Endpoint Protection

  • 1.  Determine SEP DAT Signature Date/Version via WMI or Registry

    Posted Jan 17, 2012 10:30 AM

    I am trying to find the best way to report on the Symantec Endpoint Definitions (SEP 11 & SEP 12) in Microsoft System Center Configuration Manager.  I am also looking for the best way to remotely determine the definitions date for a SEP client by querying a remote PC directly.

    I found this article, but it seems to apply to SEP 10, and the registry key specified doesn't exist on my SEP 11 nor SEP 12 clients.

    I have written a VB.NET application that allows me to query a remote PC and examine the DEFINFO.DAT file (C:\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat  or C:\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat), and then extract the DAT version from the CURDEFS= value.  But I am hoping to find this information in WMI or the Windows Registry so that I can query it more efficiently.  I am also querying the WMI Classes \root\SecurityCenter and root\SecurityCenter2 but have had no success determining the DAT signature from there.

    Also, the ability to report on this information in ConfigMgr would be extremely beneficial and would supplement existing reporting from the SEP console.  It would also have the added benefit of allowing me to run advertisements based on a collection of computers that have out of date virus definitions.



  • 2.  RE: Determine SEP DAT Signature Date/Version via WMI or Registry

    Posted Jan 17, 2012 02:42 PM

    For SEP 11, have a look at this enlightening posting (item 6):

    https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks

    For SEP 12.1, see this posting:

    https://www-secure.symantec.com/connect/forums/script-pull-virus-defination-update-clients#comment-6552511

    You can use the following patterns, as Ian_C. describes there:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileDate

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileRevision

    As far as I can see, the binary formats are little endian. 1970 must be added to the year.
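
    The decoding described in the reply above, together with the definfo.dat CURDEFS= parsing from the original question, as an added example that is not part of this thread. PatternFileDate is a REG_BINARY and PatternFileRevision a DWORD under the AV key; the thread only states the 1970 year offset and little-endian layout, so treating byte 1 as a zero-based month and byte 2 as the day of month is an assumption here, as are the sample bytes and the sample definfo.dat text. The live registry read is only attempted on Windows; everything else runs anywhere.

```python
"""Decode SEP virus definition version from the AV registry values or definfo.dat."""
import datetime
import struct
import sys

# Registry path named in the thread (value names PatternFileDate / PatternFileRevision
# live directly under this key).
SEP_AV_KEY = r"SOFTWARE\Symantec\Symantec Endpoint Protection\AV"

# Constructed sample of the definfo.dat layout the question describes (not a real file).
SAMPLE_DEFINFO = "[DefDates]\nCURDEFS=20120117.003\nLASTDEFS=20120116.002\n"

# Constructed sample registry data: 2012-01-17, revision 3.
SAMPLE_PATTERN_FILE_DATE = bytes([42, 0, 17])  # year-1970, month (assumed 0-based), day
SAMPLE_PATTERN_FILE_REVISION = b"\x03\x00\x00\x00"  # little-endian DWORD


def decode_pattern_file_date(raw: bytes) -> datetime.date:
    """Decode the REG_BINARY PatternFileDate value.

    The thread states the year is stored as an offset from 1970.
    Assumption (not stated on the page): byte 1 is a zero-based month, byte 2 the day.
    """
    if len(raw) < 3:
        raise ValueError("PatternFileDate needs at least 3 bytes, got %d" % len(raw))
    return datetime.date(1970 + raw[0], raw[1] + 1, raw[2])


def decode_pattern_file_revision(raw) -> int:
    """PatternFileRevision is a DWORD. winreg returns it as int already; a raw
    4-byte dump (for example from a remote registry export) is little-endian."""
    if isinstance(raw, int):
        return raw
    if len(raw) < 4:
        raise ValueError("PatternFileRevision needs 4 bytes, got %d" % len(raw))
    return struct.unpack("<I", raw[:4])[0]


def parse_definfo(text: str) -> tuple:
    """Extract (YYYYMMDD, revision) from the CURDEFS= line of definfo.dat."""
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("CURDEFS="):
            value = line.split("=", 1)[1].strip()
            date_part, _, rev_part = value.partition(".")
            if len(date_part) != 8 or not date_part.isdigit():
                raise ValueError("unexpected CURDEFS date: %r" % date_part)
            return date_part, int(rev_part or "0")
    raise ValueError("no CURDEFS= line found")


def version_string(defs_date: datetime.date, revision: int) -> str:
    """Render registry data in the same YYYYMMDD.RRR form as CURDEFS, so the two
    sources can be compared directly."""
    return "%s.%03d" % (defs_date.strftime("%Y%m%d"), revision)


def definitions_age_days(defs_date: datetime.date, today=None) -> int:
    """Age of the definition set in days; the number an out-of-date collection
    or report would threshold on."""
    today = today or datetime.date.today()
    return (today - defs_date).days


def read_from_registry():
    """Read and decode the two values from the local registry (Windows only).

    KEY_WOW64_64KEY avoids being redirected to Wow6432Node from a 32-bit
    interpreter on x64; assumption: the SEP key lives in the 64-bit view there.
    """
    if sys.platform != "win32":
        return None
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SEP_AV_KEY, 0, access) as key:
        raw_date, _ = winreg.QueryValueEx(key, "PatternFileDate")
        raw_rev, _ = winreg.QueryValueEx(key, "PatternFileRevision")
    return decode_pattern_file_date(raw_date), decode_pattern_file_revision(raw_rev)


if __name__ == "__main__":
    d = decode_pattern_file_date(SAMPLE_PATTERN_FILE_DATE)
    r = decode_pattern_file_revision(SAMPLE_PATTERN_FILE_REVISION)
    print("registry :", version_string(d, r))
    print("definfo  :", "%s.%03d" % parse_definfo(SAMPLE_DEFINFO))
    live = read_from_registry()
    if live:
        print("live     :", version_string(*live), "age(days):", definitions_age_days(live[0]))
```

Comparing version_string() against the CURDEFS= value on the same machine is a cheap sanity check that the byte layout assumption holds on your SEP build before you trust the registry path in a ConfigMgr hardware-inventory extension or collection query.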



  • 3.  RE: Determine SEP DAT Signature Date/Version via WMI or Registry

    Posted Jan 18, 2012 02:19 PM

    While you are querying the client remotely, there is a lot of information in the DB that you could access a lot faster. Have a look at https://www-secure.symantec.com/connect/forums/sql-querys-database.

    The above would also be good to do a live comparison between the client & DB. I'm saying this because of the endless posts about clients not communicating.

    PS Cool, my first quote.