Symantec Endpoint Protection oddity

(imported topic written by Tim.Rice)

I’d be thrilled if someone who’s been using SEP for a while can tell me I’m off my rocker on this one. It involves Symantec Endpoint Protection and trying to use BigFix/IEM/TEM to query a registry key.

I have two computers, both running Win7. One of them is 32bit and the other is 64bit. TEM Clients are both 9.0.586.0

Also, on both machines is Symantec Endpoint Protection 12.1. Here’s where I’m getting confused.

On BOTH computers, I can open RegEdit and navigate to “HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink” and see the Values kept there. Same path on both machines.

On the 32bit computer, using QnA, I get the following …

Q: Exists Key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink” of Registry

A: True

T: 0.084 ms

On the 64bit computer, the same query (I saved it on the 32bit and opened it on the 64bit system to make sure there were no typos) returns FALSE.

To get a return of TRUE on the 64bit system I have to revert to the OF NATIVE REGISTRY style of the relevance. I even tried “walking” down the Registry to the Key. Everything returns TRUE until I get down to the “SYLINK” key.

I don’t mind using the OF NATIVE REGISTRY clause, but things have worked pretty well up to now with 64bit queries without it. And why the break after SMC in the SYLINK key?

Does Symantec do something funky with the 64bit Registry?

(imported comment written by BrianPGreen)

I suspect that SEP runs as a 64-bit app on 64-bit Windows, and so writes to HKLM\Software\Symantec. However, the TEM client runs as a 32-bit app, so by default when it looks at HKLM\Software\Symantec, it will instead be redirected by Windows to HKLM\Software\Wow6432Node\Symantec.

I’m not sure I can explain the behavior of what you’re seeing with the SYLINK key. Is it possible that part of the Symantec registry hive is duplicated in HKLM\Software\Wow6432Node?

There are a couple of synonyms to ‘registry’ that can control what the client will do. Using ‘of registry’ will access whatever registry Windows gives us. Since the client runs as a 32-bit app, this currently means that it will access stuff in Wow6432Node when Windows redirects it there. Using ‘of native registry’ will access the 32-bit registry on 32-bit Windows machines, and the 64-bit registry on 64-bit Windows machines. Using ‘of x32 registry’ will always access the 32-bit registry, and using ‘of x64 registry’ will always access the 64-bit registry. It sounds like in your case using ‘of native registry’ is best, as you discovered.
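The WoW64 redirection described in the comment above can be checked outside of BigFix. The following PowerShell is an added example, not code from the original thread or from BigFix; it opens HKLM explicitly in the 32-bit and 64-bit registry views (the same split the ‘of x32 registry’ / ‘of x64 registry’ synonyms expose) and walks the SyLink path one component at a time, as the original poster did, so you can see exactly where the two views diverge. The key path is the one from the post; the function names are this example's own.

```powershell
# Added example: report whether a subkey under HKLM exists in the 32-bit view
# (what a 32-bit process such as the TEM client is redirected to on 64-bit
# Windows) and in the 64-bit view (what a 64-bit app like SEP writes to).
function Test-RegistryKeyInViews {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SubKey   # path under HKLM, e.g. 'SOFTWARE\Symantec\...'
    )
    $result = [ordered]@{}
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry32,
                      [Microsoft.Win32.RegistryView]::Registry64) {
        $base = $null; $key = $null
        try {
            # OpenBaseKey with an explicit RegistryView bypasses WoW64 redirection
            # for this handle, regardless of whether PowerShell itself is 32- or 64-bit.
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
            $key  = $base.OpenSubKey($SubKey)   # $null when the key does not exist
            $result["$view"] = ($null -ne $key)
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
    # Where a 32-bit process reading HKLM\SOFTWARE\... actually lands on 64-bit Windows.
    $result['Wow6432NodePath'] = ($SubKey -replace '^SOFTWARE\\', 'SOFTWARE\Wow6432Node\')
    $result['ProcessIs64Bit']  = [Environment]::Is64BitProcess
    $result['OSIs64Bit']       = [Environment]::Is64BitOperatingSystem
    [pscustomobject]$result
}

# Walk the path one component at a time and show both views side by side,
# reproducing the "everything is TRUE until SYLINK" observation from the post.
function Trace-RegistryKeyViews {
    param([Parameter(Mandatory = $true)][string]$SubKey)
    $parts = $SubKey -split '\\'
    for ($i = 1; $i -le $parts.Count; $i++) {
        $partial = ($parts[0..($i - 1)]) -join '\'
        $r = Test-RegistryKeyInViews -SubKey $partial
        [pscustomobject]@{
            Key         = $partial
            In32BitView = $r.Registry32   # what 'of x32 registry' would see
            In64BitView = $r.Registry64   # what 'of x64 registry' would see
        }
    }
}

# Key path taken from the original post.
Trace-RegistryKeyViews -SubKey 'SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink' |
    Format-Table -AutoSize
```

On the 64-bit machine the expectation, if the comment's explanation is right, is that the parent keys show up in both columns (Symantec ships both 32-bit and 64-bit components, so part of the tree is mirrored under Wow6432Node) and only the SYLINK\SyLink leaf is present in the 64-bit view, which is why the plain ‘of registry’ query from a 32-bit client returns False and ‘of native registry’ returns True. Note that RegEdit on 64-bit Windows is itself a 64-bit process, so it shows the 64-bit view by default; that is why the key looked identical on both machines when browsed by hand.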