Symantec Endpoint Protection

Product name: Symantec Endpoint Protection
Publisher page: Symantec
Category: Secure Content and Threat Management
Release: TKU 2019-04-1

Product Description

Symantec Endpoint Protection (formerly Symantec AntiVirus) detects and removes viruses and spyware, prevents virus-infected emails from spreading and performs a full system deep scan to remove existing viruses, spyware and other threats. It also includes email and instant message scanning that detects, removes or blocks infected attachments.

Known Versions

The following versions apply to Symantec AntiVirus:

  • 5
  • 7
  • 8.0
  • 8.1
  • 8.5
  • 8.6
  • 9.0
  • 10.0
  • 10.1
  • 10.2

The following versions apply to Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager:

  • 11.0
  • 12.0
  • 12.1

Software Pattern Summary

Product Component                    | OS Type | Versioning                         | Pattern Depth
Symantec Endpoint Protection Client  | Windows | WMI Query, Registry, Package, Path | Instance Based
Symantec Endpoint Protection Manager | Windows | WMI Query, Registry, File, Package | Instance Based

Platforms Supported by the Pattern

The pattern definition identifies instances of Symantec Endpoint Protection Client (formerly Symantec Antivirus) and Symantec Endpoint Protection Manager running on Microsoft Windows.

Identification

Software Instance Triggers

Pattern           | Trigger Node      | Attribute | Condition | Argument
SymantecAV        | DiscoveredProcess | cmd       | matches   | (?i)\bRtvscan\.exe$ or (?i)\bSmc\.exe$ or ccSvcHst
SymantecEPManager | DiscoveredProcess | cmd       | matches   | (?i)\bSemSvc\.exe$

Note

The pattern module SymantecAV stops immediately if it triggers on Smc.exe and finds no package for Symantec Endpoint Protection.

Simple Identification Mappings

The following processes are given simple identification mappings:

Name                                        | Command
Symantec Endpoint Protection Client         | (?i)\bRtvscan\.exe$
Symantec Endpoint Protection Client process | (?i)\bSymCorpUI\.exe$
Symantec AntiVirus Roaming                  | (?i)\bSavRoam\.exe$
Symantec Antivirus Definition Watch         | (?i)\bdefwatch\.exe$
Symantec Antivirus vpc32                    | (?i)\bsymantec antivirus\\vpc32\.exe$
Symantec Endpoint Protection                | (?i)\bccSvcHst\.exe$
Symantec Endpoint Protection Manager        | (?i)\bSemSvc\.exe$
Symantec Endpoint Protection Client         | (?i)\bSmc\.exe$

Versioning

Version information for the product is currently collected using one of four possible methods. All these methods are tried in an order of precedence based on likely success and/or depth of the version information that can be gathered.

WMI Query Versioning

If the path to the trigger process is fully qualified the pattern attempts to extract version information using the WMI query:

  • SELECT Version FROM CIM_DataFile where Name='<trigger process>'

Registry Versioning

If WMI query versioning fails, the pattern attempts to get version information from one of the following Windows registry keys.

The following registry key only works on versions 11 and above of Symantec Endpoint Protection Client:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion

The following registry key works for the legacy version, i.e. Symantec AntiVirus, and for all versions of Symantec Endpoint Protection Manager:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTVERSION

No registry versioning is possible for Symantec AntiVirus.

File versioning

The following file is used to get the versioning of Symantec Endpoint Protection Manager.

  • File Name - <install_path>\etc\conf.properties, where install_path is extracted from the path of the trigger process.
  • Version Regex - scm\.server\.version=(\d+(?:\.\d+)*)

Package Versioning

Versioning is obtained by reading package information on Windows. The package name that is searched for commences with one of the following:

  • Symantec Endpoint Protection
  • Symantec AntiVirus

For Symantec Endpoint Protection Manager, the package versioning is done using the following package entry:

  • Symantec Endpoint Protection Manager

Versioning is achieved to either x.x.x or x.x.x.x depth using this approach.

Path Versioning

Versioning for Symantec Endpoint Protection Client is obtained from the path of the trigger process using the regex (?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*).

Product Architecture and deployment

Symantec Endpoint Protection contains four main architectural components:

  • Symantec Endpoint Protection Manager - The management server that is used to configure clients, reports, and alerts.
  • Symantec Endpoint Protection Client - Software that is deployed to networked computers. The client is used to monitor policies and automate policy compliance activities.

(Diagram: basic deployment model for this product)

Application Model Produced by Software Pattern

Pattern Trigger

SymantecAV

Symantec AntiVirus versions prior to version 11 ran as a Windows service, rtvscan.exe. The pattern triggers on that process.

Symantec AntiVirus was renamed Symantec Endpoint Protection Client in version 11. The executable file of the Windows service also changed, to smc.exe. The pattern therefore also triggers on smc.exe.

Note that smc.exe is also a valid trigger process for Sygate Firewall. Therefore, if the pattern triggers on smc.exe, it stops immediately if the "Symantec EndPoint Protection" package is not present and registry_version cannot be extracted.

SymantecEPManager

The pattern module SymantecEPManager uses the Symantec Endpoint Protection Manager process (SemSvc.exe) as its trigger process; this process runs all the time when Symantec Endpoint Protection Manager is installed.

SI Type

The pattern SymantecAV creates a software instance of one of the following types:

  • "Symantec AntiVirus" for all legacy versions (before version 11), and for all instances where the version cannot be discovered
  • "Symantec Endpoint Protection Client" for all modern versions

The pattern module SymantecEPManager creates a software instance of type "Symantec Endpoint Protection Manager".
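The trigger, versioning-precedence and SI-type rules described in the Versioning and SI Type sections, modelled in Python as an added example (this is not the pattern's own TPL code). WMI, registry and package values are passed in as already-collected inputs, since reading them needs a live Windows host; the file and path regexes are the page's own.

```python
import re

# Trigger regexes per pattern module, as documented in the triggers table.
TRIGGERS = {
    "SymantecAV": [r"(?i)\bRtvscan\.exe$", r"(?i)\bSmc\.exe$", r"ccSvcHst"],
    "SymantecEPManager": [r"(?i)\bSemSvc\.exe$"],
}
# File versioning (conf.properties) and path versioning regexes from the page.
CONF_VERSION_RE = re.compile(r"scm\.server\.version=(\d+(?:\.\d+)*)")
PATH_VERSION_RE = re.compile(r"(?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*)")


def trigger_module(cmd):
    """Name of the pattern module whose trigger regex matches the process command."""
    for module, regexes in TRIGGERS.items():
        if any(re.search(r, cmd) for r in regexes):
            return module
    return None


def resolve_version(cmd, wmi=None, registry=None, conf_text=None, package=None):
    """Apply the versioning methods in order of precedence: WMI, registry, file,
    package, path. wmi/registry/package are constructed pre-collected values;
    conf_text is the content of <install_path>\\etc\\conf.properties."""
    if wmi:
        return wmi, "wmi"
    if registry:
        return registry, "registry"
    if conf_text:
        m = CONF_VERSION_RE.search(conf_text)
        if m:
            return m.group(1), "file"
    if package:
        return package, "package"
    m = PATH_VERSION_RE.search(cmd)
    return (m.group(1), "path") if m else (None, None)


def si_type(module, cmd, version, has_sep_package, registry):
    """SI type the pattern would create, or None when it stops (smc.exe is also
    the Sygate Firewall process and nothing else identifies the product)."""
    if module == "SymantecEPManager":
        return "Symantec Endpoint Protection Manager"
    if re.search(r"(?i)\bSmc\.exe$", cmd) and not has_sep_package and not registry:
        return None
    if version and int(version.split(".")[0]) >= 11:
        return "Symantec Endpoint Protection Client"
    return "Symantec AntiVirus"  # legacy, or version could not be discovered
```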

SI Depth

Only one instance of each of the products modelled (Symantec AntiVirus, Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager) can run on a host, although a client and a manager can run on the same host. The pattern therefore creates an instance-based software instance whose key is based on the type and the host key.

Relationship Creation

The following processes, if found running on the host, are associated to the created Software Instance:

  • SymCorpUI.exe
  • ccApp.exe
  • ccSvcHst.exe

Details of these processes can be found in the Simple Identification Mappings section.

Subject Matter Expertise

Testing

The pattern was tested against the following:

  • A local installation of Symantec AntiVirus Corporate Edition versions 8 and 9 installed on Windows XP Professional and Windows 2003 hosts
  • A local installation of Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager versions 11 and 12.1
  • Recorded data from Windows 2003 hosts

Information Sources

  • Processes and services Description
  • Installation Guide

Open Issues


Created by: Rebecca Shalfield, 30 Oct 2007
Updated by: Pradeep Tyagi, 16 Jan 2013
