SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


Sidebar

Recently Changed Pages:

View All Pages


View All Tags


LinkedIn




WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.


Pages with comments

View All Comments

symanteccontrols

Symantec Control

This control is the next step after AD Controls and also uses the Functions script that is listed there. The purpose of the script below is to get the client list of Symantec EndPoint Protection and check for various things. See the script comments to check exactly.

Note that the script is a PowerShell Core script, so you need to install PowerShell 6.

The Script

# Author: Sjoerd Hooft / https://www.linkedin.com/in/sjoerdhooft/
 
### Versioning and functionality ##################################################################
### 2019 02 14 - Sjoerd Hooft ###
# Collect Evidence for ICT Control 12
### Retrieve and list all clients in Symantec Endpoint Protection 
### List servers that have not been scanned or updated in more than 5 days  
### List servers that found a virus yesterday or are infected
### List offline servers 
### List servers that are in AD but are not in Symantec
### Sends an email for ICT CF or BoD check depending on day and variables that are set in the scripyt
###################################################################################################
 
### Bugs ##########################################################################################
### Encrypted passwords are not accepted by Symantec. I consider that a bug
# Reading the password from a save file like bel;ow won't work, SEPM won't accept it as a valid password
# $symantecusername = "syssjoerd"
# NOTE: Run once manually from the account the script will run from: read-host -assecurestring | convertfrom-securestring | out-file "symanteccreds.txt"
# $symantecpassword = get-content "symanteccreds.txt" | convertto-securestring
# $cred2 = new-object -typename System.Management.Automation.PSCredential -argumentlist $symantecusername,$symantecpassword
# $auth = $cred2 | Select @{Name="username";Expression = {$symantecusername}},@{Name="password";Expression = { $_.password | ConvertFrom-SecureString }},@{Name="domain";Expression = {$domain}} | ConvertTo-Json
###################################################################################################
 
### How-To ########################################################################################
# I can't test on Infected servers so I'm not 100% sure that works as expected. 
###
# When changing and testing
## Disable the toemail and ccmail variable below in fase 4. Then the default variables from fase 1 are used. 
# After the script has run, Microsoft Flow picks up the email and places it on the SharePoint Evidence site
# Symantec REST API documentation: https://support.symantec.com/en_US/article.HOWTO125873.html
# Import certificate from SEP Management server: http://WIN-SEP-PRD:9090/downloadServerCertificate 
# This script needs to run in PowerShell Core 6.x 
###################################################################################################
 
### Script Overview ###############################################################################
### Fase 1
# Set script variables
# Start Logging
# Check for required modules
# All other Variables 
# Import default functions 
# Script specific functions
### Fase 2
# Collect Symantec Client List 
# Find some high prio things
# Compare list of servers with list of servers in AD 
### Fase 3
# Create Report body
# Create Report High Prio 
# Find some more high prio things
### Fase 4
# Define body of email based on day of month and if high prio findings
# Send report
### Fase 5
# Legenda of JSON file of symantec output 
###################################################################################################
 
########################################## Start Fase 1 ###########################################
 
# Script Variables
$scriptname = [System.IO.Path]::GetFilenameWithoutExtension($MyInvocation.MyCommand.Path.ToString())
$scriptlocation = Split-Path $myinvocation.mycommand.path
 
# Start transcript for full logging capabilities
start-transcript -path "$scriptlocation\logtranscript.txt"
 
# Check Required Modules
# The active directory module is not available for powershell 6 core, but as we need it we import a session from the domain controller (needs domain admin permissions)
# ActiveDirectory Module is not available in PS 6 Core, so we import the powershell session from a domain controller 
$dc = "WIN-ADDC"
$loadps = New-PSSession -ComputerName $dc
Import-Module -PSsession $loadps -Name ActiveDirectory
 
# System Variables 
# Set system variables for tls 1.2 and certificates
# Error if you don't: Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
 
# Date & Time Variables
$timenow = Get-Date
$timestamp = Get-Date -format "yyyyMMdd-HH.mm"
$readdate = Get-Date -format "d MMM yyyy"
$weekdate = Get-Date -uformat %V
$monthdate = Get-Date -format "MMMM-yyyy"
$monthday = get-date -uFormat %d
 
# Reporting Variables
### Email Variables
$priority = "normal"
$report = "$scriptlocation\$scriptname.xlsx"
#$monthreport = "$scriptlocation\$monthdate-$scriptname.xlsx"
$mailserver = "smtpserver"
#$toemail = "webmaster_shift.nl"
# To and CC get replaced below when sending the report. These are default for testing. 
$toemail = "webmaster_shift.nl"
$ccmail = "sjoerd_shift.nl"
$fromemail = "$scriptname_shift.nl"
# Make the email start specific for this control
$info = "Dear $toemail , <br>"
$info += "<br>"
# Create body for Evidence Email 
$infoevidence = "This is the automatic report as run for ICT Control Framework 12 <br>"
$infoevidence += "<i>What do you need to do:</i><br>"
$infoevidence += "<i>What:</i> Checking if the actuality of the Malware detection and repair software is up to date: is the latest version implemented. It concerns the following software: <br>
-	Symantec (server protection); <br>
-	Defender and Cylance (end-point (laptop)protection). <br>
<br>"
$infoevidence += "<i>Who:</i> Manager ICT Infrastructure <br>"
$infoevidence += "<i>When:</i> Monthly. <br>"
$infoevidence += "<br>"
$infoevidence += "<b>The following information was found:</b> <br>"
$infoevidence += "<br>"
 
# Control Framework variables
# Number of days before missed updates or scannes becomes a problem
$misseddays = 5
# Day the CF is run, should be two digits, so 05 for the fifth of the month, on all other days it reports as the Begin Of Day (BOD) check 
$evidenceday = "05"
 
### Start Functions ###
# Import functions from global function file
. "$scriptlocation\Functions.ps1"
 
########################################## Start Fase 2 ###########################################
 
# SEP Management Server	  
$SEP = 'WIN-SEP-PRD:8446'
 
# Symantec Credentials 
# So, this is an EXPIRED Symantec System Administrator, to change the password, log on to the Symantec Endpoint Protection Manager as an admin.
$cred= @{
	username = "sa_symantec"
	password = "1234567890"
	domain = "shift"
}
#converts $cred array to json to send to the SEPM
$auth = $cred | ConvertTo-Json
 
# Get the SEPM token and put in a header variable
$Authent = Invoke-RestMethod -Uri https://$SEP/sepm/api/v1/identity/authenticate -Method Post -Body $auth -ContentType 'application/json' -SkipCertificateCheck
$access_token = $Authent.Token
$header =@{Authorization='Bearer '+$access_token}
 
# Retrieve all protected nodes 
### Note: pagesize is the number of servers that are retrieved. Adjust if required 
$json = Invoke-RestMethod -Uri https://$SEP/sepm/api/v1/computers?pageSize=500 -Headers $header -SkipCertificateCheck
 
# Returned info is either a JSON Object or Array with page info around. To convert the JSON information to something useful we need to trim the page info 
# Strip from start: {"content":
$json = $json -replace '\{\"content\"\:',""
# Strip everything after last }] which is the start of the page description, which starts with size 
$json = $json.Substring(0,$json.IndexOf(',"size"'))
# Create a powershell array
# The parameter below (-AsHashTable) is only available in powershell core 6.x
$servers = $json | ConvertFrom-Json -AsHashtable
 
# Get all servers that are listed offline 
$offlineservers = $servers | select computerName,onlineStatus | Where-Object {$_.onlineStatus -eq 0} | select -ExpandProperty computerName
$allofflineservers = $offlineservers -join '; '
 
# Get all servers that are infected 
$infectedservers = $servers | select computerName,infected | Where-Object {$_.infected -ne 0} | select -ExpandProperty computerName
$allinfectedservers = $infectedservers -join '; '
 
# Get all online servers for further processing
$onlineservers = $servers | select computerName,onlineStatus,lastscantime,lastupdatetime,lastvirustime,domainOrWorkgroup,infected | Where-Object {$_.onlineStatus -ne 0} | sort domainorworkgroup,computername
 
# Compare to AD Servers 
# Get online servers in symantec for the production domain only 
$onlineadservers = $servers | select computerName,onlineStatus,domainOrWorkgroup | Where-Object {$_.onlineStatus -ne 0 -and $_.domainorworkgroup -eq "ad.shift.nl"} | select -ExpandProperty computerName
# Get online AD servers and check if in symantec
 
# Check which servers are missing
$missingadservers = Get-ADComputer -Filter {(operatingSystem -like "*windows*Server*")} | Where {$onlineadservers -notcontains $_.Name} | Select Name 
# Check is missing server is online, if so, add it to the missing servers list 
$allmissingadserverscount = 0
ForEach ($missingadserver in $missingadservers){
	$adcomputername = [string]$missingadserver.Name
	$adserverstate = CheckAvailability $adcomputername
	if ($adserverstate -eq "OK"){
		$allmissingadserverscount ++
		$allmissingadservers = $allmissingadservers + "$adcomputername; "
	}
}
 
########################################## Start Fase 3 ###########################################
 
# Provide tableheader in email for readability
$infoservers += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoservers += "<tr>"
$infoservers += '<th style="width: 200px; text-align: left;">'
$infoservers += "ServerName"
$infoservers += '</th>'
$infoservers += '<th style="width: 100px; text-align: left;">'
$infoservers += "Domain"
$infoservers += '</th>'
$infoservers += '<th style="width: 100px; text-align: left;">'
$infoservers += "Last Updated On"
$infoservers += '</th>'
$infoservers += '<th style="width: 100px; text-align: left;">'
$infoservers += "Last Scanned On"
$infoservers += '</th>'
$infoservers += '<th style="width: 200px; text-align: left;">'
$infoservers += "Last time the server found a virus"
$infoservers += '</th>'
$infoservers += '<th style="text-align: left;">'
$infoservers += "Server is infected"
$infoservers += '</th>'
$infoservers += "</tr>"
$infoservers += "</table>"
 
Foreach ($server in $onlineservers){
	$computer = $server.computerName
	$domain = $server.domainOrWorkgroup
	$infected = $server.infected
	# Convert Unix/Epoch time in seconds
	# (([System.DateTimeOffset]::FromUnixTimeSeconds($lastscantime)).DateTime).ToString("s")
	# Convert Unix/Epoch time in milliseconds - some time stamps appear to be milliseconds
	# (([System.DateTimeOffset]::FromUnixTimeMilliSeconds($lastScanTimetemp)).DateTime).ToString("s")
	# How long ago was the server scanned
	$lastScanTimeTemp = $server.lastScanTime
	$lastScanTime = (([System.DateTimeOffset]::FromUnixTimeMilliSeconds($lastScanTimeTemp)).DateTime).ToString("s")
	$lastScanDate = $lastScanTime | get-date -Uformat "%d %b %Y"
	$tbls = (New-TimeSpan $lastScanTime $timenow).Days
	# If time between last scan and now is equal or more days then $misseddays we need to take action
	if($tbls -ge $misseddays){
		$priority = "high"
		$tblsservers = $tblsservers + "$computer; "
	}
	# How long ago was the server updated
	$lastUpdateTimeTemp = $server.lastUpdateTime
	$lastUpdateTime = (([System.DateTimeOffset]::FromUnixTimeMilliSeconds($lastUpdateTimeTemp)).DateTime).ToString("s")
	$lastUpdateDate = $lastUpdateTime | get-date -Uformat "%d %b %Y"
	$tblu = (New-TimeSpan $lastUpdateTime $timenow).Days
	# If time between last update and now is equal or more days then $misseddays we need to take action
	if($tblu -ge $misseddays){
		$priority = "high"
		$tbluservers = $tbluservers + "$computer; "
	}
	# How long ago did the server had a virus
	$lastVirusTimeTemp = $server.lastVirusTime
	# If the $lastVirusTime is a 0, the server never had a virus 
	if ($lastVirusTimeTemp -ne 0){
		$lastVirusTime = (([System.DateTimeOffset]::FromUnixTimeMilliSeconds($lastVirusTimeTemp)).DateTime).ToString("s")
		$lastVirusDate = $lastVirusTime | get-date -Uformat "%d %b %Y"
		$tblv = (New-TimeSpan $lastVirusTime $timenow).Days
		# If time between last virus and now is 1 or more it is already reported, so only when $tblv is 0 we need to take action
		if($tblv -eq 0){
			$priority = "high"
			$tblvservers = $tblvservers + "$computer; "
		}
	}else{
		# Reset $tblv
		$tblv = $null
	}
	$infoservers += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
	$infoservers += "<tr>"
	$infoservers += '<th style="width: 200px; text-align: left;">'
	$infoservers += "$computer"
	$infoservers += '</th>'
	$infoservers += '<td style="width: 100px; text-align: left;">'
	$infoservers += "$domain"
	$infoservers += '</td>'
	$infoservers += '<td style="width: 100px; text-align: left;">'
	$infoservers += "$lastUpdateDate"
	$infoservers += '</td>'
	$infoservers += '<td style="width: 100px; text-align: left;">'
	$infoservers += "$lastScanDate"
	$infoservers += '</td>'
	$infoservers += '<td style="width: 200px; text-align: left;">'
	if($tblv -eq $null){
		$infoservers += "Never had a virus"
	}else{
		$infoservers += "$lastVirusDate (is $tblv days ago)"
	}
	$infoservers += '</td>'
	$infoservers += '<td style="text-align: left;">'
	if($infected -eq 0){
		$infoservers += "&#10004;"
	}else{
		$infoservers += "Server is infected"
	}
	#$infoservers += "$infected"
	$infoservers += '</td>'
	$infoservers += "</tr>"
	$infoservers += "</table>"
}
 
# Add the high prio things, they should go on top 
# List servers that have missed their scans
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers which are scanned more than $misseddays days ago: "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$tblsservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
# List servers that have missed their updates
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers which are updated more than $misseddays days ago: "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$tbluservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
# List servers with a new virus detection
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers which encountered a virus in the last day: "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$tblvservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
# List offline servers
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers which are offline: "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$allofflineservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
# List infected servers
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers which are infected: "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$allinfectedservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
# List servers that are in shift Production AD and can be pinged but are not in the Symantec Clients List 
$infoprio += '<table style="width:100%; border: 1px solid #dddddd; text-align: left;">'
$infoprio += "<tr>"
$infoprio += '<th style="width: 400px; text-align: left;">'
$infoprio += "Servers that are online but missing in Symantec ($allmissingadserverscount): "
$infoprio += '</th>'
$infoprio += '<td style="text-align: left;">'
$infoprio += "$allmissingadservers"
$infoprio += '</td>'
$infoprio += "</tr>"
$infoprio += "</table>"
 
########################################## Start Fase 4 ###########################################
 
# Send report
if ($priority -eq "high" -and $monthday -eq $evidenceday){
	$subject = "HIGH PRIO: ICT Control Framework 12 for month: $monthdate"
	#$toemail = "employee1_shift.nl", "team1_shift.nl"
	#$ccmail = "sjoerd_shift.nl", "webmaster_shift.nl", "employee2_shift.nl"
	$body = $info + $infoevidence + $infoprio + $infoservers
}elseif($priority -ne "high" -and $monthday -eq $evidenceday){
	$subject = "ICT Control Framework 12 for month: $monthdate"
	#$toemail = "employee1_shift.nl"
	#$ccmail = "sjoerd_shift.nl", "webmaster_shift.nl", "employee2_shift.nl"
	$body = $info + $infoevidence + $infoprio + $infoservers
}elseif($priority -eq "high"){
	$subject = "HIGH Prio: BOD: Check Symantec - $readdate"
	#$toemail = "webmaster_shift.nl", "team1_shift.nl"
	#$ccmail = "sjoerd_shift.nl"
	$body = $info + $infoprio + $infoservers
}else{
	$subject = "BeginOfDay Check Symantec - $readdate"
	#$toemail = "webmaster_shift.nl"
	#$ccmail = "sjoerd_shift.nl"
	$body = $info + $infoprio + $infoservers
}
 
Send-Email $subject $body
 
# Stop transcript 
stop-transcript
 
########################################## Start Fase 5 ###########################################
 
# BELOW you can find the output as you would find in the raws JSON array from symantec. If you would ever want more information in the report you can use this information to define which object properties you need 
 
############################################ SERVER 1 #############################################
 
# virtualizationPlatform         Microsoft
# cidsEngineVersion              0.0.0.0
# computerName                   WIN-WSUS
# lastSiteName                   shift
# employeeStatus
# writeFiltersStatus
# diskDrive                      C:\
# computerUsn                    45371670
# idsChecksum
# department
# fullName
# groupUpdateProvider            False
# creationTime                   1496061997778
# agentTimeStamp                 1549967159878
# deploymentStatus               302456832
# osflavorNumber                 7
# employeeNumber
# worstInfectionIdx              9999
# licenseId
# deploymentRunningVersion       14.0.1904.0000
# atpDeviceId
# vsicStatus                     3
# profileChecksum
# agentId                        A5ED9D72AC19782F7D2DAE78BFE5E26D
# macAddresses                   {00-15-5D-BE-22-5A}
# osFunction                     Server
# licenseExpiry                  0
# tamperOnOff                    1
# licenseStatus                  -1
# agentType                      105
# osVersion
# memory                         4293935104
# osversion
# osElamStatus                   0
# osservicePack
# deploymentTargetVersion        14.0.1904.0000
# bwf                            2
# agentVersion                   14.0.1904.0000
# osmajor                        0
# gateways                       {110.10.10.1}
# ptpOnOff                       2
# serialNumber                   7855-7485-1374-7682-5142-1476-53
# group                          {fullPathName, domain, id, name}
# physicalCpus                   2
# svaId
# isNpvdiClient                  0
# dhcpServer                     0.0.0.0
# uwf                            2
# isGrace                        0
# osFlavorNumber                 7
# lastHeuristicThreatTime        0
# deploymentMessage
# currentClientId                3174495AAC19782F7D2DAE7821CFCF15
# profileSerialNo                8B45-01/31/2018 14:42:10 432
# lastServerName                 WIN-SEP-PRD
# rebootRequired                 0
# computerDescription
# cidsDefsetVersion              190211061
# atpServer
# profileVersion                 14.0.1904
# officePhone
# osbitness                      x64
# dnsServers                     {110.10.10.63, 110.10.10.163}
# freeDisk                       53142253568
# avEngineOnOff                  1
# deploymentPreVersion
# operatingSystem                Windows Server 2016 Standard Edition
# osName
# uniqueId                       49E7B55BAC19782F7D2DAE7852F0CAB6
# pepOnOff                       2
# hardwareKey                    7903D647A13DC398375D45EEAF84877A
# lastSiteId                     A9C577D8AC19782F019C892715A18D97
# cidsBrowserIeOnOff             2
# publicKey                      BgIAAACkAABSU0ExAAgAAAEAAQB1hS3Modrp90XLfHpX/HC+2PHQ90SDISnSRqPfBUsZY6g0mvGZ6k1zTDBuD...
# idsSerialNo
# jobTitle
# email
# daOnOff                        1
# osBitness                      x64
# osname
# securityVirtualAppliance
# osfunction                     Server
# tmpDevice
# mobilePhone
# processorType                  Intel64 Family 6 Model 79 Stepping 1
# lastDeploymentTime             1496062005000
# logonUserName                  sjoerd
# cidsDrvOnOff                   2
# cidsBrowserFfOnOff             2
# agentUsn                       45371670
# infected                       0
# encryptedDevicePassword
# quarantineDesc                 Host Integrity check is disabled.  Host Integrity policy has been disabled by the adm...
# idsVersion
# osMajor                        0
# loginDomain                    MANAGEMENT.shift.NL
# cidsDrvMulfCode                0
# ipAddresses                    {110.10.10.15}
# osLanguage                     en-US
# totalDiskSpace                 81351
# winServers                     {0.0.0.0, 0.0.0.0}
# lastScanTime                   1549954012000
# processorClock                 2597
# uuid                           25F5C190-0A88-4B0A-BF54-89FB58A644FD
# homePhone
# computerTimeStamp              1549967159881
# lastUpdateTime                 1549967159851
# attributeExtension
# lastDownloadTime               0
# osminor                        0
# timeZone                       -60
# majorVersion                   14
# lastServerId                   56A9C170AC19782F01DD325215D6C199
# hypervisorVendorId             2
# onlineStatus                   1
# biosVersion                    VRTUAL - 1 Hyper-V UEFI Release v1.0
# fbwf                           2
# domainOrWorkgroup              MANAGEMENT.shift.NL
# edrStatus                      0
# installType                    0
# rebootReason
# snacLicenseId
# subnetMasks                    {255.255.255.0}
# lastVirusTime                  0
# tpmDevice                      0
# firewallOnOff                  2
# osMinor                        0
# description
# logicalCpus                    0
# cidsSilentMode                 1
# kernel
# patternIdx                     9A169357F8D94F893DDB65BF7381FE2A
# elamOnOff                      1
# lastConnectedIpAddr            110.10.10.12
# oslanguage                     en-US
# freeMem                        1997651968
# deleted                        0
# osServicePack
# bashStatus                     2
# apOnOff                        1
# contentUpdate                  1
# minorVersion                   0
 
############################################ SERVER 2 #############################################
 
# virtualizationPlatform         Microsoft
# cidsEngineVersion              0.0.0.0
# computerName                   WIN-CITRIX
# lastSiteName                   shift
# employeeStatus                 
# writeFiltersStatus             
# diskDrive                      C:\
# computerUsn                    45370777
# idsChecksum                    
# department                     
# fullName                       
# groupUpdateProvider            False
# creationTime                   1549877110451
# agentTimeStamp                 1549967417857
# deploymentStatus               0
# osflavorNumber                 7
# employeeNumber                 
# worstInfectionIdx              9999
# licenseId                      
# deploymentRunningVersion       
# atpDeviceId                    
# vsicStatus                     3
# profileChecksum                
# agentId                        0D682199AC19782F000C6160BA35171C
# macAddresses                   {00-15-5D-00-10-54}
# osFunction                     Server
# licenseExpiry                  0
# tamperOnOff                    1
# licenseStatus                  -1
# agentType                      105
# osVersion                      6.1
# memory                         4294500352
# osversion                      6.1
# osElamStatus                   0
# osservicePack                  Service Pack 1
# deploymentTargetVersion        
# bwf                            2
# agentVersion                   12.1.6168.6000
# osmajor                        6
# gateways                       {110.10.10.1}
# ptpOnOff                       2
# serialNumber                   1175-9574-9812-7765-6561-0971-62
# group                          {fullPathName, domain, id, name}
# physicalCpus                   2
# svaId                          
# isNpvdiClient                  0
# dhcpServer                     0.0.0.0
# uwf                            2
# isGrace                        0
# osFlavorNumber                 7
# lastHeuristicThreatTime        0
# deploymentMessage              
# currentClientId                4D8498D9AC19782F26D547FD12873FF5
# profileSerialNo                8B45-01/31/2018 14:42:10 432
# lastServerName                 WIN-SEP-PRD
# rebootRequired                 0
# computerDescription            
# cidsDefsetVersion              190211061
# atpServer                      
# profileVersion                 14.0.1904
# officePhone                    
# osbitness                      x64
# dnsServers                     {110.10.10.63, 110.10.10/163}
# freeDisk                       22501261312
# avEngineOnOff                  1
# deploymentPreVersion           
# operatingSystem                Windows Server 2008 R2 Standard Edition
# osName                         Windows Server 2008 R2
# uniqueId                       04B65474AC19782F26D547FD25389A27
# pepOnOff                       2
# hardwareKey                    2D20F7DA0BAD529C7B07A055ECEC0B6D
# lastSiteId                     A9C577D8AC19782F019C892715A18D97
# cidsBrowserIeOnOff             2
# publicKey                                                                                                            ...
# idsSerialNo                    
# jobTitle                       
# email                          
# daOnOff                        1
# osBitness                      x64
# osname                         Windows Server 2008 R2
# securityVirtualAppliance       
# osfunction                     Server
# tmpDevice                      
# mobilePhone                    
# processorType                  Intel64 Family 6 Model 79 Stepping 1
# lastDeploymentTime             0
# logonUserName                  sjoerd
# cidsDrvOnOff                   2
# cidsBrowserFfOnOff             2
# agentUsn                       45371730
# infected                       0
# encryptedDevicePassword        
# quarantineDesc                 Host Integrity check is disabled.  Host Integrity policy has been disabled by the admi...
# idsVersion                     
# osMajor                        6
# loginDomain                    AD.shift.NL
# cidsDrvMulfCode                0
# ipAddresses                    {110.10.10.11}
# osLanguage                     en-US
# totalDiskSpace                 61337
# winServers                     {0.0.0.0, 0.0.0.0}
# lastScanTime                   1549951243000
# processorClock                 2597
# uuid                           590C7DE4-3401-4645-B530-C83E605BFC6E
# homePhone                      
# computerTimeStamp              1549963839747
# lastUpdateTime                 1549967417856
# attributeExtension             
# lastDownloadTime               0
# osminor                        1
# timeZone                       -60
# majorVersion                   12
# lastServerId                   56A9C170AC19782F01DD325215D6C199
# hypervisorVendorId             2
# onlineStatus                   1
# biosVersion                    VRTUAL - 4001628 Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz
# fbwf                           2
# domainOrWorkgroup              ad.shift.nl
# edrStatus                      0
# installType                    0
# rebootReason                   
# snacLicenseId                  
# subnetMasks                    {255.255.255.0}
# lastVirusTime                  0
# tpmDevice                      0
# firewallOnOff                  2
# osMinor                        1
# description                    
# logicalCpus                    0
# cidsSilentMode                 1
# kernel                         
# patternIdx                     9A169357F8D94F893DDB65BF7381FE2A
# elamOnOff                      2
# lastConnectedIpAddr            110.10.10.10
# oslanguage                     en-US
# freeMem                        2442936320
# deleted                        0
# osServicePack                  Service Pack 1
# bashStatus                     2
# apOnOff                        1
# contentUpdate                  1
# minorVersion                   1

Resources

You could leave a comment if you were logged in.
symanteccontrols.txt · Last modified: 2021/09/24 00:25 (external edit)