name of it is "SmcInstData") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of native registry

isWindows (Relevance 1172)
Used in 1152 fixlets and 538 analyses   * Results in a true/false
windows of operating system

Relevance 1363
Used in 1 analysis   * Results in a true/false
exists key whose (value "DisplayName" of it as string as lowercase contains "symantec endpoint protection" AND exists value "DisplayVersion" of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry


Comments
jgstew -
This is definitely out of date. I also would write the relevance differently today, but it is useful as a guide.
rdshift -
This needs some updating due to Symantec's registry location changes after 12.1.1100: https://support.symantec.com/en_US/article.HOWTO75109.html
jgstew -
I add the relevance 1363 to exclude machines that do not have SEP installed already because in my organization other AV are used in some cases other than SEP. I'm leaving that consideration for an SEP installer fixlet in a sense. If your organization is 100% SEP and you have an SEP installer fixlet, then any machine that is relevant to that would be missing SEP and need remediation there. By including only machines that already have SEP installed, I am simplifying the amount of error checking required by the relevance in the rest of this analysis. Your comment is exactly correct for any analysis for a piece of software that is "required" in your particular organization.
JasonWalker -
Wouldn't the Relevance 1363 in this analysis prevent this from being relevant on any system that does not have Symantec Endpoint Protection installed? I expect we'd want to see that too, with the appropriate "none" entries as in SEP Client Version property.