Symantec Endpoint Protection (formerly Symantec AntiVirus) detects and removes viruses and spyware, prevents virus-infected emails from spreading and performs a full system deep scan to remove existing viruses, spyware and other threats. It also includes email and instant message scanning that detects, removes or blocks infected attachments.
The following versions apply to Symantec AntiVirus:
The following versions apply to Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager:
Product Component | OS Type | Versioning | Pattern Depth |
---|---|---|---|
Symantec Endpoint Protection Client | Windows | WMI Query, Registry, Package, Path | Instance Based |
Symantec Endpoint Protection Manager | Windows | WMI Query, Registry, File, Package | Instance Based |
The pattern definition identifies instances of Symantec Endpoint Protection Client (formerly Symantec Antivirus) and Symantec Endpoint Protection Manager running on Microsoft Windows.
Pattern | Trigger Node | Attribute | Condition | Argument |
---|---|---|---|---|
SymantecAV | DiscoveredProcess | cmd | matches | (?i)\bRtvscan\.exe$ or (?i)\bSmc\.exe$ or ccSvcHst |
SymantecEPManager | DiscoveredProcess | cmd | matches | (?i)\bSemSvc\.exe$ |
Note
The pattern module SymantecAV stops immediately if it triggers on Smc.exe and finds no package for Symantec Endpoint Protection.
The following processes are given simple identification mappings:
Name | Command |
---|---|
Symantec Endpoint Protection Client | (?i)\bRtvscan\.exe$ |
Symantec Endpoint Protection Client process | (?i)\bSymCorpUI\.exe$ |
Symantec AntiVirus Roaming | (?i)\bSavRoam\.exe$ |
Symantec Antivirus Definition Watch | (?i)\bdefwatch\.exe$ |
Symantec Antivirus vpc32 | (?i)\bsymantec antivirus\\vpc32\.exe$ |
Symantec Endpoint Protection | (?i)\bccSvcHst\.exe$ |
Symantec Endpoint Protection Manager | (?i)\bSemSvc\.exe$ |
Symantec Endpoint Protection Client | (?i)\bSmc\.exe$ |
Version information for the product is currently collected using one of four possible methods. All these methods are tried in an order of precedence based on likely success and/or depth of the version information that can be gathered.
If the path to the trigger process is fully qualified, the pattern attempts to extract version information using the WMI query:
If WMI query versioning fails, the pattern attempts to get version information from one of the following Windows registry keys:
The following registry key only works on versions 11 and above of Symantec Endpoint Protection Client:
The following registry key works for legacy versions (i.e. Symantec AntiVirus) and for all versions of Symantec Endpoint Protection Manager:
No registry versioning is possible for Symantec AntiVirus
The following file is used to get the versioning of Symantec Endpoint Protection Manager.
Version Regex -
scm\.server\.version=(\d+(?:\.\d+)*)
Versioning is obtained by reading package information on Windows. The package name that is searched for commences with one of the following:
For Symantec Endpoint Protection Manager, the package versioning is done using the following package entry:
Versioning is achieved to either x.x.x or x.x.x.x depth using this approach.
Versioning for Symantec Endpoint Protection Client is obtained from the path of the trigger process using the regex
(?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*)
Symantec Endpoint Protection contains four main architectural components:
Symantec AntiVirus versions prior to version 11 ran as a Windows service, rtvscan.exe. The pattern triggers on that process.
Symantec AntiVirus was renamed Symantec Endpoint Protection Client in version 11, and the executable of the Windows service changed to smc.exe. The pattern therefore also triggers on smc.exe.
Note that smc.exe is also a valid trigger process for Sygate Firewall. Therefore, if the pattern triggers on smc.exe it stops immediately if the "Symantec Endpoint Protection" package is not present.
The pattern module SymantecEPManager has been created with the Symantec Endpoint Protection Manager (SemSvc.exe) process as its trigger process which runs all the time when Symantec Endpoint Protection Manager is installed.
The pattern SymantecAV will create a software instance of the following type:
The pattern module SymantecEPManager will create a software instance of type "Symantec Endpoint Protection Manager".
Only one instance of each of the products modelled (Symantec AntiVirus, Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager) can run on a host, although a client and a manager can run on the same host. The pattern therefore creates an instance-based software instance whose key is built from the type and the host key.
The following processes, if found running on the host, are associated to the created Software Instance:
Details of these processes can be found in the simple identities section
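As an added example that is not the pattern's own TPL code and not from BMC or Symantec, the following Python applies the trigger regexes, the simple identification mappings, the Smc.exe/Sygate package check, the path and properties-file version regexes, and the one-instance-per-type-per-host key described above to constructed process lists. The WMI and registry lookups are not reproduced. The software-instance type names, the exact package-name check, the package dictionary shape, the split of associated processes between client and manager, and all sample paths, package names, versions and host names are assumptions.

```python
import re
from typing import Optional

# Regexes copied from the trigger and simple-identity tables above. The trigger
# table shows "ccSvcHst" without its regex; the simple-identity form is assumed.
TRIGGERS = {
    "SymantecAV": (r"(?i)\bRtvscan\.exe$", r"(?i)\bSmc\.exe$", r"(?i)\bccSvcHst\.exe$"),
    "SymantecEPManager": (r"(?i)\bSemSvc\.exe$",),
}
SIMPLE_IDENTITIES = (
    (r"(?i)\bRtvscan\.exe$", "Symantec Endpoint Protection Client"),
    (r"(?i)\bSymCorpUI\.exe$", "Symantec Endpoint Protection Client process"),
    (r"(?i)\bSavRoam\.exe$", "Symantec AntiVirus Roaming"),
    (r"(?i)\bdefwatch\.exe$", "Symantec Antivirus Definition Watch"),
    (r"(?i)\bsymantec antivirus\\vpc32\.exe$", "Symantec Antivirus vpc32"),
    (r"(?i)\bccSvcHst\.exe$", "Symantec Endpoint Protection"),
    (r"(?i)\bSemSvc\.exe$", "Symantec Endpoint Protection Manager"),
    (r"(?i)\bSmc\.exe$", "Symantec Endpoint Protection Client"),
)
SMC_TRIGGER = re.compile(r"(?i)\bSmc\.exe$")
CLIENT_PATH_VERSION = re.compile(r"(?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*)")
MANAGER_CONF_VERSION = re.compile(r"scm\.server\.version=(\d+(?:\.\d+)*)")

# Assumed software-instance type names (the SymantecAV type list is missing above).
SI_CLIENT = "Symantec Endpoint Protection Client"
SI_MANAGER = "Symantec Endpoint Protection Manager"


def identify(cmd: str) -> Optional[str]:
    """Simple identification mapping: first matching regex wins."""
    for pattern, name in SIMPLE_IDENTITIES:
        if re.search(pattern, cmd):
            return name
    return None


def trigger_module(cmd: str) -> Optional[str]:
    """Which pattern module (if any) the process command line triggers."""
    for module, patterns in TRIGGERS.items():
        if any(re.search(p, cmd) for p in patterns):
            return module
    return None


def has_sep_package(packages: dict) -> bool:
    # Assumed: exact, case-insensitive match on the package name
    # "Symantec Endpoint Protection" (the page's prefix list is not shown).
    return any(n.strip().lower() == "symantec endpoint protection" for n in packages)


def client_version(cmd: str, packages: dict) -> Optional[str]:
    """Client versioning: path regex first, then package version (WMI/registry omitted)."""
    m = CLIENT_PATH_VERSION.search(cmd)
    return m.group(1) if m else packages.get("Symantec Endpoint Protection")


def manager_version(conf_text: str, packages: dict) -> Optional[str]:
    """Manager versioning: properties-file regex first, then package version."""
    m = MANAGER_CONF_VERSION.search(conf_text)
    return m.group(1) if m else packages.get("Symantec Endpoint Protection Manager")


def model_host(host_key: str, processes, packages: dict, sepm_conf: str = "") -> dict:
    """Return {(type, host_key): SI}: at most one software instance per type per host."""
    instances = {}
    for cmd in processes:
        module = trigger_module(cmd)
        if module is None:
            continue
        if module == "SymantecAV":
            # Sygate Firewall also ships an smc.exe: stop unless the SEP package is present.
            if SMC_TRIGGER.search(cmd) and not has_sep_package(packages):
                continue
            si_type, version = SI_CLIENT, client_version(cmd, packages)
        else:
            si_type, version = SI_MANAGER, manager_version(sepm_conf, packages)
        si = instances.setdefault((si_type, host_key),
                                  {"type": si_type, "version": None, "processes": []})
        si["version"] = si["version"] or version
    # Associate identified processes with an SI (assumed: SemSvc.exe to the manager,
    # every other identified process to the client).
    for cmd in processes:
        name = identify(cmd)
        if name is not None:
            target = SI_MANAGER if name == SI_MANAGER else SI_CLIENT
            if (target, host_key) in instances:
                instances[(target, host_key)]["processes"].append(name)
    return instances


# Constructed sample hosts: paths, package names and versions are made up.
SEP_BIN = r"C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin"
SAMPLE_HOSTS = {
    "sep-client": dict(
        processes=[SEP_BIN + r"\Smc.exe", SEP_BIN + r"\ccSvcHst.exe",
                   r"C:\Windows\System32\svchost.exe"],
        packages={"Symantec Endpoint Protection": "12.1.6168.6000"}),
    "sygate-only": dict(
        processes=[r"C:\Program Files\Sygate\SSA\smc.exe"],
        packages={"Sygate Security Agent": "5.6"}),
    "sepm-server": dict(
        processes=[r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SemSvc.exe",
                   SEP_BIN + r"\Smc.exe"],
        packages={"Symantec Endpoint Protection Manager": "12.1.6168.6000",
                  "Symantec Endpoint Protection": "12.1.6168.6000"},
        sepm_conf="# constructed properties fragment\nscm.server.version=12.1.6168.6000\n"),
}


def run_samples() -> dict:
    return {host: model_host(host, **spec) for host, spec in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for host, instances in run_samples().items():
        print(host, list(instances.values()) or "no Symantec software instance")
```

Running the script shows the three outcomes the text describes: the client host yields one client instance at path depth x.x.x.x.x with both identified processes attached, the Sygate host yields nothing because smc.exe without the SEP package aborts the module, and the manager host yields a manager and a client instance keyed separately by type.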
The pattern was tested against the following:
Processes and services Description
Installation Guide
Created by: Rebecca Shalfield 30 Oct 2007
Updated by: [Pradeep Tyagi] 16 Jan 2013