Retrieving Symantec Antivirus Scanning Details from Client PCs
As with most Windows applications, Symantec Antivirus uses the Windows Registry to store its product and other volatile information. One nice thing about Symantec Antivirus is that it writes date and time values (for example, the date and time when it ran the last full scan) in the Hexadecimal format on the client computers.
While the purpose behind storing values in Hexadecimal format isn't completely clear, what is apparent is that it becomes difficult when there is no tool or scripting way available to decode these values.
I have seen a lot of Antivirus admins looking for a way to fetch "TimeOfLastScan", "TimeOfLastVirus" and "PatternFileUpdate" values from multiple computers and decode them.
Today we're going to show you how you can use the script available with this article to collect this information and then decode these values. By decoding these values you can know:
- The last time a full antivirus scan was performed on a client computer.
- The last time a virus was found on a particular computer.
- The last time a pattern file update occurred on a particular computer.
The Symantec Antivirus client writes the last time it ran a full scan, the last time it found a virus and the last time a computer received the antivirus definition file at the below registry location on the client computers:
For the 32-bit version of Symantec Antivirus client:
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV
For the 64-bit Symantec Antivirus client:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV
In the above registry location, there are three registry entries as listed below:
- TimeOfLastScan: Stores the last date and time a full scan was completed.
- TimeOfLastVirus: Stores the last date and time a virus was found on a computer.
- PatternFileDate: Stores the information about the last date and time the pattern file was updated.
If you look at the values of these registry entries, you see they appear in a format that can't be easily read. For example, if you look at the "TimeOfLastScan" registry entry value, you see something like this:
It is in Hexadecimal format. This is also shown in the below registry screenshot taken from a Symantec Antivirus Client:
Using the script available with this article, you can collect the above information in a CSV format for all or just selected computers. The script not only collects the information, it also generates a log file to help you investigate any failures that occur with any of the computers while the script runs.
Requirements for the script
Before you can successfully collect the required information from the computers mentioned in the computers.txt file, please make sure the following statements are true for destination computers:
- The Symantec client is installed
- Remote Registry is enabled
- The computer is reachable, of course!
Read more on "Data Center Management Spotlight" »