Endpoint Protection

  • 1.  Antivirus audit tools

    Posted Feb 02, 2010 01:03 AM

    Hi to everyone!
    Let's discuss how you can audit antivirus, like Symantec.
    Please post your suggestions here.
    Some tools or some methods.

    Thanks

    Let's start!!!



  • 2.  RE: Antivirus audit tools

    Posted Feb 02, 2010 10:27 AM
    An easy antivirus audit can be performed here: the Anti-Virus or Anti-Malware test file (European Institute for Computer Anti-virus Research).

    This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File", and it satisfies all the criteria listed above.
    It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test"). The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").
    Once downloaded, run your AV scanner. It should detect at least the file "eicar.com". Good scanners will detect the 'virus' in the single zip archive and maybe even in the double zip archive. Once detected, the scanner might not allow you any access to the file(s) anymore. You might not even be allowed by the scanner to delete these files. This is caused by the scanner, which puts the file into quarantine. The test file will be treated just like any other real virus-infected file.
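    As an added example that is not part of the original post: the script below builds the three artifacts the post describes (the plain eicar.com, a single zip and a double zip) in memory and on disk, so you can drop them on a test host and see how deep into the archive nesting the scanner still detects them, and match the printed hashes against what the scanner logs or quarantines. It assumes the standard 68-byte EICAR string published by EICAR; the archive file names are my own choice and the ZIP wrapping uses only the Python standard library.

```python
"""Build the EICAR test set (plain, single zip, double zip) for an AV detection audit.

Added example, standard library only; it does not depend on any scanner product.
"""
import hashlib
import io
import os
import zipfile

# The 68-byte EICAR standard test string, split across two literals so the
# contiguous 68-byte pattern does not appear inside this source file itself.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def zip_bytes(member_name, data):
    """Return a ZIP archive (as bytes) holding exactly one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def unwrap(blob, layers):
    """Open `layers` nested ZIPs and return the innermost member's bytes."""
    for _ in range(layers):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            blob = zf.read(zf.namelist()[0])
    return blob


def test_set():
    """The three artifacts the post describes, name -> bytes (names are my choice)."""
    plain = EICAR
    single = zip_bytes("eicar.com", plain)          # eicar.com inside one zip
    double = zip_bytes("eicar_com.zip", single)     # that zip inside another zip
    return {"eicar.com": plain, "eicar_com.zip": single, "eicarcom2.zip": double}


def sha256(data):
    """Hex SHA-256, the value to look for in the scanner's detection/quarantine log."""
    return hashlib.sha256(data).hexdigest()


def write_test_set(out_dir):
    """Write the artifacts to out_dir; return {path: sha256} for the audit record."""
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    for name, data in test_set().items():
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written[path] = sha256(data)
    return written


if __name__ == "__main__":
    # Usage: run on the test host, then trigger a scan of the eicar_audit folder.
    for path, digest in write_test_set("eicar_audit").items():
        print(f"{digest}  {path}")
```

    The plain file must be exactly these 68 bytes (EICAR allows only trailing whitespace, up to 128 bytes total), which is why the script writes the bytes directly rather than through a text editor. A scanner that flags eicar.com but neither archive is doing no archive inspection; one that flags the single but not the double zip has a nesting limit worth recording in the audit.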


  • 3.  RE: Antivirus audit tools

    Posted Feb 02, 2010 02:10 PM
    In terms of how well an anti-virus will catch a particular Trojan virus etc. etc., you should definitely follow Riva's solution. EICAR is the best way to go for that knowledge. You might also check out this article http://reviews.cnet.com/Labs/4520-6603_7-5020816-10.html. It goes over how CNET evaluates an anti-virus for other categories like boot speed and overall system impact. I think between these two tests you should get a good idea of how good any particular anti-virus is.

    Cheers
    Grant


  • 4.  RE: Antivirus audit tools

    Posted Feb 02, 2010 02:18 PM
    This is what I monitor using an external monitoring system. I don't really trust 100 percent what Symantec's SEPM server says. Nessus has some features you can use to scan with, but it really hasn't been updated for the Endpoint Protection version.

    Endpoint Client Version

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) then ((if (exists value "SAV Install Directory" of it) then (version of file "rtvscan.exe" of (value "SAV Install Directory" of it as folder) as string) else (if (exists value "SAVCE" of it) then (version of file "rtvscan.exe" of (value "SAVCE" of it as folder) as string) else (if (exists value "NAVNT" of it) then (version of file "rtvscan.exe" of (value "NAVNT" of it as folder) as string) else (if (exists value "NAV" of it) then (version of file "rtvscan.exe" of (value "NAV" of it as folder) as string) else ("<Not Installed>"))))) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) else (if (exists folder (value of variable "ProgramFiles" of environment as string & "\NavNT" as string) whose (exists file "rtvscan.exe" of it)) then (value of variable "ProgramFiles" of environment as string & "\NavNT" as string) else ("<Not Installed>"))

    Common Client Version

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Common Client" of registry) then (value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Common Client" of registry as string) else "Not Installed"

    Decomposer Version

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Decomposer ABI" of registry) then (value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Decomposer ABI" of registry as string) else "Not Installed"

    SPBBC Version

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SPBBC" of registry) then (value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SPBBC" of registry as string) else "Not Installed"

    Endpoint Protection Status

    • Period: Every Report
    if (exists service "norton antivirus server") then (state of service "norton antivirus server") else (if (exists service "norton antivirus client") then (state of service "norton antivirus client") else (if (exists service "symantec antivirus server") then (state of service "symantec antivirus server") else (if (exists service "symantec antivirus client") then (state of service "symantec antivirus client") else (if (exists service "symantec antivirus") then (if (state of service "Symantec AntiVirus" = "Running" AND exists running application "rtvscan.exe" whose (version of it >= "11" as version)) then ("Running") else state of service "Symantec Antivirus") else (if (exists service "navapsvc") then (state of service "navapsvc") else "<Not Installed>")))))

    Network Threat Protection Status

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of registry) then (value "smc_engine_status" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC" of registry as string) else "0"

    Endpoint Event Manager Status

    • Period: Every Report
    if (exists service "ccEvtMgr") then (state of service "ccEvtMgr") else ("<Not Installed>")

    Endpoint Management Status

    • Period: Every Report
    if (exists service "SmcService") then (state of service "SmcService") else ("<Not Installed>")

    Reporting to Server Status

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" of registry) then (value "PolicyMode" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" of registry as string) else "0"

    Antivirus Definition

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" of registry as string)) else "<Not Installed>"

    IPS Definition

    • Period: Every Report
    if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs" of registry) then (value "cndcIps" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs" of registry as string) else "Not Installed"

    Relevance

    Relevance 1

    exists service "Norton AntiVirus Server" OR exists service "defwatch" OR exists service "Norton AntiVirus Client" OR exists service "Symantec AntiVirus Server" OR exists service "Symantec AntiVirus Client" OR exists service "Symantec AntiVirus" OR exists service "navapsvc"
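    As an added example, not part of tekkid's post and not Symantec or BigFix code: the expressions above are evaluated on each endpoint by a management agent (the syntax is BigFix relevance). The Python below reimplements the same decision logic over constructed host snapshots (registry values, service states, file versions an inventory tool would have collected), so the audit rules can be tested offline and applied to any inventory export. Registry key and value names are taken from the checks above; the host names, paths and version strings in SAMPLE_HOSTS are constructed; the definitions-age threshold and the SyLink finding are my own audit rules layered on top of the checks.

```python
"""Offline evaluation of the Symantec endpoint checks above over constructed host snapshots."""
from dataclasses import dataclass, field

# Registry keys exactly as named in the relevance checks above.
INSTALLED_APPS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps"
SHARED_DEFS = r"HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs"
SYLINK = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection"
          r"\SMC\SYLINK\SyLink")
NOT_INSTALLED = "<Not Installed>"
# Service names probed by 'Endpoint Protection Status', in the same order.
AV_SERVICES = ("norton antivirus server", "norton antivirus client",
               "symantec antivirus server", "symantec antivirus client",
               "symantec antivirus", "navapsvc")


@dataclass
class HostSnapshot:
    """What an inventory agent collected from one Windows host (constructed data)."""
    name: str
    registry: dict = field(default_factory=dict)  # key path -> {value name: data}
    services: dict = field(default_factory=dict)  # lower-case service name -> state
    files: dict = field(default_factory=dict)     # file path -> file version string


def parse_version(text):
    """'11.0.5002.333' -> (11, 0, 5002, 333) so versions compare numerically."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def client_version(h):
    """'Endpoint Client Version': the first install-directory value present wins."""
    apps = h.registry.get(INSTALLED_APPS)
    if apps is None:
        return NOT_INSTALLED
    for value_name in ("SAV Install Directory", "SAVCE", "NAVNT", "NAV"):
        if value_name in apps:
            exe = apps[value_name].rstrip("\\") + "\\rtvscan.exe"
            return h.files.get(exe, NOT_INSTALLED)
    return NOT_INSTALLED


def definition_version(h):
    """'Antivirus Definition': '...\\20100201.003' becomes '20100201, rev. 003'."""
    path = h.registry.get(SHARED_DEFS, {}).get("NAVCORP_70")
    if path is None:
        return NOT_INSTALLED
    leaf = path.rsplit("\\", 1)[-1]
    if "\\" in path and "." in leaf:
        stamp, rev = leaf.rsplit(".", 1)
        return f"{stamp}, rev. {rev}"
    return path


def protection_status(h):
    """'Endpoint Protection Status': state of the first AV service that exists."""
    for svc in AV_SERVICES:
        if svc in h.services:
            return h.services[svc]
    return NOT_INSTALLED


def reporting_mode(h):
    """'Reporting to Server Status': SyLink PolicyMode, or the check's '0' fallback."""
    return h.registry.get(SYLINK, {}).get("PolicyMode", "0")


def audit(hosts, oldest_ok_stamp):
    """Apply audit rules (mine, not the page's) to each host; returns {host: [findings]}."""
    report = {}
    for h in hosts:
        findings = []
        if client_version(h) == NOT_INSTALLED:
            findings.append("client not installed")
        status = protection_status(h)
        if status != "Running":
            findings.append(f"protection {status}")
        defs = definition_version(h)
        # Definition stamps are YYYYMMDD, so string comparison orders them by date.
        if defs == NOT_INSTALLED or defs.split(",")[0] < oldest_ok_stamp:
            findings.append(f"definitions {defs}")
        if reporting_mode(h) == "0":
            findings.append("SyLink key absent: reporting-to-server status unknown")
        report[h.name] = findings
    return report


# Constructed snapshots: a healthy SEP 11 host, a stale SAV host, and a bare host.
SAMPLE_HOSTS = [
    HostSnapshot("ws-healthy",
                 registry={INSTALLED_APPS: {"SAV Install Directory": r"C:\Program Files\Symantec\SEP"},
                           SHARED_DEFS: {"NAVCORP_70": r"C:\Defs\20100201.003"},
                           SYLINK: {"PolicyMode": "1"}},
                 services={"symantec antivirus": "Running", "smcservice": "Running"},
                 files={r"C:\Program Files\Symantec\SEP\rtvscan.exe": "11.0.5002.333"}),
    HostSnapshot("ws-stale",
                 registry={INSTALLED_APPS: {"NAVNT": r"C:\Program Files\NavNT"},
                           SHARED_DEFS: {"NAVCORP_70": r"C:\Defs\20091120.017"}},
                 services={"symantec antivirus": "Stopped"},
                 files={r"C:\Program Files\NavNT\rtvscan.exe": "10.1.5000.5"}),
    HostSnapshot("ws-bare"),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_HOSTS, "20100101").items():
        print(host, "OK" if not findings else "; ".join(findings))
```

    The value of evaluating the rules outside the management server is the point tekkid makes: a second, independent view of client version, definition age and service state catches hosts the SEPM console reports as healthy because they last checked in with good data and have since stopped running or updating. Feed it the registry and service data from whatever collector you trust and compare its findings against the SEPM report host by host.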



  • 5.  RE: Antivirus audit tools

    Posted Feb 02, 2010 02:30 PM
    I want to be clear on exactly what you are asking. Do you mean audit as in a financial audit, where you scan all of your network for information on what AV is installed? This seems to be what tekkid is getting at. Or do you mean audit as in the evaluation of a particular anti-virus? The latter is what Riva and I were assuming.

    Thanks
    Grant


  • 6.  RE: Antivirus audit tools

    Posted Feb 02, 2010 02:39 PM
    Good question, I just assumed you wanted to audit what was installed. Sorry if I misunderstood.


  • 7.  RE: Antivirus audit tools

    Posted Feb 02, 2010 02:44 PM
    I am not sure you did. I think you were actually on the right track : ) and it was us that were wrong.

    Grant


  • 8.  RE: Antivirus audit tools

    Posted Feb 12, 2010 08:26 AM
    This is a great site, thx.


  • 9.  RE: Antivirus audit tools

    Posted Feb 12, 2010 03:26 PM
    Hi Demonarm,

    Did you end up getting your question solved? Were you happy with the tools we posted to audit anti-virus products? I am still unsure which "kind" of audit you meant so if you require further help please come back and let us know and we will be happy to post more tools.

    Thanks
    Grant