
Query the network for workstation without endpoint agents

Created: 15 Jan 2014 | 11 comments

Is there any Symantec recommendation or tool that can be used to probe/query the network for workstations without the DLP endpoint agent?


yang_zhang

You can use the Network Monitor to query the network traffic of the workstations.

Santosh Mistry

Use Symantec Messaging Gateway as Email DLP or DLP solution suite for network monitoring.

madstan

You can use sc.exe to query the remote workstation to verify if the agent process is running. If it is not running, you can assume the agent is not installed.

 

sc \\workstation query type= service | find /i "edpa"

yemmy

@Madstan, thanks for your contribution. The Service Control (SC) query can only probe a specific workstation on the network. In this case, I want to probe the entire network for workstations without the EDPA services.

madstan

It could easily be scripted. In fact, Perl has a function that will query services on remote workstations.

Something like this:

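use strict;
use warnings;
use Win32::Service;
use Net::IP;

# define service
my $myedpa = "EDPA";

# map Windows service CurrentState codes to readable names
my %statcodeHash = (
    1 => "stopped",       2 => "start pending", 3 => "stop pending",
    4 => "running",       5 => "continue pending",
    6 => "pause pending", 7 => "paused",
);

# define subnet
my $subnet = Net::IP->new('10.0.0.1 - 10.0.0.254') or die Net::IP::Error();

# loop through subnet
do {
    my $myip = $subnet->ip();
    my %statusHash;    # fresh hash per host so a failed query cannot reuse old data

    # GetStatus returns false if the host or the service cannot be queried
    if (Win32::Service::GetStatus($myip, $myedpa, \%statusHash)
        && $statusHash{"CurrentState"} =~ /^[1-7]$/) {
        print "$myedpa service for $myip is currently $statcodeHash{$statusHash{CurrentState}}\n";
    } else {
        print "$myedpa service for $myip is not running.\n";
    }
} while (++$subnet);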
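
Added example, not part of the thread and not Symantec or forum-member code: the sweep above reports every failed query as "not running", so this Python block classifies per-host `sc` query output to separate a missing or stopped EDPA service from hosts that were unreachable or refused access. The function names and the sample replies are constructed for illustration; the replies imitate sc.exe's `FAILED <code>` and `STATE : <n> <NAME>` lines.

```python
import re
import subprocess

# Win32 error codes sc.exe prints when it cannot read the service state.
SC_ERRORS = {5: "access_denied", 1060: "not_installed", 1722: "unreachable"}

def classify_sc_output(text):
    """Turn sc.exe query output for one host into a coverage status."""
    failed = re.search(r"FAILED (\d+)", text)
    if failed:
        code = int(failed.group(1))
        return SC_ERRORS.get(code, f"error_{code}")
    state = re.search(r"STATE\s*:\s*\d+\s+(\w+)", text)
    return state.group(1).lower() if state else "unknown"

def query_host(host, service="EDPA", timeout=15):
    """Run sc.exe against one host (Windows only) and classify the reply."""
    try:
        proc = subprocess.run(["sc", "\\\\" + host, "query", service],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "unreachable"
    return classify_sc_output(proc.stdout + proc.stderr)

def coverage_report(statuses):
    """Split {host: status} into covered, confirmed gaps, and hosts to re-check."""
    report = {"covered": [], "gap": [], "recheck": []}
    for host, status in sorted(statuses.items()):
        if status == "running":
            report["covered"].append(host)
        elif status in ("not_installed", "stopped"):
            report["gap"].append(host)
        else:  # unreachable, access denied, pending states, unparsed output
            report["recheck"].append(host)
    return report

# Constructed sc.exe replies for four hypothetical hosts (not real captures).
SAMPLE_REPLIES = {
    "10.0.0.11": "SERVICE_NAME: EDPA\n    STATE    : 4  RUNNING\n",
    "10.0.0.12": "SERVICE_NAME: EDPA\n    STATE    : 1  STOPPED\n",
    "10.0.0.13": "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n",
    "10.0.0.14": "[SC] OpenSCManager FAILED 1722:\n",
}

def demo():
    """Classify the constructed replies and build the report."""
    statuses = {h: classify_sc_output(t) for h, t in SAMPLE_REPLIES.items()}
    return coverage_report(statuses)
```

Hosts in the "recheck" list say nothing about agent coverage until they are queried again with working connectivity and credentials.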

yemmy

I need a solution or tools to track devices on the network that are not running the endpoint agent.

DLP Solutions

Yemmy,

Netflow is a network traffic tool; this will not help you when it comes to DLP agents. The only way that it can work is if Netflow controls what laptops can connect to the DHCP servers and sees if they have a specific application or service running. If you can do this, then look to make sure that it sees an agent running on port 8000 (this is customizable, but 8000 is the default port). This would be a similar approach to seeing if a laptop has a specific antivirus software running.

The best way to see if something is or is not running is by using a desktop tool or logon script that will check and make sure that specific applications or services are running on a device.

The other option is to run a netstat tool that probes EVERY IP address and sees if port 8000 is accepting connections; if not, then they might not have the DLP agent installed. Though this seems like overkill and would set off a ton of IDS alarms if you have them on your network.

Hope this makes sense.

If this solves your question, please mark it as solved.

Ronak


yemmy

Symantec Network Access Control should be able to do this.