Page tree
    Skip to end of metadata
    Go to start of metadata
    Discover with BMC Discovery

    This product can be discovered by any edition of BMC Discovery. Download our free Community Edition to try it out, or [see what else it can discover] !

    What is this?
    This is a product information page, containing details of the information that BMC Discovery gathers about a product and how it is obtained.
    Product Name
    Endpoint Protection
    Publisher Page
    Secure Content and Threat Management
    TKU 2019-04-1
    Change History
    Symantec Endpoint Protection - Change History
    Reports & Attributes
    Symantec Endpoint Protection - Reports & Attributes
    Publisher Link

    Product Description

    Symantec Endpoint Protection (formerly Symantec AntiVirus) detects and removes viruses and spyware, prevents virus-infected emails from spreading and performs a full system deep scan to remove existing viruses, spyware and other threats. It also includes email and instant message scanning that detects, removes or blocks infected attachments.

    Known Versions

    Following versions apply to Symantec Antivirus

    • 5
    • 7
    • 8.0
    • 8.1
    • 8.5
    • 8.6
    • 9.0
    • 10.0
    • 10.1
    • 10.2

    Following versions apply to Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager.

    • 11.0
    • 12.0
    • 12.1

    Software Pattern Summary

    Product ComponentOS TypeVersioningPattern Depth
    Symantec Endpoint Protection ClientWindowsWMI Query, Registry, Package, PathInstance Based
    Symantec Endpoint Protection ManagerWindowsWMI Query, Registry, File, PackageInstance Based

    Platforms Supported by the Pattern

    The pattern definition identifies instances of Symantec Endpoint Protection Client (formerly Symantec Antivirus) and Symantec Endpoint Protection Manager running on Microsoft Windows.


    Software Instance Triggers

    PatternTrigger NodeAttributeConditionArgument

    matches (?i)\bRtvscan\.exe$
    SymantecEPManagerDiscoveredProcesscmdmatches (?i)\bSemSvc\.exe$


    The pattern module SymantecAV will stop immediately if its triggers on Smc.exe and finds no package for Symantec Endpoint Protection

    Simple Identification Mappings

    The following processes are given simple identification mappings

    Symantec Endpoint Protection Client (?i)\bRtvscan\.exe$
    Symantec Endpoint Protection Client process (?i)\bSymCorpUI\.exe$
    Symantec AntiVirus Roaming (?i)\bSavRoam\.exe$
    Symantec Antivirus Definition Watch (?i)\bdefwatch\.exe$
    Symantec Antivirus vpc32 (?i)\bsymantec antivirus\\vpc32\.exe$
    Symantec Endpoint Protection (?i)\bccSvcHst\.exe$
    Symantec Endpoint Protection Manager (?i)\bSemSvc\.exe$
    Symantec Endpoint Protection Client (?i)\bSmc\.exe$


    Version information for the product is currently collected using one of four possible methods. All these methods are tried in an order of precedence based on likely success and/or depth of the version information that can be gathered.

    WMI Query Versioning

    If the path to the trigger process is fully qualified the pattern attempts to extract version information using the WMI query:

    • SELECT Version FROM CIM_DataFile where Name='<trigger process>'

    Registry Versioning

    If WMI query versioning fails, the pattern attempts to get versioning information from the one of the following Windows registry key:

    The following registry key will only work on versions 11 and above of Symantec Endpoint Protection Client

    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion

    The following registry key will work for legacy version ie. Symantec AntiVirus and all versions of Symantec Endpoint Protection Manager

    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTVERSION

    No registry versioning is possible for Symantec AntiVirus

    File versioning

    The following file is used to get the versioning of Symantec Endpoint Protection Manager.

    • File Name - <install_path>\etc\ , where install_path is extracted from the path of the trigger process.
    • Version Regex -


    Package Versioning

    Versioning is obtained by reading package information on Windows. The package name that is searched for commences with one of the following:

    • Symantec Endpoint Protection
    • Symantec AntiVirus

    For Symantec Endpoint Protection Manager , the package versioning is done using the following package entry

    • Symantec Endpoint Protection Manager

    Versioning is achieved to either x.x.x or x.x.x.x depth using this approach.

    Path Versioning

    Versioning for Symantec Endpoint Protection Client is obtained by the path of the trigger process using the regex

    (?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*)

    Product Architecture and deployment

    Symantec Endpoint Protection contains four main architectural components :

    • Symantec Endpoint Protection Manager - The management server that is used to configure clients, reports, and alerts.
    • Symantec Endpoint Protection Client - Software that is deployed to networked computers. The client is used to monitor policies and automate policy compliance activities.
    • Following is the basic deployment model for this product

    Application Model Produced by Software Pattern

    Pattern Trigger


    Symantec Anti Virus versions prior to version 11 ran as a Windows service: rtvscan.exe. The pattern triggers on that process

    Symantec Anti Virus was renamed Symantec Endpoint Protection Client in version 11. The executable file of the windows service also changed to smc.exe. The pattern therefore also triggers on smc.exe

    Note that smc.exe is also a valid trigger process for Sygate Firewall. Therefore, if the pattern triggers on smc.exe it stops immediately if the "Symantec EndPoint Protection" package is not present.


    The pattern module SymantecEPManager has been created with the Symantec Endpoint Protection Manager (SemSvc.exe) process as its trigger process which runs all the time when Symantec Endpoint Protection Manager is installed.

    SI Type

    The pattern SymantecAV will create software instance of the following type:

    • "Symantec AntiVirus" for all legacy versions (before version 11), and all those instances where version cannot be discovered
    • "Symantec Endpoint Protection Client" for all modern versions

    The pattern module SymantecEPManager will create software instance of type "Symantec Endpoint Protection Manager"

    SI Depth

    Only one instance of any of the products modelled (Symantec AntiVirus, Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager) can run on a host. It is possible to run both a client and a manager on the same host. The pattern therefore creates an instance based software instance with the key based on type and host key

    Relationship Creation

    The following processes, if found running on the host, are associated to the created Software Instance:

    • SymCorpUI.exe
    • ccApp.exe
    • ccSvcHst.exe

    Details of these processes can be found in the simple identities section

    Subject Matter Expertise


    The pattern was tested against the following:

    • A local installation of Symantec AntiVirus Corporate Edition version 8 & 9 installed on windows XP Professional and Windows 2003 hosts
    • A local installation of Symantec Endpoint Protection Client and Symantec Endpoint Protection Manger with version 11 and 12.1
    • Record data from Windows 2003 hosts

    Information Sources

    Processes and services Description
    Installation Guide

    Open Issues

    Created by: Rebecca Shalfield 30 Oct 2007
    Updated by: [Pradeep Tyagi] 16 Jan 2013