Obtaining Symantec Endpoint Protection Version Info with PowerShell
Right, let's set this one out. I do not, have not ever, nor probably ever will like any AV enterprise management product. However, sometimes you have to work with them, and frequently the data in the management product does not actually reflect the end user / server estate. The function below queries the registry of one or more remote machines and reports back the state of the installed Symantec SEP client, to help perform a true-up.
The PatternFileDate value stored in HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV needs a little figuring out; this posting (quoted below) helps figure it out.
You can get the info from this registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV

On this key you can find two values:
PatternFileDate : Current definition date
PatternFileRevision : Revision

These are hexadecimal values.

Example: PatternFileDate : 27090e - 2009 Oct 14
27090e is in YYMMDD format:
27 - 2009 (27 hex is 39 decimal; this value is counted from 1970, so 1970 + 39 = 2009)
09 - October (00 = Jan, 0B = Dec)
0e - 14 (0e hex is 14 decimal)

PatternFileRevision : 16 hex - 22 (16 hex is 22 in decimal)
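As an added example (not part of the original post or the quoted posting), here is a helper that turns the PatternFileDate bytes into a proper [datetime], so definition age can be checked during the true-up rather than only printed. The function name, the hex-string input form and the 7-day staleness threshold are my assumptions.

```powershell
function ConvertFrom-SEPPatternFileDate {
    <#
    .SYNOPSIS
    Decode a SEP PatternFileDate value (3 bytes: YY MM DD, where YY is years since
    1970 and MM is zero-based) into a [datetime]. Hypothetical helper, not part of SEP.
    .PARAMETER PatternFileDate
    Either the byte[] returned by GetValue('PatternFileDate') or a six-digit hex
    string such as "27090e" as shown in the registry editor.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        $PatternFileDate
    )
    if ($PatternFileDate -is [string]) {
        $hex = $PatternFileDate.Trim()
        if ($hex.Length -ne 6) { throw "Expected 6 hex digits, got '$hex'" }
        $bytes = [byte[]](0..2 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    }
    else {
        $bytes = [byte[]]$PatternFileDate
    }
    if ($bytes.Length -lt 3) { throw "PatternFileDate must contain at least 3 bytes" }

    $year  = 1970 + [int]$bytes[0]     # 0x27 = 39 -> 2009
    $month = [int]$bytes[1] + 1        # 0x09 = 9  -> October (00 = Jan)
    $day   = [int]$bytes[2]            # 0x0e = 14
    if ($month -gt 12) { throw ("Month byte out of range: 0x{0:x2}" -f $bytes[1]) }
    # The DateTime constructor rejects impossible day values (e.g. 31 Feb) for us
    New-Object System.DateTime -ArgumentList $year, $month, $day
}

# Constructed sample input: the value from the quoted posting (27 09 0e, 2009 Oct 14)
$defDate = ConvertFrom-SEPPatternFileDate -PatternFileDate "27090e"
$defDate.ToString("yyyy-MM-dd")

# Same decode from the raw REG_BINARY bytes as GetValue() would return them
$fromBytes = ConvertFrom-SEPPatternFileDate -PatternFileDate ([byte[]](0x27, 0x09, 0x0e))

# True-up check: flag clients whose definitions are older than the assumed 7-day threshold
$maxAgeDays = 7
$ageDays = ((Get-Date).Date - $defDate).Days
if ($ageDays -gt $maxAgeDays) { "Definitions dated $($defDate.ToShortDateString()) are $ageDays days old: stale" }
else { "Definitions current" }
```

Inside Get-SEPVersion the same helper can be called on $AVPatternFileDate to emit a [datetime] property instead of a string, which sorts and filters correctly in Export-Csv or Where-Object.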
```powershell
function Get-SEPVersion {
<#
.SYNOPSIS
Retrieve Symantec Endpoint Version, Definition Date and Sylink Group

.DESCRIPTION
Retrieve Symantec Endpoint Version, Definition Date and Sylink Group

.PARAMETER ComputerName
Name of the computer to query SEP info for

.EXAMPLE
PS C:\> Get-SEPVersion -ComputerName Server01

.EXAMPLE
PS C:\> $servers | Get-SEPVersion

.NOTES
Author: Jonathan Medd
Date: 23/12/2011
#>
[CmdletBinding()]
param(
    [Parameter(Position=0,Mandatory=$true,HelpMessage="Name of the computer to query SEP for",
               ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
    [Alias('CN','__SERVER','IPAddress','Server')]
    [System.String]
    $ComputerName
)

begin {
    # Create object to enable access to the months of the year
    $DateTimeFormat = New-Object System.Globalization.DateTimeFormatInfo

    # Set Registry keys to query
    $SMCKey    = "SOFTWARE\Symantec\Symantec Endpoint Protection\SMC"
    $AVKey     = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV"
    $SylinkKey = "SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
}

process {
    try {
        # Connect to Registry
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$ComputerName)

        # Obtain Product Version value
        $SMCRegKey  = $reg.OpenSubKey($SMCKey)
        $SEPVersion = $SMCRegKey.GetValue('ProductVersion')

        # Obtain Pattern File Date value (REG_BINARY: YY MM DD, years since 1970, month zero-based)
        $AVRegKey          = $reg.OpenSubKey($AVKey)
        $AVPatternFileDate = $AVRegKey.GetValue('PatternFileDate')

        # Convert PatternFileDate to readable date
        $AVYearFileDate    = [string]($AVPatternFileDate[0] + 1970)
        $AVMonthFileDate   = $DateTimeFormat.MonthNames[$AVPatternFileDate[1]]
        $AVDayFileDate     = [string]$AVPatternFileDate[2]
        $AVFileVersionDate = $AVDayFileDate + " " + $AVMonthFileDate + " " + $AVYearFileDate

        # Obtain Sylink Group value
        $SylinkRegKey = $reg.OpenSubKey($SylinkKey)
        $SylinkGroup  = $SylinkRegKey.GetValue('CurrentGroup')
    }
    catch [System.Management.Automation.MethodInvocationException] {
        # OpenRemoteBaseKey failed (host offline, no Remote Registry service, access denied)
        $SEPVersion        = "Unable to connect to computer"
        $AVFileVersionDate = ""
        $SylinkGroup       = ""
    }
    catch {
        # Any other failure, e.g. SEP not installed so OpenSubKey returned $null
        $SEPVersion        = "Unable to read SEP registry keys: $($_.Exception.Message)"
        $AVFileVersionDate = ""
        $SylinkGroup       = ""
    }

    $MYObject = "" | Select-Object ComputerName,SEPProductVersion,SEPDefinitionDate,SylinkGroup
    $MYObject.ComputerName      = $ComputerName
    $MYObject.SEPProductVersion = $SEPVersion
    $MYObject.SEPDefinitionDate = $AVFileVersionDate
    $MYObject.SylinkGroup       = $SylinkGroup
    $MYObject
}
}
```