Endpoint Protection

  • 1.  Programmatically detecting installed version of SAV/SEP?

    Posted Apr 30, 2009 01:09 PM
    Hello,

    With the recent announcement that all versions of Symantec AV prior to SEP MR3 are potentially vulnerable, I have started developing a new front end to my SEP installer that detects what version is currently installed so that I can then programmatically decide if I want to uninstall the old client (run CleanWipe) first or do an in-place "upgrade" of SAV to SEP. The versions that I have to detect are anything from SAV 7 up to SEP 11.

    So far I have been using a combination of these registry keys:
    HKLM\SOFTWARE\Classes\Installer\Products\"GUIDS"
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
    HKEY_LOCAL_MACHINE\SOFTWARE\Intel\DLLUsage\VP6
    and these files:
    C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll
    C:\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat

    What I'm looking for are other ideas of how I can accurately detect the MANY flavors of SAV/SEP. Filename, fileversion, serviceexists, registry something... whatever.

    Thanks for your thoughts and suggestions,

    -Mike


  • 2.  RE: Programmatically detecting installed version of SAV/SEP?

    Posted Apr 30, 2009 01:49 PM

    Here's a VBScript that uses WMI to return the SEP version:

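    strComputer = "."

    ' Connect to the WMI service on the target computer ("." is the local machine)
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Query the installed-products class for the SEP entry
    Set colSoftware = objWMIService.ExecQuery _
        ("Select * from Win32_Product where (Caption='Symantec Endpoint Protection')")

    ' Print the version of each matching product
    For Each objSoftware In colSoftware
        WScript.Echo objSoftware.Version
    Next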

    HTH



  • 3.  RE: Programmatically detecting installed version of SAV/SEP?

    Posted Apr 30, 2009 04:18 PM
    For what it's worth:

    On the SEPM side just go to Reports, Type: Computer Status, Report: Symantec Endpoint Protection Versions to get a machine count.  Or go to the logs tab and dump the results to .csv.



  • 4.  RE: Programmatically detecting installed version of SAV/SEP?

    Posted Apr 30, 2009 04:56 PM
    If it were me, I'd just use the FileSystemObject and check for the existence of smc.exe and then pull the FileVersion property using VBScript.  It would help to know what programming language you're using.


  • 5.  RE: Programmatically detecting installed version of SAV/SEP?

    Posted Apr 30, 2009 06:01 PM
    It's a good thing that you are planning to upgrade the environment, but the vulnerability is not for the clients. Any SAV server that has a version prior to MR8 and also has AMS2 installed on it is vulnerable.


  • 6.  RE: Programmatically detecting installed version of SAV/SEP?

    Posted May 05, 2009 10:20 AM
    As it turns out, reading the version of RTVSCAN.exe in the following directories:

    %SystemDrive%\Program Files\Symantec AntiVirus
    %SystemDrive%\Program Files\SAV\Symantec AntiVirus
    %SystemDrive%\Program Files\Symantec\Symantec Endpoint Protection
    %SystemDrive%\Program Files (x86)\Symantec\Symantec Endpoint Protection

    Or Transman.dll in the following:

    %SystemDrive%\WINNT\System32
    %SystemDrive%\Windows\System32
    %SystemDrive%\Program Files\Common Files\Symantec Shared\SSC

    Seems to get me almost all of the versions in the range I need.

    Sandeep, thanks for the clarification on the affected systems.

    -Mike


  • 7.  RE: Programmatically detecting installed version of SAV/SEP?
    Best Answer

    Posted May 05, 2009 10:24 AM
    Hi,

    You can also check the version of SEP client from the following registry key:


    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Product version

    Hope this helps...

    cheers,
    Aniket
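
The file checks from post 6 and the registry key from post 7 can be combined into one inventory pass that reports every location found, as in this added PowerShell example (not code from any poster in the thread). It assumes `Product version`, spelled as in post 7, is a value under the `SMC` key; the `Wow6432Node` key is an addition to cover a 32-bit client on 64-bit Windows, and the function names are hypothetical.

```powershell
# Added example. Directories and file names come from post 6, the registry key from post 7.
$rtvscanDirs = @(
    "$env:SystemDrive\Program Files\Symantec AntiVirus",
    "$env:SystemDrive\Program Files\SAV\Symantec AntiVirus",
    "$env:SystemDrive\Program Files\Symantec\Symantec Endpoint Protection",
    "$env:SystemDrive\Program Files (x86)\Symantec\Symantec Endpoint Protection"
)
$transmanDirs = @(
    "$env:SystemDrive\WINNT\System32",
    "$env:SystemDrive\Windows\System32",
    "$env:SystemDrive\Program Files\Common Files\Symantec Shared\SSC"
)
# Assumption: 'Product version' (spelled as in post 7) is a value under the SMC key.
# The Wow6432Node path is an addition for 32-bit clients on 64-bit Windows.
$smcKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC'
)
$smcValue = 'Product version'

function Get-FileVersionRecord {
    param([string[]]$Directories, [string]$FileName)
    foreach ($dir in $Directories) {
        $path = Join-Path $dir $FileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Build the version from the numeric fields; the FileVersion string is free-form.
            $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            New-Object psobject -Property @{ Source = $path; Version = $ver.ToString() }
        }
    }
}

function Get-SymantecClientVersion {
    foreach ($key in $smcKeys) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$smcValue]) {
            New-Object psobject -Property @{ Source = "$key\$smcValue"; Version = [string]$props.$smcValue }
        }
    }
    Get-FileVersionRecord -Directories $rtvscanDirs -FileName 'RTVSCAN.exe'
    Get-FileVersionRecord -Directories $transmanDirs -FileName 'Transman.dll'
}

# One row per location that exists; an empty result means none of the listed locations matched.
Get-SymantecClientVersion | Select-Object Source, Version | Format-Table -AutoSize
```

More than one row with differing versions points to leftovers from an earlier install, which is the case the original poster wants to tell apart from a clean in-place upgrade.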