DCM: SEP 11 Configuration Items


I was requested by my current employer to set up a series of pre-audit checks (SAS70). Here are my experiences and scripts for anyone to dismantle, laugh at or otherwise have fun with; any improvements are more than welcome.

First I checked if SEP is installed; the code is based largely on Microsoft's Configuration Packs.

Name: Symantec Endpoint Protection - Client installed
Settings: Script (code)
Validation:
- Data type: String
- Validation: Equals SEP Client is installed

Report non-compliance even when it fails: checked
Instance count operator: Equals
Values: 1
Severity: Warning


Then I moved on to check SEP components, making sure SEP features and services are running and not disabled

Name: Symantec Endpoint Protection - Components Status
Settings1: Registry
Name: SMC Engine
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
Value Name: smc_engine_status
Validation:
- Type: String
- Validation: Equals 1

Report non-compliance: checked
Instance count operator: Equals
Values: 1
Severity: Warning

Settings2: WqlQuery
Name: Symantec AntiVirus
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="Symantec AntiVirus"

Settings3: WqlQuery
Name: Symantec Event Manager
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="ccEvtMgr"

Settings4: WqlQuery
Name: Symantec Management Client
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="SmcService"

Validation for Settings 2-4: Type: String, Validation: Equals Running

These covered the actual functionality of SEP; if all of these components are fine then I'm sure my clients are in good shape.
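To see on a client what the two CIs above (the installed check and the component-status check) would evaluate, here is an added PowerShell example; it is not the script code from the original post. It uses only the registry key, value name and service names listed above, and each function returns a string that mirrors the validation value of the corresponding CI, so the result reads like the DCM outcome. The candidate installed-check logic (SMC key present plus SmcService existing) is my assumption of what "installed" means, not the Configuration Pack's code.

```powershell
# Added example (not from the original post): evaluate the SEP 11 installed
# and component-status checks locally. Objects are built with New-Object so
# the script also runs on PowerShell 2.0-era clients.

$SmcKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'

# Display name (as in the CI) -> Win32_Service Name used in the WHERE clause
$Services = @{
    'Symantec AntiVirus'         = 'Symantec AntiVirus'
    'Symantec Event Manager'     = 'ccEvtMgr'
    'Symantec Management Client' = 'SmcService'
}

function Test-SepInstalled {
    # ASSUMPTION: "installed" = SMC registry key present and SmcService registered.
    $keyPresent = Test-Path -Path $SmcKey
    $svc = Get-Service -Name 'SmcService' -ErrorAction SilentlyContinue
    if ($keyPresent -and $svc) { 'SEP Client is installed' } else { 'SEP Client is not installed' }
}

function Get-SepComponentStatus {
    $results = @()

    # Settings1 (Registry): smc_engine_status must equal "1".
    $engine = (Get-ItemProperty -Path $SmcKey -Name 'smc_engine_status' `
               -ErrorAction SilentlyContinue).smc_engine_status
    $results += New-Object PSObject -Property @{
        Check     = 'SMC Engine'
        Expected  = '1'
        Actual    = "$engine"
        Compliant = ("$engine" -eq '1')
    }

    # Settings2-4 (WqlQuery): State of each service must equal "Running".
    # Win32_Service in root\cimv2 is queried directly so the value matches
    # what the DCM WQL setting reads.
    foreach ($display in $Services.Keys) {
        $svc = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_Service `
               -Filter "Name='$($Services[$display])'"
        $state = if ($svc) { $svc.State } else { 'Not found' }
        $results += New-Object PSObject -Property @{
            Check     = $display
            Expected  = 'Running'
            Actual    = $state
            Compliant = ($state -eq 'Running')
        }
    }
    $results
}

Test-SepInstalled
Get-SepComponentStatus | Format-Table Check, Expected, Actual, Compliant -AutoSize
```

Run it in an elevated PowerShell session on a client; a row with Compliant = False (or an Actual of "Not found") is exactly the condition the CI would report as non-compliant, which makes it a quick way to sanity-check the CI before deploying the baseline.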

The last SEP check I created was for the definitions: basically, any computer with virus definitions older than 3 days is non-compliant. (I can't remember where I got most of the code from; if you recognize your work, please let me know.)

Name: Symantec Endpoint Protection - Virus Definitions
Settings: Script (code)
Validation:
- Data type: String
- Validation: Equals Compliant

... This can be the base for creating a collection and advertising a script, or the SEP package directly, to reinstall auto-magically. I'm toying with the idea right now; once I implement it I will share the results.

I'll try to post additional CIs as my skills improve and as I feel they add value.