I was asked by my current employer to set up a series of pre-audit checks (SAS70). Here are my experiences and scripts for anyone to dismantle, laugh at or otherwise have fun with; any improvements are more than welcome.
First I checked whether SEP is installed; the code is based largely on Microsoft's Configuration Packs.
Name: Symantec Endpoint Protection - Client installed
Validation:
- Data type: String
- Validation: Equals SEP Client is installed
Report non-compliance even when it fails: checked
Instance count operator: Equals
Values: 1
Severity: Warning
Then I moved on to check the SEP components, making sure the SEP features and services are running and not disabled.
Name: Symantec Endpoint Protection - Components Status
Settings1: Registry
Name: SMC Engine
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
Value Name: smc_engine_status
Validation:
- Type: String
- Validation: Equals 1
Report non-compliance: checked
Instance count operator: Equals
Values: 1
Severity: Warning
Settings2: WqlQuery
Name: Symantec AntiVirus
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="Symantec AntiVirus"
Settings3: WqlQuery
Name: Symantec Event Manager
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="ccEvtMgr"
Settings4: WqlQuery
Name: Symantec Management Client
Namespace: root\cimv2
Class: win32_service
Property: State
WQL Query WHERE Clause: Name="SmcService"
Validation for Settings 2-4: Type: String, Validation: Equals Running
These cover the actual functionality of SEP; if all of these components are fine, then I'm sure my clients are in good shape.
The last SEP check I created was for the definitions: basically, any computer with virus definitions older than 3 days is non-compliant (I can't remember where I got most of the code from; if you recognize your work, please let me know).
Name: Symantec Endpoint Protection - Virus Definitions
Validation:
- Data type: String
- Validation: Equals Compliant
... This can be the basis for creating a collection and advertising a script, or the SEP package directly, to reinstall auto-magically. I'm toying with the idea right now; once I implement it I will share the results.
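As an added illustration (not the script from this post), here is one way to roll the three checks above into a single DCM-style script whose only output is "Compliant" or "Non-Compliant". The registry value and service names come from the CIs above; the virus definitions folder path and the YYYYMMDD.NNN folder naming are assumptions and will need adjusting for your SEP version.

```powershell
# Added example: consolidated SEP pre-audit check (registry flag, services, definition age).
# Emits a single line so a DCM script setting can validate with "Equals Compliant".
param(
    [int]$MaxDefinitionAgeDays = 3,
    # ASSUMPTION: location of the VirusDefs subfolders named YYYYMMDD.NNN; adjust per SEP version.
    [string]$DefsRoot = 'C:\ProgramData\Symantec\Definitions\VirusDefs'
)

$results = @{}

# Check 1: SMC engine status flag, as in the "Components Status" CI (value must be 1).
$smcKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$smc = Get-ItemProperty -Path $smcKey -Name smc_engine_status -ErrorAction SilentlyContinue
$results['SMC Engine'] = if ($smc -and "$($smc.smc_engine_status)" -eq '1') { 'Compliant' } else { 'Non-Compliant' }

# Check 2: the three SEP services queried by the WQL settings must report State = Running.
foreach ($svc in 'Symantec AntiVirus', 'ccEvtMgr', 'SmcService') {
    $wmi = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_Service -Filter "Name='$svc'"
    $results[$svc] = if ($wmi -and $wmi.State -eq 'Running') { 'Compliant' } else { 'Non-Compliant' }
}

# Check 3: newest definition set must be no older than $MaxDefinitionAgeDays (3 by default).
$newest = Get-ChildItem -Path $DefsRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{8}\.\d{3}$' } |
    Sort-Object Name -Descending | Select-Object -First 1
if ($newest) {
    # The first eight characters of the folder name carry the definition date (assumed format).
    $defDate = [datetime]::ParseExact($newest.Name.Substring(0, 8), 'yyyyMMdd', $null)
    $ageDays = ((Get-Date) - $defDate).TotalDays
    $results['Virus Definitions'] = if ($ageDays -le $MaxDefinitionAgeDays) { 'Compliant' } else { 'Non-Compliant' }
} else {
    $results['Virus Definitions'] = 'Non-Compliant'
}

# Per-check detail goes to the verbose stream so it does not pollute the DCM comparison.
foreach ($entry in $results.GetEnumerator()) { Write-Verbose "$($entry.Key): $($entry.Value)" }

# Single output line for the DCM validation rule.
if ($results.Values -contains 'Non-Compliant') { 'Non-Compliant' } else { 'Compliant' }
```

Run it with -Verbose to see which individual check failed; a machine that only has stale definitions still reports Non-Compliant overall, which matches the 3-day rule above.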