Endpoint Protection

  • 1.  Determine latest virus definitions on server from database

    Posted Nov 20, 2015 04:53 PM

    I am writing some automation scripts to create some reports for management and one part I cannot seem to find is the "Latest on Manager" field that is on the SEPM home screen. Does anyone know if that is in the database and if so, where it might be?

    Thanks

    Martin



  • 2.  RE: Determine latest virus definitions on server from database
    Best Answer

    Posted Nov 20, 2015 05:04 PM

    Here's the DB schema:

    http://www.symantec.com/docs/DOC8633

    Enabling comments and doing a search isn't returning much. This value may not be read from the DB but from a file instead.

    Within C:\program files\symantec\symantec endpoint protection manager\inetpub\content there is a file called ContentInfo.txt, which it could be pulling from.



  • 3.  RE: Determine latest virus definitions on server from database
    Best Answer

    Posted Nov 21, 2015 09:43 AM

    The "Latest on Manager" is the most current AV/AS content on SEPM. You can pull it from the file system. Under <SEPM installation folder>\inetpub\content, you will find a folder starting with {07B...} containing the 64-Bit AV/AS content. The folder starting with {535c...} contains the 32-Bit stuff. Within these folders there are subfolders with the name schema YYMMDDRRR (R = release). The youngest folder contains the info you need.

    If your SEPM is downloading only one type of content (32-Bit or 64-Bit), it's necessary to get the proper folder. Otherwise, it doesn't matter which folder you use.

    If you want to pull your info from the database, the following q&d command is working for me (embedded DB). Example for 32-Bit AV/AS content:

    SELECT TOP 1 VERSION 
    FROM PATTERN 
    WHERE CLIENT_MONIKER = '{535CB6A4-441F-4e8a-A897-804CD859100E}' 
    ORDER BY PATTERNDATE DESC

    All you need is in the Pattern table.

    If your SEPM is only downloading 64-Bit content, you have to change the WHERE line to the 64-Bit moniker.

    HTH!



  • 4.  RE: Determine latest virus definitions on server from database

    Posted Nov 23, 2015 09:11 AM

    Hi Greg,

    That for sure helps!

    I ran the query as you wrote and got the expected results. We are downloading both 32 and 64 bit definitions, but most systems are 64 bit. I then tried to use the 64-bit def id, but I do not even see that listed. I do see the folder in the inetpub\content directory. Odd.

    Anyway, this does give me what I want.

    Thanks

    Martin



  • 5.  RE: Determine latest virus definitions on server from database

    Posted Nov 23, 2015 09:13 AM

    Hi Brian,

    Good info to have. I had the older db schema, so it helps to have the new one.

    I thought about the file, but I was already pulling info from the DB, so I was hoping to do it there also.

    Thanks

    Martin



  • 6.  RE: Determine latest virus definitions on server from database

    Posted Nov 23, 2015 10:37 AM

    It appears that the information in that table does not properly reflect the version on the SEPM server. It appears that it stores the versions of the definitions that are on the clients.

    Here is what I did to test this

    1. The SEPM console is reporting "Latest on Manager: 11/22/2015 r2".
    2. Checked the database with the query above and it reported the same date and revision number "2015-11-22 rev. 002"
    3. Downloaded the most recent definition from http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep and installed it on a client system that had the 11/22/2015 r2 definitions.
    4. Waited about 30 minutes (heartbeat) and executed the query on SEPM. The query now returns "2015-11-22 rev. 024"
    5. Refreshed the SEPM console and it still reports "Latest on Manager: 11/22/2015 r2".

    I also checked the inetpub\content folder and it still has the 151122002 as the most recent update.

    Close but not quite :(

    Thanks

    Martin




  • 7.  RE: Determine latest virus definitions on server from database

    Posted Nov 23, 2015 04:47 PM

    With the info you guys provided, I think that this seems to get me the info I need. Going to try out a few more tests.

    SELECT TOP 1 
          [CLIENT_MONIKER]
          ,[PATTERN_TYPE]
          ,[SEQUENCE]
          ,[VERSION]
      FROM [sem5].[dbo].[PATTERN]
      where PATTERN_TYPE = 'VIRUS_DEFS'
      and SEQUENCE = '0'
      order by PATTERNDATE desc

    Thanks

    Martin
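Added example, not code from the thread or from Symantec: a Python helper that applies the YYMMDDRRR folder schema from reply 3 to pick the newest content folder, renders it in the same "YYYY-MM-DD rev. RRR" form the PATTERN.VERSION column uses, and repeats the check from reply 6 that flags when the database row is newer than the manager's own content (i.e. it is reporting a client's definitions). The folder listing is a constructed sample; in practice it comes from os.listdir on the content moniker directory.

```python
import re
from datetime import date

# Definition folders under <SEPM>\inetpub\content\{moniker}\ are named YYMMDDRRR
# (two-digit year, month, day, three-digit release), e.g. 151122002.
FOLDER_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{3})$")
# The PATTERN.VERSION column renders the same data as "2015-11-22 rev. 002".
VERSION_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) rev\. (\d{3})$")

def parse_folder(name):
    """Return (date, release) for a YYMMDDRRR folder name, or None for anything else."""
    m = FOLDER_RE.match(name)
    if not m:
        return None
    yy, mm, dd, rrr = (int(g) for g in m.groups())
    return date(2000 + yy, mm, dd), rrr

def parse_version(version):
    """Return (date, release) for a PATTERN.VERSION string, or None if it does not match."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    yyyy, mm, dd, rrr = (int(g) for g in m.groups())
    return date(yyyy, mm, dd), rrr

def latest_on_manager(folder_names):
    """Newest folder: latest date first, highest release on that date second (stray files ignored)."""
    candidates = [(parse_folder(n), n) for n in folder_names if parse_folder(n) is not None]
    return max(candidates)[1] if candidates else None

def folder_to_version(name):
    """Render a folder name the way the PATTERN table does, so the two sources can be compared."""
    d, rrr = parse_folder(name)
    return f"{d.isoformat()} rev. {rrr:03d}"

def db_ahead_of_manager(db_version, folder_names):
    """True when the PATTERN row is newer than anything in the content folder: the row then
    reflects a client's definitions (the situation in reply 6), not the manager's content."""
    newest = latest_on_manager(folder_names)
    parsed = parse_version(db_version)
    if newest is None or parsed is None:
        raise ValueError("no parsable folder names or VERSION string")
    return parsed > parse_folder(newest)

# Constructed sample listing (not from a real SEPM); in practice use os.listdir(content_dir).
SAMPLE_FOLDERS = ["151120001", "151121003", "151122001", "151122002", "Thumbs.db"]
```

With the sample listing, latest_on_manager returns 151122002 and db_ahead_of_manager("2015-11-22 rev. 024", SAMPLE_FOLDERS) is True, which is exactly the mismatch described in reply 6.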