Symantec Endpoint Protection

Hi, does anyone have relevance they are willing to share for AV definition file version and date for SEP 14?
I have a working analysis for previous versions of SEP but the locations differ for 14 and unfortunately I don’t have access to a machine with 14 installed to code it up.
Appreciated.

Are you looking for something more than what is currently provided in the Client Manager for Endpoint Protection site (which now supports SEP 14)?

Reference: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Client%20Manager%20for%20Endpoint%20Protection

Have you searched for “Symantec” on BigFix.me?

Unfortunately not subscribed to that site, I suspect it has exactly what I need :)

I don’t see anything specifically for SEP 14, do you have any direct links?

Making progress, just stuck on the last piece. How would I compare the definition date stamp to today’s date to return how many days old the definition file is compared to today’s date? Thinking I need to add current date - somewhere?

if (name of operating system does not contain "Win") then "N/A" else if (exists service "SepMasterService") then if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then date ((last 2 of first 8 of it & " " & first 3 of (last 2 of first 6 of it as integer as month as string) & " " & first 4 of it) of ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string))) as string else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then date ((last 2 of first 8 of it & " " & first 3 of (last 2 of first 6 of it as integer as month as string) & " " & first 4 of it) of ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string))) as string else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then date ((last 2 of first 8 of it & " " & first 3 of (last 2 of first 6 of it as integer as month as string) & " " & first 4 of it) of ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry as string))) as string else (if (exists key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then date ((last 2 of first 8 of it & " " & first 3 of (last 2 of first 6 of it as integer as month as string) & " " & first 4 of it) of ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" of registry as string))) as string else ("N/A")) else "N/A"

Unfortunately, we stopped using Symantec Endpoint Protection as our AV product. I think we were using v12, so these properties may require a little tweaking to work with v14. We ran Symantec AV products on Windows, Macs and Linux systems.

SEP - VDefs Version
IF (Windows of Operating System) THEN (following text of last "\" of (value "DEFWATCH_10" of (( /* SEP 12+ location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) | ( /* SEP 11- location */ key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)) ELSE (IF (Mac of Operating System) THEN (IF (exists file ("/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist")) THEN ((("20" & first 6 of it) & "." & substring(6,3) of it) of (string "ItemSeqData" of dictionaries of values of array "ProductArray" of dictionary of file "/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist" as string)) ELSE (nothing)) ELSE (nothing))

SEP - VDefs days old
IF (Windows of Operating System) THEN ((current date - (((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date) of (value "DEFWATCH_10" of (if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) then (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) else (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string))) as string) ELSE (IF (Mac of Operating System) THEN (if exists file ("/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist") then ((current date - (((substring (4,2) of it & (substring (2,2) of it as string as integer as month as three letters) & ("20" & first 2 of it)) as date) of (string "ItemSeqData" of dictionaries of values of array "ProductArray" of dictionary of file "/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist" as string))) as string) ELSE (nothing)) ELSE (nothing))

SEP - VDefs Date
IF (Windows of Operating System) THEN (((substring (6,2) of (following text of last "\" of it) & (substring (4,2) of (following text of last "\" of it) as string as integer as month as three letters) & first 4 of (following text of last "\" of it)) as date as string) of (value "DEFWATCH_10" of (IF exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) THEN (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry) ELSE (key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs" of registry)) as string)) ELSE (IF (Mac of Operating System) THEN (IF exists file ("/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist") THEN (((substring (4,2) of it & (substring (2,2) of it as string as integer as month as three letters) & ("20" & first 2 of it)) as date as string) of (string "ItemSeqData" of dictionaries of values of array "ProductArray" of dictionary of file "/Library/Application Support/Symantec/LiveUpdate/ActiveRegistry/NAV12Defs.plist" as string)) ELSE (nothing)) ELSE (nothing))
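
An added example, not code from any poster in this thread: a Python check of the string slicing that the properties above perform, so the parsing and the days-old arithmetic can be validated without an endpoint. It assumes the Windows value ends in YYYYMMDD with an optional .revision and the Mac ItemSeqData is YYMMDDRRR, as the substring offsets in the posted relevance imply; the function names and sample values are made up for illustration.

```python
import re
from datetime import date

# Assumed formats, inferred from the substring offsets in the posted relevance:
# Windows (DEFWATCH_10 / NAVCORP_70): a path ending in YYYYMMDD[.REV], or that string alone.
# Mac (ItemSeqData): YYMMDDREV with a three-digit revision.
WIN_LEAF = re.compile(r"(\d{4})(\d{2})(\d{2})(?:\.(\d+))?")
MAC_SEQ = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{3})")


def parse_definition(raw, platform):
    """Return (definition_date, revision) or None when the value is unusable."""
    text = raw.strip()
    if platform == "windows":
        leaf = text.rsplit("\\", 1)[-1]  # same as: following text of last "\" of it
        m = WIN_LEAF.fullmatch(leaf)
        century = ""
    elif platform == "mac":
        m = MAC_SEQ.fullmatch(text)
        century = "20"  # the Mac relevance prepends "20" to the two-digit year
    else:
        return None
    if not m:
        return None
    year, month, day, rev = m.groups()
    try:
        return date(int(century + year), int(month), int(day)), rev
    except ValueError:  # e.g. month 13 in a corrupted value
        return None


def days_old(raw, platform, today):
    """Whole days between the definition date and `today`, or None."""
    parsed = parse_definition(raw, platform)
    return None if parsed is None else (today - parsed[0]).days


# Constructed sample values, not taken from a real endpoint.
SAMPLES = [
    ("windows", r"C:\example\VirusDefs\20170412.003"),
    ("windows", "20170412"),
    ("mac", "170412003"),
    ("windows", r"C:\example\VirusDefs\pending"),
]

if __name__ == "__main__":
    today = date(2017, 4, 20)  # fixed so the output is reproducible
    for platform, raw in SAMPLES:
        print(platform, raw, "->", days_old(raw, platform, today))
```

A `None` result corresponds to the "N/A" and `nothing` branches in the relevance: the value was missing the expected date stamp, so no age is reported rather than a misleading one.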