Endpoint Protection


Running a script to run SymDiag via Host Integrity

  • 1.  Running a script to run SymDiag via Host Integrity

    Posted Sep 20, 2016 11:29 AM

    Greetings to all,

    I was wondering if it's possible to perform a SymDiag via a Host Integrity script without the user noticing.

    I used as a template the script already incorporated in SEPM (called "Run SymHelp"), which collects the result if a registry key is set to 0.

    The only thing I changed in that script is the path of the files, and I'm trying to upload the result of the SymDiag to a shared folder which is accessible from my PC.

    The script runs (I see a download bar when the download of the updated version occurs, which shouldn't happen), and then after the SymDiag process is done I don't see any results in the destination folder. The command which runs is the following:

    C:\<folder>\SymDiag.exe -noup -s -logs -alldata -dest \\<SharedFolderPath>\SymHelp\Results

    Do you have any idea why this might happen? Are there any alternative methods to perform this (for instance, instead of using a shared folder I use an FTP server)?

    I look forward to hearing your reply,

    Thanks a lot



  • 2.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 20, 2016 11:52 AM

    Does the account you're using have permissions to write to the share? If you try to access the share from the machine via the path does it open?



  • 3.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 20, 2016 12:25 PM

    Does it work with a local path?  If so, you can just add a file upload action to your custom HI requirements, after SymDiag has completed.



  • 4.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 21, 2016 04:25 AM

    Hi Brian, thanks for the reply.

    Yes, I can open the shared folder from the PC I'm testing and I've got r/w permissions to it. Other machines may not, but for now I'm testing this one and it works fine.

    Please note that I've tried running SymDiag both via the System account and my own account: the results are the same in both cases. Furthermore, if I do it with my own account I'll have to disable UAC during the SymHelp execution.

    Thanks



  • 5.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 21, 2016 04:27 AM

    Hi, thanks for your reply.

    I did not try that, but I do not think it is feasible, since I would have to create an account for each machine to get the SymDiag results.

    Thanks



  • 6.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 21, 2016 05:37 AM

    The permissions required for HI to upload the file would be no different than those required for SymDiag to upload the file.  Both run under the Local System context in this case.

    My reasoning is purely to test whether or not SymDiag is having issue outputting to a share path.  If you have already successfully tested SymDiag output to a remote share as Local System, then the permissions to allow all machines to write to the share are already there, right?  In which case, I'd still recommend my original suggestion to help determine if this is a foible of SymDiag under HI.



  • 7.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 02:53 AM

    Hi,

    Sorry for the delayed response.

    I have tested what you asked but I don't see any results in my local folder either. Do you think this might be a defect with Host Integrity?

    Regards



  • 8.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 03:57 AM

    I know HI gets rid of the files it creates after it is complete, they are just used to run the "Requirement" and then deleted.

    In which case, how are you running SymDiag?

    I'd suggest you actually use HI to run a script that copies SymDiag down to %TEMP% or something, and runs SymDiag from there (i.e. instead of calling it directly from the HI requirement, add a layer of abstraction in the form of a bat file or similar, so that HI calls the script, and the script copies and runs SymDiag and uploads the files). This way, you may avoid the deletion of files.



  • 9.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 05:36 AM

    Hi,

    You can find the settings I'm using in the attached screenshot.

    Basically it's the one that comes pre-installed with SEPM, only the locations are changed, of course.

    Only this script is enabled. The check on the registry keys just checks if a regkey (HKLM\Software\Symantec\SymHelpExecuted) is set to value 1, in which case it shouldn't run.

    Then it downloads the file to the specified directory and executes it.

    Thanks



  • 10.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 06:11 AM

    Can you confirm it's actually getting as far as running SymDiag?  You may be encountering the issue described below (even though it states SNAC11, it was last updated in Jan this year, so I assume is still relevant):

    http://www.symantec.com/docs/TECH175548

    Can you post the HI logs?



  • 11.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 06:12 AM

    Also, while clearly not the same thing, the below article documents how to run SymDiag manually, but remotely:

    http://www.symantec.com/docs/HOWTO84127



  • 12.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 06:14 AM

    I can confirm. The processes (symdiag and symdiagUI) run just after the download.

    Can you please point me to the HI logs?



  • 13.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 06:15 AM

    SEPM Console -> Monitors -> Compliance -> Client Host Integrity



  • 14.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 10:24 AM

    Hi,

    Please find the report attached herein. Also, I seem to have skipped the article about command lines. Thanks for this, I shall take a look.

    Thanks

    Attachment: compliance_export.xlsx (10 KB)


  • 15.  RE: Running a script to run SymDiag via Host Integrity

    Posted Sep 22, 2016 12:14 PM

    I didn't see anything meaningful in those logs, might I suggest the below?

    http://www.symantec.com/docs/HOWTO101748



  • 16.  RE: Running a script to run SymDiag via Host Integrity

    Broadcom Employee
    Posted Oct 05, 2016 12:16 PM

    I did some research on running SymDiag remotely and documented it here...

    https://support.symantec.com/en_US/article.HOWTO84128.html

    My understanding from this work was that the System account may not have any network permissions. Depending on how SymDiag is launched, you will want to verify that the command line is being applied. Also, double-check that there are no .sdbz files anywhere on the local drive (especially the root of the system drive) in case there is a problem with processing the share path.

    You will find multiple (two or three) processes running while SymDiag is running. This should allow you to determine if the tool is launched and still operating. The first process, SymDiag.exe, is a self-extractor and launcher, and it is also the last process to stop, as it cleans up the files that it first unpacked in order to launch the main exe. Find the temp directory for the account you are using to find where the binaries for SymDiag are being unpacked and the database (.SdDb) files are being written. Alternatively, while SymDiag is running, search the drive for .SdDb files to locate the temp directory.
    You will find multiple (two or three) processes running while SymDiag is running.  This should allow you to determine if the tool is launched and still operating.  The first process, SymDiag.exe, is a self-extractor and launcher and it is also the last process to stop as it cleans up the files that it first unpacked in order to launch the main exe.  Find the temp directory for the account you are using to find where the binaries for SymDiag are being unpacked and the database (.SdDb) files are being written. Alternately, while SymDiag is running, search the drive for .SdDb files to locate the temp directory.