The -tz option can be used to manually enter a time zone offset.

SEPparser has a logging feature (-l) that saves the console output to a log file. This is useful for checking for errors during parsing. If an error occurred, the -v option gives a more verbose output of what went wrong.

When it comes to quarantine files, SEPparser has some additional features that can be useful. It can extract (-e) the quarantined data, or it can dump the data to the console in hex format with the -qd option.

What research is complete without looking at the registry? There are a few interesting keys to be found here. One will tell you the worst infection type that occurred on the endpoint; others record the files that were quarantined and various other settings. This list is not complete, but I tried to hit some of the more interesting ones.

Registry key entries are found in the following hive file: C:\Windows\System32\config\SOFTWARE

All of the subkeys below sit under HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection (for example ...\CurrentVersion), or under HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection on 64-bit systems where the client is registered in the 32-bit view of the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV
- Severity of the worst detection that was made (14 = (Severity 14) Proactive Threat Scan - Heuristic)
- The last time a virus was detected on the client computer (GMT)

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine
- Enable forwarding of quarantine to central server
- Maximum size in megabytes of the backup folder
- Maximum days to hold onto quarantine files
- Maximum size in megabytes of the quarantine folder
- Maximum size in megabytes of the repaired folder

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\QRecords\(10 digit numerical folder)
- One subkey per quarantined item, named with a ten-digit number

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate
- Registers whether Virus and Spyware Protection is enabled or disabled
- Virus definition revision number in use by the client
- Registers whether the client computer is infected with one or more risks detected by Virus and Spyware Protection
- Registers whether Symantec Network Access Control is enabled or disabled
- Registers whether firewall protection is enabled or disabled
- Registers the IP address of the most recent Symantec Endpoint Protection management server that the client connected to
- Registers the reason for a restart of the client computer:
  1 = Reboot required for threat remediation
  4 = Reboot required for install completion
  5 = Reboot required by SEP manager command
  6 = Reboot required due to catastrophic install failure
  7 = Reboot required for driver config change
- Registers whether Virus and Spyware Protection is enabled or disabled
- Registers details about the status of client software download, installation, upgrade, or patch. Note: this subkey appears to be redundant with the following subkey.
- An integer sent by the client to represent the current deployment status
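To pull all of the keys above off a box in one go, here is a PowerShell collection script. It is an added example, not part of the original post and not part of SEPparser. It assumes only the key paths listed above; it dumps value names and data as they exist rather than decoding them, falls back to the Wow6432Node view when the native key is missing, and counts the QRecords subkeys. The HKLM\SEPHive mount point used for offline analysis is a made-up name for a SOFTWARE hive loaded with reg load.

```powershell
# Added example (not from the original post or SEPparser): dump the SEP
# registry keys listed above from the live hive, or from an offline
# SOFTWARE hive mounted first with:  reg load HKLM\SEPHive C:\case\SOFTWARE
# (HKLM\SEPHive is an assumed mount point name.)
param(
    # Root of the SOFTWARE hive to read. Use 'HKLM:\SEPHive' after 'reg load'.
    [string]$HiveRoot = 'HKLM:\SOFTWARE'
)

# The client may be registered in the native or the 32-bit (Wow6432Node) view.
$candidates = @(
    "$HiveRoot\Symantec\Symantec Endpoint Protection",
    "$HiveRoot\Wow6432Node\Symantec\Symantec Endpoint Protection"
)
$base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) { throw "No Symantec Endpoint Protection key found under $HiveRoot" }

# Subkeys named in the post; each is dumped as value-name/data pairs.
$subkeys = @('AV', 'AV\Quarantine', 'CurrentVersion\public-opstate')

$report = [ordered]@{ Base = $base; Keys = [ordered]@{} }
foreach ($sub in $subkeys) {
    $path = Join-Path $base $sub
    if (-not (Test-Path $path)) { $report.Keys[$sub] = $null; continue }
    $props  = Get-ItemProperty -Path $path
    $values = [ordered]@{}
    # Skip the PSPath/PSParentPath/... members PowerShell adds to the object.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
    }
    $report.Keys[$sub] = $values
}

# One QRecords subkey per quarantined item. The post says the names are
# ten-digit numbers, so anything that does not match is worth a second look.
$qrecords = Join-Path $base 'AV\Quarantine\QRecords'
if (Test-Path $qrecords) {
    $names = @(Get-ChildItem -Path $qrecords | ForEach-Object { $_.PSChildName })
    $report.QRecordCount    = $names.Count
    $report.QRecordNames    = $names
    $report.OddQRecordNames = @($names | Where-Object { $_ -notmatch '^\d{10}$' })
}

# JSON keeps REG_BINARY values as byte arrays, so nothing is lost for later triage.
$report | ConvertTo-Json -Depth 4
```

Run it as-is on a live client, or load the SOFTWARE hive from an image and pass -HiveRoot 'HKLM:\SEPHive'. Remember to reg unload HKLM\SEPHive when you are done; a hive left mounted will keep the file locked.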