Inventory Solution Symantec Endpoint Protection Integration  

Apr 10, 2018 01:27 PM

Introduction

Starting in Inventory Solution 8.1 RU6, features to monitor the health of Symantec Endpoint Protection (SEP) and to start the SEP Agent service via a task are available. These features help ensure that your endpoints managed by ITMS are properly protected: you gather inventory data, run reports or view dashboards, and take corrective action as needed. This release provides the foundation for later functionality that will integrate delivery of the SEP agent to managed computers.

 

SEP Agent Health

This functionality is available starting in version 8.1 RU6 of Inventory Solution. Subsequent releases, such as 8.1 RU7 and 8.5 will also contain this functionality. At this time the supported platforms are those supported by ITMS for Windows and Mac computers.

 

Data Collection

  • Inventory Plug-in is required
  • Inventory Solution licenses should be available for targeted systems

 

The ‘SEP Agent’ checkbox should be selected in the Advanced Options of the Inventory policy or task.

 

The following data is collected by Inventory Solution for Symantec Endpoint Protection. These 3 data classes provide information that is useful in checking the health and status of your SEP installs.

  • SEP Agent – Inv_SEP_Agent – This data existed in previous versions but has been extended.
  • Installed SEP Agent Details – Inv_Installed_SEP_Agent_Details – This is a new data class.
  • SEP Agent Service Details – Inv_SEP_Agent_Service_Details – This is a new data class.

 

What new information is collected from target systems

  • Current and Preferred SEPM groups
  • Device infected or not (not collected on Mac)
  • SEP Antivirus protection disabled or enabled (not collected on Mac)
  • SEP Firewall protection disabled or enabled (not collected on Mac)
  • Date and time of last Antivirus Scan (not collected on Mac)
  • Date of Virus definitions that are used by client
  • Revision number of Virus definitions that are used by client
  • SEP service name
  • SEP service status
  • SEP startup type (not collected on Mac)
  • SEP service last exit code (not collected on Mac)

 

Computer Details Flipbook

In ITMS, within the Symantec Management Console, when viewing a computer you can use the flipbook dashboard to view the health of the SEP agent.

 

 

RED – Overall SEP Agent Health is calculated based on statuses of all metrics. Possible values are Healthy, Needs attention, and Untracked.

GREEN – Health status of these metrics is evaluated based on rules.

BLUE – Health status of these metrics is not evaluated, only displayed.

 

 

If no Inventory data is gathered, ‘No data available’ is displayed. This happens, for example, on a Mac computer, where inventory collection for SEP is limited.

 

How overall SEP health status is calculated:

All other statuses | At least one status is Healthy | At least one status is Untracked (No Data available) | At least one status is Needs attention
Healthy | Healthy | Healthy | Needs Attention
Needs Attention | Needs Attention | Needs Attention | Needs Attention
Untracked (No Data available) | Healthy | Untracked | Needs Attention

 

Health Evaluation Settings

This page, found in the Symantec Management Console under Settings > All Settings > Integrations > Symantec Endpoint Protection > Settings > SEP Agent Health Evaluation Settings, allows you to set how the health is calculated for SEP running in your environment.

NOTES:

  • Infected Status is healthy, if SEP client is not infected
  • SEP Agent Service state is healthy, if it is running

 

NOTE:

  • The Applies To section for targets is available when a new custom settings rule is created, but not for the Default Settings. This allows you to have different settings depending on which systems are targeted. For example, Macs may require different settings and would have a different set of rules.

 

  • Custom evaluation settings may be created and targeted to computer groups
    • Prevent targeting same computer to different evaluation settings
  • Default settings do not have a target and apply to all computers that are not targeted to any of the custom settings
  • If settings rule is enabled, SEP status is evaluated (Healthy or Needs attention) on targeted computers according to defined settings
  • If settings rule is disabled, SEP status is not evaluated and targeted computers are shown as Untracked
  • The Settings page is also accessible from the Computer Details and Computer Summary ‘SEP Agent Health’ flipbooks
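
The roll-up table above and the two health rules listed under NOTES, worked through as an added Python example (not Symantec's code and not part of the original article). It generalizes the pairwise table to any number of metrics by taking the highest-precedence status; the record field names and the "Running"/"Stopped" values are assumptions made for the illustration.

```python
from collections import Counter
from enum import IntEnum

class Health(IntEnum):
    # Ordered by precedence in the page's roll-up table.
    UNTRACKED = 0
    HEALTHY = 1
    NEEDS_ATTENTION = 2

U, H, N = Health.UNTRACKED, Health.HEALTHY, Health.NEEDS_ATTENTION
# The page's table, keyed (all other statuses, at least one status is ...).
PAGE_TABLE = {(H, H): H, (H, U): H, (H, N): N,
              (N, H): N, (N, U): N, (N, N): N,
              (U, H): H, (U, U): U, (U, N): N}

def evaluate_metrics(record):
    """Apply the two rules the page states; a missing value is Untracked."""
    def rule(value, healthy_value):
        if value is None:  # not collected, e.g. infected status on a Mac
            return U
        return H if value == healthy_value else N
    return [rule(record.get("infected"), False),
            rule(record.get("service_state"), "Running")]

def overall_health(statuses, rule_enabled=True):
    """Roll per-metric statuses up into one overall status."""
    if not rule_enabled:  # disabled settings rule: shown as Untracked
        return U
    return max(statuses, default=U)

def summarize(records, rule_enabled=True):
    """Count computers per overall status, as a summary view would."""
    return Counter(overall_health(evaluate_metrics(r), rule_enabled).name
                   for r in records)

# Constructed sample inventory rows; field names and values are hypothetical.
SAMPLE = [
    {"name": "win-01", "infected": False, "service_state": "Running"},
    {"name": "win-02", "infected": False, "service_state": "Stopped"},
    {"name": "mac-01", "infected": None, "service_state": "Running"},
    {"name": "win-03"},  # no inventory data gathered
]

if __name__ == "__main__":
    # The highest-precedence fold agrees with every cell of the page's table.
    assert all(max(a, b) == out for (a, b), out in PAGE_TABLE.items())
    for row in SAMPLE:
        print(row["name"], overall_health(evaluate_metrics(row)).name)
    print(dict(summarize(SAMPLE)))
```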

 

Computer Summary flipbook

This page shows a summary of all computers in the ITMS system relating to SEP health statuses. This is useful for an overall picture of the health of the environment.

 

Start SEP Agent service task

Under Jobs and Tasks in the Symantec Management Console a new category named SEP Management is available. This provides a task that can start the SEP Agent service on targeted computers.

NOTE: For 8.1 RU6, the only option is to START the SEP service. Other functionality for the task is forthcoming in subsequent versions. Like any task, a target can be applied to the task. Note that this is a client-side task so it requires the Symantec Management Agent to be installed.

 

A convenience feature is available that allows you to start the service simply by pushing a start button. This is available from both the SEP Agent Health Computer Summary and Computer Details flipbooks. The Start button only appears on the Computer status if the service is not running, and it will only appear on the Summary if one or more computers have a service not running.

COMPUTER:

SUMMARY:

 

Good things to know

  • If the inventory agent is installed on the client computer where the ‘Control SEP Service State’ task runs, SEP-related information is collected and reported to NS after the task starts the SEP service.
  • On Windows clients, if the SEP service is disabled for some reason, we do not start it and the ‘Control SEP Service State’ task fails with return code 4.
  • If the task is targeted to a computer where the SEP service is running, it does nothing.

 

Conclusion

These are the first steps in providing greater functionality in ITMS (Endpoint Management) for managing the SEP installs in the environment. In an increasingly dangerous cyber environment, it is vital to ensure the health of the security software used to keep endpoints safe. Future functionality is currently planned to include Software Management capabilities (that is, automated features; SEP can currently be deployed via Software Management, but only manually), service stops and restarts, and possibly additional details captured via inventory as the need arises.
