
DCM For SEP 11

Everyone will probably have different things they want to report on, but these might get you started.


I created a single DCM Baseline (“SEP Baseline”) with three Configuration Items.


Each of the Configuration Items does multiple checks:

  • SEP 11 - Components Status
    • Makes sure services are running
    • Makes sure specific SEP components are running
  • SEP 11 - Configuration Checks
    • Lots of checks to make sure the client is assigned and functioning as desired
  • SEP 11 - Pattern Files
    • Checks to make sure the client has current pattern files



----------SEP 11 - Components Status----------

  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
    • smc_engine_status 1 (Network Threat Protection)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect
    • ServiceStatus 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan
    • Disabled 0
    • (this is tamper protection per http://98.129.119.162/connect/de/forums/can-you-script-disabling-sav-tamper-protection-installing-sep)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymHeurProcessProtection
    • ServiceStatus 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem
    • ServiceStatus 1
  • WQL/WMI Service State
    • Name="Symantec AntiVirus" RUNNING
    • Name="ccEvtMgr" RUNNING
    • Name="SmcService" RUNNING


----------SEP 11 - Configuration Checks----------

  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    • CurrentGroup IS NOT BLANK
    • CurrentMode 1
    • PreferredGroup IS NOT BLANK
    • PreferredMode 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV
    • ClientType 2
    • InstalledProducts 1
    • ScanEngineVendor NAV
    • Status 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
    • MasterClientHost IS NOT BLANK
    • MasterClientThrottling -1
    • UseManagementServer 1
    • UseLiveUpdateServer 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
    • ProductVersion 11.0.6005.562
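The two lists above (Components Status and Configuration Checks) translated into one PowerShell script, as an added example that is not part of the original post or of Symantec's product. DCM's own registry and WQL settings do each of these checks natively; this script is the equivalent in one place, handy for testing a box before you build the CIs, or as a single DCM script setting. It assumes the value names and expected data exactly as listed above, and it assumes SEP 11 is the 32-bit client, so a 64-bit PowerShell host reads its keys under Wow6432Node (a 32-bit host, which is what the 32-bit ConfigMgr 2007 client launches, is redirected there by WOW64 without any path change).

```powershell
# Added example: evaluate the "Components Status" and "Configuration Checks"
# items as one script. Not from the original post.
# Assumption: SEP 11 is the 32-bit client, so from a 64-bit PowerShell host its
# keys sit under Wow6432Node; a 32-bit host is redirected there automatically.
[CmdletBinding()]
param()

$sepRoot = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
if ([IntPtr]::Size -eq 8 -and (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection')) {
    $sepRoot = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
}

# Expected registry values from the two lists. Expect = $null means "IS NOT BLANK".
$registryChecks = @(
    @{ Key = "$sepRoot\SMC";                                 Name = 'smc_engine_status';      Expect = 1 },
    @{ Key = "$sepRoot\AV\Storages\SymProtect";              Name = 'ServiceStatus';          Expect = 1 },
    @{ Key = "$sepRoot\AV\Storages\SymProtect\RealTimeScan"; Name = 'Disabled';               Expect = 0 },
    @{ Key = "$sepRoot\AV\Storages\SymHeurProcessProtection"; Name = 'ServiceStatus';         Expect = 1 },
    @{ Key = "$sepRoot\AV\Storages\Filesystem";              Name = 'ServiceStatus';          Expect = 1 },
    @{ Key = "$sepRoot\SMC\SYLINK\SyLink";                   Name = 'CurrentGroup';           Expect = $null },
    @{ Key = "$sepRoot\SMC\SYLINK\SyLink";                   Name = 'CurrentMode';            Expect = 1 },
    @{ Key = "$sepRoot\SMC\SYLINK\SyLink";                   Name = 'PreferredGroup';         Expect = $null },
    @{ Key = "$sepRoot\SMC\SYLINK\SyLink";                   Name = 'PreferredMode';          Expect = 1 },
    @{ Key = "$sepRoot\AV";                                  Name = 'ClientType';             Expect = 2 },
    @{ Key = "$sepRoot\AV";                                  Name = 'InstalledProducts';      Expect = 1 },
    @{ Key = "$sepRoot\AV";                                  Name = 'ScanEngineVendor';       Expect = 'NAV' },
    @{ Key = "$sepRoot\AV";                                  Name = 'Status';                 Expect = 0 },
    @{ Key = "$sepRoot\LiveUpdate";                          Name = 'MasterClientHost';       Expect = $null },
    @{ Key = "$sepRoot\LiveUpdate";                          Name = 'MasterClientThrottling'; Expect = -1 },
    @{ Key = "$sepRoot\LiveUpdate";                          Name = 'UseManagementServer';    Expect = 1 },
    @{ Key = "$sepRoot\LiveUpdate";                          Name = 'UseLiveUpdateServer';    Expect = 0 },
    @{ Key = "$sepRoot\SMC";                                 Name = 'ProductVersion';         Expect = '11.0.6005.562' }
)

# Win32_Service.Name values that must be in the Running state.
$serviceChecks = @('Symantec AntiVirus', 'ccEvtMgr', 'SmcService')

function Test-RegistryValue {
    param([string]$Key, [string]$Name, $Expect)
    $actual = $null
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $actual = $item.$Name }
    if ($Expect -eq $null) {
        $ok = -not [string]::IsNullOrEmpty([string]$actual)
        $shown = 'IS NOT BLANK'
    } else {
        # Compare as strings so a REG_DWORD 1 and the literal 1 match,
        # while a missing value (null) never matches.
        $ok = ($actual -ne $null) -and ([string]$actual -eq [string]$Expect)
        $shown = $Expect
    }
    New-Object PSObject -Property @{
        Check = "$($Key.Replace($sepRoot, 'SEP'))\$Name"; Expected = $shown; Actual = $actual; Compliant = $ok
    }
}

function Test-ServiceRunning {
    param([string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    $state = if ($svc) { $svc.State } else { 'NOT INSTALLED' }
    New-Object PSObject -Property @{
        Check = "Service $Name"; Expected = 'Running'; Actual = $state; Compliant = ($state -eq 'Running')
    }
}

$results = @()
foreach ($c in $registryChecks) { $results += Test-RegistryValue @c }
foreach ($s in $serviceChecks)  { $results += Test-ServiceRunning -Name $s }

# Per-check table on the verbose stream so it does not pollute the script's
# standard output when DCM runs it (run with -Verbose to see it).
Write-Verbose ($results | Format-Table Check, Expected, Actual, Compliant -AutoSize | Out-String)

# The only standard output is the number of failed checks; as a DCM script
# setting the CI rule would be "equals 0".
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Output $failed
```

Run it interactively with `-Verbose` to get the table of every check with the expected and actual values; the last line printed is the count of failures, which is what a DCM script setting would see.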

----------SEP 11 - Pattern Files----------

This is a custom script that works out the date of the current definitions from the data in the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\DEFWATCH_10

The data in that value should be similar to this: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101115.048 (the last path component is the definition date in yyyymmdd form, followed by a revision number).

The main change I made to the script that I found was to just have it return the DateDiff so you could set your rules in the Configuration Item rather than having to set it in the script. Also, this lets you see how old the pattern files are in your reports instead of just seeing "Compliant/Non-compliant".


'from:
'http://www.raduti.com/2010/08/dcm-sep-11-configuration-items.html
'With some modifications
Option Explicit

Dim WshShell, bKey, bits, valueDefVer, yearDef, monthDef, dayDef, revDef, strArch, strWow64, DateThen, DateNow

Set WshShell = CreateObject("WScript.Shell")

'Determine whether the script host is 32- or 64-bit. A 32-bit host on 64-bit
'Windows reports x86 (and sets PROCESSOR_ARCHITEW6432), and WOW64 registry
'redirection already sends it to Wow6432Node, so only a 64-bit host needs the
'explicit Wow6432Node path to reach the 32-bit SEP client's keys.
'(The earlier mod/divide trick produced a number and compared it against the
'strings "32" and "64"; VBScript never treats a number as equal to a string,
'so neither Case matched and strWow64 stayed empty.)
strArch = UCase(WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%"))
Select Case strArch
  Case "X86"
    strWow64 = ""
  Case Else  'AMD64 or IA64
    strWow64 = "Wow6432Node\"
End Select

'Read the path of the current definition set. If SEP or the value is missing,
'report a very large age so the CI evaluates as non-compliant instead of the
'script dying with no output.
On Error Resume Next
bKey = WshShell.RegRead("HKLM\Software\" & strWow64 & "Symantec\SharedDefs\DEFWATCH_10")
If Err.Number <> 0 Then
  WScript.Echo 9999
  WScript.Quit
End If
On Error GoTo 0

'The data looks like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101115.048;
'the last path component is yyyymmdd.rrr (definition date plus revision).
bits = Split(bKey, "\")
valueDefVer = bits(UBound(bits))
If Len(valueDefVer) < 8 Or Not IsNumeric(Left(valueDefVer, 8)) Then
  WScript.Echo 9999
  WScript.Quit
End If
yearDef = Left(valueDefVer, 4)
monthDef = Mid(valueDefVer, 5, 2)
dayDef = Mid(valueDefVer, 7, 2)
revDef = Right(valueDefVer, 3)

'Build the date with DateSerial rather than an "mm/dd/yyyy" string so the
'result does not depend on the machine's regional date format.
DateThen = DateSerial(CInt(yearDef), CInt(monthDef), CInt(dayDef))
DateNow = Now

'Output the age of the definitions in days; the compliance rule (for example
'"less than or equal to 3") is set on the Configuration Item.
WScript.Echo CInt(DateDiff("d", DateThen, DateNow))

'Original Compliant/Non Compliant logic, kept for reference:
' If Left(revDef, 1) = 0 Then
'   revDef = Right(revDef, 2)
'   If dateDiff("d",DateThen,Now)>3 Then
'     WScript.Echo "Non Compliant"
'   Else
'     wScript.Echo "Compliant"
'   End If
' End If