Few Registry Tweaks from Symantec for Symantec Endpoint Protection

1. To check the Version of currently installed SEP client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

ProductVersion  

Value will be something like 11.0.4014.26

 
2. Client is communicating with SEPM or is OFFLINE

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

PolicyMode  1 – means communicating 0- means offline.

3. Which Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Preferredgroup

4. Policy Serial Number on Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

SerialNumber

Value will be something like 2DD9-09/09/2009 00:05:14 125

5. To know the Hardware ID for the Client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

HardwareID

6. What is the version of Virus Defintion the client is currently using .

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs

DEFWATCH_10

The value will be some like C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090907.050

7. To know what IPS Signature SEP is using

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-cndcipsdefs

cndcIps

The value will be like: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\CNDCIP~1\20090826.002

8. To check if Network Threat Protection is installed and is Turned ON.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC

smc_engine_status  0 – means turned OFF 1- turned ON.

9. Exclusion –Centralized Exceptions

32 bit

i. Security Risk Exceptions

User Defined Exceptions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions

Lock – 0- means the client can create Centralized Exceptions for Known Security Risks 1 – means this optioned is locked by the administrator in SEPM.

And Under the ClientRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the users.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions

Under the AdminRiskExceptions\1234567890 (normally a 10 digit numerical folder )  you will find the Known Security Risk exceptions created by the Admin from SEPM.

 

ii. Proactive Threat Protection Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash

\Client\ 0728bd2bb1774b9728f60d33bc1f95172374e950–(The long hexadecimal numbers point to the filehash for the excluded file )  For the exclusions created by the user

\Admin\ 0728bd2bb1774b9728f60d33bc1f95172374e950 – (The long hexadecimal numbers point to the filehash for the excluded file ) –  For exclusions made by Admin from SEPM.

Same with Directory , Files and Folder Exclusions

iii. Directory

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory

\Admin  and \Client

iv. Files

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName

\Admin  and \Client

 
v.Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions\

\Admin  and \Client

vi. Symantec also excludes it own Embedded Database from Scanning

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Symantec Embedded Database\FileExceptions

Out.log, Sem5.log and Sem5.db are excluded.

vii. To Verify Exchange Server exclusions on 32 Bit System

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server

\FileExceptions and \NoScanDir

On 64 Bit system

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

\FileExceptions and \NoScanDir

 

10. Now say you have remote laptops you exported a Default client install package and sent them.

Now you want to change them to Unmanaged.

You replaced sylink.xml for Unmanaged SEP Cd1\SEP\Sylink.xml

Still clients are not able to do the liveupdate and the default admin defined Scan runs.

Here is the default Admin Defined Scanand if you have created few more scans for this users it will also be listed in the same location but with a different name.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 ( name can be any hexadecimal name )

So you can delete this and then you can create your own scan.

Liveupdate button is greyed out even after replacing sylink.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

AllowManualLiveUpdate  0- means liveupdate button will be greyed out. 1-means it will be available to click.

In the same place you can enable product updates by changing the value of

EnableProductUpdates  to 1

For Scheduling and Enabling automatic liveupdates.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule

Change the value of

Enabled to 1 – for Automatic updates.

11. Handling Quarantine

Sometimes due to infection the size of the quarantine folder grows huge.

It is not accessible via the GUI.So to know where and to change settings for Quarantine for the client

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important keys

QuarantinePurgeBySizeEnabled set it to 1 –To enable Sizing of quarantine folder then

QuarantinePurgeBySizeDirLimit   Default value is 50 ( Megabytes)  either leave it at 50 or reduce it as much you want.

You can also lower the age of purging Quarantine items from default 30 days to any number of days you want

QuarantinePurgeAgeLimit   30 days by default.

12. How to disable Application and Device Control via registry

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant

Change the Value of Start to 4 . 1 –means enabled.

13. Check this discussion on Creating Scan via registry
https://www-secure.symantec.com/connect/forums/way-create-scan-registry

14. For Logging options via registry
How to debug the Symantec Endpoint Protection 11.x client
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090611252048

 15. GUP information via registry
Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040113243148

16. Enable debugging of Auto Location switching (ALS) and this Reg key

HKLM\SOFTWARE\S ymantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump

Advertisements

Posted on February 23, 2014, in General. Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: