Endpoint Protection


Script to pull virus definition update from clients.


  • 1.  Script to pull virus definition update from clients.

    Posted Jan 10, 2012 05:00 AM

    Hi,

    Can anyone help me to prepare a script to pull the virus dat information from my clients? Currently I have a very big setup of almost 2000 servers; all are running SEP 11 and a few are running SAV 10. So it's not possible to validate the virus update every day on all machines without getting a report generated of which machines have not been updated with the latest dat or virus definitions.

    I have a script which pulls the info about SAV 10 but can't pull the info of the clients which were recently upgraded to SEP 11. Any help would be appreciated.

    Thanks!

    Deb.



  • 2.  RE: Script to pull virus definition update from clients.

    Broadcom Employee
    Posted Jan 10, 2012 05:18 AM

    Doesn't the computer status report from SEPM help to collect the required information?



  • 3.  RE: Script to pull virus definition update from clients.

    Trusted Advisor
    Posted Jan 10, 2012 05:29 AM

    Hello,

    Why create a special script for SEP 11 and SAV 10??

    Why not fetch a log from the SEPM 11.0?

    Check these articles:

    About log types

    About Computer Status reports and logs

    About legacy SAV 10 client logs, you can check these articles below:

    How to configure Symantec Endpoint Protection Manager to receive SAV 10.x logs

    Transfer historical log data from SAV 10.1 to Endpoint Protection Manager

    Log data from legacy clients

    Hope that helps!!


  • 4.  RE: Script to pull virus definition update from clients.

    Posted Jan 10, 2012 07:02 AM

    I understand your concern, but it is not possible for me to log into individual machines every day and check for the definition, as the machine list is huge.

    So if I get a script in place, it will probably do my job on all servers, and for those which have failed to update, I can take a look at them and fix them.

    Hope you all understand the situation.

    Thanks.



  • 5.  RE: Script to pull virus definition update from clients.

    Trusted Advisor
    Posted Jan 10, 2012 07:05 AM

    Hello,

    I believe you haven't read the above comment properly.

    I suggested that you fetch the logs from the Symantec Endpoint Protection Manager (console), which would fetch all the logs for you, and you would not have to visit the SEP / SAV machines at all.



  • 6.  RE: Script to pull virus definition update from clients.

    Posted Jan 10, 2012 07:55 AM

    Our security guys have access to SEPM console but not me.

    However, as a proactive measure, I need to start monitoring all my servers, as very recently we experienced a virus in one of our machines, which needed a step forward from my end.



  • 7.  RE: Script to pull virus definition update from clients.

    Posted Jan 10, 2012 11:18 AM

    If you have access to the SEPM database and IIS, you can use the SEP Content Distribution Monitor tool to get some information about clients. This includes clients which are not up-to-date. However, it's necessary to reconfigure the SEPM IIS settings for this. Here is the link:

    https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor

    If you don't have access or the tool doesn't fit your needs, you could search for the content cache files on the clients. By default, every SEP client saves 3 content cache files. The folders for the AV/AS content look like this (since SEP 11 MR2):

    %COMMONPROGRAMFILES%\Symantec Shared\VirusDefs\YYYYMMDD.NNN (32-bit)

    %COMMONPROGRAMFILES(x86)%\Symantec Shared\VirusDefs\YYYYMMDD.NNN (64-bit)

    NNN = content revision number

    Your script has to collect the content folder names (YYYYMMDD.NNN) and pick the youngest of the three (if your clients are saving three revisions) for every single SEP client.

    Just an idea, I am sure there are more elegant ways (registry?).

    See this KB document for content cache directories:

    http://www.symantec.com/docs/TECH106034



  • 8.  RE: Script to pull virus definition update from clients.

    Trusted Advisor
    Posted Jan 11, 2012 04:17 AM


  • 9.  RE: Script to pull virus definition update from clients.

    Posted Jan 11, 2012 02:34 PM

    He he, nice to see Spiceworks gets a mention here.



  • 10.  RE: Script to pull virus definition update from clients.

    Posted Jan 11, 2012 02:39 PM

    Why have you not got access when this is part of your responsibilities? Is this not similar to telling you to hammer in these nails and then not being given a hammer? Surely you should have the tools to do your job?

    Your security team should be able to set you up as a Limited Admin with reporting rights. You won't be able to see any of the admin stuff or change policies. Admittedly, the security settings could be more fine-grained and support groups.



  • 11.  RE: Script to pull virus definition update from clients.

    Posted Jan 11, 2012 02:57 PM

    I'd have to disagree with greg12 on using the content cache folders. Mainly because it doesn't tell you which files are currently used, but also because you can have multiple versions there, including some really old ones that never got cleaned up.

    Ideally, your method for SEP v11 should be similar to your script for SAV v10. You have not mentioned the method this script employs. Do you read GRC.DAT or DEFINFO.DAT or any other method?

    "Just an idea, I am sure there are more elegant ways (registry?)."

    Now we're talking. Have a look at this: https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks

    You are looking for the last 12 characters of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\DEFWATCH_10

    or you could convert HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileData

    and HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileRevision

    Then you also need IPS versions:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs\cndcIps

    It's also always good to see that NTP is enabled via HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status
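A script along the lines of posts 7 and 11, added here as an example and not code from the thread: it reads DEFWATCH_10 over the remote registry and, if that value is absent, falls back to the newest YYYYMMDD.NNN folder in the VirusDefs cache. It assumes the Remote Registry service and the C$ admin share are reachable from where you run it, and that the DEFWATCH_10 value ends in the YYYYMMDD.NNN token as post 11 states; the function names and the $MaxAgeDays threshold are this example's own, not anything from SEP.

```powershell
# Added example, not code from the thread. Reports the SEP 11 definition set on each host.
param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxAgeDays = 2)

# Pulls the trailing YYYYMMDD.NNN token out of a DEFWATCH_10 value (its last 12 characters)
function Get-DefToken {
    param([string]$Text)
    if ($Text -match '\d{8}\.\d{3}$') { return $Matches[0] }
    return $null
}

function Get-SepDefinitionInfo {
    param([string]$Computer)
    $result = @{ Computer = $Computer; Defs = $null; Source = $null; AgeDays = $null; Stale = $null; Error = $null }
    try {
        # Registry path from post 11; Wow6432Node is checked because SEP 11 is 32-bit on x64 hosts (assumption)
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        foreach ($path in 'SOFTWARE\Symantec\SharedDefs', 'SOFTWARE\Wow6432Node\Symantec\SharedDefs') {
            $key = $hklm.OpenSubKey($path)
            if ($key) {
                $token = Get-DefToken ([string]$key.GetValue('DEFWATCH_10'))
                if ($token) { $result.Defs = $token; $result.Source = 'registry'; break }
            }
        }
        if (-not $result.Defs) {
            # Fallback from post 7: newest YYYYMMDD.NNN folder in the content cache, via the admin share.
            # Fixed-width names sort correctly as strings, so the first descending entry is the newest.
            foreach ($dir in "\\$Computer\C$\Program Files\Common Files\Symantec Shared\VirusDefs",
                             "\\$Computer\C$\Program Files (x86)\Common Files\Symantec Shared\VirusDefs") {
                if (Test-Path $dir) {
                    $newest = Get-ChildItem $dir |
                              Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{8}\.\d{3}$' } |
                              Sort-Object Name -Descending | Select-Object -First 1
                    if ($newest) { $result.Defs = $newest.Name; $result.Source = 'cache folder'; break }
                }
            }
        }
    } catch { $result.Error = $_.Exception.Message }
    if ($result.Defs) {
        # Age is judged against the clock of the machine running this script, so keep NTP healthy (post 11)
        $defDate = [datetime]::ParseExact($result.Defs.Substring(0, 8), 'yyyyMMdd', $null)
        $result.AgeDays = (Get-Date).Subtract($defDate).Days
        $result.Stale = $result.AgeDays -gt $MaxAgeDays
    }
    New-Object PSObject -Property $result | Select-Object Computer, Defs, Source, AgeDays, Stale, Error
}

# One row per host; pipe to Export-Csv instead of Format-Table to keep a daily report
$ComputerName | ForEach-Object { Get-SepDefinitionInfo $_ } | Format-Table -AutoSize
```

Hosts with Stale set to True, or with an Error and no Defs, are the ones to follow up on; the cache-folder fallback only shows what is on disk, not what the client has loaded, which is the caveat raised at the top of post 11.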



  • 12.  RE: Script to pull virus definition update from clients.

    Posted Jan 12, 2012 04:56 AM

    You're right, that's a far better approach.



  • 13.  RE: Script to pull virus definition update from clients.

    Posted Apr 10, 2012 12:15 PM

    Hi...

    Actually I am looking for a SCOM Management Pack through which we will have various options to monitor SAV. So it would be really helpful if someone could provide me the information on my requirement, or else any script.

    Thanks!!



  • 14.  RE: Script to pull virus definition update from clients.

    Posted Apr 10, 2012 04:05 PM