- Discover with BMC Discovery
-
This product can be discovered by any edition of BMC Discovery. Download our free Community Edition to try it out, or [see what else it can discover] !
- What is this?
- This is a product information page, containing details of the information that BMC Discovery gathers about a product and how it is obtained.
- Product Name
- Endpoint Protection
- Publisher Page
- Symantec
- Category
- Secure Content and Threat Management
- Release
- TKU 2019-04-1
- Change History
- Symantec Endpoint Protection - Change History
- Reports & Attributes
- Symantec Endpoint Protection - Reports & Attributes
- Publisher Link
- Symantec
Product Description
Symantec Endpoint Protection (formerly Symantec AntiVirus) detects and removes viruses and spyware, prevents virus-infected emails from spreading and performs a full system deep scan to remove existing viruses, spyware and other threats. It also includes email and instant message scanning that detects, removes or blocks infected attachments.
Known Versions
Following versions apply to Symantec Antivirus
- 5
- 7
- 8.0
- 8.1
- 8.5
- 8.6
- 9.0
- 10.0
- 10.1
- 10.2
Following versions apply to Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager.
- 11.0
- 12.0
- 12.1
Software Pattern Summary
| Product Component | OS Type | Versioning | Pattern Depth |
|---|---|---|---|
| Symantec Endpoint Protection Client | Windows | WMI Query, Registry, Package, Path | Instance Based |
| Symantec Endpoint Protection Manager | Windows | WMI Query, Registry, File, Package | Instance Based |
Platforms Supported by the Pattern
The pattern definition identifies instances of Symantec Endpoint Protection Client (formerly Symantec Antivirus) and Symantec Endpoint Protection Manager running on Microsoft Windows.
Identification
Software Instance Triggers
| Pattern | Trigger Node | Attribute | Condition | Argument |
|---|---|---|---|---|
| SymantecAV | DiscoveredProcess | cmd | matches | (?i)\bRtvscan\.exe$ |
| or | ||||
| (?i)\bSmc\.exe$ | ||||
| or | ||||
| ccSvcHst | ||||
| SymantecEPManager | DiscoveredProcess | cmd | matches | (?i)\bSemSvc\.exe$ |
Note
The pattern module SymantecAV will stop immediately if its triggers on Smc.exe and finds no package for Symantec Endpoint Protection
Simple Identification Mappings
The following processes are given simple identification mappings
| Name | Command |
|---|---|
| Symantec Endpoint Protection Client | (?i)\bRtvscan\.exe$ |
| Symantec Endpoint Protection Client process | (?i)\bSymCorpUI\.exe$ |
| Symantec AntiVirus Roaming | (?i)\bSavRoam\.exe$ |
| Symantec Antivirus Definition Watch | (?i)\bdefwatch\.exe$ |
| Symantec Antivirus vpc32 | (?i)\bsymantec antivirus\\vpc32\.exe$ |
| Symantec Endpoint Protection | (?i)\bccSvcHst\.exe$ |
| Symantec Endpoint Protection Manager | (?i)\bSemSvc\.exe$ |
| Symantec Endpoint Protection Client | (?i)\bSmc\.exe$ |
Versioning
Version information for the product is currently collected using one of four possible methods. All these methods are tried in an order of precedence based on likely success and/or depth of the version information that can be gathered.
WMI Query Versioning
If the path to the trigger process is fully qualified the pattern attempts to extract version information using the WMI query:
- SELECT Version FROM CIM_DataFile where Name='<trigger process>'
Registry Versioning
If WMI query versioning fails, the pattern attempts to get versioning information from the one of the following Windows registry key:
The following registry key will only work on versions 11 and above of Symantec Endpoint Protection Client
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion
The following registry key will work for legacy version ie. Symantec AntiVirus and all versions of Symantec Endpoint Protection Manager
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTVERSION
No registry versioning is possible for Symantec AntiVirus
File versioning
The following file is used to get the versioning of Symantec Endpoint Protection Manager.
- File Name - <install_path>\etc\conf.properties , where install_path is extracted from the path of the trigger process.
Version Regex -
scm\.server\.version=(\d+(?:\.\d+)*)
Package Versioning
Versioning is obtained by reading package information on Windows. The package name that is searched for commences with one of the following:
- Symantec Endpoint Protection
- Symantec AntiVirus
For Symantec Endpoint Protection Manager , the package versioning is done using the following package entry
- Symantec Endpoint Protection Manager
Versioning is achieved to either x.x.x or x.x.x.x depth using this approach.
Path Versioning
Versioning for Symantec Endpoint Protection Client is obtained by the path of the trigger process using the regex
(?i)\\Symantec Endpoint Protection\\(\d+(?:\.\d+)*)Product Architecture and deployment
Symantec Endpoint Protection contains four main architectural components :
- Symantec Endpoint Protection Manager - The management server that is used to configure clients, reports, and alerts.
- Symantec Endpoint Protection Client - Software that is deployed to networked computers. The client is used to monitor policies and automate policy compliance activities.
- Following is the basic deployment model for this product
Application Model Produced by Software Pattern
Pattern Trigger
SymantecAV
Symantec Anti Virus versions prior to version 11 ran as a Windows service: rtvscan.exe. The pattern triggers on that process
Symantec Anti Virus was renamed Symantec Endpoint Protection Client in version 11. The executable file of the windows service also changed to smc.exe. The pattern therefore also triggers on smc.exe
Note that smc.exe is also a valid trigger process for Sygate Firewall. Therefore, if the pattern triggers on smc.exe it stops immediately if the "Symantec EndPoint Protection" package is not present.
SymantecEPManager
The pattern module SymantecEPManager has been created with the Symantec Endpoint Protection Manager (SemSvc.exe) process as its trigger process which runs all the time when Symantec Endpoint Protection Manager is installed.
SI Type
The pattern SymantecAV will create software instance of the following type:
- "Symantec AntiVirus" for all legacy versions (before version 11), and all those instances where version cannot be discovered
- "Symantec Endpoint Protection Client" for all modern versions
The pattern module SymantecEPManager will create software instance of type "Symantec Endpoint Protection Manager"
SI Depth
Only one instance of any of the products modelled (Symantec AntiVirus, Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager) can run on a host. It is possible to run both a client and a manager on the same host. The pattern therefore creates an instance based software instance with the key based on type and host key
Relationship Creation
The following processes, if found running on the host, are associated to the created Software Instance:
- SymCorpUI.exe
- ccApp.exe
- ccSvcHst.exe
Details of these processes can be found in the simple identities section
Subject Matter Expertise
Testing
The pattern was tested against the following:
- A local installation of Symantec AntiVirus Corporate Edition version 8 & 9 installed on windows XP Professional and Windows 2003 hosts
- A local installation of Symantec Endpoint Protection Client and Symantec Endpoint Protection Manger with version 11 and 12.1
- Record data from Windows 2003 hosts
Information Sources
Processes and services Description
Installation Guide
Open Issues
Created by: Rebecca Shalfield 30 Oct 2007
Updated by: [Pradeep Tyagi] 16 Jan 2013
Overview
Content Tools
Add-ons
Reporter Replacement
com.bmc.atlassian.bmc-util-plugin-2.section.label
Tasks