Symantec Endpoint Protection Info - Windows - superseded

Versioning - This is an older version.

1  Symantec Endpoint Protection Info - Windows  12/5/2012 9:47:22 AM
2  Symantec Endpoint Protection Info - Windows  1/15/2014 8:28:05 AM

Description

<enter a description of the analysis here>

Property Details

ID: 56
Title: Symantec Endpoint Protection Info - Windows
Domain: BESC
Keywords: AntiVirus, AV
Added by on 12/5/2012 9:47:22 AM
Last Modified by on 12/5/2012 9:47:22 AM
Counters: 8349 Views / 16 Downloads

Properties

SEP Client Version
Period: 2 days
  * Results in a "string"/number
(if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it) whose (exists value "ProductVersion" of it) then ( value "ProductVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of it as string) else "<none>") of native registry
SEP Def Version
Period: 1 day
  * Results in a "string"/number
following text of last "\" of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)
SEP Last Scan
Period: 1 day
  * Results in a "string"/number
maximum of times generated of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of (application event log)
SEP Last Scan Result
Period: 1 day
  * Results in a "string"/number
(concatenation of substrings separated by "%0d%0a" of descriptions of it) of items 1 of it whose (time generated of items 1 of it = item 0 of it) of ((maximum of times generated of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it, records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it) of application event log
SEP PolicyMode
Period: 1 hour
  * Results in a "string"/number
value "PolicyMode" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" of native registry
SEP Def Date
Period: 1 day
  * Results in a "string"/number
((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date as string) of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)
SEP def days old
Period: 1 day
  * Results in a "string"/number
(current date - (((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date) of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string))) as string
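Worked example, added here and not part of the analysis above or of BigFix itself: the "SEP Def Version", "SEP Def Date" and "SEP def days old" properties all derive from the folder name at the end of the DEFWATCH_10 value (substring (6,2) is the day, substring (4,2) the month, first 4 the year), after choosing between the two SharedDefs keys. The Python below reproduces that logic so the parsing can be checked offline. The registry is stood in for by a plain dict, the DEFWATCH_10 path and the dates are constructed sample values, and the "<none>" result for a missing value is borrowed from the SEP Client Version property (the Def Version relevance as written would error instead).

```python
"""Offline reproduction of the SEP definition-date properties (added example)."""
from datetime import date, datetime

# The two SharedDefs locations the analysis checks, in the same order the
# relevance tries them (CurrentVersion first, then the older location).
SHAREDDEFS_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs",
)

# Constructed stand-in for the registry: {key_path: {value_name: data}}.
# The VirusDefs path is a made-up sample, not a captured real value.
SAMPLE_REGISTRY = {
    SHAREDDEFS_KEYS[1]: {
        "DEFWATCH_10": r"C:\ProgramData\Symantec\Definitions\VirusDefs\20140115.003",
    },
}


def defwatch_value(registry):
    """Mirror 'if exists key A then key A else key B' and read DEFWATCH_10.

    Returns None when neither key (or the value) is present; the relevance
    on the page would raise an error in that situation.
    """
    for key in SHAREDDEFS_KEYS:
        if key in registry:
            return registry[key].get("DEFWATCH_10")
    return None


def def_version(defwatch):
    """'following text of last "\\"' -> the definition folder, e.g. 20140115.003."""
    if defwatch is None:
        return "<none>"  # convention taken from the SEP Client Version property
    return defwatch.rsplit("\\", 1)[-1]


def def_date(defwatch):
    """Rebuild the date the way the relevance does: DD + Mon + YYYY -> date.

    Returns None if the folder name does not start with 8 digits or does not
    form a valid calendar date (the relevance would error on such input).
    """
    name = def_version(defwatch)
    if len(name) < 8 or not name[:8].isdigit():
        return None
    day, month, year = name[6:8], name[4:6], name[:4]
    try:
        return datetime.strptime(f"{day}{month}{year}", "%d%m%Y").date()
    except ValueError:
        return None


def def_days_old(defwatch, today):
    """'current date - <def date>' in whole days, or None if undeterminable."""
    d = def_date(defwatch)
    return None if d is None else (today - d).days


def evaluate(registry, today):
    """Return the three property results as the analysis would display them."""
    dw = defwatch_value(registry)
    d = def_date(dw)
    age = def_days_old(dw, today)
    return {
        "SEP Def Version": def_version(dw),
        "SEP Def Date": d.isoformat() if d else "<none>",
        "SEP def days old": str(age) if age is not None else "<none>",
    }


if __name__ == "__main__":
    # Constructed "today" so the output is reproducible.
    for name, result in evaluate(SAMPLE_REGISTRY, date(2014, 1, 25)).items():
        print(f"{name}: {result}")
```

A practical check this exposes: a folder name that is not eight leading digits (or an absent key) yields "<none>" here, whereas the relevance on the page throws an error for that client, which in BigFix shows up as a missing result rather than an obviously stale definition age. Treating the error case explicitly, as rdshift's note about the post-12.1.1100 registry move suggests, keeps such machines visible in the report.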

Relevance

isWindows (Relevance 1172)
Used in 1155 fixlets and 538 analyses   * Results in a true/false
windows of operating system

Used in 1 analysis   * Results in a true/false
exists key whose (value "DisplayName" of it as string as lowercase contains "Symantec Endpoint Protection" as lowercase AND exists value "DisplayVersion" of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

Comments

jgstew -
This is definitely out of date. I also would write the relevance differently today, but it is useful as a guide.
rdshift -
This needs some updating due to Symantec's registry location changes after 12.1.1100: https://support.symantec.com/en_US/article.HOWTO75109.html
jgstew -
I add the relevance 1363 to exclude machines that do not have SEP installed already because in my organization other AV are used in some cases other than SEP. I'm leaving that consideration for an SEP installer fixlet in a sense. If your organization is 100% SEP and you have an SEP installer fixlet, then any machine that is relevant to that would be missing SEP and need remediation there. By including only machines that already have SEP installed, I am simplifying the amount of error checking required by the relevance in the rest of this analysis. Your comment is exactly correct for any analysis for a piece of software that is "required" in your particular organization.
JasonWalker -
Wouldn't the Relevance 1363 in this analysis prevent this from being relevant on any system that does not have Symantec Endpoint Protection installed? I expect we'd want to see that too, with the appropriate "none" entries as in SEP Client Version property.