Endpoint Protection


Remote Command Line DoScan.exe - Can it report to the console?

  • 1.  Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 18, 2013 02:22 PM

    I'm trying to set up a script for our service desk folks to run that invokes DoScan.exe with PSEXEC. It seems to kick off our scan, but it never shows up in the console monitor, which doesn't surprise me necessarily.  But is there a way to do that?  After the doscan command, I then kick off an smc update command, but that doesn't seem to put the job in the Monitors - Command Status window in the console.  Here are the commands I'm running from within a compiled WinBatch executable.

    wntAddDrive(@DEFAULT, @DEFAULT,"\\%computername%\ipc$",@None,@False) ;this temp maps to the device C: drive admin share using the credentials of the person running the script (all running this would be local admins)

    ;This one kicks off the remote doscan
    RunWithLogon("psexec.exe",' \\%computername% -u ad\symantec_account -p password "%programfiles%\Symantec\Symantec Endpoint Protection\12.1.2015.2015\Bin\DoScan.exe" /scanname "DOT Weekly Scheduled Scan"',"",@Normal,@Wait,"symantec_account","AD","password",0)

     

    ;this one follows up with the remote smc update
    RunWithLogon("psexec.exe",' \\%computername% -u ad\symantec_account -p password "%programfiles%\Symantec\Symantec Endpoint Protection\Smc.exe" -updateconfig',"",@Normal,@Wait,"symantec_account","AD","password",0)

    I'm assuming there needs to be an additional switch or other subsequent command to run to force it to report to the console, or is that not possible?


  • 2.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 18, 2013 03:57 PM

    Not sure if you've reviewed this:

    How to run a scan from a command line using Symantec Endpoint Protection using DoScan.exe

    Article:TECH104287  |  Created: 2008-01-28  |  Updated: 2012-05-25  |  Article URL http://www.symantec.com/docs/TECH104287

     

    But the line in there, "Log files for scans started with doscan.exe are by default created in C:\Programdata\Symantec\Symantec Endpoint Protection\[SEP Version]\Data\Logs\AV\", is where the AV logs are pulled from on the client, so this should be possible. Have you seen an entry in the client log? Or can you test? Is there log data generated after the doscan completes?



  • 3.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 18, 2013 04:18 PM

    Thanks for the info.  I just ran the script against a test box, but have to leave for the day, will post the AV log results asap tomorrow AM.



  • 4.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 10:41 AM

    Just checked.  No, no entry appears in the log location for this specific remote initiation of the job.  Which explains why it doesn't appear in the console.



  • 5.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 11:08 AM

    Can you try to use the direct path to the doscan.exe location in your script:

    "C:\Program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015\Bin\DoScan.exe"

    instead of the variable:

    "%programfiles%\Symantec\Symantec Endpoint Protection\12.1.2015.2015\Bin\DoScan.exe"

     

    ...is the scan starting then?

     

    + If you execute the doscan.exe locally on the machine, does it run without any issues (with the same scanname specified)?



  • 6.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 11:27 AM

    I think it might be a credentials issue.  When I kick off the DoScan.exe with /ScanName switch on my local machine, with no credentials being passed (I would assume it's using my logon credentials at that point), it does seem to initiate a scan, and the AV log does get updated when I kick it off.  But when I follow it right up with a smc.exe -updateconfig, it still does not show up in the console in the Monitors - Command Status window.



  • 7.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 11:33 AM

    When I kick off the DoScan.exe with /ScanName switch on my local machine, with no credentials being passed (I would assume it's using my logon credentials at that point)

    ...yes, it does use your logon credentials.

     

    You can try to force the use of the SYSTEM account for scanning by starting psexec with it (psexec -s).



  • 8.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 11:36 AM

    Question for the Symantec folks: when I initiate a full scan on a machine from the console, what is the sequence of events?  Does it kick off a doscan with a silent switch embedded?  How does it then pass that information to the Monitors - Command Status window?  Basically, we're trying to mimic that here with a command line sent to a remote device.



  • 9.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 11:39 AM

    This is a good idea, should have thought of that.  And I will try that.

    "You can try to force the use of the SYSTEM account for scanning by starting psexec with it (psexec -s)."

    But why isn't it showing up in the console? I assumed the smc with the update config switch would do the trick.  Is there another command or switch that can make that happen?

     



  • 10.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 01:34 PM

    Edit: I ran the DoScan locally on my box and I'm able to see the logs under

    Monitors - Logs - Log type as SCAN

    I did not append the logs: once I ran the DoScan, I was able to see the report in the SEPM.

    Command status issued by SEPM will only be available under Command Status.

    On your client, try to do Update Policy; this should upload all the logs to SEPM.

     



  • 11.  RE: Remote Command Line DoScan.exe - Can it report to the console?

    Posted Mar 19, 2013 01:35 PM

    Do you see the log file created in

    C:\Programdata\Symantec\Symantec Endpoint Protection\[SEP Version]\Data\Logs\AV