search cancel

How to verify an Endpoint Protection client's last heartbeat time via the registry

book

Article ID: 151609

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How can one determine the last time a Symantec Endpoint Protection (SEP) client checked into the manager in the client's registry?
 

Cause

Typically this information can be found by viewing the Client tab through SEPM and viewing the properties for a client, or by viewing the data in the columns, or by running a report. However, in some circumstances, the manager is not always available to everyone and you need to gather this information from the client's registry.

Resolution

The last heartbeat time is found in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HeartbeatComplete

※For 64-bit systems running a version after Symantec Endpoint Protection 12.1 RU5,

navigate to:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HeartbeatComplete

For versions 14.2 and newer heartbeat time can be found at: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\CommunicationStatus 1587417432;10.xxx.xxx.xxx;443;1587417432;10.xxx.xxx.xxx;443;0;0;

The hex value is in epoch time (# of seconds since Jan. 1 1970).

Note: The value in the registry key is stored in hexadecimal format. If you use an epoch converter that requires a decimal value, use the Windows calculator in Scientific mode to convert the hex value to decimal format, and then the decimal result for the epoch time conversion.



References
More information on epoch time can be found at the following website:

http://www.epochconverter.com/