
Managing Symantec Endpoint Protection with Symantec Software Management Solution, Part 3: Applicability and Detection Rules

By Joel Smith

In Part 1 I covered the basics of a Software Resource for Symantec's Software Management, built upon the Altiris Notification Server infrastructure, focusing on Symantec Endpoint Protection (SEP). In Part 2 I moved deeper into a deployment method for SEP, allowing an administrator to push SEP out to target systems using Software Management's Quick Delivery functionality. In Part 3 we'll discuss the Applicability and Detection Rules that can be applied to Software, specifically SEP in this article. The way rules are implemented is the same no matter what software is being managed. These rules are then utilized by the Managed Software Delivery functionality provided by Software Management in Notification Server (NS) 7.

Introduction

The "magic" of Software Management comes from the ability to set up rules that apply to a Software Resource. These rules tell a job whether it applies to the target system and, separately, whether the system is compliant or not. First, the job checks whether it applies to the system at all. If applicable, the job then runs a Detection Rule to see whether the targeted software is installed. If it is, the system is marked as compliant and nothing happens. If it is not detected, the software install (or other applicable action) is executed on the system.

The Rules tab of a Software Resource gives the ability to choose or create Applicability and Detection Rules. For our example browse to the SEP Software Resource created from Part 1 by browsing through Manage > Software > Software Catalog > Deliverable Software > Releases. Select the SEP Software Resource and click the Edit icon (pencil). Under the Rules tab, you'll see the following controls:

[Screenshot: SEPRules.jpg]

File Inventory

File Inventory can be utilized to assist in using the Rule Builder. When a rule is built from scratch this information is useful in identifying the proper Software Resource. While Inventory Solution populates a lot of the data that can be used under this tab (with the Server File option), Applicability and Detection Rules cannot be built to scan for an arbitrary file from this list, so File Inventory is only used as metadata. File Inventory is also used when building Application Metering policies, but that will be covered in a later article.

Important SEP executables:

  • Rtvscan.exe - Main antivirus executable, protecting against Windows viruses
  • Smc.exe - Symantec Management Client; provides network threat protection and application and device control on the system
  • Snac.exe - Provides Network Access Control

Server File

I will use the above files as examples of how to add files to the File Inventory tab, starting with the Server file method. Please follow the process below:

  1. Edit the Software Resource created for SEP.
  2. Click the + Add button.
  3. In the resulting Files to add window, click the + Add button and choose Server file.
  4. The default list provides all known files on the Notification Server. This includes all files captured through an Inventory Solution Audit scan or a Targeted Inventory Policy. See this screenshot for an example:

    [Screenshot: SEPFileInv.jpg]

  5. From the search box in the upper right type in the name of the file, in this example type rtvscan.exe.
  6. Select the file when found and click OK.
  7. The next screen shows the Size of the file. This becomes part of the detection rule to ensure it targets the right file.
  8. Click OK to add the File to the File Inventory tab.

Local File

To add a file using the Local file method, follow these steps. The Local method is useful when you are configuring software that may not already be installed in the environment, and thus has not been captured by Inventory, as long as the files are available locally:

  1. Edit the Software Resource created for SEP.
  2. Click the + Add button.
  3. In the resulting Files to add window, click the + Add button and choose Local file.
  4. Use the resulting Browse window to reach the following location:
    C:\ > Program Files > Symantec > Symantec Endpoint Protection
  5. Select the file Smc.exe and click Open.
  6. The next screen shows the Size of the file. This becomes part of the detection rule to ensure it targets the right file.
  7. Click OK to add the File to the File Inventory tab.

The way these are used with the Rule Builder is illustrated below:

  1. When building a rule under the Rules tab, click New or Edit an existing Rule.
  2. Click the blue + plus (or right-click on a node in the tree, if applicable) and browse through Smart Rule > Software File Expression.
  3. Click the hyperlink Select a Software Resource.
  4. In the Search field in the upper right, type in the name of your SEP Software Resource.
  5. When it is found in the below results, select it and click OK.
  6. You'll see that the Files we added earlier are now available in the results. See this screenshot for an example:

    [Screenshot: SEPSWFileExp.jpg]

  7. You can adjust these depending on the circumstances, including providing the right versions.

Applicability Rules

Applicability Rules determine whether the Managed Software Delivery Job applies to a system or not. This ensures software doesn't try to execute on a system it isn't meant for. Examples include:

  • Specific Operating Systems - Having trouble making sure the right version of software deploys to the right machine? Use an Applicability rule to ensure the OS meets the requirements.
  • If you have a company add-on to an application such as Microsoft Office, you can use an Applicability Rule to target systems that have Office. If a system doesn't have Office, the job will not apply.
  • Do you have a known vulnerability in a specific version of an application? Use an Applicability Rule to target those systems to receive a specific update to patch the vulnerability.

The following types of Applicability Rules are available. I've only described the more common rules, though any of the rules can be used if the Software supports it. Note that these rule types are the same for Detection Rules, as the underlying rule logic is the same:

  1. Smart Rules:
       a. MSI Product Code - This refers to the MSI Product Code provided by the Manufacturer of the Software
       b. Software File Expression
       c. Static File Expression
       d. Static Shortcut Target
  2. Standard Rules:
       a. 64-bit Windows Installed
       b. File Version - This is very useful to pinpoint a
       c. MSI Product Code - See above
       d. Multilingual User Interface Installed
       e. Processor Type
       f. Registry Key Exists - While a more precise method is Registry Key Value, this rule can check for a specific key in the registry.
       g. Registry Key to File Version
       h. Registry Key Value - This one has proven most useful as most Software contains a registry key (string) of the version of the Software. This allows a specific detection to be made to ensure the software is present.
       i. Registry Key Version
       j. Registry Key/File Path to File Version
       k. Registry Key/File Path to Product Version
       l. Windows Language
       m. Windows Version - This is important to pinpoint Windows installations that may not be on the latest service pack, etc.

Applicability rules also allow the use of Operators to combine multiple rules for a Software Resource. For example, I can include multiple Windows Versions using the OR operator, or I can require both a Key and a Value in the registry to ensure the software is installed correctly. I can also require both a Registry Key Value and a File Version relating to SEP to ensure it is installed and running correctly.

The following walkthrough creates a combination Applicability Rule of different versions of Windows:

  1. Browse to the Rules tab of the SEP Software Resource.
  2. Next to the Applicability Rule field, click the New button.
  3. Provide a Name. In this example I used Applicable Windows Versions.
  4. Click the blue plus + > browse under the Standard Rule menu > and select Windows Version.
  5. Check the box labeled: Check Windows version and/or machine role.
  6. Place the value 5 into the Major version.
  7. Place the value 1 into the Minor version. This is Windows XP.
  8. Select the Machine Role that fits your deployment of SEP. For this example I selected Any.
  9. Click OK to save the new Rule.
  10. Click the blue plus + > browse under the Operator menu > and select Or.
  11. Highlight the new OR rule.
  12. Right-click on the Or rule and choose Add > browse under the Standard Rule menu > and select Windows Version.
  13. Repeat steps 5 - 12 with the values in a., and steps 5 - 8 with the values in b.:
       a. Major: 6, Minor: 0 (Windows Vista)
       b. Major: 6, Minor: 1 (Windows 7)
  14. Note that the steps above place the rules under the Or operator, so the Applicability rule considers a system Applicable when it matches any one of the three Operating Systems. It should appear as in this screenshot:

    [Screenshot: SEPApplic.jpg]

  15. Click OK to save the complete new Rule.
  16. By default the new rule will already be selected in the Applicability rule field.

Alternatively, you can select an existing rule by using the multi-function field to find the Rule you want to use.

Detection Rules

Detection Rules determine whether a Job should run on a target system. This takes the guesswork out of large or sustained rollouts: even if the software is already installed on some systems, the Job can be pushed out to every system in the target, and the Detection Rule decides whether it really needs to install anything. The same applies to uninstall jobs. Use cases include:

  • Software Rollouts - From antivirus (SEP, in this example) to Microsoft Office, any Windows software can be targeted for a rollout.
  • Uninstalling Software as part of a migration - Upgrading your antivirus from another brand to Symantec? Uninstalls can be intelligently handled.
  • Uninstalling Unauthorized Software - Need to remove unauthorized software such as Limewire? Have a Detection Rule that runs the uninstall command when the software is detected.

The same Rule types that are available for Applicability Rules are also available for Detection Rules. The only difference is how the Rule is used: an Applicability Rule decides whether the Managed Software Delivery job applies to the machine at all, while a Detection Rule, once the job runs, decides whether the system is already compliant.

The following walkthrough creates a Detection Rule for Symantec Endpoint Protection. It combines one Registry Value check and one File check:

  1. Browse to the Rules tab of the SEP Software Resource.
  2. Next to the Detection Rule field, click the New button.
  3. Provide a Name. In this example I used SEP 11 Detection.
  4. Click the blue plus + > browse under the Standard Rule menu > and select Registry Key Value.
  5. For the Registry key path, in this example I used:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
  6. For the Registry entry field, use: ProductVersion
  7. For the Registry value, use: 11.0.4014.26
  8. Leave Match as Entire String.
  9. Click OK to add the Rule.
  10. Click the blue plus + > browse under the Smart Rule menu > and select Static File Expression.
  11. Change the Base folder entry to ProgramFiles.
  12. Put in the File path and filename in the File path: field, as listed here:
    C:\Program Files\Symantec\Symantec Endpoint Protection\rtvscan.exe
  13. In the Version field, change the dropdown to = and place 11 in the value field. For an example of how this Rule may look when completed, see this screenshot:

    [Screenshot: SEPDetect.jpg]

  14. Click OK to Save and apply the rule.
  15. Back under the Rules tab you should now see both your Applicability and Detection rules selected in the dropdown. In this example it should show:
       • Detection rule: SEP 11 Detection
       • Applicability rule: Applicable Windows Versions
  16. Click Save Changes to save the Rules selected to the Software Resource.
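To see what these two rules actually evaluate on a client, here is an added PowerShell example (not part of the original article, and not Symantec's or the Altiris agent's own rule engine) that reproduces the same checks locally on a test machine: the Applicability Rule from the earlier walkthrough (Windows Version 5.1 OR 6.0 OR 6.1), then the Detection Rule built above (Registry Key Value AND Static File Expression), in the applicability-first order described in the Introduction. The registry path, entry, value, file path and version are the ones given in the steps above; the function names and the $applicableVersions table are my own.

```powershell
# Added example: local re-evaluation of the SEP Applicability and Detection Rules.
# This is NOT the Symantec/Altiris rule engine; it only mirrors the rule logic so an
# administrator can confirm on a reference machine what the console rules will check.

# --- Applicability Rule "Applicable Windows Versions": 5.1 OR 6.0 OR 6.1 ---
$applicableVersions = @(
    @{ Major = 5; Minor = 1 },   # Windows XP
    @{ Major = 6; Minor = 0 },   # Windows Vista
    @{ Major = 6; Minor = 1 }    # Windows 7
)

function Test-Applicable {
    # Equivalent of three Windows Version rules joined by the Or operator.
    $os = [System.Environment]::OSVersion.Version
    foreach ($v in $applicableVersions) {
        if ($os.Major -eq $v.Major -and $os.Minor -eq $v.Minor) { return $true }
    }
    return $false
}

# --- Detection Rule "SEP 11 Detection": Registry Key Value AND Static File Expression ---
$regPath     = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$regEntry    = 'ProductVersion'
$regExpected = '11.0.4014.26'     # Match: Entire String
$exePath     = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\rtvscan.exe'
$exeMajor    = 11                 # Version = 11 (major version only, as in the rule)

function Test-RegistryValue {
    # Registry Key Value rule: the entry must exist and equal the expected string.
    $item = Get-ItemProperty -Path $regPath -Name $regEntry -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$regEntry -eq $regExpected)   # -eq is a case-insensitive string compare
}

function Test-FileVersion {
    # Static File Expression rule: the file must exist under ProgramFiles with major version 11.
    if (-not (Test-Path -LiteralPath $exePath)) { return $false }
    $info = (Get-Item -LiteralPath $exePath).VersionInfo
    return ($info.FileMajorPart -eq $exeMajor)
}

function Test-Detected {
    # Both sub-rules combined with AND, as configured in the walkthrough.
    return ((Test-RegistryValue) -and (Test-FileVersion))
}

# Decision flow from the Introduction: applicability first, then detection.
if (-not (Test-Applicable)) {
    'Not applicable: the Managed Software Delivery job does not apply to this Windows version.'
} elseif (Test-Detected) {
    'Compliant: SEP 11 detected, nothing to do.'
} else {
    'Not compliant: the install (or other configured action) would run.'
}
```

Run it on a machine where SEP is known to be installed and on one where it is not; if the output disagrees with what the console reports for that machine, the rule values (path, entry string, version) are the first things to re-check. One general Windows caveat the article does not cover: on 64-bit Windows, a 32-bit SEP build stores its keys under HKLM\SOFTWARE\Wow6432Node and its files under Program Files (x86), so the paths above would need adjusting there.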

These Rules will be used as part of a Managed Software Delivery job. The next article in this series will cover how to configure and use this intelligent Software Management functionality.

Conclusion

This article shows how Rules are configured, but the real functionality comes when the rules are invoked by a Managed Software Delivery Job. Part 4 will cover this functionality. Think of a Managed Delivery as Application State Management. Subsequent parts will cover everything that can be done with SEP using this powerful set of tools.

Read Part 2: Managing Symantec Endpoint Protection with Symantec Software Management Solution, Part 2: Quick Delivery

Comment from KSchroeder:

Another awesome job Joel!

Nice work once again Joel! I can't wait until we are actually migrated to NS7 (though I suspect that getting there will be rather painful)! This series of articles will really come in handy once we are on NS7.

Thanks,
Kyle
Symantec Trusted Advisor

Comment from Acretian:

Great work

Simple and Effective, thanks for the same

Awaiting Part 4 :)

Comment from adminsecure.sjj@gmail.com:

Please, can you clarify step 15?