Endpoint Protection

  • 1.  Customer wants to script configuring a Unmanaged Detector

    Posted Oct 29, 2010 09:15 AM

    I have a customer this week that wants to use an unmanaged detector, but would prefer not to use the Admin console to configure it.  He wants the ability to script it.  Is there a reg key(s) that can be modified, or a file created or changed, that would accomplish this?  Is it in the sylink.xml?



  • 2.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 29, 2010 09:34 AM

    It won't be in sylink.

    It would collect all the systems in the network and check the reg key to see if SEP is present or not.

    You don't need the inner functionality to check that.

    All you have to do is check the folder of remote machines to see if the SAV or SEP folder is present, along with registry keys.

    You can use nst.exe; the link is removed now. Check your internal KB and you will find it :)



  • 3.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 29, 2010 10:03 AM

    Check whether this link helps.

     

    http://service1.symantec.com/support/ent-security.nsf/docid/2008042514314748



  • 4.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 29, 2010 10:10 AM

    Sent you a PM with the cached copy. The document is not public anymore.



  • 5.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 29, 2010 04:21 PM

    Without using the admin console, how can I define a client as an unmanaged detector?  I understand how an unmanaged detector works.  Client has specific procedures in place and has to configure via a script or batch file.



  • 6.  RE: Customer wants to script configuring a Unmanaged Detector

    Broadcom Employee
    Posted Oct 29, 2010 06:59 PM

    I am coming up blank looking for an alternate way to turn a client into an unmanaged detector, other than using the admin console.  Hard to say if it is just a simple registry key that needs to be flipped or created, or if it is more complex than that.

    If they really need to do this, I would recommend opening a case with support for a more thorough investigation.



  • 7.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 30, 2010 12:37 AM

    There really isn't anything to configure other than right clicking the client in admin console and turning on the feature. Do they not have access to the admin console?



  • 8.  RE: Customer wants to script configuring a Unmanaged Detector

    Posted Oct 30, 2010 05:33 PM

    I think the customer or consultant is being somewhat shortsighted. They are going to either have to cripple their policy distribution process, or cripple the protection. Also consider that as new versions of SEP are implemented (including simple Maintenance Patches) the functionality could change without notice, thereby resulting in further problems for the customer.

     Figuring it out would likely be possible using Filemon, and Regmon (Yay SysInternals), however I think this is inadvisable for the customer to do.

    Looking to actually DO this I would be asking: Will the SEP client ever speak to the manager?

     If this is changed only by script on a managed SEP Client:

    • The client will eventually speak to its manager, and get an updated configuration, resulting in this setting being reset to the SEPM configuration.
    • If enabled, Tamper Protection is likely to go ballistic when the script attempts to modify the registry key (or drop in a Sylink/whatever is needed).
    • If they are configuring the SEPM the same way then I ask - why the need to deploy this way?

     

    If this is on an unmanaged SEP client:

    • An unmanaged client detector on an unmanaged client - intriguingly useless. When will the data ever be read?
    • I would fear that the data will be cached locally for an unknown and undefinable period of time, in a format that is likely not easily accessible, or (consider this) flushable. Without the ability to flush this data, and no uploading - the client could become unstable.

     

    About the only supported way to accomplish this (imho):

    • Use "Third party content management" to enable the outbox. Then using a "staging SEPM" collect a policy file with the setting configured as desired, and drop it in the Inbox.
    • Upon my third or fourth consideration it occurs to me that Unmanaged Detector is an individual computer setting, and may not be in the policy settings - which means this may not even work.

     

    The only real application I can think of would be to deploy settings to clients that log into a segment of the network where their SEPM is not present (VPN?). In that case they should address the root issue rather than this workaround.

     

    Hope this helps - Joz

     

    (Edit x2: Further thoughts)