Endpoint compliance and Symantec Endpoint Protection for Macintosh

Article ID: 177712

Products

Endpoint Protection

Issue/Introduction

Your customer has questions about endpoint compliance policies: specifically, why the SEP installation is not detected when competitor installations are.

Symptoms
For example, using Check Point's Connectra web-based SSL VPN or Juniper VPN, Macintosh clients that have SEP for Macintosh installed are not seen by the compliance policy as having antivirus installed.

Cause

Under investigation.
- Is the compliance policy one that must be manually created, or is there a default, built-in policy provided by the software manufacturer?
- Has the customer contacted support for the product in question? They will of course know more about the technical aspects of their own program.

Resolution

If the vendor does not support Symantec products but it is possible to create your own compliance rules, you could check that the AutoProtect process (/Library/StartupItems/SymAutoProtect) is running as root. See also How to determine if SEP for Macintosh is installed and running.
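
One way to express the process check above as a custom compliance rule, shown as an added example and not a Symantec-supplied script: it classifies `ps -axo user=,command=` output and passes only when the AutoProtect executable is owned by root. It assumes the executable's path begins with /Library/StartupItems/SymAutoProtect; the function names and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compliance verdict for the AutoProtect process.
# The path comes from the article; matching on a path prefix is an assumption.
AP_PATH="/Library/StartupItems/SymAutoProtect"

# Reads "USER COMMAND..." lines (as printed by: ps -axo user=,command=) on stdin.
# Prints exactly one verdict: compliant | wrong-owner | not-running
classify_autoprotect() {
    awk -v path="$AP_PATH" '
        {
            owner = $1
            exe   = $2    # first word of the command line, i.e. the executable
            # Match the executable itself, never an argument that merely
            # mentions the path (for example a grep for it).
            if (exe == path || index(exe, path "/") == 1) {
                if (owner == "root") root_seen = 1
                else                 other_seen = 1
            }
        }
        END {
            if (root_seen)       print "compliant"
            else if (other_seen) print "wrong-owner"   # right name, not root
            else                 print "not-running"
        }'
}

# Live check for use in a compliance rule: exit status 0 only when compliant.
check_autoprotect_live() {
    verdict=$(ps -axo user=,command= | classify_autoprotect)
    echo "AutoProtect: $verdict"
    [ "$verdict" = "compliant" ]
}

# Constructed sample of ps output (not captured from a real machine).
sample_ps_output() {
    cat <<'EOF'
root /sbin/launchd
root /Library/StartupItems/SymAutoProtect/SymAutoProtect
qa grep /Library/StartupItems/SymAutoProtect
qa /Applications/Safari.app/Contents/MacOS/Safari
EOF
}
```

Call check_autoprotect_live from the rule and use its exit status; the wrong-owner verdict separates a process that only carries the name from one that is actually running as root.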

In addition, if definition compliance needs to be established, the GetDefsDate and GetIPSsignatureDate Terminal scripts could be used. See Technical Information for details.

Technical Information

The most recent version of the GetDefsDate and GetIPSsignatureDate commands can be found in the SupportFiles folder of the unzipped GatherSymantecInfo tool: GatherSymantecInfo.zip

GetDefsDate:

Usage: GetDefsDate.command [-c] [-i] [files] [folders]

Summary: Shows virus defs dates of Engine, Hub, and NewEngine folders in the AntiVirus support folder if no files or folders are passed, otherwise shows virus defs dates of all files or folders passed. GetDefsDate.command will report the first date it finds in a given folder unless the -i option is passed. If -c is passed, then the screen is not cleared. This option is useful when you wish to pipe the output into a file. If -i is passed, then dates of all individual files at the root level of a given folder are shown.

Examples:

GetDefsDate.command
Shows the date of the first virus defs file it finds in the currently installed Engine and Hub folders.

GetDefsDate.command -i
Shows the date of every virus defs file in the currently installed Engine and Hub folders. This provides a way to see if all the files that have a date stamp in those folders are getting updated.

GetDefsDate.command /Users/qa/Desktop/microdefs\ folder
Shows the date of the first virus defs file it finds in '/Users/qa/Desktop/microdefs folder' folder.

GetDefsDate.command /VIRSCAN1.DAT
Shows the date of virus defs file VIRSCAN1.DAT, located at the root of the boot volume.

The AntiVirus/engine.mfst file also contains a list of current and backup definition dates, which can be listed with the "strings" command-line tool. The first entry listed will be the current definitions, and subsequent entries are backups.

GetIPSsignatureDate:

Usage: GetIPSsignatureDate.command [-c] [-i] [files] [folders]

Summary: Shows IPS signature dates of CurrentSignatures and SavedSignatures folders in the IntrusionPrevention support folder if no files or folders are passed, otherwise shows virus defs dates of all files or folders passed. GetIPSsignatureDate.command will report the first date it finds in a given folder unless the -i option is passed. If -c is passed, then the screen is not cleared. This option is useful when you wish to pipe the output into a file. If -i is passed, then dates of all individual files at the root level of a given folder are shown.

Examples:

GetIPSsignatureDate.command
Shows IPS signature dates of CurrentSignatures and SavedSignatures folders.

GetIPSsignatureDate.command -i
Shows the date of every IPS signature file in the currently installed CurrentSignatures and SavedSignatures folders. This provides a way to see if all the files that have a date stamp in those folders are getting updated.

GetDefsDate.command /Library/Application\ Support/Symantec/IntrusionPreventions/CurrentSignatures/
Shows the date of the first virus defs file it finds in 'CurrentSignatures' folder.

The CurrentSignatures/virscan1.dat and SavedSignature/virscan1.dat are also plain text files that can be examined directly to see the date/time/version stamp for signatures in those directories.

Check Point Connectra: "Unified Secure Remote Access Gateway". "Connectra can be deployed as a turnkey appliance, software on an open server, or as a virtual appliance." At this time (26 June 09), Connectra / Checkpoint does not support Symantec products. http://www.checkpoint.com/products/connectra/index.html