
Symantec Endpoint Protection – A Few Registry Tweaks

Created: 08 Sep 2009 • Updated: 08 Mar 2012 | 53 comments
Vikram Kumar-SAV to SEP's picture
+60 votes
Here are a few registry tweaks and information about Symantec Endpoint Protection.

1. To check the version of the currently installed SEP client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

ProductVersion  

Value will be something like 11.0.4014.26

 
2. Whether the client is communicating with SEPM or is offline

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode: 1 means communicating, 0 means offline.

3. Which group the client points to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

4. Policy Serial Number on Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

SerialNumber

Value will be something like 2DD9-09/09/2009 00:05:14 125

5. To know the Hardware ID for the Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

HardwareID

6. Which version of the virus definitions the client is currently using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

DEFWATCH_10

The value will be something like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090907.050

7. To know which IPS signatures SEP is using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs

cndcIps

The value will be like: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\CNDCIP~1\20090826.002

8. To check whether Network Threat Protection is installed and turned on

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

smc_engine_status: 0 means turned OFF, 1 means turned ON.
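The values in items 1 to 8 are the ones an administrator reads most often when triaging a client, so here is an added PowerShell example (not code from the original article or from Symantec) that collects them into a single object. It assumes SEP 11.x, that on 64-bit Windows the 32-bit client stores these keys under HKLM\SOFTWARE\Wow6432Node\Symantec (so that root is tried first), and it also reads the GUP values that Ian_C. lists in a comment further down the page; the function and property names are this example's own.

```powershell
# Added example, not code from the original article: gather the SEP 11
# client status values from items 1 to 8 into one object for inventory/triage.
# Assumption: on 64-bit Windows the 32-bit client writes these keys under
# HKLM\SOFTWARE\Wow6432Node\Symantec, so that root is tried first.

function Get-SepRegistryRoot {
    # Return the root under which this host's SEP keys live.
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\Symantec', 'HKLM:\SOFTWARE\Symantec') {
        if (Test-Path "$root\Symantec Endpoint Protection\SMC") { return $root }
    }
    throw 'Symantec Endpoint Protection registry keys not found on this host.'
}

function Get-SepRegValue {
    # Read one value; return $null instead of throwing when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SepClientStatus {
    $root   = Get-SepRegistryRoot
    $sep    = "$root\Symantec Endpoint Protection"
    $smc    = "$sep\SMC"
    $sylink = "$smc\SYLINK\SyLink"

    # The definition paths end in the definition folder name (e.g. 20090907.050),
    # so the last path element is the definition version the article refers to.
    $avDefPath  = Get-SepRegValue "$root\SharedDefs" 'DEFWATCH_10'
    $ipsDefPath = Get-SepRegValue "$root\SharedDefs\SymcData-cndcipsdefs" 'cndcIps'
    $avDefs  = if ($avDefPath)  { Split-Path -Path $avDefPath  -Leaf } else { $null }
    $ipsDefs = if ($ipsDefPath) { Split-Path -Path $ipsDefPath -Leaf } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ProductVersion     = Get-SepRegValue $smc 'ProductVersion'      # e.g. 11.0.4014.26
        # Article: 1 = communicating with SEPM, 0 = offline (see mssym's comment
        # below for the Computer Mode / User Mode reading of this value).
        PolicyMode         = Get-SepRegValue $sylink 'PolicyMode'
        PreferredGroup     = Get-SepRegValue $sylink 'Preferredgroup'
        PolicySerialNumber = Get-SepRegValue $sylink 'SerialNumber'
        # $null from RU5 on: the ID moved to sephwid.xml (see Ghent's comment below)
        HardwareID         = Get-SepRegValue $sylink 'HardwareID'
        AvDefinitions      = $avDefs
        IpsSignatures      = $ipsDefs
        # smc_engine_status: 1 = Network Threat Protection on, 0 = off
        NtpEnabled         = (Get-SepRegValue $smc 'smc_engine_status') -eq 1
        # GUP settings as listed in Ian_C.'s comment further down the page
        UsesGup            = (Get-SepRegValue "$sep\LiveUpdate" 'UseMasterClient') -eq 1
        GupHost            = Get-SepRegValue "$sep\LiveUpdate" 'MasterClientHost'
    }
}

Get-SepClientStatus | Format-List
```

Run it in an elevated PowerShell on the client; pointing the same function at several machines (for example through Invoke-Command) gives a quick definition-age and connectivity inventory without opening the SEPM console for each one.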

9. Exclusions – Centralized Exceptions

32-bit

i. Security Risk Exceptions

User Defined Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions

Lock: 0 means the client can create Centralized Exceptions for Known Security Risks; 1 means this option is locked by the administrator in SEPM.

Under ClientRiskExceptions\1234567890 (normally a 10-digit numeric subkey) you will find the Known Security Risk exceptions created by the users.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions

Under AdminRiskExceptions\1234567890 (normally a 10-digit numeric subkey) you will find the Known Security Risk exceptions created by the admin from SEPM.

 

ii. Proactive Threat Protection Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash

\Client\0728bd2bb1774b9728f60d33bc1f95172374e950 (the long hexadecimal number is the file hash of the excluded file): exclusions created by the user.

\Admin\0728bd2bb1774b9728f60d33bc1f95172374e950 (the long hexadecimal number is the file hash of the excluded file): exclusions made by the admin from SEPM.

The same Admin/Client split applies to the Directory, File and Folder exclusions.

iii. Directory

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory

\Admin  and \Client

iv. Files

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName

\Admin  and \Client

 
v. Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions\

\Admin  and \Client

vi. Symantec also excludes its own Embedded Database from scanning

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Symantec Embedded Database\FileExceptions

Out.log, Sem5.log and Sem5.db are excluded.

vii. To Verify Exchange Server exclusions on 32 Bit System

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

\FileExceptions and \NoScanDir

On a 64-bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

\FileExceptions and \NoScanDir
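Because exceptions created locally by users (the \Client and ClientRiskExceptions keys) are a common place for unwanted blind spots to accumulate, an auditor wants to see them side by side with the SEPM-pushed ones. The following PowerShell is an added example, not code from the article or from Symantec: it walks the key locations from item 9 and tags every entry as Admin or Client. It assumes 64-bit hosts keep the keys under Wow6432Node; the value names inside each numbered or hash-named subkey are not documented on this page, so they are dumped exactly as stored, and the function names are this example's own.

```powershell
# Added example, not code from the original article: enumerate the
# Centralized Exception entries under the AV\Exclusions keys from item 9
# and tag each as Admin (pushed from SEPM) or Client (created locally).
# Assumption: 64-bit hosts keep the keys under Wow6432Node.

function Get-SepExclusionRoot {
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\Symantec', 'HKLM:\SOFTWARE\Symantec') {
        if (Test-Path "$root\Symantec Endpoint Protection\AV\Exclusions") { return $root }
    }
    throw 'SEP AV\Exclusions key not found on this host.'
}

function Get-RegValuePairs {
    # Return the data values of one key as "name=value" strings; the provider's
    # bookkeeping properties (PSPath, PSParentPath, ...) are skipped.
    param([string]$Path)
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
}

function Get-SepExclusions {
    $excl = "$(Get-SepExclusionRoot)\Symantec Endpoint Protection\AV\Exclusions"

    # Key locations from item 9 of the article, with their category and origin.
    $sources = @(
        @{ Path = "$excl\ClientRiskExceptions";              Category = 'SecurityRisk'; Origin = 'Client' }
        @{ Path = "$excl\AdminRiskExceptions";               Category = 'SecurityRisk'; Origin = 'Admin'  }
        @{ Path = "$excl\HeuristicScanning\FileHash\Client"; Category = 'FileHash';     Origin = 'Client' }
        @{ Path = "$excl\HeuristicScanning\FileHash\Admin";  Category = 'FileHash';     Origin = 'Admin'  }
    )
    foreach ($category in 'Directory', 'FileName', 'Extensions') {
        foreach ($origin in 'Client', 'Admin') {
            $sources += @{ Path = "$excl\ScanningEngines\$category\$origin"; Category = $category; Origin = $origin }
        }
    }

    foreach ($src in $sources) {
        if (-not (Test-Path $src.Path)) { continue }
        # Entries may sit as values on the key itself or in subkeys (the 10-digit
        # numbers and file hashes the article mentions), so walk both.
        $keys = @(Get-Item -Path $src.Path) + @(Get-ChildItem -Path $src.Path -Recurse)
        foreach ($key in $keys) {
            $pairs = @(Get-RegValuePairs -Path $key.PSPath)
            if ($pairs.Count -eq 0) { continue }
            [pscustomobject]@{
                Category = $src.Category
                Origin   = $src.Origin
                Entry    = $key.PSChildName
                Values   = $pairs -join '; '
            }
        }
    }
}

function Get-SepRiskExceptionLock {
    # Lock under ClientRiskExceptions: 0 = users may add Security Risk
    # exceptions themselves, 1 = locked by the administrator in SEPM.
    $path = "$(Get-SepExclusionRoot)\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions"
    try { (Get-ItemProperty -Path $path -Name Lock -ErrorAction Stop).Lock } catch { $null }
}

"ClientRiskExceptions Lock value (1 = locked by SEPM): $(Get-SepRiskExceptionLock)"
# Client-created entries are the ones to review first.
Get-SepExclusions | Sort-Object Origin, Category | Format-Table -AutoSize
```

Any entry with Origin = Client on a machine whose Lock value is 0 was added outside SEPM; comparing that list against the exceptions the administrator actually intended is the check worth scheduling.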

  

10. Say you have remote laptops to which you exported and sent a default client install package.

Now you want to change them to unmanaged.

You replaced sylink.xml with the unmanaged one from SEP CD1\SEP\Sylink.xml.

Still, the clients are not able to run LiveUpdate, and the default admin-defined scan still runs.

Here is the default admin-defined scan; if you created a few more scans for these users, they will also be listed in the same location but with different names.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 (the name can be any hexadecimal name)

So you can delete this and then create your own scan.

The LiveUpdate button is greyed out even after replacing sylink.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

AllowManualLiveUpdate: 0 means the LiveUpdate button will be greyed out, 1 means it will be available to click.

In the same key you can enable product updates by changing the value of

EnableProductUpdates to 1.

For scheduling and enabling automatic LiveUpdates:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule

change the value of

Enabled to 1 for automatic updates.

11. Handling Quarantine

Sometimes, due to infection, the quarantine folder grows huge.

It is not accessible via the GUI, so to find where the quarantine is and to change its settings on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important values:

QuarantinePurgeBySizeEnabled: set it to 1 to enable purging the quarantine folder by size, then

QuarantinePurgeBySizeDirLimit: the default value is 50 (megabytes); either leave it at 50 or reduce it as much as you want.

You can also lower the age at which quarantine items are purged from the default 30 days to any number of days you want:

QuarantinePurgeAgeLimit: 30 days by default.

12. How to disable Application and Device Control via the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

Change the value of Start to 4; 1 means enabled.
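Items 8, 10, 11 and 12 all describe single DWORD switches, and JRV's comment below makes the point that anyone running as admin can flip them, so the practical follow-up is a drift check that reads them back against a known-good state. The PowerShell below is an added example, not code from the article or from Symantec. The expected values are an assumed baseline built from the article's own descriptions (NTP on, Auto-Protect on using the RealTimeScan key from the author's comment below, SysPlant at 1, scheduled LiveUpdate on, the article's quarantine defaults); adjust them to local policy. A second function applies the item 10 LiveUpdate values on clients that were deliberately made unmanaged. It assumes 64-bit hosts keep the keys under Wow6432Node, and all function names are this example's own.

```powershell
# Added example, not code from the original article: report drift of the
# on/off and limit values from items 8, 10, 11 and 12 against an assumed
# baseline, and apply the item 10 LiveUpdate settings on unmanaged clients.
# Assumption: 64-bit hosts keep the keys under Wow6432Node.

function Get-SepProductRoot {
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\Symantec', 'HKLM:\SOFTWARE\Symantec') {
        if (Test-Path "$root\Symantec Endpoint Protection") { return "$root\Symantec Endpoint Protection" }
    }
    throw 'Symantec Endpoint Protection registry keys not found on this host.'
}

function Read-SepDword {
    # Read one DWORD; $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SepBaseline {
    $sep = Get-SepProductRoot
    # Expected values are an assumed baseline taken from the article's descriptions.
    $checks = @(
        @{ Check = 'NetworkThreatProtection'; Path = "$sep\SMC";                                   Name = 'smc_engine_status';             Expect = 1;  Note = '0 = NTP turned off' }
        @{ Check = 'FileSystemAutoProtect';   Path = "$sep\AV\Storages\Filesystem\RealTimeScan";    Name = 'OnOff';                         Expect = 1;  Note = '0 = Auto-Protect disabled' }
        @{ Check = 'AppDeviceControlDriver';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysPlant'; Name = 'Start';                    Expect = 1;  Note = '4 = SysPlant driver disabled' }
        @{ Check = 'AutoLiveUpdateSchedule';  Path = "$sep\LiveUpdate\Schedule";                   Name = 'Enabled';                       Expect = 1;  Note = '0 = no scheduled LiveUpdate' }
        @{ Check = 'QuarantinePurgeBySize';   Path = "$sep\AV\Quarantine";                         Name = 'QuarantinePurgeBySizeEnabled';  Expect = 1;  Note = '0 = size-based purge off' }
        @{ Check = 'QuarantineSizeLimitMB';   Path = "$sep\AV\Quarantine";                         Name = 'QuarantinePurgeBySizeDirLimit'; Expect = 50; Note = 'article default 50 MB' }
        @{ Check = 'QuarantineAgeLimitDays';  Path = "$sep\AV\Quarantine";                         Name = 'QuarantinePurgeAgeLimit';       Expect = 30; Note = 'article default 30 days' }
    )
    foreach ($c in $checks) {
        $actual = Read-SepDword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Check    = $c.Check
            Expected = $c.Expect
            Actual   = $actual
            # A missing value counts as drift too: the component may not be installed.
            Drift    = ($null -eq $actual) -or ($actual -ne $c.Expect)
            Note     = $c.Note
        }
    }
}

function Enable-SepUnmanagedLiveUpdate {
    # Item 10: after swapping in an unmanaged sylink.xml the LiveUpdate button
    # stays greyed out until these values are set to 1. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $lu = "$(Get-SepProductRoot)\LiveUpdate"
    $settings = @(
        @{ Path = $lu;            Name = 'AllowManualLiveUpdate' }
        @{ Path = $lu;            Name = 'EnableProductUpdates'  }
        @{ Path = "$lu\Schedule"; Name = 'Enabled'               }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", 'Set DWORD to 1')) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value 1 -Type DWord
        }
    }
}

# Show only the checks that differ from the baseline.
Test-SepBaseline | Where-Object Drift | Format-Table -AutoSize
```

Two caveats from the comment thread apply: Jamit reports OnOff = 1 while Auto-Protect was in fact not running, so treat a clean registry result as a hint and corroborate it with the SEPM logs or the client console; and, as BrooksGarrett notes, the durable fix for admin-level tampering is an Application and Device Control rule that blocks processes from modifying the SEP keys, which this script only reads.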

13. Check this discussion on creating a scan via the registry:
https://www-secure.symantec.com/connect/forums/way-create-scan-registry

14. For logging options via the registry:
How to debug the Symantec Endpoint Protection 11.x client
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048

15. GUP information via the registry:
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

16. To enable debugging of Auto Location Switching (ALS), use this registry key:

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

Comments (53)

jeffwichman's picture

Great article.... lots of useful information.

thanks

+1
Sandeep Cheema's picture

Good auditing info.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

+1
Satyam Pujari's picture

It's really a good article to assist Symantec customers in understanding the product's internal working better. All regs in one place... nice effort!

Inviting good karma to CPU...beep

+1
Symantec World's picture

Good and Knowledgeable.

Regards, M.R

+3
shp's picture

Thanks yaar...

I was looking for this.. You got my vote.....
Thanks once again.... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

+2
Maximilian's picture

 Very good!

I could use some more of this good stuff :)

Thanks!!! 

0
AravindKM's picture

Useful article. Thank you

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

+1
Symantec World's picture

All have to vote this article....

Regards, M.R

+1
Int3rn3t's picture

very useful article.

0
ragunayaka@gmail.com's picture

 Nice article dude..

Best of Luck

0
Aniket Amdekar's picture

Here is one more:

To enable/disable Scan Process Dialogue for Custom Scans:

HKLM\Software\Symantec\Symantec Endpoint Protection\AV\LocalScans\Default CustomScan Option

On the right pane check for the DWORD "DisplayStatusDialog"  the value must be 1, if not change it to 1.

The same is applicable to most of scans present at the location:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans

Best,
Aniket

+4
mssym's picture

Vikram Kumar-SAV to SEP

It seems to me that you cover the keys based on Computer Mode observation. If it is User Mode or fix mode, the following two keys are:

2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode  1 – means communicating 0- means offline.

PolicyMode 1 -- means "Computer Mode", 0 -- means User mode.

3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

In a User Mode configuration, this is the default group, but not necessarily the group the client points to; in User Mode, the SerialNumber key in the same registry location is the group that the client points to.

+6
Vikram Kumar-SAV to SEP's picture

 File System Auto-Protect

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

OnOff : 1- means enabled 0 - means disabled

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

+8
Jamit's picture

I have found this setting is not always true. I had a case today where the SEPM logs and client console flagged that File System Auto-Protect was not running. I checked HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan OnOff on the workstation and it was set to 1 (enabled); however, File System Auto-Protect was not.

To resolve I had to repair the client. If someone can advise why I saw the above behaviour it would be appreciated?

 

Thanks

Jamit

 

0
manish-SecPol's picture

this helped me.nice article.

0
Ghent's picture

Hi, in RU5 the HardwareID was moved out of the registry and onto the disk. It's now located at %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml

+2
justin-new2SEP's picture

Very useful article..i was looking for these info.

0
Kedar Mohile's picture

 Nice article

+1
wosteen's picture

It looks like this one is (at least partially) incorrect: 

6. What is the version of Virus Defintion the client is currently using .

On my machine, running Windows 7 64-bit and SEP 11.0.5002.333, there is no registry key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

The only other machine I have quick access to had SAVCE 10.1.6.6000 on it before I upgraded it, and the SharedDefs key *is* there.

Any idea where I could find the information?

Thanks,
Wayne

0
Vikram Kumar-SAV to SEP's picture

I have just tested that on Win XP 32-bit; the reg keys for 32 and 64 are a little bit different.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

+3
Maximilian's picture

 Great stuff!

Anyone know if these still apply after MR5 release?

0
Vikram Kumar-SAV to SEP's picture

 All of this applies to MR5.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

+4
Maximilian's picture

 Great!

Any new reg keys for MR5?

0
Frank019's picture

very nice article, thank you for making this one

0
GWA's picture

Excellent article.

0
jayancharles's picture

HI  vikram Great ya i know ur in other field but u doing well....I think u get from google any  nice..............

by

  Jayan charles

+1
Vikram Kumar-SAV to SEP's picture

I am either in football field or SEP field..no other field..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

+1
Wally's picture

Great article - especially the EnableProductUpdates tweak - will save me a lot of time!!!

+1
JRV's picture

If you can't think of any other reasons not to let your users run as admins (and most of us can think of many!), the fact that SEP stores its config in the registry for all to see is a great one.

If you run as an admin, it is trivial for malware or malicious users to disable SEP.

0
BrooksGarrett's picture

Application and Device Control. Done.

I.e.: do not allow any process to modify SEP registry keys.

0
VKalani's picture

this applies for ru6mp1 too!!!

-VKalani

0
SymSEP's picture

One of the informative articles of yours that I have bookmarked.

0
Ian_C.'s picture

Please can we add this list of Registry keys to the list.

http://www.symantec.com/business/support/index?page=content&id=TECH106042&locale=en_US

These keys are about caching client content

  • Caching install files
  • location of cached files
  • number of revisions to keep
Please mark the post that best solves your problem as the answer to this thread.
+2
Ian_C.'s picture

Do the clients know that they are to use a GUP?

You can verify by looking in the registry.

[HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
UseMasterClient = 1 This says the client knows to use a GUP
MasterClientHost = "host name of the GUP"

Thanks to blenahan from https://www-secure.symantec.com/connect/forums/propagation-clients-server-capability-sep-wan#comment-5189451

 and officially from  "Symantec Endpoint Protection 11.0 Group Update Provider (GUP)" http://www.symantec.com/docs/TECH102541 right at the bottom.

Please mark the post that best solves your problem as the answer to this thread.
+2
yang_zhang's picture

So great! I will bookmark this!

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
0
Moab.baom's picture

Great article,

But I'm not just interested in knowing the client virus definitions (HKLM\SOFTWARE\Symantec\SharedDefs\DefWatch\VirusDefs),

but the Windows definitions on the SEPM console home page:

Latest from Symantec

Latest On Manager

Because I want to monitor this information first. I found a very good Nagios plugin, but it displays the virus definition of the client installed on the server. The server can be the client of another SEPM, up to date, and my local server out of date, and I would not know this from this information.

https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/check_symantec_av

I need to know the registry entry for the Windows definitions displayed on the SEPM console.

Best regards

0
Wally's picture

Vikram - do you know if there is a registry entry on the SEP 11 RU6 or RU7 client for "Disable the Windows Firewall"?

0
LGL's picture

Is there any update from anyone according to the latest release SEP12.1 RU1 and registry entries, maybe there is some new useful registry entries to know in that version?

0
Srikanth_Subra's picture

Nice article

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

+1
HSS's picture

Hi, 

I would like to know the reg key to change the Startup Type (from Auto to Manual) of 'Symantec Endpoint Protection'.

Any urgent reply will be appreciated.

 

Thanks,

0
Ian_C.'s picture

What you are trying to do is not advisable. However, if you want to experiment with this, have a look at this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus

The Auto value determines the start up type.

Please mark the post that best solves your problem as the answer to this thread.
0
NRaj's picture

Good one. Thanks.

0
Ian_C.'s picture

Dear Vikram.

Please add the Reg key discussed in https://www-secure.symantec.com/connect/forums/location-awareness-and-vpn-switching#comment-6811491 to your article.

They talk about debugging of Auto Location switching (ALS) and this Reg key

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

Thank you in advance.

Please mark the post that best solves your problem as the answer to this thread.
0
A Lara's picture

I can find the registry key that gives Antivirus and Antispyware definition date, and the Network Threat Protection definition date, but I cannot find the registry key that gives the definition date for Proactive Threat Protection.

 

 Where is this registry key?

+1
Ian_C.'s picture

Thanks to Mithun for posting in this article how to decode the time stamps for the values of

  • date and time of last full scan
  • date and time of last infection

How to decode the TimeOfLastVirus and TimeOfLastScan registry values: KB 99873

Please mark the post that best solves your problem as the answer to this thread.
0
tygrus's picture

Is there a way to use the SyLink.xml from the SEPM to :

A) confirm license / serial number; AND

B) use for LiveUpdate's;

.. BUT NOT .. C)  managed setting.

I want local control over when it scans, how it scans, when it updates, exceptions etc. I do not have access to the SEPM, I do not have access to the full SEP CDs, I do have access to the local workstation (OS Admin). A + B but NOT C.

Windows XP / 7, 32 and some Win7 64.

 

0
rojopipe's picture

Hi,

Does anyone have an update of this post for SEP 12.1 RU3? The idea is to protect the necessary registry keys using ADC.

Thank you.

0
_Brian's picture

Yes, this is one of the default rules you can apply.

http://www.symantec.com/docs/TECH104431

0
rojopipe's picture

Thanks Brian81

I seek to identify the SEP registry keys that can be protected through ADC policies in case someone malicious attempts to erase them. Greater protection than Tamper Protection.

0