Endpoint Protection


How to view scan details for SEP 11 RU6 for MAC


  • 1.  How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 12, 2010 04:32 PM

    I have a few MAC clients managed in my SEP RU6 console.  They run scans when they are supposed to, but nowhere on the MAC client or the SEPM itself can I tell the number of files scanned, the scan duration or the time the scan completed.  Is this information even available for the MAC clients?  Is this all of the information I can even see for the MAC side of the SEP client?  This is what I see:



  • 2.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 12, 2010 04:40 PM

    scan completed on this box?



  • 3.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 07:47 AM

    I think this is what you are looking for..

    http://www.symantec.com/business/support/index?page=content&id=TECH92772&locale=en_US

    The syntax to use the navx command line tool within the Terminal in Mac OS X is as follows:

    navx [OPTION]...[FILE]...

    At its most simple, you can use navx along with a path to the file or folder you wish to scan at the command line. There are also a handful of command line options you can use:

    -a (report all files scanned)

    -c (scan inside compressed files)

    -h (report files that were inaccessible for scanning)

    -Q (quarantine files that can't be repaired)

    -r (do not repair infected files [invalidates -Q])

    -v (display the version number)

    -o file (append output to file)

    Sample usage: to scan files on the Administrator's desktop, report all these files and send the output to a file called report.txt:

    navx -a -o report.txt /Users/Administrator/Desktop



  • 4.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 08:40 AM

    @Rafeeq, yes, this client finished the scan the day before I viewed these scan details.

    @Prachand, While this is nice to know if I need to initiate a scan from the client, I will be issuing on demand scans from the SEPM to these MAC clients in addition to them running their weekly scheduled scans.  I need to be able to view scan details from those scans.  I appreciate your suggestion, but it won't help in my particular situation.



  • 5.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 08:42 AM

    What happens when you go to:

    Monitors

    Logs

    Change Log type to Scan

    Click Advanced Settings

    Filter by either IP address or Computer and click View Log

    I would hope you would get all the info you need here as I know you would for Windows clients. But I don't have Mac clients on my network so I'm just taking a shot here.



  • 6.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 09:24 AM

    When you perform those steps, you get the line item for the PC that ran the scan and when you click on Details, you get the window in the image I posted above.



  • 7.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 09:44 AM

    So you don't see the below when in the scan log for mac clients:

     

     



  • 8.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 09:54 AM

    Well that makes no sense, I've got to believe there has to be some way to see that info for Macs.

    I know you can enable debug logging on the client to show you every file scanned but it's not exactly readable-friendly.



  • 9.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 14, 2010 09:59 AM

    This is what I have



  • 10.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 15, 2010 03:10 PM

    Agreed.  And that can't be the method to view scan results for 200 clients.

    Sandra G, if you're out there, do you know how to obtain this information?



  • 11.  RE: How to view scan details for SEP 11 RU6 for MAC
    Best Answer

    Posted Oct 18, 2010 05:48 PM

    Hey, sorry, was away / on stay-cation.

    Unfortunately... I see the same information on my own installation.   This is the only information available in reporting right now, and I think it has to do with the fact that there is really no scan log in SEP for Mac that parallels the similar scan log for the PC.

    I wrote up this Idea -- please vote it up.

    Scan results displayed for SEP for Mac clients in SEPM's Reporting needs expansion

    Wish I had better news to report.

    sandra



  • 12.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 19, 2010 01:42 PM

    Ok.  Thanks for looking into this.  Is there any way to view scan details from the client itself if I can't do it from the SEPM?



  • 13.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Oct 20, 2010 11:14 AM

    As far as number of files scanned, etc?  Not really, unfortunately, not in a log that SEP generates.

    There is some information in the SEP GUI under Tools > View History, regarding detections made.

    There are two additional areas you can check in the OS.  Unfortunately, I can't promise you'll find anything there.

    1- Messages in Console / All Messages.  When a scan launches an entry is written that will include something like "NVsi", looking something like this:

    May  2 10:50:01 sandra -n[1798]: Try #0, for     , result = 0
    May  2 10:50:01 sandra -n[1798]: launch for id = 1      event = NVsi result = 0

    I have in the past seen entries written if there was a problem or detection made.  I'll paste in some text from a test I did once, as an example:

    Scanning...
    Archive: /Users/sandra/Desktop/eicarcom2.zip
    Compressed File: eicar.com
    Scan Result: 1 Infection
    Virus Name: EICAR Test String
    Repair Attempted: Yes
    Repair Result: Deleted
    Scanning...
    File: /Users/sandra/Desktop/eicarcom2.zip
    Scan Result: Contains infected files
    Repair Attempted: N/A
    Repair Result: All contained files fixed
    
    Scan results:
    1 file encountered.
    1 file accessible for scanning.
    1 archive scanned.
    1 archive containing infected files.
    1 fully repaired archive.
        2 files inside of archives encountered.
        2 files inside of archives examined.
        1 file inside of archives infected.
    Scan started : Fri May  2 10:51:26 2008
    Scan finished: Fri May  2 10:51:27 2008 

    You'll note the date on that is fairly old.  This was from SAV for Mac.  I have not actually had to delve into this since that time.

    2- Since a scheduled scan is essentially a cron job, I have noticed in the past that going into Mail (opening Terminal, typing in the word mail) would show cron-generated mail messages to the local machine with scan results.  I became aware of this when a customer complained about emails being sent from Symantec Scheduler, and this was because their username @ machinename was the same as their domain email address (again, it was a cron thing, not a Symantec Scheduler thing).  However, I have not seen these in some time either.  I don't know if this is due to a change in OS or SEP.

    Hope this helps...

    sandra
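
The report text quoted in the post above can be reduced to the figures the original question asks for: file counts, detections, start and finish time, and duration. This is an added example, not part of the original post or of any Symantec tool. It assumes a report saved with `navx -a -o report.txt` uses the same layout as the SAV for Mac text quoted above; `parse_scan_report` and `SAMPLE_REPORT` are names made up here.

```python
import re
from datetime import datetime

# Constructed sample, abbreviated from the report layout quoted in the post above.
SAMPLE_REPORT = """\
Scanning...
Archive: /Users/sandra/Desktop/eicarcom2.zip
Compressed File: eicar.com
Scan Result: 1 Infection
Virus Name: EICAR Test String
Repair Result: Deleted

Scan results:
1 file encountered.
1 archive scanned.
    2 files inside of archives encountered.
    1 file inside of archives infected.
Scan started : Fri May  2 10:51:26 2008
Scan finished: Fri May  2 10:51:27 2008
"""

COUNT_RE = re.compile(r"^(\d+)\s+(.+?)\.$")                    # "<n> <label>."
TIME_RE = re.compile(r"^Scan (started|finished)\s*:\s*(.+)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"                              # e.g. Fri May  2 10:51:26 2008

def parse_scan_report(text):
    """Return counters, detections and timing found in one scan report."""
    report = {"counts": {}, "detections": [], "started": None,
              "finished": None, "duration_seconds": None}
    in_totals = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Scan results:":
            in_totals = True                # counters only appear after this header
            continue
        when = TIME_RE.match(line)
        if when:
            report[when.group(1)] = datetime.strptime(when.group(2), TIME_FMT)
            continue
        count = COUNT_RE.match(line) if in_totals else None
        if count:
            # "1 file ..." and "2 files ..." should land under the same key
            key = re.sub(r"^(file|archive)s?\b", r"\1s", count.group(2))
            report["counts"][key] = int(count.group(1))
        elif line.startswith("Virus Name:"):
            report["detections"].append(line.split(":", 1)[1].strip())
    if report["started"] and report["finished"]:   # a truncated report leaves duration as None
        report["duration_seconds"] = (report["finished"] - report["started"]).total_seconds()
    return report
```

Run over reports collected from each Mac (for example with `parse_scan_report(open("report.txt").read())`), this gives per-client scan details outside the SEPM console.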



  • 14.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Dec 02, 2010 05:30 PM

    Hi,

    (On a semi-related note) Regarding the View History window in the client. Where is the data displayed in the View History window stored? I thought it might be in the CAVMan.log file, but that didn't work. Basically, I have 50+ Macs that are throwing false positives because of a History that was copied during the imaging process. I was hoping to clear the history remotely instead of reimaging all the machines. Any and all ideas are greatly appreciated!



  • 15.  RE: How to view scan details for SEP 11 RU6 for MAC

    Posted Dec 02, 2010 06:14 PM

    I'm not aware of any log that this info is written to, but I don't think you need anything as drastic as a reimage.  Removing and reinstalling should take care of that history file.  There's an uninstaller included in the SEP_MAC folder, but this Terminal script will work too.

    Removing Symantec programs for Macintosh by using the RemoveSymantecMacFiles removal utility
    http://www.symantec.com/docs/TECH103489

    Then to prepare a master image:

    Deploying Symantec Endpoint Protection for Macintosh as part of a drive image
    http://www.symantec.com/docs/TECH134676

    sandra