Endpoint Protection

  • 1.  Clients status (offline/disable) in external logging

    Posted Nov 27, 2015 03:10 AM

    Can somebody tell me what file shows SEP client offline or disabled status?

    They are all stored in:

    Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump

     

    What is the message string in text file?

    Thanks.



  • 2.  RE: Clients status (offline/disable) in external logging

    Posted Nov 27, 2015 03:41 AM

    You can query the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

    PolicyMode: 1 means communicating, 0 means offline.

    https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks



  • 3.  RE: Clients status (offline/disable) in external logging

    Posted Nov 27, 2015 03:46 AM

    But this information is stored in the client's registry.

    I expect to have the information in a log or tmp file.



  • 4.  RE: Clients status (offline/disable) in external logging
    Best Answer

    Posted Nov 27, 2015 03:54 AM

    The external dump log will not have the status mentioned directly as online or offline.

    However, if you are looking to find out whether the SEP client service was stopped on a computer at a particular date/time, you may search using the following syntax (full or partial):

    Example1: "2015-11-10 18:18:38,Info,MachineName,Category: 0,Smc,Symantec Management Client is stopped."

    Example2: 2015-11-10 18:19:30,Info,MachineName,Category: 0,Smc,Symantec Management Client has been started.

     

    If you can find the time of the above 2 events, then you can say that the client service was stopped between these times.
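
The pairing described in this answer, as an added example that is not part of the original post or any Symantec tooling: it matches each "is stopped" line to the next "has been started" line for the same machine and reports the gap. It assumes the six-field comma layout of the two example lines above and that lines are in chronological order; the host names and sample lines are constructed.

```python
from datetime import datetime

STOPPED = "Symantec Management Client is stopped."
STARTED = "Symantec Management Client has been started."

def service_outages(lines):
    """Pair each 'stopped' event with the next 'started' event per machine.

    Returns (machine, stopped_at, started_at) tuples; started_at is None
    when no later 'started' event exists for that machine in the input.
    """
    down_since = {}  # machine -> time of the unmatched 'stopped' event
    outages = []
    for line in lines:
        # Assumed layout: time,severity,machine,category,source,message
        parts = line.strip().strip('"').split(",", 5)
        if len(parts) != 6:
            continue  # not a record in the assumed layout
        stamp, _severity, machine, _category, source, message = parts
        if source != "Smc":
            continue
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp, skip the record
        if message == STOPPED:
            down_since.setdefault(machine, when)  # keep the earliest stop
        elif message == STARTED and machine in down_since:
            outages.append((machine, down_since.pop(machine), when))
    # Machines whose service never came back within the input
    outages += [(m, t, None) for m, t in sorted(down_since.items())]
    return outages

# Constructed sample lines (not taken from a real SEPM dump)
SAMPLE = [
    '"2015-11-10 18:18:38,Info,HOST-A,Category: 0,Smc,Symantec Management Client is stopped."',
    "2015-11-10 18:19:00,Info,HOST-A,Category: 0,Smc,Some other event, with a comma",
    "2015-11-10 18:19:30,Info,HOST-A,Category: 0,Smc,Symantec Management Client has been started.",
    "2015-11-10 18:25:02,Info,HOST-B,Category: 0,Smc,Symantec Management Client is stopped.",
    "truncated line",
]

if __name__ == "__main__":
    for machine, stopped, started in service_outages(SAMPLE):
        gap = f"down {(started - stopped).total_seconds():.0f}s" if started else "still stopped"
        print(f"{machine}: stopped {stopped}, started {started} ({gap})")
```

A machine reported with no start time is the case worth alerting on: the client service was stopped and had not restarted by the end of the input.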

     



  • 5.  RE: Clients status (offline/disable) in external logging

    Posted Dec 17, 2015 07:44 AM

    Hi Seyad.

     

    Where can I find these two events?

    Windows Event logs? Application logs?

    Symantec logs?

     

    Thanks for the answer.

     



  • 6.  RE: Clients status (offline/disable) in external logging

    Posted Dec 17, 2015 03:32 PM

    It can be found in the dumps that are created by the SEPM (upon enabling external logging - Dump) at the following location.

    Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump (the same that you mentioned in the original question of this thread)