Endpoint Protection

  • 1.  Endpoint Protection Agent monitoring via SCOM?

    Posted May 27, 2015 11:39 AM

    I have been asked to monitor the status of the endpoint agent on my client's 1600 servers via SCOM (System Center Operations Manager) 2012, and it appears that there is no management pack from Symantec to allow this to happen. Has anyone else figured out a way to make this happen? In particular, my client is interested in getting SCOM alerts when an agent is behind on receiving the AV updates.

    If there is no built-in SCOM Management Pack to do this, is there any PowerShell/VB script way of checking the status of the agent? The alternative I am looking at is having a script write to the Application event log indicating when it is behind on the signature updates, which SCOM can then monitor for.



  • 2.  RE: Endpoint Protection Agent monitoring via SCOM?



  • 3.  RE: Endpoint Protection Agent monitoring via SCOM?

    Posted May 27, 2015 12:07 PM

    @DP123...

    Not being a SCOM guy I can't give you a solution, but I will suggest that you could check the registry and identify the current definitions:

    For SEP 12.1 64bit, you would look at the following: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs", "DEFWATCH_10"

    That said, you could write a script that checks that reg key, and if the value is more than 7 days old (or whatever number of days works for your customer), have the script write the event log entry you suggested, which SCOM could then monitor. The script could be called by a scheduled task so that you don't have another TSR on your customer's desktop.  :-)

    Hope this gives you some ideas,

    -Mike
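
    The check Mike describes, as an added example and not code from anyone in this thread: read the registry value named above, derive the definition date, and write an Application event log entry that SCOM can alert on. It assumes that DEFWATCH_10 holds the path of the current VirusDefs folder and that the folder name begins with the definition date as YYYYMMDD (e.g. 20150527.003); the event source name, event IDs and 7-day threshold are made-up values you would set for your own environment.

```powershell
# Added example, not from the original thread.
# Checks the age of the current SEP 12.1 (64-bit) virus definitions via the
# registry value DEFWATCH_10 and writes an Application event log entry so SCOM
# can raise an alert when definitions fall behind.
#
# ASSUMPTIONS (not confirmed by the thread):
#   - DEFWATCH_10 is a REG_SZ path to the current definition folder, whose
#     leaf name starts with the definition date in YYYYMMDD form.
#   - Event source name, event IDs and the threshold below are illustrative.

param(
    [int]$MaxAgeDays = 7,                          # threshold agreed with the customer
    [string]$EventSource = 'SEPDefinitionCheck'    # hypothetical source name
)

$RegPath   = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$ValueName = 'DEFWATCH_10'

function Get-SepDefinitionDate {
    # Returns the date of the definitions currently in use, or throws if the
    # registry value cannot be read (missing key = agent missing or broken).
    param([string]$Path = $RegPath, [string]$Name = $ValueName)

    $item      = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    $defPath   = [string]$item.$Name
    $defFolder = Split-Path -Leaf $defPath

    if ($defFolder -match '^(\d{8})') {
        # Folder name carries the date, e.g. 20150527.003 -> 2015-05-27
        return [datetime]::ParseExact($Matches[1], 'yyyyMMdd',
            [System.Globalization.CultureInfo]::InvariantCulture)
    }
    # Fall back on the folder timestamp if the name does not carry a date
    return (Get-Item -Path $defPath -ErrorAction Stop).LastWriteTime
}

function Write-CheckEvent {
    param([string]$Message, [string]$EntryType, [int]$EventId)

    # Registering an event source needs admin rights; a scheduled task
    # running as SYSTEM has them, so the first run creates the source.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource `
        -EventId $EventId -EntryType $EntryType -Message $Message
}

try {
    $defDate = Get-SepDefinitionDate
    $age     = (Get-Date) - $defDate

    if ($age.TotalDays -gt $MaxAgeDays) {
        # Behind on updates: Warning event that SCOM's rule keys on
        Write-CheckEvent -EntryType Warning -EventId 9001 -Message (
            'SEP virus definitions are {0:N0} days old (dated {1:yyyy-MM-dd}); threshold is {2} days.' `
            -f $age.TotalDays, $defDate, $MaxAgeDays)
    } else {
        # Healthy: Information event so SCOM can also detect a silent check
        Write-CheckEvent -EntryType Information -EventId 9000 -Message (
            'SEP virus definitions are current (dated {0:yyyy-MM-dd}).' -f $defDate)
    }
} catch {
    # Unreadable or missing value: treat as unhealthy rather than silent,
    # since an absent key usually means the agent is not installed or is broken
    Write-CheckEvent -EntryType Error -EventId 9002 -Message (
        "Could not read SEP definition state from $RegPath\$ValueName : $_")
}
```

    To run it without a resident process, register it as a scheduled task under SYSTEM (the script path is a placeholder): `schtasks /Create /SC DAILY /ST 06:00 /RU SYSTEM /TN "SEP Definition Check" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-SepDefs.ps1"`. On the SCOM side, a Windows Event rule filtered on the source name and event IDs 9001 and 9002 gives the alert the client asked for; including 9002 matters, because a server whose agent has been removed would otherwise never generate the "behind" event at all.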




  • 4.  RE: Endpoint Protection Agent monitoring via SCOM?

    Posted May 27, 2015 12:12 PM

    Brian,

    I am not looking to monitor the server, but the health of the agents, which is an entirely different process. My client has 1600 servers being protected by SEP, and they need to know if any of the agents are not current on their virus definitions.



  • 5.  RE: Endpoint Protection Agent monitoring via SCOM?

    Broadcom Employee
    Posted May 27, 2015 02:44 PM

    I believe there isn't any built-in SCOM Management Pack to do this.

    Go with the other alternatives you mentioned, such as a script that writes to the Application event log indicating when it is behind on the signature updates, which SCOM can then monitor for.




  • 6.  RE: Endpoint Protection Agent monitoring via SCOM?

    Posted Jul 22, 2015 10:02 AM

    @DreadPirate123: Suggestion from a SEPM Admin. If your SEPMs are on version 12.1.6 (new) and your server endpoints are on a minimum of 12.1.6 (because of Fix ID: 3518941 under SEP 12.1.6), try Host Integrity (HI) to check compliance, and you can provide this to your management as an alternative, as in your own words "they need to know if any of the agents are not current on their virus definitions."

    SNAC Self Enforcement for Virus Definition Compliance

    References:

    Host Integrity check

    What you can do with Host Integrity policies (Article: HOWTO81726)