Endpoint Protection


SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

  • 1.  SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 03, 2009 07:03 PM

    Hi all,

    With SNAC Enforcers (LAN and Gateway) we can do a lot of very nice things, for example we can check that there is a firewall or antivirus on a client...
    for other vendors it depends, but when we check that there is a SEP/SNAC client... we can also check and start FW and AV... using the command line

    so the question is...
    how to start AV or FW (Network Threat Protection) on a SEP/SNAC client from the command line (CLI)?

    of course "smc -start" doesn't solve the problem, I need to start FW or AV, not the SEP engine itself.
    so does anybody know how to do it?

    Kind regards and thanks for help
    Dawid Fusek
    IT Security Consultant
    COMP SA

     


  • 2.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 03, 2009 10:14 PM
    SMC -stop and -start should do the trick to stop and start the complete SEP package.

    AFAIK, if you want to disable individual components, you can use the settings of each component.
    If you stop the Symantec Endpoint Protection service, then AV will be stopped,

    because all the components are interlinked with the SMC process.

  • 3.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 04, 2009 03:42 AM
    Yep, it's part of a workaround, but for a while we disable all security features on the client, which is not a very secure solution for me.
    But it is a workaround; if you know any command line to start some feature only (like AV or FW), give me the info,

    thanks
    Dave 


  • 4.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 04, 2009 03:52 AM

    Are you looking for such a document?

    This document will give you some MSI command line options which help you install SEP with certain features.

    MSI command line reference for Symantec Endpoint Protection 11.0

     


  • 5.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 04, 2009 09:50 AM
    It's a nice document, AravindKM, but it does not refer to my question/problem,

    I need to check that SEP with SNAC firewall and antivirus is running and, if not, start it separately or both (for example to start only AV if it is not running or to start only FW if it is not running).

    This doc is rather useful for deploying or modifying SEP/SNAC installations; it's useful, but I need something to enable (start) the SEP firewall or antivirus, probably from the command line (maybe there is another way to do it?)

    reg
    Dave


  • 6.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 05, 2009 06:08 AM

    For disabling NTP from SEPM console

    1. In the console, click Clients, and then under View Clients, select the group that includes computers for which you want to enable/disable NTP.
    2. In the right pane, select the Clients tab.
    3. Do one of the following actions:
       - In the left pane, under View Clients, right-click the group for which you want to enable Auto-Protect.
       - In the right pane, on the Clients tab, select the computers and users for which you want to enable Auto-Protect, and then right-click the selection.
    4. Click one of the following commands:
       - Run Command on Group > Enable Network threat protection
       - Run Command on Clients > Enable Network threat protection

    Same way you can disable it also.

    More information regarding command line options you can find in Appendix A of the admin guide.


  • 7.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 06, 2009 03:24 AM
    I hope this is what you are expecting; you can use the following in the cmd prompt.
    I hope you have not enabled the password requirement to do the same.

    I think by stopping SMC alone, AV will still function. (You can test by using EICAR.)
    SMC -STOP

    If you want to stop AV alone, then use
    net stop "symantec Antivirus"


  • 8.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 07, 2009 12:33 PM
    So AravindKM, I need a solution using command line commands, not commands via the SEPM Console :)

    Acertian, which version of SEP did you test? In MR5 and probably MR4 there is no Symantec AntiVirus service (there is a service Symantec Endpoint Protection)... and there is no single dedicated service for Network Threat Protection (I don't know of such a one),
    so we have a situation where we just can't start a service for FW (NTProt) and AV (if the service called Symantec Endpoint Protection is started) AV can be disabled (theoretically, in fact I never tested whether it is truly disabled :P)

    List of services in SEP Agent MR5 (5003):
    1. Symantec Endpoint Protection (formerly Symantec AntiVirus)
    2. Symantec Event Manager (formerly ccEvtMgr)
    3. Symantec Management Client (formerly SmcService)
    4. Symantec Network Access Control (formerly SNAC)
    5. Symantec Settings Manager (formerly ccSetMgr)

    My question was...
    how to start the AV engine or FW (NTProt) engine in SEP separately from command line commands, so how to convert to commands actions like these:
    1. on the SEP Agent GUI you click on Antivirus Protection Options and choose Enable Antivirus and Antispyware Protection
    2. on the SEP Agent GUI you click on Network Threat Protection Options and choose Enable Network Threat Protection

    Slowly I'm coming to believe that there is no such command that can be sent via CLI...

    regards
    Dave


  • 9.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 09, 2009 12:08 AM
    For your Firewall and AV (file system Auto-Protect) just create a script to change these reg values.

    In the registry, check the value at HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status. If it's 0 (zero) NTP is disabled, if it's 1 (one) NTP is enabled.

    File System Auto-Protect

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

    OnOff: 1 means enabled, 0 means disabled



  • 10.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 09, 2009 02:58 AM

    I tested this in MR4.
    In that case try using Net Stop "Symantec Endpoint Protection" to stop AV alone and check the same. I'm not sure though; I'll try to upgrade and check.
     



  • 11.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 09, 2009 10:49 AM
    Net Stop "Symantec Antivirus" will stop the SEP service.

    For the firewall, the Teefer2 Miniport service is responsible, but it does not accept the stop or pause command; it only accepts the Start command.
    So for the firewall

    Try this
    C:\>REGINI HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status = REG_DWORD 0x00000000
    to turn off
    C:\>REGINI HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status = REG_DWORD 0x00000001

    to turn it back ON...


  • 12.  RE: SNAC/SEP Client - how to enable or disable FW and AV from command line (CLI)?

    Posted Nov 09, 2009 07:38 PM
    Vikram Kumar,

    Good to know these 2 values, but...
    did you test it?

    I changed smc_engine_status from regedit... waited 5 mins... nothing happened :( it's just a value that the service/application writes, but it looks like nothing checks this value when it runs (or not), so no changes are made until you do "smc -stop" and then "smc -start", but as I said before I don't want to:
    - doing smc -stop on clients
    - doing it as a script on clients
    - I have customers with a lot of clients... (5000+)

    So it's not a solution, Vikram, hmm, but there has to be a possibility to do the same command as the SEPM Console does to a client when an admin clicks on a client and sends a command to enable or disable NTProt or AVProt, hmm, but how? It's a command, but maybe not a command-line command??

    kind regards
    Dave
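
The registry values from post 9 and the service display names from post 8 can be read from a script to answer the "is it running" half of the question; this PowerShell script is an added example, not part of any post in the thread and not Symantec's own tooling. The WOW6432Node fallback and the use of the exit code as a problem count are assumptions.

```powershell
# Read-only status check: reads registry values and service state, changes nothing.
# Key paths, value names and service display names are the ones quoted in the thread.
$checks = @(
    @{ Name = 'Network Threat Protection'; SubKey = 'SMC'; Value = 'smc_engine_status' },
    @{ Name = 'File System Auto-Protect'
       SubKey = 'AV\Storages\Filesystem\RealTimeScan'; Value = 'OnOff' }
)

function Get-SepFlag {
    param([string]$SubKey, [string]$Value)
    # Assumption: a 32-bit client on 64-bit Windows keeps its keys under WOW6432Node.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $path = "$root\Symantec\Symantec Endpoint Protection\$SubKey"
        $item = Get-ItemProperty -Path $path -Name $Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Value }
    }
    return $null   # key or value not present on this machine
}

$problems = 0
foreach ($c in $checks) {
    $flag = Get-SepFlag -SubKey $c.SubKey -Value $c.Value
    # 1 = enabled, 0 = disabled (per post 9); anything else is reported as unknown
    $state = if ($flag -eq 1) { 'enabled' } elseif ($flag -eq 0) { 'disabled' } else { 'unknown' }
    if ($state -ne 'enabled') { $problems++ }
    '{0,-30} {1}' -f $c.Name, $state
}

# Service display names as listed for SEP Agent MR5 in post 8.
foreach ($svc in 'Symantec Endpoint Protection', 'Symantec Management Client') {
    $s = Get-Service -DisplayName $svc -ErrorAction SilentlyContinue
    $status = if ($s) { $s.Status } else { 'not installed' }
    if ($status -ne 'Running') { $problems++ }
    '{0,-30} service {1}' -f $svc, $status
}

# Non-zero exit code = number of components not enabled/running (assumed convention).
exit $problems
```

As post 12 reports, editing smc_engine_status by hand did not switch the engine, so treat the value as state the client has written, not as a control.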