Script to pull virus definition update from clients.

Created: 10 Jan 2012 | 13 comments

Hi,

Can anyone help me prepare a script to pull the virus DAT information from my clients? Currently I have a very big setup of almost 2000 servers; all are running SEP 11 and a few are running SAV 10. So it's not possible to validate the virus update every day on all machines without generating a report of which machines have not been updated with the latest DAT or virus definitions.

I have a script which pulls the info about SAV 10 but can't pull the info from the clients which were recently upgraded to SEP 11. Any help would be appreciated.

Thanks!

Deb.

Comments (13)

pete_4u2002 wrote:

Doesn't the computer status report from SEPM help to collect the required information?

Mithun Sanghavi wrote:

Hello,

Why create a special script for SEP 11 and SAV 10?

Why not fetch a log from SEPM 11.0?

Check these articles:

About log types

About Computer Status reports and logs

For the legacy SAV 10 client logs, you can check these articles:

How to configure Symantec Endpoint Protection Manager to receive SAV 10.x logs

Transfer historical log data from SAV 10.1 to Endpoint Protection Manager

Log data from legacy clients

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Deb ITConsultant wrote:

I understand your concern, but it is not possible for me to log into individual machines every day and check the definitions, as the machine list is huge.

So if I get a script in place, it will probably do my job on all servers, and those which have failed to update I can take a look at and fix.

Hope you all understand the situation.

Thanks.

Mithun Sanghavi wrote:

Hello,

I believe you haven't read the above comment properly.

I suggested that you fetch the logs from the Symantec Endpoint Protection Manager (console), which would fetch all the logs for you, and you would not have to visit the SEP / SAV machines at all.


Deb ITConsultant wrote:

Our security guys have access to SEPM console but not me.

However, as a proactive measure, I need to start monitoring all my servers, as very recently we experienced a virus on one of our machines, which needed a step forward from my end.

Mithun Sanghavi wrote:

Hello,

You can check this Thread:

http://community.spiceworks.com/topic/170034-script-to-get-versions-of-symantec-endpoint-security-of-remote-servers

Hope that helps a bit.


Ian_C. wrote:

He he, nice to see Spiceworks gets a mention here.

Please mark the post that best solves your problem as the answer to this thread.

Ian_C. wrote:

Why have you not got access when this is part of your responsibilities? Is this not similar to telling you to hammer in these nails & then not being given a hammer? Surely you should have the tools to do your job?

Your security team should be able to set you up as a Limited Admin with reporting rights. You won't be able to see any of the Admin stuff or change policies. Admittedly, the security settings could be more fine-grained & support groups.

greg12 wrote:

If you have access to the SEPM database and IIS, you can use the SEP Content Distribution Monitor tool to get some information about clients. This includes clients which are not up to date. However, it's necessary to reconfigure the SEPM IIS settings for this. Here is the link:

https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor

If you don't have access or the tool doesn't fit your needs, you could search for the content cache files on the clients. By default, every SEP client saves 3 content cache files. The folders for the AV/AS content look like this (since SEP 11 MR2):

 %COMMONPROGRAMFILES%\Symantec Shared\VirusDefs\YYYYMMDD.NNN (32-bit)

 %COMMONPROGRAMFILES(x86)%\Symantec Shared\VirusDefs\YYYYMMDD.NNN (64-bit)

NNN = content revision number

Your script has to collect the content folder names (YYYYMMDD.NNN) and pick the youngest of the three (if your clients are saving three revisions) for every single SEP client.

Just an idea, I am sure there are more elegant ways (registry?).

See this KB document for content cache directories:

http://www.symantec.com/docs/TECH106034
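As an added example (not greg12's code and not anything shipped by Symantec), here is the folder-scanning approach the post above describes, in PowerShell: it enumerates the VirusDefs content-cache folders on each server over the C$ admin share, keeps only names of the form YYYYMMDD.NNN, and reports the newest one per host. The server list file, the three-day staleness threshold and admin-share access are assumptions of the example, as is the use of the "Program Files (x86)" path to cover the 64-bit location.

```powershell
# Added example (not greg12's or Symantec's code): find the newest SEP 11
# AV/AS content-cache folder (YYYYMMDD.NNN) on each remote server over the
# C$ admin share and flag hosts whose newest folder is older than $MaxAgeDays.
# Assumptions: local admin on the targets, C$ reachable, and a text file
# with one server name per line.

param(
    [string]$ServerList = '.\servers.txt',   # assumed input file, one host per line
    [int]$MaxAgeDays    = 3                  # flag clients whose newest defs are older than this
)

# Both install locations from the post; the (x86) path is the 64-bit host location.
$defFolders = @(
    'Program Files\Common Files\Symantec Shared\VirusDefs',
    'Program Files (x86)\Common Files\Symantec Shared\VirusDefs'
)

function Get-NewestDefRevision {
    param([string]$Computer)
    foreach ($rel in $defFolders) {
        $path = "\\$Computer\C`$\$rel"
        if (-not (Test-Path $path)) { continue }
        # Only real content folders look like 20120110.003; skip BinHub, TextHub, etc.
        $revs = Get-ChildItem $path |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{8}\.\d{3}$' } |
            Select-Object -ExpandProperty Name
        if ($revs) {
            # Fixed-width names sort correctly as strings: newest date, then highest NNN.
            return ($revs | Sort-Object -Descending | Select-Object -First 1)
        }
    }
    return $null
}

$results = foreach ($server in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    $name = $server.Trim()
    $rev = $null; $err = $null
    try   { $rev = Get-NewestDefRevision -Computer $name }
    catch { $err = $_.Exception.Message }   # share unreachable, access denied, etc.

    $defDate = $null; $status = 'UNKNOWN'
    if ($rev) {
        $defDate = [datetime]::ParseExact($rev.Substring(0, 8), 'yyyyMMdd', $null)
        $status  = if (((Get-Date) - $defDate).Days -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
    } elseif (-not $err) {
        $status = 'NO-DEFS-FOLDER'   # no VirusDefs tree: older than SEP 11 MR2, or SEP not installed
    }

    New-Object PSObject -Property @{
        Server = $name; Revision = $rev; DefDate = $defDate; Status = $status; Error = $err
    }
}

# STALE, NO-DEFS-FOLDER and UNKNOWN hosts are the ones to chase; keep the full run as CSV.
$results | Sort-Object Status, Server | Format-Table Server, Revision, DefDate, Status, Error -AutoSize
$results | Export-Csv -Path '.\sep-defs-by-folder.csv' -NoTypeInformation
```

Note that this only tells you the newest folder present on disk, not which one the scanner has loaded; a stale host that still has a recent folder would pass this check, which is the limitation raised in the reply that follows.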

Ian_C. wrote:

I'd have to disagree with greg12 on using the content cache folders. Mainly because it doesn't tell you which files are currently used, but also because you can have multiple versions there, including some really old ones that never got cleaned up.

Ideally, your method for SEP v11 should be similar to your script for SAV v10. You have not mentioned the method this script employs. Do you read GRC.DAT or DEFINFO.DAT or any other method?

greg12 wrote: "Just an idea, I am sure there are more elegant ways (registry?)."

Now we're talking. Have a look at this: https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks

You are looking for the last 12 characters of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\DEFWATCH_10

or you could convert HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileData

and HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\PatternFileRevision

Then you also need IPS versions:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs\cndcIps

It's also always good to see that NTP is enabled via HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status

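An added example, not Ian_C.'s code and not from Symantec, that scripts the registry checks listed above in PowerShell over the Remote Registry service. It reads DEFWATCH_10 and takes its last 12 characters as the active AV definition revision, then reports PatternFileRevision, the IPS value and smc_engine_status beside it. Assumptions of the example: the Remote Registry service is running and you are a local admin on the targets; the server list file and the staleness threshold are the example's own; that cndcIps is a value name (rather than a subkey), and that the SEP keys may sit under Wow6432Node on x64 hosts, are assumptions, so the script tries both roots and reports the raw IPS value.

```powershell
# Added example (not Ian_C.'s code and not from Symantec): read the SEP 11
# definition revisions from each remote server's registry via the Remote
# Registry service, using the value names given in the thread.
# Assumptions: Remote Registry is running on the targets, you are a local
# admin there, and the server list is a text file with one host per line.

param([string]$ServerList = '.\servers.txt', [int]$MaxAgeDays = 3)

# SEP 11 keys may sit under Wow6432Node on x64 hosts (assumption); try both roots.
$roots = @('SOFTWARE\Symantec', 'SOFTWARE\Wow6432Node\Symantec')

function Read-RemoteValue {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey, [string]$Name)
    $key = $Hive.OpenSubKey($SubKey)
    if ($key -eq $null) { return $null }          # key absent on this host
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Get-SepStatus {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        foreach ($root in $roots) {
            # DEFWATCH_10 holds the path of the AV defs folder in use; its last
            # 12 characters are the YYYYMMDD.NNN revision.
            $defWatch = [string](Read-RemoteValue $hive "$root\SharedDefs" 'DEFWATCH_10')
            if (-not $defWatch) { continue }
            $avRev = if ($defWatch.Length -ge 12) { $defWatch.Substring($defWatch.Length - 12) } else { $defWatch }

            $sep    = "$root\Symantec Endpoint Protection"
            $patRev = Read-RemoteValue $hive "$sep\AV" 'PatternFileRevision'
            # cndcIps is assumed to be a value name under SymcData-cndcipsdefs; reported as-is.
            $ipsRev = Read-RemoteValue $hive "$root\SharedDefs\SymcData-cndcipsdefs" 'cndcIps'
            $smcEng = Read-RemoteValue $hive "$sep\SMC" 'smc_engine_status'

            $defDate = $null; $status = 'UNPARSED'
            if ($avRev -match '^\d{8}\.\d{3}$') {
                $defDate = [datetime]::ParseExact($avRev.Substring(0, 8), 'yyyyMMdd', $null)
                $status  = if (((Get-Date) - $defDate).Days -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
            }
            return New-Object PSObject -Property @{
                Server = $Computer; AVDefs = $avRev; DefDate = $defDate; PatternRev = $patRev
                IPSDefs = $ipsRev; SmcEngine = $smcEng; Status = $status; Error = $null
            }
        }
        # No DEFWATCH_10 under either root: not a SEP 11 client (SAV 10 stays with the existing script).
        return New-Object PSObject -Property @{ Server = $Computer; Status = 'NO-SEP11'; Error = $null }
    } finally { $hive.Close() }
}

$results = foreach ($server in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    try { Get-SepStatus -Computer $server.Trim() }
    catch {
        # Remote Registry stopped, RPC blocked, or no admin rights: record it and carry on.
        New-Object PSObject -Property @{ Server = $server.Trim(); Status = 'UNREACHABLE'; Error = $_.Exception.Message }
    }
}

$results | Sort-Object Status, Server |
    Format-Table Server, AVDefs, DefDate, PatternRev, IPSDefs, SmcEngine, Status, Error -AutoSize
$results | Export-Csv '.\sep-defs-by-registry.csv' -NoTypeInformation
```

The scan is sequential; for 2000 hosts, split the list and run several copies, or wrap Get-SepStatus in Start-Job. A host reported as UNREACHABLE usually means the Remote Registry service is stopped or RPC is blocked by a firewall, which is worth a ticket in its own right, and an UNPARSED result means DEFWATCH_10 did not end in a YYYYMMDD.NNN path and should be inspected by hand.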
maadi wrote:

Hi...

Actually I am looking for a SCOM Management Pack through which we will have various options to monitor SAV. So it would be really helpful if someone could provide me the information on my requirement, or else any script.

Thanks!!

Ian_C. wrote:

Hi.

See my reply in the dedicated SCOM thread: https://www-secure.symantec.com/connect/idea/sep-management-pack-microsoft-scom-system-center-operations-manager
