
Symantec Endpoint Protection – A Few Registry Tweaks

Vikram Kumar-SAV to SEP
Here are a few registry tweaks and information about Symantec Endpoint Protection.

1. To check the version of the currently installed SEP client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

ProductVersion  

Value will be something like 11.0.4014.26

 
2. Whether the client is communicating with SEPM or is offline

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode: 1 means communicating, 0 means offline.

3. Which group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PreferredGroup

4. Policy Serial Number on Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

SerialNumber

Value will be something like 2DD9-09/09/2009 00:05:14 125

5. To find the Hardware ID for the client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

HardwareID

6. Which virus definition version the client is currently using.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

DEFWATCH_10

The value will be something like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090907.050

7. To find which IPS signature set SEP is using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs

cndcIps

The value will be like: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\CNDCIP~1\20090826.002

8. To check whether Network Threat Protection is installed and turned on.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

smc_engine_status: 0 means turned OFF, 1 means turned ON.
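The eight checks above are the ones an administrator repeats on every client when a machine stops reporting or a scan result looks wrong. The following PowerShell function is an added example, not code from the original article or from Symantec: it reads each of the values listed in items 1 to 8 and turns them into one status object with findings a defender cares about (client offline, Network Threat Protection engine off, stale definitions). It assumes it runs elevated on the client, tries the 32-bit hive paths first and falls back to the Wow6432Node paths on 64-bit Windows (the article only shows Wow6432Node for the Exchange exclusions, so that fallback is an assumption), and the seven-day definition-age threshold is this example's own choice.

```powershell
# Added example: collect the SEP client status values from items 1-8.
# Assumptions: elevated session; Wow6432Node fallback on 64-bit Windows;
# the definition-age threshold is a constructed value for this example.

$SepRoots = @(
    'HKLM:\SOFTWARE\Symantec',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec'
)

function Get-SepValue {
    # Return the named value from the first root where the key exists, else $null.
    param([string]$SubKey, [string]$Name)
    foreach ($root in $SepRoots) {
        $path = Join-Path $root $SubKey
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-SepClientStatus {
    param([int]$MaxDefinitionAgeDays = 7)   # constructed threshold, adjust to policy

    $smc    = 'Symantec Endpoint Protection\SMC'
    $sylink = 'Symantec Endpoint Protection\SMC\SYLINK\SyLink'

    # DEFWATCH_10 holds a path whose leaf is YYYYMMDD.NNN (item 6); parse the date.
    $defPath = Get-SepValue 'SharedDefs' 'DEFWATCH_10'
    $defDate = $null
    if ($defPath -and ((Split-Path $defPath -Leaf) -match '^(\d{8})\.\d+$')) {
        $defDate = [datetime]::ParseExact($Matches[1], 'yyyyMMdd', $null)
    }

    # cndcIps holds a path whose leaf is the IPS signature revision (item 7).
    $ipsPath = Get-SepValue 'SharedDefs\SymcData-cndcipsdefs' 'cndcIps'
    $ipsRev  = $null
    if ($ipsPath) { $ipsRev = Split-Path $ipsPath -Leaf }

    $status = [pscustomobject]@{
        ProductVersion = Get-SepValue $smc 'ProductVersion'           # item 1
        PolicyMode     = Get-SepValue $sylink 'PolicyMode'            # item 2: 1 = talking to SEPM
        PreferredGroup = Get-SepValue $sylink 'PreferredGroup'        # item 3
        PolicySerial   = Get-SepValue $sylink 'SerialNumber'          # item 4
        HardwareID     = Get-SepValue $sylink 'HardwareID'            # item 5 (may be absent on newer releases)
        DefinitionDate = $defDate                                     # item 6
        IpsSignature   = $ipsRev                                      # item 7
        NtpEngineOn    = ((Get-SepValue $smc 'smc_engine_status') -eq 1)   # item 8
        Findings       = New-Object System.Collections.Generic.List[string]
    }

    if ($status.PolicyMode -ne 1) { $status.Findings.Add('client is not communicating with SEPM') }
    if (-not $status.NtpEngineOn) { $status.Findings.Add('Network Threat Protection engine is off') }
    if ($null -eq $defDate) {
        $status.Findings.Add('could not read the virus definition date from DEFWATCH_10')
    } elseif (((Get-Date) - $defDate).Days -gt $MaxDefinitionAgeDays) {
        $status.Findings.Add(('virus definitions are {0} days old' -f ((Get-Date) - $defDate).Days))
    }
    return $status
}

# Usage: print the status and exit non-zero when anything was flagged, so the
# script can be run from a scheduled task or a monitoring agent.
$s = Get-SepClientStatus
$s | Format-List
if ($s.Findings.Count -gt 0) { exit 1 }
```

The object form makes it easy to export the results from many clients (for example with `Export-Csv`) and compare PolicySerial and DefinitionDate across a group; a client whose serial number never changes while the rest of the group moves on is the first thing to look at.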

 

9. Exclusions – Centralized Exceptions

32-bit

i. Security Risk Exceptions

User Defined Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions

Lock: 0 means the client can create Centralized Exceptions for Known Security Risks; 1 means this option is locked by the administrator in SEPM.

Under ClientRiskExceptions\1234567890 (normally a 10-digit numeric subkey) you will find the Known Security Risk exceptions created by the users.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions

Under AdminRiskExceptions\1234567890 (normally a 10-digit numeric subkey) you will find the Known Security Risk exceptions created by the admin from SEPM.

 

ii. Proactive Threat Protection Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash

\Client\0728bd2bb1774b9728f60d33bc1f95172374e950 (the long hexadecimal number is the file hash of the excluded file): exclusions created by the user.

\Admin\0728bd2bb1774b9728f60d33bc1f95172374e950 (the long hexadecimal number is the file hash of the excluded file): exclusions made by the admin from SEPM.

The same \Admin and \Client split applies to the Directory, File and Extension exclusions below.

iii. Directory

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory

\Admin  and \Client

iv. Files

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName

\Admin  and \Client

 
v. Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions\

\Admin  and \Client

vi. Symantec also excludes its own Embedded Database from scanning

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Symantec Embedded Database\FileExceptions

Out.log, Sem5.log and Sem5.db are excluded.

vii. To verify Exchange Server exclusions on a 32-bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

\FileExceptions and \NoScanDir

On a 64-bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

\FileExceptions and \NoScanDir
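Because anything under an excluded directory, file name, extension or file hash is never scanned, the \Client entries are the part of item 9 worth auditing: a client-created exclusion the administrator did not expect is a common sign of tampering or of a user silencing a detection. The following function is an added example, not code from the original article or from Symantec. It walks the exclusion locations listed above and reports each entry with its scope (Admin versus Client) and kind. It assumes the value names stored inside each exclusion subkey (the article does not document them), so it dumps every value in each subkey as-is, and it tries the Wow6432Node path on 64-bit Windows.

```powershell
# Added example: enumerate SEP Centralized Exceptions from the registry and
# flag client-created ones. Assumptions: elevated session; the value names
# inside each exclusion subkey are unknown, so all values are dumped verbatim.

function Get-SepExclusions {
    $roots = @('HKLM:\SOFTWARE\Symantec', 'HKLM:\SOFTWARE\Wow6432Node\Symantec')

    # Relative key paths from item 9, with the scope and kind each represents.
    $locations = @(
        @{ Sub = 'AV\Exclusions\AdminRiskExceptions';               Scope = 'Admin';  Kind = 'SecurityRisk' }
        @{ Sub = 'AV\Exclusions\ClientRiskExceptions';              Scope = 'Client'; Kind = 'SecurityRisk' }
        @{ Sub = 'AV\Exclusions\HeuristicScanning\FileHash\Admin';  Scope = 'Admin';  Kind = 'FileHash' }
        @{ Sub = 'AV\Exclusions\HeuristicScanning\FileHash\Client'; Scope = 'Client'; Kind = 'FileHash' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\Directory\Admin';   Scope = 'Admin';  Kind = 'Directory' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\Directory\Client';  Scope = 'Client'; Kind = 'Directory' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\FileName\Admin';    Scope = 'Admin';  Kind = 'FileName' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\FileName\Client';   Scope = 'Client'; Kind = 'FileName' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\Extensions\Admin';  Scope = 'Admin';  Kind = 'Extension' }
        @{ Sub = 'AV\Exclusions\ScanningEngines\Extensions\Client'; Scope = 'Client'; Kind = 'Extension' }
    )

    foreach ($loc in $locations) {
        foreach ($root in $roots) {
            $base = Join-Path $root ('Symantec Endpoint Protection\' + $loc.Sub)
            if (-not (Test-Path $base)) { continue }

            # Each exclusion is its own subkey (a 10-digit number or a file hash).
            foreach ($key in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
                $props  = Get-ItemProperty -Path $key.PSPath
                $values = $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
                [pscustomobject]@{
                    Scope  = $loc.Scope
                    Kind   = $loc.Kind
                    Entry  = $key.PSChildName
                    Values = ($values -join '; ')
                }
            }
        }
    }
}

function Get-SepRiskExceptionLock {
    # The Lock value under ClientRiskExceptions: 1 means users cannot add
    # Known Security Risk exceptions on the client (locked from SEPM).
    foreach ($root in @('HKLM:\SOFTWARE\Symantec', 'HKLM:\SOFTWARE\Wow6432Node\Symantec')) {
        $path = Join-Path $root 'Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions'
        $item = Get-ItemProperty -Path $path -Name Lock -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.Lock }
    }
    return $null
}

# Usage: list everything, then warn on what was created on the client itself.
$all = @(Get-SepExclusions)
$all | Format-Table -AutoSize
$clientMade = @($all | Where-Object { $_.Scope -eq 'Client' })
if ($clientMade.Count -gt 0) {
    Write-Warning ('{0} client-created exclusion(s) found; confirm each one is expected' -f $clientMade.Count)
}
if ((Get-SepRiskExceptionLock) -ne 1) {
    Write-Warning 'users are allowed to add Known Security Risk exceptions on this client'
}
```

Run it before and after a policy change and diff the two outputs; admin-pushed entries should match what SEPM shows for the client's group, and the Client list on a managed machine should normally be empty.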

  

10. Say you have remote laptops to which you exported a default client install package and sent it, and now you want to change them to unmanaged.

You replaced sylink.xml with the unmanaged one from Cd1\SEP\Sylink.xml.

Still, the clients are not able to run LiveUpdate, and the default admin-defined scan keeps running.

Here is the default admin-defined scan; if you have created a few more scans for these users, they will also be listed in the same location, but under a different name.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 (the name can be any hexadecimal name)

So you can delete this key and then create your own scan.

The LiveUpdate button is greyed out even after replacing sylink.xml.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

AllowManualLiveUpdate: 0 means the LiveUpdate button will be greyed out; 1 means it will be available to click.

In the same key you can enable product updates by changing the value of

EnableProductUpdates to 1.

To schedule and enable automatic LiveUpdates:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule

Change the value of

Enabled to 1 for automatic updates.

 

11. Handling Quarantine

Sometimes, due to infection, the quarantine folder grows huge.

Its location is not accessible via the GUI. To find where it is and to change the client's Quarantine settings, look under

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important values:

QuarantinePurgeBySizeEnabled: set it to 1 to enable size-based purging of the quarantine folder, then

QuarantinePurgeBySizeDirLimit: the default value is 50 (megabytes); either leave it at 50 or reduce it as much as you want.

You can also lower the age at which quarantine items are purged from the default 30 days to any number of days you want:

QuarantinePurgeAgeLimit: 30 days by default.
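Items 10 and 11 together describe the registry changes for an unmanaged client that no longer gets its LiveUpdate and quarantine settings from SEPM. The following script is an added example, not code from the original article or from Symantec. It applies those values through the keys listed above, but first exports every key it touches to a .reg file so the change can be reverted, and it supports -WhatIf so the planned changes can be reviewed before anything is written. It assumes the values are DWORDs (the article gives their numeric meanings but not their types), that the Wow6432Node path applies on 64-bit Windows, and the backup folder and the 200 MB / 14 day figures are this example's own choices.

```powershell
# Added example: apply the item 10 and item 11 settings to an unmanaged client
# with a registry backup and -WhatIf support. Assumptions: DWORD values,
# Wow6432Node fallback on 64-bit Windows, constructed backup path and limits.

function Set-SepUnmanagedClientConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$QuarantineSizeLimitMB  = 200,   # article default is 50 MB
        [int]$QuarantineAgeLimitDays = 14,    # article default is 30 days
        [string]$BackupDir = "$env:ProgramData\SepRegBackup"   # constructed path
    )

    $base = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
    if (-not (Test-Path $base)) {
        # 64-bit Windows keeps the 32-bit client's keys under Wow6432Node.
        $base = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
    }
    if (-not (Test-Path $base)) { throw "SEP registry root not found under $base" }

    # Relative key, value name and desired data, taken from items 10 and 11.
    $settings = @(
        @{ Key = 'LiveUpdate';          Name = 'AllowManualLiveUpdate';         Value = 1 }
        @{ Key = 'LiveUpdate';          Name = 'EnableProductUpdates';          Value = 1 }
        @{ Key = 'LiveUpdate\Schedule'; Name = 'Enabled';                       Value = 1 }
        @{ Key = 'AV\Quarantine';       Name = 'QuarantinePurgeBySizeEnabled';  Value = 1 }
        @{ Key = 'AV\Quarantine';       Name = 'QuarantinePurgeBySizeDirLimit'; Value = $QuarantineSizeLimitMB }
        @{ Key = 'AV\Quarantine';       Name = 'QuarantinePurgeAgeLimit';       Value = $QuarantineAgeLimitDays }
    )

    # Export each affected key once before changing anything in it.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in ($settings | ForEach-Object { $_.Key } | Sort-Object -Unique)) {
        $regPath = ($base -replace '^HKLM:', 'HKLM') + '\' + $key
        $file    = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + '.reg')
        if ($PSCmdlet.ShouldProcess($regPath, "export to $file")) {
            reg.exe export $regPath $file /y | Out-Null
        }
    }

    # Write only the values that differ from the desired state.
    foreach ($s in $settings) {
        $path    = Join-Path $base $s.Key
        $current = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -eq $s.Value) { continue }
        if ($PSCmdlet.ShouldProcess("$path\$($s.Name)", "set $current -> $($s.Value)")) {
            Set-ItemProperty -Path $path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

# Usage: preview the changes first, then apply them. Once AllowManualLiveUpdate
# is 1 the LiveUpdate button in the client UI should be clickable again.
Set-SepUnmanagedClientConfig -WhatIf
Set-SepUnmanagedClientConfig
```

The same export-then-change pattern fits the admin-defined scan key under AV\LocalScans that item 10 says to delete: export it with `reg.exe export` first, remove it, and keep the .reg file until the replacement scan has been verified.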

12. How to disable Application and Device Control via the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

Change the value of Start to 4; 1 means enabled.

13. See this discussion on creating a scan via the registry:
https://www-secure.symantec.com/connect/forums/way-create-scan-registry

14. Logging options via the registry:
How to debug the Symantec Endpoint Protection 11.x client
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048

15. GUP information via the registry:
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

jeffwichman

Great article.... lots of useful information.

thanks

Sandeep Cheema

Good auditing info.

Satyam Pujari a.k.a 0xal0ne0

good info for sym customers.

It's really a good article to assist sym customers to understand the product's internal working better. All regs in one place... nice effort!

Inviting good karma to CPU...0xal0ne0

Symantec World

Re

Good and Knowledgeable.

Regards,
M.R

shp

Thanks yaar...

I was looking for this.. You got my vote.....
Thanks once again.... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

Maximilian

Very good!

I could use some more of this good stuff :)

Thanks!!! 

AravindKM

Useful article. Thank you

Symantec World

Re

All have to vote this article....

Regards,
M.R

Int3rn3t

very useful article.

ragunayaka@gmail.com

Nice article dude..

Best of Luck

Aniket Amdekar

Here is one more:

To enable/disable Scan Process Dialogue for Custom Scans:

HKLM\Software\Symantec\Symantec Endpoint Protection\AV\LocalScans\Default CustomScan Option

In the right pane check for the DWORD "DisplayStatusDialog"; the value must be 1, and if it is not, change it to 1.

The same applies to most of the scans present at the location:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans

Best,
Aniket

chenh

@Vikram Kumar-SAV to SEP

It seems to me that you cover the keys based on computer-mode observation. If it is User mode or fix mode, the following two keys are:

2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode  1 – means communicating 0- means offline.

PolicyMode 1 -- means "Computer Mode", 0 -- means User mode.

3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

In a User Mode configuration, this is the default group, but not necessarily the group the client points to; in User Mode, the SerialNumber key in the same registry location is the group that the client points to.

Vikram Kumar-SAV to SEP

File System Auto-Protect

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

OnOff: 1 means enabled, 0 means disabled

Celebrating 2 years as a community member....

manish-SecPol

This helped me. Nice article.

Ghent

Hardware ID in RU5

Hi, in RU5 the HardwareID was moved out of the registry and onto the disk. It's now located at %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml

justin-new2SEP

Very useful article.. I was looking for this info.

Kedar Mohile

Nice article

wosteen

It looks like this one is (at least partially) incorrect:

6. What is the version of Virus Defintion the client is currently using .

On my machine, running Windows 7 64-bit and SEP 11.0.5002.333, there is no registry key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

The only other machine I have quick access to had SAVCE 10.1.6.6000 on it before I upgraded it, and the SharedDefs key *is* there.

Any idea where I could find the information?

Thanks,
Wayne

Vikram Kumar-SAV to SEP

I have just tested that on Win XP 32-bit; the reg keys for 32- and 64-bit are a little bit different.

Celebrating 2 years as a community member....

Maximilian

Great stuff!

Anyone know if these still apply after MR5 release?