This is a product information page, containing details of the information that BMC Atrium Discovery gathers about a product and how it is obtained.
- Product Name: Endpoint Protection
- Publisher: Symantec
- Release: TKU 2010-May-1
Product Description
Symantec Endpoint Protection Client (formerly Symantec AntiVirus) detects and removes viruses and spyware, prevents virus-infected emails from spreading and performs a full system deep scan to remove existing viruses, spyware and other threats. It also includes email and instant message scanning that detects, removes or blocks infected attachments.
Known Versions
- 5
- 7
- 8.0
- 8.0.1
- 8.1
- 8.1.1
- 8.5
- 8.6
- 9.0
- 9.0.1
- 9.0.2
- 9.0.3
- 9.0.5
- 10.0
- 10.1
- 10.1.5
- 10.2
- 11.0
Software Pattern Summary
| Product Component | OS Type | Versioning | Pattern Depth |
|---|---|---|---|
| Symantec Endpoint Protection Client | Windows | WMI Query, Registry, Package | Grouped |
Platforms Supported by the Pattern
The pattern definition identifies instances of Symantec Endpoint Protection Client (formerly Symantec Antivirus) running on Microsoft Windows.
Identification
Software Instance Triggers
| Trigger Node | Attribute | Condition | Argument |
|---|---|---|---|
| DiscoveredProcess | cmd | matches | regex'(?i)\brtvscan\.exe$' |
Simple Identification Mappings
The following components/processes are identified using a combination of pattern definitions and simple identity mappings; the simple identity mappings also cover other known processes that are considered less important for application modelling.
| Name | Command |
|---|---|
| Symantec Endpoint Protection Client | regex'(?i)\bRtvscan\.exe$' |
| Symantec Endpoint Protection Client process | regex'(?i)\bSymCorpUI\.exe$' |
| Symantec Antivirus Definition Watch | regex'(?i)\bdefwatch\.exe$' |
| Symantec Antivirus vpc32 | regex'(?i)\bsymantec antivirus\\vpc32\.exe$' |
| Norton Security Process | regex'(?i)\bccSvcHst\.exe$' |
Versioning
Version information for the product is currently collected using one of three possible methods. All these methods are tried in an order of precedence based on likely success and/or depth of the version information that can be gathered.
WMI Query Versioning
The CIM_DataFile class in the root\CIMV2 namespace on the Windows platform stores information about the files present on the host. The version of the Symantec Endpoint Protection Client executable can be obtained by running the following WMI query, supplying the command line of the 'Rtvscan.exe' binary:
- SELECT Version FROM CIM_DataFile where Name='<process_cmd>'
Note that:
- This command will not work unless the trigger process has a fully qualified path.
- All backslashes must be escaped (e.g. the path must be given as c:\\Program Files, not c:\Program Files).
Registry Versioning
If WMI query versioning fails, the pattern attempts to get versioning information from the following Windows registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion
Package Versioning
Versioning is obtained by reading package information on Windows. The package name that is searched for commences with one of the following:
- Symantec Endpoint Protection
- Symantec AntiVirus
Versioning is achieved to either x.x.x or x.x.x.x depth using this approach.
Application Model Produced by Software Pattern
Software Pattern Model
One pattern has been created with the Symantec Endpoint Protection Client (rtvscan.exe) process as its trigger process as this is the process which runs all the time when Symantec Endpoint Protection Client (or Symantec Antivirus) is installed.
SI Type
The type of the created Software Instance is set to "Symantec AntiVirus" by default, but will be changed to "Symantec Endpoint Protection Client" if the "Symantec Endpoint Protection" package is found on the host or the version encountered is 11 or greater.
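To make the identification, versioning and SI type rules described above concrete, here is an added Python example; it is not part of the ADDM pattern or any BMC code. It simulates the three versioning methods in the page's order of precedence (WMI query, then registry, then package) over constructed host data, enforces the fully-qualified-path check and backslash escaping that the WMI note calls out, and then applies the SI type rule (default "Symantec AntiVirus", changed when the Symantec Endpoint Protection package is present or the major version is 11 or greater). The `Host` class, the function names and every host value are assumptions; no real WMI or registry calls are made.

```python
import re
from dataclasses import dataclass, field

# Trigger condition from the pattern: a process whose command line ends in rtvscan.exe.
TRIGGER_RE = re.compile(r'(?i)\brtvscan\.exe$')
# Registry value and package-name prefixes the pattern consults, as listed on the page.
REGISTRY_VALUE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion"
PACKAGE_PREFIXES = ("Symantec Endpoint Protection", "Symantec AntiVirus")

@dataclass
class Host:
    """Constructed stand-in for the data discovery has already pulled from one Windows host."""
    processes: list                                  # command lines of running processes
    wmi_files: dict = field(default_factory=dict)    # CIM_DataFile Name -> Version
    registry: dict = field(default_factory=dict)     # registry value path -> data
    packages: dict = field(default_factory=dict)     # installed package name -> version

def find_trigger(host):
    """First command line satisfying the trigger condition, or None."""
    return next((cmd for cmd in host.processes if TRIGGER_RE.search(cmd)), None)

def build_wmi_query(process_cmd):
    """CIM_DataFile query for a fully qualified path, with backslashes escaped as WQL
    requires; None when the path is not fully qualified, since the query cannot succeed then."""
    if not re.match(r'^[A-Za-z]:\\', process_cmd):
        return None
    escaped = process_cmd.replace('\\', '\\\\')
    return f"SELECT Version FROM CIM_DataFile where Name='{escaped}'"

def wmi_version(host, process_cmd):
    """Simulated WMI query: match the path against the constructed CIM_DataFile table
    (case-insensitively, as Windows paths are) and return its Version."""
    if build_wmi_query(process_cmd) is None:
        return None
    for name, version in host.wmi_files.items():
        if name.lower() == process_cmd.lower():
            return version
    return None

def registry_version(host):
    return host.registry.get(REGISTRY_VALUE)

def package_version(host):
    for name, version in host.packages.items():
        if name.startswith(PACKAGE_PREFIXES):
            return version
    return None

def determine_version(host, process_cmd):
    """Try the three methods in the page's order of precedence; return (method, version)."""
    attempts = (("WMI Query", lambda: wmi_version(host, process_cmd)),
                ("Registry", lambda: registry_version(host)),
                ("Package", lambda: package_version(host)))
    for method, getter in attempts:
        version = getter()
        if version:
            return method, version
    return None, None

def major_version(version):
    """Leading numeric component of a dotted version string, or 0 if unparseable."""
    try:
        return int(version.split('.')[0])
    except (AttributeError, ValueError):
        return 0

def si_type(host, version):
    """Default type is Symantec AntiVirus; changed when the SEP package is present or version >= 11."""
    sep_package = any(n.startswith("Symantec Endpoint Protection") for n in host.packages)
    if sep_package or major_version(version) >= 11:
        return "Symantec Endpoint Protection Client"
    return "Symantec AntiVirus"

def model_host(host):
    """Software Instance attributes for a host, or None when the trigger process is absent."""
    cmd = find_trigger(host)
    if cmd is None:
        return None
    method, version = determine_version(host, cmd)
    return {"trigger": cmd, "versioning": method, "version": version,
            "type": si_type(host, version)}

# Constructed hosts exercising each versioning method and the SI type rule.
SEP_PATH = r"C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe"
HOST_WMI = Host(processes=[r"C:\Windows\explorer.exe", SEP_PATH],
                wmi_files={SEP_PATH: "11.0.780.1109"})
HOST_REGISTRY = Host(processes=[r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"],
                     registry={REGISTRY_VALUE: "11.0.1000.1375"})
HOST_PACKAGE = Host(processes=["rtvscan.exe"],  # not fully qualified, so WMI is skipped
                    packages={"Symantec AntiVirus": "9.0.5.1100"})
HOST_NO_TRIGGER = Host(processes=[r"C:\Windows\notepad.exe"])

if __name__ == "__main__":
    for label, host in (("wmi", HOST_WMI), ("registry", HOST_REGISTRY),
                        ("package", HOST_PACKAGE), ("none", HOST_NO_TRIGGER)):
        print(label, model_host(host))
```

Running the script prints one model per constructed host. The package-only host shows why a bare `rtvscan.exe` command line falls through to the least precise method: without a fully qualified path the WMI query is never attempted, which is the practical consequence of the note in the Versioning section.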
SI Depth
The pattern that has been written for Symantec Endpoint Protection Client (or Symantec Antivirus) is a grouped Software Instance whose key is based on product version.
Relationship Creation
The following processes, if found running on the host, are associated to the created Software Instance:
- SymCorpUI.exe
- ccApp.exe
- ccSvcHst.exe
Differences to 6.x approach
There is no simple identifier for the Symantec / Norton Antivirus Common Client App (ccapp.exe) process.
Subject Matter Expertise
Testing
The simple identifiers and pattern definition were tested to ensure identification and product versioning were achieved using a local installation of Symantec AntiVirus Corporate Edition versions 8 and 9 installed on Windows XP Professional and Windows 2003 hosts, and a local installation of Symantec Endpoint Protection Client version 11. In addition to local installations, Foundation record data from Windows 2003 hosts was also used for testing.
Information Sources
Open Issues
Created by: Rebecca 13:07, 30 October 2007 (GMT)
Reviewed by: Luke 16:43, 29 November 2007 (GMT)
Updated by: Rebecca 10:50, 17 May 2010 (GMT)
Reviewed by: Chris 11:27, 17 May 2010 (GMT)
