Scripting. Powershell, VMware, Windows, Active Directory & Exchange. All that kind of stuff…..
  • Obtaining Symantec Endpoint Protection Version Info with PowerShell

    Posted on December 23rd, 2011 by Jonathan Medd

    Right, let's set this one out. I do not, have not ever, and probably never will like any AV enterprise management products. However, sometimes you have to work with them, and frequently the data in the management product does not actually reflect the end-user / server estate. The function below queries the registry of one or more remote machines and reports back the state of the installed Symantec SEP client, to help perform a true-up.

    The PatternFileDate value stored in HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV needs a little figuring out; this posting explains how:

    You can get the info from this registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV

    On this key you can find two values:
    PatternFileDate : Current definition date
    PatternFileRevision : Revision

    These are hexadecimal values.

    Example:
    PatternFileDate : 27090e - 2009 Oct 14
    27090e - YYMMDD format
    27 - 2009
    27 hex is 39 decimal; this value is years since 1970, so 1970 + 39 = 2009

    09 is October (00 - Jan, 0B - Dec)
    0e hex - 14 in decimal

    PatternFileRevision : 16 hex - 22

    16 hex is 22 in decimal

     

    
    function Get-SEPVersion {
    <#
    .SYNOPSIS
    Retrieve Symantec Endpoint Version, Definition Date and Sylink Group

    .DESCRIPTION
    Retrieve Symantec Endpoint Version, Definition Date and Sylink Group from the
    registry of one or more remote computers. Requires the Remote Registry service
    to be running on the target and read access to HKEY_LOCAL_MACHINE there.

    .PARAMETER  ComputerName
    Name of the computer to query SEP info for

    .EXAMPLE
    PS C:\> Get-SEPVersion -ComputerName Server01

    .EXAMPLE
    PS C:\> $servers | Get-SEPVersion

    .NOTES
    Author: Jonathan Medd
    Date: 23/12/2011
    #>

        [CmdletBinding()]
        param(
            [Parameter(Position=0,Mandatory=$true,HelpMessage="Name of the computer to query SEP for",
            ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
            [Alias('CN','__SERVER','IPAddress','Server')]
            [System.String]
            $ComputerName
        )

        begin {
            # Create object to enable access to the months of the year.
            # MonthNames[0] is January, which matches the zero-based month byte in PatternFileDate.
            $DateTimeFormat = New-Object System.Globalization.DateTimeFormatInfo

            # Set Registry keys to query (relative to HKEY_LOCAL_MACHINE)
            $SMCKey = "SOFTWARE\Symantec\Symantec Endpoint Protection\SMC"
            $AVKey = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV"
            $SylinkKey = "SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
        }

        process {
            try {
                # Connect to Registry
                $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$ComputerName)

                # Obtain Product Version value
                $SMCRegKey = $reg.OpenSubKey($SMCKey)
                $SEPVersion = $SMCRegKey.GetValue('ProductVersion')

                # Obtain Pattern File Date value (REG_BINARY, returned as a byte array: YY MM DD)
                $AVRegKey = $reg.OpenSubKey($AVKey)
                $AVPatternFileDate = $AVRegKey.GetValue('PatternFileDate')

                # Convert PatternFileDate to readable date
                $AVYearFileDate = [string]($AVPatternFileDate[0] + 1970)
                $AVMonthFileDate = $DateTimeFormat.MonthNames[$AVPatternFileDate[1]]
                $AVDayFileDate = [string]$AVPatternFileDate[2]
                $AVFileVersionDate = $AVDayFileDate + " " + $AVMonthFileDate + " " + $AVYearFileDate

                # Obtain Sylink Group value
                $SylinkRegKey = $reg.OpenSubKey($SylinkKey)
                $SylinkGroup = $SylinkRegKey.GetValue('CurrentGroup')
            }
            catch [System.Management.Automation.MethodInvocationException] {
                # OpenRemoteBaseKey fails (wrapped by PowerShell) when the Remote Registry
                # service is unreachable or access is denied
                $SEPVersion = "Unable to connect to computer"
                $AVFileVersionDate = ""
                $SylinkGroup = ""
            }
            catch [System.Management.Automation.RuntimeException] {
                # OpenSubKey returns $null when SEP is not installed, so the following
                # GetValue call fails with a null-valued expression error
                $SEPVersion = "SEP registry keys not found"
                $AVFileVersionDate = ""
                $SylinkGroup = ""
            }

            $MYObject = "" | Select-Object ComputerName,SEPProductVersion,SEPDefinitionDate,SylinkGroup
            $MYObject.ComputerName = $ComputerName
            $MYObject.SEPProductVersion = $SEPVersion
            $MYObject.SEPDefinitionDate = $AVFileVersionDate
            $MYObject.SylinkGroup = $SylinkGroup
            $MYObject
        }
    }
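
    As an added worked example (not from the original post), the helpers below decode the three PatternFileDate bytes described above into a [datetime] and flag definition sets older than a threshold, which is the check a true-up actually needs. ConvertFrom-SEPPatternFileDate accepts either the byte array that GetValue returns for the REG_BINARY value or a hex string such as 27090e; the function names, the threshold and the sample bytes are constructed for this illustration.

```powershell
function ConvertFrom-SEPPatternFileDate {
    # Decode a SEP PatternFileDate into a [datetime]. The registry stores three bytes
    # YY MM DD, where YY is years since 1970 and MM is zero-based (00 = January).
    # Accepts the byte[] that RegistryKey.GetValue returns or a hex string like '27090e'.
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)] $PatternFileDate)

    if ($PatternFileDate -is [string]) {
        $hex = $PatternFileDate.Trim()
        if ($hex -notmatch '^[0-9a-fA-F]{6}$') { throw "Expected 6 hex digits, got '$hex'" }
        $bytes = 0..2 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) }
    } else {
        $bytes = [byte[]]$PatternFileDate
    }
    if ($bytes.Count -lt 3) { throw "PatternFileDate needs at least 3 bytes" }

    $year  = 1970 + [int]$bytes[0]
    $month = [int]$bytes[1] + 1
    $day   = [int]$bytes[2]
    # An uninitialised or corrupt value (month 13, day 0, ...) fails here
    # instead of silently producing a plausible but wrong date
    New-Object System.DateTime -ArgumentList $year, $month, $day
}

function Get-SEPDefinitionAge {
    # Report how old a definition set is and whether it exceeds the allowed age (constructed threshold)
    param(
        [Parameter(Mandatory=$true)] [datetime] $DefinitionDate,
        [int] $MaxAgeDays = 7,
        [datetime] $AsOf = (Get-Date).Date
    )
    $ageDays = ($AsOf.Date - $DefinitionDate.Date).Days
    New-Object PSObject -Property @{
        DefinitionDate = $DefinitionDate.ToString('yyyy-MM-dd')
        AgeDays        = $ageDays
        Stale          = ($ageDays -gt $MaxAgeDays)
    }
}

# Constructed sample: the post's example 27 09 0e, as the byte array GetValue would return
$sample = [byte[]](0x27, 0x09, 0x0e)
$defDate = ConvertFrom-SEPPatternFileDate -PatternFileDate $sample
Get-SEPDefinitionAge -DefinitionDate $defDate -MaxAgeDays 7 -AsOf (Get-Date '2009-10-20')

# The same date supplied in the hex string form quoted above
ConvertFrom-SEPPatternFileDate -PatternFileDate '27090e'
```

    The sample bytes should decode to the 2009 Oct 14 date the quoted posting works through; against a 2009-10-20 reference date that set is 6 days old and not yet stale at a 7-day threshold.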
    
