Analysis that Displays the Name of Symantec Endpoint Protection

I have Symantec Endpoint Protection installed on some of the endpoints. I need an analysis that shows that Symantec Endpoint Protection is installed. I have the below analysis that is true. How do I change this so that when true it displays Symantec Endpoint Protection? Or is there a better way, as I need to show the Application Name and not that it exists.

exists keys whose (exists value "DisplayName" whose (it as string as lowercase contains "symantec endpoint protection" ) of it) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries;x32 registries)

Depending on what exactly you are trying to achieve, there are many different approaches, but if you only want to return ‘Symantec Endpoint Protection’ if the above relevance returns True, then you can use an if statement such as:

if (exists keys whose (exists value "DisplayName" whose (it as string as lowercase contains "symantec endpoint protection" ) of it) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries;x32 registries)) then "Symantec Endpoint Protection" else ""

Note also that you might be able to achieve the desired result with existing analyses within the ‘Client Manager for Endpoint Protection’ site (which can return additional information such as the version, whether or not it’s running, and virus definition version).

Thanks Aram for the quick response and yes that solved the requirement. I did look at the Client Manager for Endpoint Protection but it does not provide the product name in the analysis and tasks.

How about checking if it's actually running… Here is a portion I use of an analysis I use to check for many flavours of AV…
It's a tad messy but it works for me…

if (exists running service whose (service name of it = "SepMasterService")) then "Symantec" else if (exists running service whose (service name of it = "Symantec AntiVirus")) then "Symantec"

Thanks Pete for the additional option as that was another way that this could have been accomplished.

I have an old analysis here: https://bigfix.me/analysis/details/2994621

@hansen_m has a Mac one here: https://bigfix.me/analysis/details/2998184
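
The two approaches in this thread can be combined into one property. The following is an added example, not code from any of the posters: it returns the DisplayName actually stored in the registry instead of a hard-coded string, together with the version and whether the service is running. The use of the standard "DisplayVersion" uninstall value and the literal strings "unknown", "running" and "not running" are assumptions of this example.

```relevance
(
  value "DisplayName" of it as string,
  (if (exists value "DisplayVersion" of it)
     then (value "DisplayVersion" of it as string)
     else "unknown"),
  (if (exists running service whose (service name of it = "SepMasterService"))
     then "running"
     else "not running")
)
of keys whose (
  exists value "DisplayName" whose (it as string as lowercase contains "symantec endpoint protection") of it
)
of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
of (x64 registries; x32 registries)
```

Because the expression is plural, an endpoint with no matching uninstall key returns no result rather than an error, and an endpoint with entries in both registry views returns one row per entry.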