Endpoint Encryption


Indicators on the client that SEE is functioning correctly

  • 1.  Indicators on the client that SEE is functioning correctly

    Posted Sep 09, 2013 11:50 AM

    Hello all,

    I've received a requirement to verify that SEE is functioning on clients and to report this back using SCCM.  This means that I need to determine the presence and function of SEE on end clients based either on:

    • Registry keys on the end computer
    • Registry values corresponding to functioning clients on the SEE Server (does this exist?)
    • Files stored on an endpoint that would indicate a functioning install of SEE
    • Disk formatting or other indicators that would verify SEE
    • WMI values on end clients

    Are there any values I could find related to these that would indicate a healthy and functioning instance of SEE on laptops?  We're talking about 6,000 machines, and are trying to integrate this data into SCCM reporting, not the reports you get from the Symantec server.

    Thanks guys



  • 2.  RE: Indicators on the client that SEE is functioning correctly

    Posted Sep 09, 2013 01:59 PM

    Hi Stephen,

    I'm doing the SAME. EXACT. THING.

    Do we work for the same company? :-)

    I'm writing a healthcheck script that will validate executables, services, processes and registry settings.  It will fix registry settings to our defaults (in the event of a bad install).  Also, it will create a new WMI class to store the encryption status so we can write it to SCCM 2012.

    Monitored Executable: C:\PROGRAM FILES\SYMANTEC\SYMANTEC ENDPOINT ENCRYPTION CLIENTS\EACOMMUNICATORSRV.EXE

    Monitored Service: EAFRCLIMANAGER

    Monitored Processes: EACOMMUNICATORSRV.EXE, EAFRCLIMANAGER.EXE, EAFRCLISTART.EXE

    Registry settings are a little tricky as you will need to take ownership AND grant read permissions on the following (make sure you restore to original after querying):

    HKLM\Software\Encryption Anywhere\Framework
    HKLM\Software\Encryption Anywhere\Framework\Client Database
    HKLM\Software\Encryption Anywhere\Hard Disk
    HKLM\Software\Encryption Anywhere\Hard Disk\Client Database
    HKLM\Software\Encryption Anywhere\Hard Disk\EAFS
    HKLM\Software\Encryption Anywhere\Hard Disk\EAFS\Disk0

    Once permissions are set, I retrieve the following values:

    KEY: HKLM\Software\Encryption Anywhere\Framework
    VALUE: ProductVersion
    VALUE: ProductBuild

    KEY: HKLM\Software\Encryption Anywhere\Framework\Client Database
    VALUE: ServerLocation - this is the URL to the web service that handles requests to the SEE db (format is http://SERVER:PORT/GECommunicationWS.asmx)
    VALUE: ServerName -- this is the Server Name in FQDN format

    KEY: HKLM\Software\Encryption Anywhere\Hard Disk\EAFS\Disk0
    VALUE: StatusEncrypted -- comma-delimited list of drives that are encrypted
    VALUE: StatusDecrypted -- comma-delimited list of drives that are decrypted
    VALUE: StatusEncryptionInProgress -- comma-delimited list of drives that are encrypting
    VALUE: StatusDecryptionInProgress -- comma-delimited list of drives that are decrypting

    KEY: HKLM\Software\Encryption Anywhere\Hard Disk\Client Database
    VALUE: LastContactTimestamp  -- last check-in in hex format of # of days/hours/mins since 01/01/1970 (e.g., 0x522DD226 is 9/9/13 1:49PM EST)
    VALUE: NoContactDaysMax -- we have ours set to lockout the machine if no contact after 45 days
    VALUE: NoContactLockoutWarningDays -- and we start warning users 15 days before the lockout expiration

    Would love to hear other suggestions from anyone else!  I want to make my health-check tool as comprehensive as possible.

    Good luck to you,

    Roland Thomas
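A health check along the lines Roland describes, as an added PowerShell example (not his script and not Symantec's code). It assumes read access to the keys has already been arranged, that Get-Process sees the listed processes by image name without .EXE, and that LastContactTimestamp is a Unix epoch second count (the post's 0x522DD226 decodes that way to 2013-09-09 13:50:30 UTC, which matches the posting time).

```powershell
# Hypothetical SEE client health check (not the poster's script). Assumes the
# process already has read access to the keys below; the post notes that
# ownership/read permissions may first have to be granted and then restored.
$Base = 'HKLM:\SOFTWARE\Encryption Anywhere'

function ConvertFrom-SeeTimestamp {
    # LastContactTimestamp is assumed to be Unix epoch seconds stored as a
    # DWORD (or as a "0x..." string). Returns a UTC [datetime], or $null if unset.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [string]) { $secs = [Convert]::ToInt64(($Value -replace '^0x'), 16) }
    else { $secs = [int64]$Value -band 0xFFFFFFFF }   # a DWORD reads back as Int32; treat as unsigned
    return [DateTimeOffset]::FromUnixTimeSeconds($secs).UtcDateTime
}

function Get-SeeHealth {
    $fw   = Get-ItemProperty "$Base\Framework" -ErrorAction SilentlyContinue
    $disk = Get-ItemProperty "$Base\Hard Disk\EAFS\Disk0" -ErrorAction SilentlyContinue
    $db   = Get-ItemProperty "$Base\Hard Disk\Client Database" -ErrorAction SilentlyContinue
    $svc  = Get-Service -Name EAFRCLIMANAGER -ErrorAction SilentlyContinue
    # Get-Process takes the image name without the .EXE suffix
    $procs   = @('EACommunicatorSrv', 'EAFRCliManager', 'EAFRCliStart')
    $missing = @($procs | Where-Object { -not (Get-Process -Name $_ -ErrorAction SilentlyContinue) })
    $last    = ConvertFrom-SeeTimestamp $db.LastContactTimestamp
    $maxDays = [int]$db.NoContactDaysMax     # 0 if unset, so the contact check fails closed
    $daysSince = if ($last) { ((Get-Date).ToUniversalTime() - $last).TotalDays } else { $null }
    # Status* values are comma-delimited drive lists; drop empty entries
    $encrypted  = @($disk.StatusEncrypted -split ',' | Where-Object { $_ })
    $inProgress = @($disk.StatusEncryptionInProgress -split ',' | Where-Object { $_ })
    # Healthy = service up, all processes present, at least one drive fully encrypted,
    # nothing still converting, and a check-in inside the NoContactDaysMax window.
    $healthy = ($svc -and $svc.Status -eq 'Running' -and $missing.Count -eq 0 -and
                $encrypted.Count -gt 0 -and $inProgress.Count -eq 0 -and
                $null -ne $daysSince -and $daysSince -lt $maxDays)
    [pscustomobject]@{
        ProductVersion   = $fw.ProductVersion
        ServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')
        ProcessesMissing = $missing
        EncryptedDrives  = $encrypted
        EncryptingDrives = $inProgress
        LastContactUtc   = $last
        DaysSinceContact = $daysSince
        Healthy          = [bool]$healthy
    }
}

Get-SeeHealth | Format-List
```

The returned object is what you would write into a custom WMI class for SCCM hardware inventory, as the post describes; a machine whose DaysSinceContact is approaching NoContactDaysMax is the one to chase before the lockout fires.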