
Determine SEP DAT Signature Date/Version via WMI or Registry

Created: 17 Jan 2012 | 2 comments

I am trying to find the best way to report on the Symantec Endpoint Definitions (SEP 11 & SEP 12) in Microsoft System Center Configuration Manager.  I am also looking for the best way to remotely determine the definitions date for a SEP client by querying a remote PC directly.

I found this article, but it seems to apply to SEP 10, and the registry key specified doesn't exist on my SEP 11 nor SEP 12 clients.

I have written a VB.NET application that allows me to query a remote PC and examine the DEFINFO.DAT file (C:\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat  or C:\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat), and then extract the DAT version from the CURDEFS= value.  But I am hoping to find this information in WMI or the Windows Registry so that I can query it more efficiently.  I am also querying the WMI Classes \root\SecurityCenter and root\SecurityCenter2 but have had no success determining the DAT signature from there.

Also, the ability to report on this information in ConfigMgr would be extremely beneficial and would supplement existing reporting from the SEP console.  It would also have the added benefit of allowing me to run advertisements based on a collection of computers that have out of date virus definitions.

Comments

greg12:

For SEP 11, have a look at this enlightening posting (item 6):

https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks

For SEP 12.1, see this posting:

https://www-secure.symantec.com/connect/forums/script-pull-virus-defination-update-clients#comment-6552511

You can use the following patterns, as Ian_C. describes there:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileData

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileRevision

As far as I see, the binary formats are little endian. 1970 must be added to the year.
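The following is an added example, not code from the original thread or from Symantec: a PowerShell function that reads the two registry values named in the post above from a remote client and, when they are absent (for example on a SEP 11 client), falls back to the DEFINFO.DAT CURDEFS= value the question describes. Assumptions beyond what the thread states: the REG_BINARY date is laid out as [year - 1970][month - 1][day] (the post only says little endian and that 1970 is added to the year); the value names are copied verbatim from the post, so verify them against a client with Get-ItemProperty; on x64 hosts the key is also looked up under Wow6432Node; CURDEFS= is expected in the YYYYMMDD.RRR form used for definition folder names; the Remote Registry service and the C$ admin share are reachable with the caller's credentials.

```powershell
function Get-SepDefinitionInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )

    # 32-bit SEP builds on x64 Windows store their keys under Wow6432Node (assumption).
    $keyPaths = @(
        'SOFTWARE\Symantec\Symantec Endpoint Protection\AV',
        'SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV'
    )

    $result = [ordered]@{
        ComputerName   = $ComputerName
        Source         = $null
        DefinitionDate = $null
        Revision       = $null
        CurDefs        = $null
    }

    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        foreach ($path in $keyPaths) {
            $key = $hklm.OpenSubKey($path)
            if ($null -eq $key) { continue }
            # Value names as given in the post; check on your build (Get-ItemProperty) that they match.
            $raw = $key.GetValue('PatternFileData')
            $rev = $key.GetValue('PatternFileRevision')
            if ($raw -is [byte[]] -and $raw.Length -ge 3) {
                # Assumed layout: byte0 = years since 1970, byte1 = zero-based month, byte2 = day of month
                $result.DefinitionDate = Get-Date -Year ($raw[0] + 1970) -Month ($raw[1] + 1) -Day $raw[2] `
                                                  -Hour 0 -Minute 0 -Second 0 -Millisecond 0
                $result.Revision = [int]$rev
                $result.Source   = "Registry ($path)"
                $key.Close()
                break
            }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        Write-Verbose "Remote registry query failed on $ComputerName : $_"
    }

    if ($null -eq $result.DefinitionDate) {
        # Fallback: parse DEFINFO.DAT over the admin share. CURDEFS= names the
        # active definition set as YYYYMMDD.RRR (assumed format).
        $candidates = @(
            "\\$ComputerName\C$\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat",
            "\\$ComputerName\C$\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat"
        )
        foreach ($file in $candidates) {
            if (-not (Test-Path -LiteralPath $file)) { continue }
            $line = Get-Content -LiteralPath $file |
                Where-Object { $_ -match '^CURDEFS=(\d{8})\.(\d{3})' } |
                Select-Object -First 1
            if ($line -and $line -match '^CURDEFS=(\d{8})\.(\d{3})') {
                $result.CurDefs        = "$($Matches[1]).$($Matches[2])"
                $result.DefinitionDate = [datetime]::ParseExact($Matches[1], 'yyyyMMdd', $null)
                $result.Revision       = [int]$Matches[2]
                $result.Source         = "DEFINFO.DAT ($file)"
                break
            }
        }
    }

    [pscustomobject]$result
}

# Usage: list clients whose definitions are more than 7 days old (hostnames are placeholders).
'PC01', 'PC02' | ForEach-Object { Get-SepDefinitionInfo -ComputerName $_ } |
    Where-Object { $null -eq $_.DefinitionDate -or $_.DefinitionDate -lt (Get-Date).AddDays(-7) }
```

The registry path is tried first because a single remote registry read is far cheaper than reading a file over SMB; the DEFINFO.DAT fallback keeps the function usable on clients where the key does not exist. Clients that return no date at all are kept in the output on purpose, since an unreachable or unreadable client is exactly the case a definitions report should surface rather than silently drop.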

Ian_C.:

While you are querying the client remotely, there is a lot of information in the DB that you could access a lot faster. Have a look at https://www-secure.symantec.com/connect/forums/sql-querys-database.

The above would also be good to do a live comparison between the client & DB. I'm saying this because of the endless posts about clients not communicating.

PS Cool, my first quote.
