Monitoring the status of SEP Cloud devices with Remote Monitoring and Management Software


Article ID: 172377


Products

Endpoint Protection Cloud

Issue/Introduction

You want to be able to monitor the status of Symantec Endpoint Protection Cloud (SEP Cloud) on Windows devices with Remote Monitoring and Management (RMM) Software.

This document provides generic recommendations on aspects of the agent to monitor on Windows workstation and server devices to verify its current status. Please refer to the documentation provided by your RMM vendor for specific details on how to configure monitoring for these in your specific solution. Note that it may not be possible to monitor all of these depending on your RMM solution.

Resolution

Important: Agent Folder Locations

On Windows devices, the location of executables and data on the file system is variable, and will be updated when Symantec releases agent upgrades. To verify the current directories related to the agent on a specific device, information is provided within the Windows registry.

This document makes reference to the following locations:

INSTALLDIR

The INSTALLDIR directory is referred to in the following registry location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}
  • Value (DWORD): INSTALLDIR

By default, this will point to C:\Program Files\Symantec Endpoint Protection Cloud\Engine\<Product Version> (Example: C:\Program Files\Symantec Endpoint Protection Cloud\Engine\22.15.0.88).

DATADIR

The DATADIR directory is referred to in the following registry location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\PathExpansionMap
  • Value (DWORD): DATADIR

By default, this will point to C:\Program Files\Symantec Endpoint Protection Cloud\NortonData\<Product Version> (Example: C:\Program Files\Symantec Endpoint Protection Cloud\NortonData\22.15.0.88).

Monitoring the Symantec Endpoint Protection Cloud service

The following service will be present and start automatically on Windows devices running SEP Cloud. When possible, this is the recommended way to verify that SEP Cloud is running on a system, rather than monitoring for the presence of running processes.

  • Service Name: SCS
  • Display Name: Symantec Endpoint Protection Cloud

Monitoring the client version

The client version can be checked in the Windows registry under the following location:

  • Key: HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}
  • Value (DWORD): PRODUCTVERSION

Monitoring for running processes

At least one instance of the following process will be running on a device running SEP Cloud. This can be used if your RMM solution does not allow for the monitoring of Windows services.

  • Executable: SCS.exe
  • Full Path: INSTALLDIR\SCS.exe

Monitoring for updated AntiVirus Definitions

Information on current AntiVirus definitions can be found within the following file:

  • File: definfo.dat
  • Full Path: DATADIR\Definitions\SDSDefs\definfo.dat

This is a text file in the following format:

[DefDates]
CurDefs=YYYYMMDD.Rev

An example of this file is as follows:

[DefDates]
CurDefs=20180829.001
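
The checks described above (service, process, version, definition date) can be combined in a single script monitor. The following PowerShell is an added example, not Symantec or RMM-vendor code; the function name, its output fields, the 7-day staleness threshold and the exit-code convention are assumptions to adapt to your RMM solution.

```powershell
# Added example for an RMM script monitor; not Symantec or RMM-vendor code.
# Get-SepCloudStatus, its output fields and -MaxDefAgeDays are hypothetical.
function Get-SepCloudStatus {
    param([int]$MaxDefAgeDays = 7)   # assumed staleness threshold

    $base = 'HKLM:\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}'
    $s = [ordered]@{ ServiceRunning = $false; ProcessRunning = $false; Version = $null
                     CurDefs = $null; DefAgeDays = $null; Healthy = $false }

    # Preferred check: the SCS service exists and is running.
    $svc = Get-Service -Name 'SCS' -ErrorAction SilentlyContinue
    $s.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Fallback check: at least one SCS.exe process.
    $s.ProcessRunning = [bool](Get-Process -Name 'SCS' -ErrorAction SilentlyContinue)

    # Resolve version and data directory from the registry on every run,
    # because the versioned paths change with each agent upgrade.
    $root = Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue
    $map  = Get-ItemProperty -LiteralPath "$base\Common Client\PathExpansionMap" -ErrorAction SilentlyContinue
    if ($root) { $s.Version = $root.PRODUCTVERSION }

    # Parse "CurDefs=YYYYMMDD.Rev" and turn the date part into an age in days.
    if ($map -and $map.DATADIR) {
        $file = Join-Path $map.DATADIR 'Definitions\SDSDefs\definfo.dat'
        $hit = $null
        if (Test-Path -LiteralPath $file) {
            $hit = Select-String -LiteralPath $file -Pattern '^\s*CurDefs=((\d{8})\.\d+)' |
                   Select-Object -First 1
        }
        $date = [datetime]::MinValue
        if ($hit -and [datetime]::TryParseExact($hit.Matches[0].Groups[2].Value, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$date)) {
            $s.CurDefs    = $hit.Matches[0].Groups[1].Value
            $s.DefAgeDays = [int](((Get-Date).Date - $date).TotalDays)
        }
    }

    # Missing or unparseable definition data counts as unhealthy, not as "fresh".
    $s.Healthy = $s.ServiceRunning -and ($null -ne $s.DefAgeDays) -and ($s.DefAgeDays -le $MaxDefAgeDays)
    [pscustomobject]$s
}

$status = Get-SepCloudStatus
$status | Format-List
if (-not $status.Healthy) { exit 1 }   # assumed convention: non-zero exit raises an RMM alert
```

A stopped service, a missing registry key and a missing or malformed definfo.dat all report Healthy = False, so an agent that has been removed or disabled produces an alert rather than no data.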

Providing the ability to update the Client

Some RMM solutions have the ability to invoke a command to update AntiVirus agents. For SEP Cloud, updates can be invoked by running uistub.exe with the /lu argument.

  • Executable: uistub.exe
  • Full Path: INSTALLDIR\uistub.exe
  • Argument: /lu

For example, from the Windows command prompt this could be invoked as follows (given agent version 22.15.0.88):

"C:\Program Files\Symantec Endpoint Protection Cloud\Engine\22.15.0.88\uistub.exe" /lu

Settings for ConnectWise Automate

This section is for customers and partners who utilize ConnectWise Automate as their RMM solution.

ConnectWise Integration Package For Partners

For partners who manage SEP Cloud customers through the Partner Management Console (PMC), a ConnectWise Integration Package is available. On the Home Page of the PMC, under Quick Tasks, there is a link to download the ConnectWise Integration Package. This package contains a ReadMe PDF with instructions on how to utilize this package. Please refer to that PDF for details on how to use the integration package.

Manual Settings for Customers

For customers who do not have access to the PMC, or those who wish to manually configure monitoring in ConnectWise, the following settings are recommended for ConnectWise Automate in order to monitor the status of SEP Cloud agents.

  • Program Location: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:INSTALLDIR-%}\SCS.exe
  • Definition Location: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\PathExpansionMap:DATADIR-%}\Definitions\SDSDefs\definfo.dat
  • Update Command: "{%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:INSTALLDIR-%}\uistub.exe" /lu
  • Version Check: {%-HKLM\SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}:PRODUCTVERSION-%}
  • AP Process: scs*
  • Date Mask: (.*)
  • OS type: All OS's
  • Version Mask: (.*)