Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

Discovering Machines without AV through SSIM

Created: 18 Dec 2012 | 6 comments

 

Good Afternoon!
 
I have an environment with about 50.000 machines (workstations and servers) and I would like to discover which ones does not have Anti-Virus installed using SSIM.
 
The AV Product is Symantec Endpoint Protection.
 
I have already used Unmanaged Detector, but it shows all types of devices as printers and so on.
 
How to correlate this event with other to find out only MACHINES without AV, please?
 
I think about "LookUpTable", but this resource is limited (1024 machines) and I have much more than it, so it is not possible to use it.
 
Thanks in advanced!

Comments 6 CommentsJump to latest comment

maximb@netcom.co.il's picture

You can use any vulnerability scanner like nessus for example. You can run specific check for that

pete_4u2002's picture

you can exclude IP and MAC address of the printers and devices from the unmanged detector

Laurent_c's picture

You need to use Asset Table. I have done something similar with a customer before. Lookup table are not fexible enough for this.

Assuming the machines without AV are windows only ? (except if you want to know linux machine not running an AV ?).

I would export the list of machines from my AD in a CSV file, tweak it to import it into the Asset table from SSIM. You can tweak the file so the Machine Operating system are Windows.

Now the unamanaged detector from SEP will report all the machines without AV, you have to compare these events with a condition against the asset table. (to exclude all the non windows machine)

As mentionned above, a regular scan like nessus, that update your entire asset table on a weekly basis is nicer as it populates entries like Operating System..

Of course there is the issue of someone in a workgroup machine on the network Exporting only the AD will miss those. So a regular scan is better.

 

 

GarethR's picture

I have similar requirements to compare SSIM logged data from systems for SEP versions, sig versions, SCSP versions, and do this against asset list based on OS Type. The issue is we had problem creating a SQL rule/query that could reference the asset table values, and ended up with creating a lookup table of PCI Servers - not elegant as it's a separate managed list, and also is also apparently not big enough (1024 limit mentioned above).

Are there an good examples to compare in rules against asset data ?

We are automating import of asset data from SEP, CCS/VM when operational, and potentially SCSP.

We are also intending to XML import asset properties from a CMDB (only XML import permits a merge, CSV reports assets exist and won't allow merging data).

Also, it seems that there are automatic tables (see Schema, eg STO2_0_SAVLATEST) that gather versions from SAV devices, but these are unpopulated for SEP, and there are no equivalent tables for SEP.

Thanks

Gareth

Gareth Rhys

Managed Services, SSIM, SCSP, SEP

Laurent_c's picture

Gareth,

The Table you mentionned are old legacy summary table that used by the SAV collector.

Asset is still the more efficent way as, it is not as limtied in size as lookup table.

You could add a policy to all the assets that are PCI, and then add a criteria in rule based on asset policy ?

SEP State collector and CCSVM works well together at populating asset table.

 

Laurent

GarethR's picture

The asset table is still limited in fields available to store information about assets (even in the new v4.8 which does have longer OS fields), and cross referencing asset data and event data is difficult in rules or queries, unless you have some good examples ???

I have added SCSP to populate the Asset table, but I don't know how well it will do this....no easy way to tell what asset has been updated when by what collector/sensor.

So my requirement is similar to the original poster Viniciuuss where we also need to check against assets from CMDB which server have SEP installed against requirement for all Windows Servers, and which have SCSP installed against Win/Linux in certain groups (defined as Asset Location value). I will review the policy option but this would have to be set manually for each system - prone to error.

This is all about proof against the PCI requirement - am I protecting and monitoring what should be monitored - exactly the sort of question the SSIM should be able to answer for us.

Thanks

Gareth Rhys

Managed Services, SSIM, SCSP, SEP