Monitoring the status of SEP Cloud devices with Remote Monitoring and Management Software


Article ID: 172377


Updated On:


Endpoint Protection Cloud


You want to be able to monitor the status of Symantec Endpoint Protection Cloud (SEP Cloud) on Windows devices with Remote Monitoring and Management (RMM) Software.

This document provides generic recommendations on aspects of the agent to monitor on Windows workstation and server devices to verify its current status. Please refer to the documentation provided by your RMM vendor for specific details on how to configure monitoring for these in your specific solution. Note that it may not be possible to monitor all of these depending on your RMM solution.


Important: Agent Folder Locations

On Windows devices, the location of executables and data on the file system is variable, and will be updated when Symantec releases agent upgrades. To verify the current directories related to the agent on a specific device, information is provided within the Windows registry.

This document makes reference the to the following locations:


The INSTALLDIR directory is referred to in the following registry location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}

By default, this will point to C:\Program Files\Symantec Endpoint Protection Cloud\Engine\<Product Version> (Example: C:\Program Files\Symantec Endpoint Protection Cloud\Engine\


The DATADIR directory is referred to in the following registry location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\PathExpansionMap
  • Value (DWORD): DATADIR

By default, this will point to C:\Program Files\Symantec Endpoint Protection Cloud\NortonData\<Product Version> (Example: C:\Program Files\Symantec Endpoint Protection Cloud\NortonData\

Monitoring the Symantec Endpoint Protection Cloud service

The following service will be present and start automatically on Windows devices running SEP Cloud. When possible, this is the recommended way to verify that SEP Cloud is running on a system, rather than monitoring for the presence of running processes.

  • Service Name: SCS
  • Display Name: Symantec Endpoint Protection Cloud

Monitoring the client version

The client version can be checked in the Windows registry under the following location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}

Monitoring for running processes

At least one instance of the following process will be running on a device running SEP Cloud. This can be used if your RMM solution does not allow for the monitoring of running Windows processes.

  • Executable: SCS.exe
  • Full Path: INSTALLDIR\SCS.exe

Monitoring for updated AntiVirus Definitions

Information on current AntiVirus definitions can be found within the following file:

  • File: definfo.dat
  • Full Path: DATADIR\Definitions\SDSDefs\definfo.dat

This is a text file in the following format:


An example of this file is as follows:


Providing the ability to update the Client

Some RMM solutions have the ability to invoke a command to update AntiVirus agents. For SEP Cloud, updates can be invoked by running  uistub.exe with the /lu argument.

  • Executable: uistub.exe
  • Full Path: INSTALLDIR\uistub.exe
  • Argument: /lu

For example, from the Windows command prompt this could be invoked as follows (given agent version

"C:\Program Files\Symantec Endpoint Protection Cloud\Engine\\uistub.exe" /lu

Settings for ConnectWise Automate

This section is for customers and partners who utilize ConnectWise Automate as their RMM solution.

ConnectWise Integration Package For Partners

For partners who manage SEP Cloud customers through the Partner Management Console (PMC), a ConnectWise Integration Package is available. On the Home Page of the PMC, under Quick Tasks, there is a link to download the ConnectWise Integration Package. This package contains a ReadMe PDF with instructions on how to utilize this package. Please refer to that PDF for details on how to use the integration package.

Manual Settings for Customers

For customers who do not have access to the PMC, or those who wish to manually configure monitoring in ConnectWise, the following settings are recommended for ConnectWise Automate in order to monitor the status of SEP Cloud agents.

  • Program Location: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:INSTALLDIR-%}\SCS.exe
  • Definition Location: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\PathExpansionMap:DATADIR-%}\Definitions\SDSDefs\definfo.dat
  • Update Command: "{%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:INSTALLDIR-%}\uistub.exe" /lu
  • Version Check: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:PRODUCTVERSION-%}
  • AP Process: scs*
  • Date Mask: (.*)
  • OS type: All OS's
  • Version Mask: (.*)