Endpoint Protection

  • 1.  Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 01, 2012 06:21 PM

    I help support a monitoring product which runs in a Microsoft Windows environment that needs to report the name of any 3rd party firewall product that is installed, the version number, and the current status of the firewall (enabled or disabled).

    In a Windows XP environment, we solved this by writing a VBScript that queries the Windows Management Instrumentation (WMI) ROOT\SecurityCenter namespace. The FirewallProduct class in this namespace has properties named "displayName", "enabled", and "versionNumber" that return the information we need. Our VBScript works successfully with Symantec Endpoint Protection (11.0.4202.75) installed on the system. We can retrieve the desired information.

    Now, we want to do the same thing in a Windows 7 SP1 (32-bit) environment but are not getting the same results. I learned that Win7 "ActionCenter" uses WMI namespace ROOT\SecurityCenter2 instead of ROOT\SecurityCenter. FirewallProduct class in SecurityCenter2 seems to have different properties. Using "WMI Object Browser" from Microsoft WMI Administrative Tools, I determined that FirewallProduct in SecurityCenter2 has a "displayName" property but not an "enabled" or "versionNumber" property.

    We have Symantec Endpoint Protection (11.0.6300.803) installed in the Win7 SP1 environment. From what I've read on some Symantec sites, it sounds like we should be using 11.0 Release Update 7 (RU7) or later for Win7 SP1.  

    Are the missing FirewallProduct properties caused by Symantec? (ie, Do we need to upgrade to a newer SEP version?)

    Or, does Microsoft Win7 / WMI SecurityCenter2 simply not support those properties anymore?

    Any thoughts or comments would be greatly appreciated. Maybe someone could suggest a totally different approach that does not use WMI.

     

    btw...this is my first time posting here so I might not have this tagged properly. If not, please offer suggestions.

     

     



  • 2.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 01, 2012 09:33 PM

    Windows 7 SP1 is not compatible with SEP 11.0.4. 

    Upgrade to SEP 11.0.7 which is the latest.

    About Endpoint Protection support for Windows 7 and Windows Server 2008 R2

    http://www.symantec.com/docs/TECH94910

    Teefer2: this key was created by a previous install of an older SEP version, while SEP 11.0.7 will use Enhanced Teefer3 as the firewall driver, which supports all versions of Windows OS.

    The firewall driver for SEP has been upgraded in SEP 11.0.7 and above.

    So obviously your firewall-related issue will be solved after the upgrade.

     

    https://www-secure.symantec.com/connect/forums/network-issues-sep-1106200

     

     

     



  • 3.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 22, 2012 03:44 PM

    Upgraded to SEP11 RU7 MP2 (11.0.7200.1147) in my Win7 SP1 (x86)  system but still cannot get any info about SEP firewall from WMI in Win7.

    Please see attached files:

    WinXP_1.jpg - (WinXP, SEP 11.0.4202.75) -  I used WMI Object Browser (from Microsoft WMI Administration Tools) to display WMI namespace=root\SecurityCenter, class=FirewallProduct. This shows WMI properties (eg, displayName, enabled, versionNumber, etc.) with values about the SEP firewall.

    Win7_1.jpg - (Win7, SEP 11.0.7200.1147) - I tried same thing on Win7 except I specified WMI namespace=root\SecurityCenter2. This time, WMI Object Browser complained that "the selected classes do not have instances" when I tried to select the FirewallProduct class. 

    Win7_2.jpg - (Win7, SEP 11.0.7200.1157) - So, I tried using WMI CIM Studio (from Microsoft WMI Administration Tools) to access namespace=root\SecurityCenter2, class=FirewallProduct. This tool showed a few properties for the class, but they were empty (no values).

     

    So my questions are:

    Does Win7 not support the same WMI firewall properties as in Win XP?

    Does SEP 11 not register the same information into WMI in Win7 as it does for Win XP?

     

     

     



  • 4.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 24, 2012 03:15 PM


  • 5.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 24, 2012 04:19 PM

    Thanks for the link. Nice to see people actually read these posts and try to help!

    Other associates have suggested checking the windows registry or looking at different WMI properties (as suggested in the link) to determine if a Symantec firewall product is installed.

    These are good suggestions but those solutions are very specific to Symantec products. I would prefer to glean the firewall information from WMI SecurityCenter (on WinXP) or SecurityCenter2 (on Win7), if possible, because this would be vendor-agnostic. That way, it would not matter which 3rd party firewall was installed - Symantec or another vendor.

    FYI...I'm pursuing this with Microsoft. It will be interesting to see what they say about this.

     

     



  • 6.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 24, 2012 04:30 PM

    Hi.

    I think this is a SEP issue and not related to Windows 7.

    I had a look at the root\SecurityCenter class on my WinXP machine running SEP 11 RU6 MP3 and those fields are blank as well. & I have the same blank results with SEP 11 RU7 on Win7 x86.

    AFAIK, the info you are looking for is stored in the SEPM database either under SEM_AGENT or SEM_COMPUTER tables.

    Your other option is to query the Registry (not ideal in my opinion, but hey, what can you do). See the Registry Tweak thread. Especially point #8 in the initial post by Vikram.



  • 7.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 25, 2012 04:56 PM

    According to the Release notes for SEP 12 RU1 MP1 (article #187656), Fix ID 2687476/2711787 is supposed to register SEP correctly with the Security Center. Currently I only have v12 RU1 available and that behaves the same. Sorry.

     

    This thread also has a good explanation on how things changed from Security Centre in WinXP to Action Centre in Win7



  • 8.  RE: Determine firewall from WMI SecurityCenter/SecurityCenter2 FirewallProduct properties?

    Posted Oct 26, 2012 09:07 AM

    Excellent! I'll try to get a copy of SEP 12 RU1 MP1.

    More info...

    For WMI in WinXP, "enabled" property (boolean true/false) in root\SecurityCenter FirewallProduct class indicates current status of installed 3rd party firewall. For Win7, looks like new property "productState" (type CIM_UINT32) in root\SecurityCenter2 FirewallProduct can indicate firewall status, if populated properly by the firewall product.

    Microsoft referred me to these links: 

    - WMI schema information for root\SecurityCenter2 namespace:  http://support.microsoft.com/kb/980867

    - MSDN blog post that describes ProductState property: http://social.msdn.microsoft.com/Forums/en-US/vblanguage/thread/6501b87e-dda4-4838-93c3-244daa355d7c
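
The vendor-agnostic query discussed in this thread, as an added example that is not part of any post: it reads FirewallProduct from root\SecurityCenter2 (Win7) and falls back to root\SecurityCenter (WinXP), and it warns when no product has registered, which is the case reported above. The function names are hypothetical. Two assumptions: the "enabled" bit (0x1000) follows the commonly cited, undocumented reading of productState, and the version is taken from the file version of pathToSignedProductExe because SecurityCenter2 has no versionNumber property.

```powershell
# Added example. Written for Windows PowerShell 2.0-5.1 (Get-WmiObject).
# ASSUMPTION: productState is read as 0xPPSSUU (provider, state, signature
# bytes); this layout is undocumented, so treat Enabled as a hint only.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory=$true)][uint32]$ProductState)
    New-Object PSObject -Property @{
        Raw     = ('0x{0:X6}' -f $ProductState)
        Enabled = (($ProductState -band 0x1000) -ne 0)  # "on" bit of state byte
    }
}

function Get-RegisteredFirewall {
    $results = @()
    # Windows 7: displayName and productState; no enabled/versionNumber.
    $v2 = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class FirewallProduct `
                        -ErrorAction SilentlyContinue
    foreach ($fw in $v2) {
        if ($null -eq $fw) { continue }   # PS 2.0 iterates once over $null
        $version = $null
        # Heuristic (assumption): use the registered executable's file version.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$fw.pathToSignedProductExe)
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }
        $state = ConvertFrom-ProductState -ProductState $fw.productState
        $results += New-Object PSObject -Property @{
            Name = $fw.displayName; Version = $version
            Enabled = $state.Enabled; RawState = $state.Raw
            Source = 'root\SecurityCenter2'
        }
    }
    if ($results.Count -eq 0) {
        # Windows XP: the properties the original VBScript relied on.
        $v1 = Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct `
                            -ErrorAction SilentlyContinue
        foreach ($fw in $v1) {
            if ($null -eq $fw) { continue }
            $results += New-Object PSObject -Property @{
                Name = $fw.displayName; Version = $fw.versionNumber
                Enabled = [bool]$fw.enabled; RawState = $null
                Source = 'root\SecurityCenter'
            }
        }
    }
    if ($results.Count -eq 0) {
        Write-Warning 'No FirewallProduct instances: no third-party firewall has registered with Security Center.'
    }
    $results
}
```

An empty result means only that nothing registered with Security Center; it does not show that no firewall is installed, so a monitoring product should report that state separately from "disabled".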