Endpoint Protection

  • 1.  Users have a requirement to see when the last full scan was run

    Posted Aug 07, 2020 01:40 PM
    Hi team,
    We have a new requirement where certain users have to be able to see when the last full scan was run.
    At this time we do have a password when opening the SEP client.

    Questions as follows:
    • Can we have separate passwords and policies based on the user who opens the SEP client?
    • Can SEPM be set to send out to the individual user who was last logged in a scan report when the last full scan is run?

    Regards

    ------------------------------
    S.R
    ------------------------------


  • 2.  RE: Users have a requirement to see when the last full scan was run

    Posted Aug 10, 2020 04:28 AM
    Edited by Torb Aug 11, 2020 03:24 AM
    The users can also see if a scheduled scan has started/stopped in the Windows Event Viewer. Asking the few users that need it to look into eventvwr might be less hassle.




  • 3.  RE: Users have a requirement to see when the last full scan was run

    Posted Aug 11, 2020 01:58 PM
    Since the scan logs are local on the users' computers, a quick PowerShell script will parse out the relevant information for the user to see the local scan information. Note, this requires at least PowerShell 5, and I have a hard-coded path to a specific version of SEP which you will need to edit.

    Function Convert-FromHexDate ($HexDate)
    {
        <#
        .SYNOPSIS
        Converts Hex Date (in Epoch time) in SEP Log to a human readable date.
        .DESCRIPTION
        Reads six hex octets: years since 1970, zero-based month, day, hour, minute, second.
        #>
        $Year = [int]("0x" + $HexDate.Substring(0,2)) + 1970
        $Month = [int]("0x" + $HexDate.Substring(2,2)) + 1
        $Day = [int]("0x" + $HexDate.Substring(4,2))
        $Hour = [int]("0x" + $HexDate.Substring(6,2))
        $Minute = [int]("0x" + $HexDate.Substring(8,2))
        $Second = [int]("0x" + $HexDate.Substring(10,2))
        # -Millisecond 0 stops Get-Date from filling milliseconds in from the current clock
        return Get-Date -Year $Year -Month $Month -Day $Day -Hour $Hour -Minute $Minute -Second $Second -Millisecond 0
    }

    # Hard-coded to one SEP version; edit the version folder to match the installed client
    $pathToLogs = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5569.2100.105\Data\Logs\AV\*.Log'
    # Only the named columns are used; the numbered ones are placeholders for unused fields
    $headerForCsv = "Time", "Event", "3", "4", "Computer", "User", "7", "8", "9", "10", "11", "12", "13", "Description"

    # Keep only log lines that mention "Scan" and split them into the columns above
    $lines = (Select-String -Path $pathToLogs -Pattern "Scan").Line | ConvertFrom-Csv -Header $headerForCsv

    $lines = $lines | Select-Object Time, Event, Computer, User, Description
    $output = [System.Collections.ArrayList]::new()

    foreach ($line in $lines)
    {
        # Replace the hex timestamp and the numeric event code with readable values
        $line.Time = Convert-FromHexDate $line.Time
        if ($line.Event -eq "2") { $line.Event = "GL_EVENT_SCAN_STOP" }
        elseif ($line.Event -eq "3") { $line.Event = "GL_EVENT_SCAN_START" }
        $output.Add($line) | Out-Null
    }
    $output
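
Added example, not part of the original post or of any Symantec tooling: a variant that answers the original question directly by returning only the most recent scan-stop event and skipping lines whose timestamp is malformed. The function names and the sample log lines are constructed for illustration; the column layout and the event codes (2 = stop, 3 = start) are the ones used in the script above.

```powershell
# Hypothetical helper: decode a SEP AV-log hex timestamp, returning $null on bad input.
function ConvertFrom-SepHexTime {
    param([string]$HexDate)
    # Expect exactly six hex octets: year-1970, zero-based month, day, hour, minute, second.
    if ($HexDate -notmatch '^[0-9A-Fa-f]{12}$') { return $null }
    $p = for ($i = 0; $i -lt 12; $i += 2) { [Convert]::ToInt32($HexDate.Substring($i, 2), 16) }
    try {
        # The DateTime constructor throws on impossible values (month 13, day 0, hour 25).
        return [datetime]::new($p[0] + 1970, $p[1] + 1, $p[2], $p[3], $p[4], $p[5])
    }
    catch { return $null }
}

# Hypothetical helper: newest scan-stop event among the supplied log lines.
function Get-LastSepScanStop {
    param([string[]]$LogLine)
    $header = 'Time','Event','3','4','Computer','User','7','8','9','10','11','12','13','Description'
    $LogLine | ConvertFrom-Csv -Header $header |
        Where-Object { $_.Event -eq '2' } |          # 2 = GL_EVENT_SCAN_STOP
        ForEach-Object {
            $when = ConvertFrom-SepHexTime $_.Time
            if ($null -ne $when) {                   # drop lines with an undecodable time
                [pscustomobject]@{
                    Time        = $when
                    Computer    = $_.Computer
                    User        = $_.User
                    Description = $_.Description
                }
            }
        } |
        Sort-Object Time | Select-Object -Last 1
}

# Constructed sample lines (not real log data): two stop events, one start event,
# one line with a non-hex timestamp and one with an out-of-range month.
$sample = @(
    '320703031000,2,2,9,PC01,alice,,,0,0,0,0,0,Scan Complete (constructed sample 1)'
    '32070A020000,3,2,9,PC01,alice,,,0,0,0,0,0,Scan started (constructed sample 2)'
    '32070A030F1E,2,2,9,PC01,alice,,,0,0,0,0,0,Scan Complete (constructed sample 3)'
    'ZZ070A030F1E,2,2,9,PC01,alice,,,0,0,0,0,0,Scan Complete (bad timestamp)'
    '320C0A030F1E,2,2,9,PC01,alice,,,0,0,0,0,0,Scan Complete (month out of range)'
)

Get-LastSepScanStop -LogLine $sample | Format-List
```

To run it against a real client, pass `(Select-String -Path $pathToLogs -Pattern "Scan").Line` as `-LogLine`, with `$pathToLogs` set as in the script above. The Description column is what tells the user which scan the stop event belongs to.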