Endpoint Protection

 View Only
Back to Library

Symantec Endpoint Protection –Few Registry Tweaks.. 

Sep 08, 2009 04:46 PM

Here are a few registry tweaks and information about Symantec Endpoint Protection.

1. To check the Version of currently installed SEP client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

ProductVersion  

Value will be something like 11.0.4014.26

 
2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode  1 – means communicating 0- means offline.


3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

4. Policy Serial Number on Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

SerialNumber

Value will be something like 2DD9-09/09/2009 00:05:14 125


5. To know the Hardware ID for the Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

HardwareID


6. What is the version of Virus Defintion the client is currently using .

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

DEFWATCH_10

The value will be some like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090907.050


7. To know what IPS Signature SEP is using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs

cndcIps

The value will be like: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\CNDCIP~1\20090826.002


8. To check if Network Threat Protection is installed and is Turned ON.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

smc_engine_status  0 – means turned OFF 1- turned ON.

9. Exclusion –Centralized Exceptions

32 bit

i. Security Risk Exceptions

User Defined Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions

Lock – 0- means the client can create Centralized Exceptions for Known Security Risks 1 – means this optioned is locked by the administrator in SEPM.

And Under the ClientRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the users.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions

Under the AdminRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the Admin from SEPM.

 

ii. Proactive Threat Protection Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash

\Client\ 0728bd2bb1774b9728f60d33bc1f95172374e950–(The long hexadecimal numbers point to the filehash for the excluded file )  For the exclusions created by the user

\Admin\ 0728bd2bb1774b9728f60d33bc1f95172374e950 - (The long hexadecimal numbers point to the filehash for the excluded file ) -  For exclusions made by Admin from SEPM.

Same with Directory , Files and Folder Exclusions

iii. Directory

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory

\Admin  and \Client

iv. Files

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName

\Admin  and \Client

 
v.Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions\

\Admin  and \Client

vi. Symantec also excludes it own Embedded Database from Scanning

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Symantec Embedded Database\FileExceptions

Out.log, Sem5.log and Sem5.db are excluded.


vii. To Verify Exchange Server exclusions on 32 Bit System

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

\FileExceptions and \NoScanDir

On 64 Bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

\FileExceptions and \NoScanDir

  

10. Now say you have remote laptops you exported a Default client install package and sent them.

Now you want to change them to Unmanaged.

You replaced sylink.xml for Unmanaged SEP Cd1\SEP\Sylink.xml

Still clients are not able to do the liveupdate and the default admin defined Scan runs.

Here is the default Admin Defined Scanand if you have created few more scans for this users it will also be listed in the same location but with a different name.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 ( name can be any hexadecimal name )

So you can delete this and then you can create your own scan.

Liveupdate button is greyed out even after replacing sylink.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

AllowManualLiveUpdate  0- means liveupdate button will be greyed out. 1-means it will be available to click.

In the same place you can enable product updates by changing the value of

EnableProductUpdates  to 1

For Scheduling and Enabling automatic liveupdates.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule

Change the value of

Enabled to 1 – for Automatic updates.

11. Handling Quarantine

Sometimes due to infection the size of the quarantine folder grows huge.

It is not accessible via the GUI.So to know where and to change settings for Quarantine for the client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important keys

QuarantinePurgeBySizeEnabled set it to 1 –To enable Sizing of quarantine folder then

QuarantinePurgeBySizeDirLimit   Default value is 50 ( Megabytes)  either leave it at 50 or reduce it as much you want.

You can also lower the age of purging Quarantine items from default 30 days to any number of days you want

QuarantinePurgeAgeLimit   30 days by default.

12. How to disable Application and Device Control via registry

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

Change the Value of Start to 4 . 1 –means enabled.

13. Check this discussion on Creating Scan via registry 
https://www-secure.symantec.com/connect/forums/way-create-scan-registry

14. For Logging options via registry
How to debug the Symantec Endpoint Protection 11.x client
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048

 15. GUP information via registry
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

16. Enable debugging of Auto Location switching (ALS) and this Reg key

HKLM\SOFTWARE\S ymantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

Statistics
0 Favorited
25 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Migration User
May 24, 2016 08:57 PM

Hi. I have observed that the registry hwid is no longer working in 12.1.6, However i have checked '%ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml' and there is no 'HWID' folder in specified location in either the ProgramFiles or ProgramFiles (x86) folders. Anyone have any other idea's? 

DDepaul
Dec 22, 2015 08:39 AM

Hi all,

I'm using this atribute, Registry:Set registry value to check a value in teh registry and if it is not present, create it.

But the value is not being created and I don't know what could be the reason. SNAC service is running and the permissions are ok.

Any thougths?

 

Thanks in advance

JUSTICE
Aug 10, 2015 03:59 PM

@Chetan although written for SEP 11 (and a x32-bit OS), it is still true and relevant under SEP 12.1.6.1 (RU6, MP1a):

How to enable/ disable Network Threat Protection from the Windows Registry (Article: TECH96845)

Also the WoW6432Node for your x64-bit OS endpoints and this key: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status 

Your fact under number 8 should take into consideration:

Technical Information
NOTE: If the NTP component is not installed, the smc_engine_status value will continue to show a value of 1.

NTP component is not installed, the Teefer2 registry Key will not be present at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2

Why all the more important to implement HI...to check: registry key exists, registry value exist, and registry value equals. 

 

JUSTICE
Aug 09, 2015 11:23 AM

@et al., BRAVO ZULU! Indeed, this is even more critical and extremely relevant in the new era and dawn of SEP 12.1.6.1 (RU6, MP1) and with Host Integrity (HI) Policy as the perfect ally to the SEP 12.1 technologies for compliance. I will continue to strongly advocate HI application to all SEP/SEPM admins...period!

How to identify the Client Infection Status in Symantec Endpoint Protection (Article: TECH162193)

Registry key location changes in version 12.1.1100 (Article: HOWTO75109)

New to Host Integrity

Is there a Registry Key for quarantine status of a client?

Reference Fix ID: 3518941 (HI template files are not included in exported SEP client package). New fixes in Symantec Endpoint Protection 12.1.6 (Article: TECH230558)

About Compliance reports and logs (Article: TECH95540)(Even relevant with SEP 12.1.x – particularly HI events without hardware appliances)

 

 

Migration User
Apr 23, 2014 10:08 AM

Hi all,

If I change the ADC value on the registry, will this enable the devices that were being blocked by the policy?

 

Thanks

Rojopipe
Jul 31, 2013 06:11 PM

Thanks Brian81

I seek to identify registry keys SEP that can protect through policies of ADC in case someone malicious attempts to erase. Greater protection to tamper protection

ℬrίαη
Jul 31, 2013 05:39 PM

Yes, this is one of the default rules you can apply.

http://www.symantec.com/docs/TECH104431

Rojopipe
Jul 31, 2013 04:27 PM

Hi,

Anyone have an update of this post for SEP 12.1 RU3, the idea is to protect the registry keys necessary using ADC.

Thank you.

Migration User
Sep 12, 2012 02:59 AM

Is there a way to use the SyLink.xml from the SEPM to :

A) confirm license / serial number; AND

B) use for LiveUpdate's;

.. BUT NOT .. C)  managed setting.

I want local control over when it scans, how it scans, when it updates, exceptions etc. I do not have acces to the SEPM, I do not have access to the full SEP CD's, I do have access to local workstation (OS Admin). A + B but NOT C.

Windows XP / 7, 32 and some Win7 64.

 

Migration User
Jun 14, 2012 06:14 PM

Thanks to Mithun for posting in this article how to decode the time stamps for the values of

  • date and time of last full scan
  • date and time of last infection

How to decode the TimeOfLastVirus and TimeOfLastScan registry values: KB 99873

Migration User
Apr 27, 2012 11:24 AM

I can find the registry key that gives Antivirus and Antispyware definition date, and the Network Threat Protection definition date, but I cannot find the registry key that gives the definition date for Proactive Threat Protection.

 

 Where is this registry key?

Migration User
Mar 15, 2012 04:07 PM

What you are trying to do is not advisable. However, if you want to experiment with this, have a look at this key:

HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\SmcService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus

The Auto value determines the start up type.

Migration User
Mar 10, 2012 02:36 PM

Best article ever

Migration User
Mar 07, 2012 03:45 PM

Dear Vikram.

Please add the Reg key discussed in https://www-secure.symantec.com/connect/forums/location-awareness-and-vpn-switching#comment-6811491 to your article.

They talk about debugging of Auto Location switching (ALS) and this Reg key

KLM\SOFTWARE\S ymantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

Thank you in advance.

NRaj
Feb 29, 2012 09:39 AM

Good one. Thanks.

Migration User
Feb 28, 2012 08:55 PM

Hi, 

I would like to know the the reg key to chagne the Start up Type (from Auto to Manual) of 'Symantec Endpoint protection'.

Any urgent reply will be appreciated.

 

Thanks,

Srikanth_Subra
Jan 21, 2012 04:34 AM

Nice article

Migration User
Dec 13, 2011 07:39 AM

Gr8

Migration User
Dec 08, 2011 01:37 AM

Is there any update from anyone according to the latest release SEP12.1 RU1 and registry entries, maybe there is some new useful registry entries to know in that version?

Wally
Nov 23, 2011 03:38 PM

Vikram - do you know if there is a registry entry on the SEP 11 RU6 or RU7 client for "Disable the Windows Firewall"?

Moab.baom
Nov 04, 2011 09:18 AM

Great article,

But I'm not just interesting to know the client virus definitions (HKLM\SOFTWARE\Symantec\SharedDefs\DefWatch\VirusDefs) ,

but the windows definitions on the SEPM console home page:

Latest from symantec

Latest On Manager

Because I want first to monitor this information . I found a very good nagios pluggin, but it displays the Virus definition of the client installed on the server. The server can be the client of another SEPM, up to date, and my local server out of date, and I will not know this with this information.

https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/check_symantec_av

Me I need to know the entry in registry of the windows definitions displayed on the SEPM console.

Best regards

yang_zhang
May 25, 2011 10:24 AM

So greate! I will bookmark this!

Migration User
Feb 17, 2011 10:50 PM

Do the clients know that they are to use a GUP?

You can verify by looking in the registry.

[HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate]
UseMasterClient = 1 This says the client knows to use a GUP
MasterClientHost = "host name of the GUP"

Thanks to blenahan from https://www-secure.symantec.com/connect/forums/propagation-clients-server-capability-sep-wan#comment-5189451

 and officially from  "Symantec Endpoint Protection 11.0 Group Update Provider (GUP)" http://www.symantec.com/docs/TECH102541 right at the bottom.

Migration User
Feb 13, 2011 03:28 PM

Please can we add this list of Registry keys to the list.

http://www.symantec.com/business/support/index?page=content&id=TECH106042&locale=en_US

These keys are about caching client content

  • Caching install files
  • location of cached files
  • number of revisions to keep

Jamit
Nov 11, 2010 02:48 AM

I have found this setting is not always true. I had a case today where the SEPM Logs and Client console flagged File System Auto-Protect was not running. I checked HKEY_LOCAL_MACHINESOFTWARESymantecSymantec EndpointProtectionAVStoragesFilesystemRealTimeScan OnOff on the workstation and it was set to 1 (enabled) however File System Auto-Protecwas not. 

To resolve I had to repair the client. If someone can advise why I saw the above behaviour it would be appreciated?

 

Thanks

Jamit

 

Migration User
Sep 11, 2010 04:02 AM

One for informative articles of urs that i have book  marked

Migration User
Aug 22, 2010 09:50 AM

this applies for ru6mp1 too!!!

postechgeek
Jul 16, 2010 12:37 PM

Nice, thanks.

Migration User
Jul 16, 2010 10:39 AM

Very good article. 

Migration User
Apr 09, 2010 11:24 AM

Application and Device Control. Done.

IE: Do not allow any process to modify SEP Registry Keys.

Migration User
Mar 24, 2010 11:29 AM

If you can't think of any other reasons not to let your users run as admins (and most of us can think of many!), the fact that SEP stores its config in the registry for all to see is a great one.

If you run as an admin, it is trivial for malware or malicious users to disable SEP.

Wally
Mar 16, 2010 05:09 PM

Great article - especially the EnableProductUpdates tweak - will save me a lot of time!!!

Migration User
Mar 02, 2010 08:32 AM

I am either in football field or SEP field..no other field..

Migration User
Mar 02, 2010 08:12 AM

HI  vikram Great ya i know ur in other field but u doing well....I think u get from google any  nice..............

by

  Jayan charles

Migration User
Dec 15, 2009 11:25 AM

Excellent article.

Migration User
Dec 02, 2009 12:31 PM

very nice article, thank you for making this one

Migration User
Dec 02, 2009 09:01 AM

 Great!

Any new reg keys for MR5?

Migration User
Dec 01, 2009 03:22 PM

 All of this applies to MR5.

Migration User
Nov 19, 2009 04:22 AM

 Great stuff!

Anyone know if these still apply after MR5 release?

Migration User
Nov 17, 2009 05:39 AM

 I have just tested that on WIn XP 32 bit reg keys for 32 and 64 are little bit different.

Migration User
Nov 12, 2009 10:41 AM

It looks like this one is (at least partially) incorrect: 

6. What is the version of Virus Defintion the client is currently using .


On my machine, running Windows 7 64-bit and SEP 11.0.5002.333, there is no registry key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

The only other machine I have quick access to had SAVCE 10.1.6.6000 on it before I upgraded it, and the SharedDefs key *is* there.

Any idea where I could find the information?

Thanks,
Wayne

Migration User
Nov 03, 2009 04:32 PM

 Nice article

Migration User
Oct 22, 2009 06:52 AM

Very useful article..i was looking for these info.

Migration User
Oct 17, 2009 11:18 AM

Hi, in RU5 the HardwareID was moved out of the registry and onto the disk. It's now located at %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml

Migration User
Oct 05, 2009 03:34 PM

this helped me.nice article.

Migration User
Sep 24, 2009 10:56 AM

 File System Auto-Protect

HKEY_LOCAL_MACHINESOFTWARESymantecSymantec EndpointProtectionAVStoragesFilesystemRealTimeScan

OnOff : 1- means enabled 0 - means disabled

Hogan Chen
Sep 23, 2009 08:01 PM

Vikram Kumar-SAV to SEP

It seems to me that you cover the keys based on computer mode observation. If it is User mode or fix mode. The following two keys are

2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode  1 – means communicating 0- means offline.

PolicyMode 1 -- means "Computer Mode", 0 -- means User mode.

3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

In a User Mode configuration, This is defautl group, but not necessarily the group client point to, in User Mode, the SerialNumber key in the same registry locaiton is the group that client point to.

Migration User
Sep 23, 2009 12:05 AM

Here is one mroe:

To enable/disable Scan Process Dialogue for Custom Scans:

HKLM\Software\Symantec\Symantec Endpoint Protection\AV\LocalScans\Default CustomScan Option

On the right pane check for the DWORD "DisplayStatusDialog"  the value must be 1, if not change it to 1.

The same is applicable to most of scans present at the location:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans


Best,
Aniket


Migration User
Sep 18, 2009 11:54 AM

 Nice article dude..

Best of Luck

Migration User
Sep 17, 2009 05:51 AM

very useful article.

Migration User
Sep 11, 2009 04:12 AM

All have to vote this article....

Migration User
Sep 10, 2009 04:53 AM

Useful article. Thank you

Migration User
Sep 10, 2009 04:48 AM

 Very good!

I could use some more of this good stuff :)

Thanks!!! 

Migration User
Sep 10, 2009 04:07 AM

Thanks yaar...

I was looking for this.. You got my vote.....
Thanks once again.... 

Migration User
Sep 09, 2009 10:57 PM

Good and Knowledgeable.

Migration User
Sep 09, 2009 03:07 PM

It's really a good article to assist sym customer to understand the product's internal working better.All regs in one place...nice effort !  

Migration User
Sep 09, 2009 02:26 PM

Good auditing info.

Migration User
Sep 09, 2009 01:11 PM

Great article.... lots of useful information.

thanks

Related Entries and Links

No Related Resource entered.