Endpoint Protection

  • 1.  How do I generate a report showing how many SEP clients have Application & Device Control Installed?

    Posted Jul 31, 2014 12:33 PM

    Following the recent zero day vulnerability found in SEP 11.x and 12.x, how do I generate a report from the SEPM showing how many SEP clients have the "Application & Device Control" module installed?



  • 2.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?
    Best Answer

    Posted Jul 31, 2014 12:43 PM

    There isn't an easy way to do this via reporting in SEPM....

    Monitors >> Logs >> Application and Device Control, this will show you logs if enabled for clients.

    Partial solution here:

    https://www-secure.symantec.com/connect/forums/zero-day-flaws-found-symantecs-endpoint-protection-computerworld-article-73014-629am-et#comment-10363241

    *Note* a policy needs to be applied.

    If you run the Computer Status report, export to CSV and drop into Excel, it would be ideal to see something here like the other components but it just doesn't exist.



  • 3.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?

    Posted Aug 01, 2014 06:01 AM

    OK thanks - we don't deploy the ADC module by default so all of the ADC policies are disabled. I just wanted to confirm nobody has installed ADC on the fly.

    It's a shame Symantec don't include this functionality as it's not the first time I've needed basic component reporting like this. There is also nothing in the registry so looks like there is no workaround either.

    Thanks for your help.



  • 4.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?
    Best Answer

    Posted Aug 01, 2014 06:28 AM

    Clayton / Brian,

    I disagree, the SEPM front end cannot provide this info, and arguably neither can the entire DB itself.

    I think you will find the query I posted in this thread a lot more accurate in its ability to identify endpoints with ADC installed. It's the best the product can offer.

    https://www.symantec.com/connect/forums/zero-day-flaws-found-symantecs-endpoint-protection-computerworld-article-73014-629am-et#comment-10365321

    The alternative, and not a nice one, is to deploy a script to ALL your endpoints whereby it runs "sc query sysplant" and returns the result to you.



  • 5.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?

    Posted Aug 01, 2014 06:53 AM

    Thanks Steven appreciated - I'll give the script a try against my SQL DB.

    Also tested the sc query sysplant on a couple of machines and that seems to work well too:

    • ADC not running: [SC] EnumQueryServicesStatus:OpenService FAILED 1060:

    • ADC Running:

               SERVICE_NAME: sysplant
               TYPE               : 1  KERNEL_DRIVER
               STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
               WIN32_EXIT_CODE    : 0  (0x0)
               SERVICE_EXIT_CODE  : 0  (0x0)
               CHECKPOINT         : 0x0
               WAIT_HINT          : 0x0



  • 6.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?

    Posted Aug 01, 2014 07:02 AM

    Sure, but when you have thousands of endpoints across multiple customers like we do the "sc query" option is the last thing you want to do. Also, the machines need to be turned on, and on the network to achieve that.

    We've got mobile users who come and go for many of our customers, makes these kinds of issues VERY challenging.



  • 7.  RE: How do I generate a report showing how many SEP clients have Application & Device Control Installed?

    Posted Aug 01, 2014 09:36 AM

    Agreed, I've got 10,000 endpoints spanning 150 sites so the DB script will definitely be the best course of action :)

    Just nice to have a manual option available for individual cases.

    Thanks again
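
An added example, not part of the original thread or any Symantec tooling: one way to tally "sc query sysplant" results once they have been collected from endpoints, including hosts that never reported back. It assumes the raw output has been gathered as text per host; the hostnames, function names and status labels are hypothetical, and the sample outputs are constructed to match the shapes shown in the thread.

```python
import re
from collections import Counter

# Windows error 1060 is ERROR_SERVICE_DOES_NOT_EXIST: no sysplant driver is registered.
_FAILED = re.compile(r"FAILED\s+(\d+)")
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)

def classify(output):
    """Map one endpoint's `sc query sysplant` output to a status label."""
    if not output or not output.strip():
        return "no_response"      # host offline, or the script never reported back
    failed = _FAILED.search(output)
    if failed:
        # Any other error code (e.g. access denied) proves nothing about ADC.
        return "not_installed" if failed.group(1) == "1060" else "query_error"
    state = _STATE.search(output)
    if not state:
        return "unparsed"
    return "running" if state.group(1) == "RUNNING" else "installed_not_running"

def summarize(collected):
    """collected: {hostname: raw output or None} -> (status counts, hosts with driver)."""
    status = {host: classify(out) for host, out in collected.items()}
    counts = Counter(status.values())
    present = sorted(h for h, s in status.items()
                     if s in ("running", "installed_not_running"))
    return counts, present

# Constructed sample data: hostnames are made up for illustration.
SAMPLE = {
    "PC-001": "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n",
    "PC-002": "SERVICE_NAME: sysplant\n    TYPE   : 1  KERNEL_DRIVER\n"
              "    STATE  : 4  RUNNING\n",
    "PC-003": "SERVICE_NAME: sysplant\n    TYPE   : 1  KERNEL_DRIVER\n"
              "    STATE  : 1  STOPPED\n",
    "PC-004": "[SC] OpenService FAILED 5:\n",
    "LAPTOP-005": None,
}

if __name__ == "__main__":
    counts, present = summarize(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label:24} {n}")
    print("sysplant present on:", ", ".join(present))
```

Hosts labelled no_response or query_error are unknowns rather than clean results, so they should stay on the follow-up list until they report.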