Symantec Endpoint protection service status

(imported topic written by kaushalw91)

Hi,

I have Symantec Endpoint installed on some systems; this is an upgrade from Symantec AntiVirus Corporate Edition. BigFix displays the version of the antivirus in the console properly, but it is not accurately detecting the service state for Symantec Endpoint, whether it is stopped or running. I created a custom analysis for Symantec Endpoint:

if (exists service "Symantec Endpoint Protection") then (state of service "Symantec Endpoint Protection")
else (if (exists service "norton antivirus client") then (state of service "norton antivirus client")
else (if (exists service "symantec antivirus server") then (state of service "symantec antivirus server")
else (if (exists service "symantec antivirus client") then (state of service "symantec antivirus client")
else (if (exists service "symantec antivirus") then
    (if (state of service "Symantec AntiVirus" = "Running" AND exists running application "rtvscan.exe" whose (version of it >= "11" as version)) then
        (if ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" whose (value "OnOff" of it = 0) of registry)
            OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan" whose (value "OnOff" of it = 0) of registry))
         then "Stopped" else "Running")
    else state of service "Symantec Antivirus")
else (if (exists service "navapsvc") then (state of service "navapsvc") else "")))))

There are systems running with the Symantec Endpoint Protection service, and it shows "stopped" in the console. I hope everything is fine with the above-mentioned relevance.

(imported comment written by Danny_Leung91)

Hi kaushalw,

Can you please tell us which analysis and site is not correctly reporting the service state of Symantec EP? We would like to fix it if it gives inconsistent results.

Also, can you please clarify the relevance you included: are you suggesting that the relevance statement correctly reflects SEP's running state, or are you having difficulty getting that relevance to work correctly?

Thanks,

Danny

(imported comment written by kaushalw91)

The above relevance works fine, but the results are not accurate. There are some systems where Symantec Endpoint is stopped, but according to the relevance it still shows "Running".

(imported comment written by kaushalw91)

Anyone to help me?

(imported comment written by jessewk)

Hi kaushalw,

When you say the endpoint incorrectly shows "running", is that what you see in the console, or is that what you see in the relevance debugger?

If you're looking in the console, can you try running the query in the relevance debugger on the problematic machine and see what it says?

If not, check back and we can try some other things.

Jesse

(imported comment written by kaushalw91)

I had checked in the Relevance Debugger prior to customising it. It works fine in the Relevance Debugger on my system. When I created a custom analysis and activated it, on some systems it reflects inaccurate results. How do I install the relevance debugger on another system to check the relevance?

Thanks,

Kaushal

(imported comment written by jessewk)

You'll need to open a terminal session to the system where you are getting incorrect results and download the relevance debugger directly to the box.

You can get the relevance debugger here: http://support.bigfix.com/fixlet/

(imported comment written by kaushalw91)

Thanks. I checked and found a problem with the relevance. The registry setting indicates the service is off. I want to modify the relevance to check the service and the state of the service:

  1. Check for the "Symantec Endpoint Protection" service; if installed, report the state of the service (started or stopped)

  2. If not installed, it should report "Not installed"

Can you help me in coding the relevance? I don't want to check the registry for the status of the service.

Thanks,

Kaushal

(imported comment written by Danny_Leung91)

The relevance statement you posted appears to be from the following:

Site: Client Manager for AntiVirus

Analysis: Symantec AntiVirus - Client Information - Windows NT/2000/XP/2003/Vista

Property: Symantec AntiVirus Client Service Status

After testing the relevance, we confirm the behavior is consistent with that of the SEP 11 client console. The registry settings you refer to reflect the 'File System Auto-Protect' and 'Internet Email Auto-Protect' features that are part of the 'Antivirus and Antispyware Protection' settings available from the SEP client console.

Through our investigation, excluding the registry settings from the check will give a false report of SEP's 'Antivirus and Antispyware Protection' status. We found three components that affect the status (as presented in the SEP client console):

- Symantec Endpoint Protection: Windows system service

- File System Auto-Protect: registry setting

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

"OnOff"=dword:00000000

- Internet Email Auto-Protect: registry setting

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan

"OnOff"=dword:00000001

If any of the mentioned settings are disabled, 'Antivirus and Antispyware Protection' is reported as 'Off' in the SEP client console.

We intend to keep the analysis relevance as is and recommend using it to provide a status check consistent with SEP. However, if you would still like to report only the status of the Symantec Endpoint Protection Windows system service, then you can simply remove the registry check. Please try the following relevance:

if (exists service "norton antivirus server") then (state of service "norton antivirus server")
else (if (exists service "norton antivirus client") then (state of service "norton antivirus client")
else (if (exists service "symantec antivirus server") then (state of service "symantec antivirus server")
else (if (exists service "symantec antivirus client") then (state of service "symantec antivirus client")
else (if (exists service "symantec antivirus") then
    (if (state of service "Symantec AntiVirus" = "Running" AND exists running application "rtvscan.exe" whose (version of it >= "11" as version)) then ("Running")
    else state of service "Symantec Antivirus")
else (if (exists service "navapsvc") then (state of service "navapsvc") else "")))))
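As an added example, not taken from this thread or from the Client Manager for AntiVirus site, here is the Symantec Endpoint Protection branch written out on its own. It returns the "Not installed" result kaushalw91 asked for when the service is absent, reports the raw service state when the service is not running, and, where the service is running, goes one step beyond the thread by naming which Auto-Protect setting is off instead of collapsing both cases into "Stopped". It assumes only the service name and the two registry keys exactly as quoted in this thread; the result strings in parentheses are my own labels, not SEP console text.

```relevance
if (exists service "Symantec Endpoint Protection") then (
    if (state of service "Symantec Endpoint Protection" != "Running") then (state of service "Symantec Endpoint Protection")
    else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" whose (value "OnOff" of it = 0) of registry) then "Running (File System Auto-Protect off)"
    else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan" whose (value "OnOff" of it = 0) of registry) then "Running (Internet Email Auto-Protect off)"
    else "Running"
) else "Not installed"
```

Deleting the two `else if` lines that read the registry gives the service-only status described in the reply above, at the cost of reporting "Running" on a machine whose SEP console shows protection as Off. Because the thread shows the same relevance evaluating differently on different machines, run it in the relevance debugger on one of the machines that reports unexpectedly before activating it as an analysis, and on 64-bit clients confirm that the registry inspector is reading the view in which SEP stores these keys.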

(imported comment written by kaushalw91)

Thanks. I will update and let you know.