PowerShell Script to Check Symantec Endpoint Protection Definition Updates


Symantec Endpoint Protection has quite a hold on the anti-virus market share. Many people work in environments where it is used but are not its administrators, or cannot even view data in the Symantec Endpoint Protection Manager. In light of that, I’ve written a PowerShell script to check the last update time of the SEP definitions; it can be run manually or set up as a scheduled task.

  • Check whether Symantec Endpoint Protection is installed. If not, exit.
  • Check the last write date of the AV definitions and compare it to a variable set to now – 7 days.
  • Write to the event log whether the definitions are current or not.
  • Send an email if the definitions are out of date.

*Things to Note*

  • As it stands, each of the “if ($writetime” blocks contains a “Write-Host”. If you plan to run this as a scheduled task, remove or comment out those lines.
  • I will also be writing this as a SCOM management pack and as an SCCM Compliance Item.

###################################################################
## Check Symantec Endpoint Protection Antivirus Definition Dates ##
## v1.1                                                          ##
## Matt Hansen // 01-06-2017                                     ##
###################################################################

#Set Variables
$hostname = hostname
$7daysago = (Get-Date).AddDays(-7)
$key = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'

#Test for registry key path and execute if necessary
if (Test-Path -Path $key)
{
    # DEFWATCH_10 holds the folder the current definition set lives in
    $path = (Get-ItemProperty -Path $key -Name DEFWATCH_10).DEFWATCH_10
    $writetime = [datetime](Get-Item -Path $path).LastWriteTime
    #Write-Host "A week ago was $7daysago. DEFs were last written at $writetime"

    if ($writetime -lt $7daysago)
    {
        Write-Host "You have old defs"
        # The "Symantec Antivirus" event source must already be registered in the Application log
        Write-EventLog -LogName "Application" -Source "Symantec Antivirus" -EventId 7076 -EntryType "Warning" -Message "Symantec Definitions are older than 7 days. Last update time was $writetime"
        $notify = "yes"
    }

    if ($writetime -ge $7daysago)
    {
        Write-Host "You have current defs"
        Write-EventLog -LogName "Application" -Source "Symantec Antivirus" -EventId 7077 -EntryType "Information" -Message "Symantec Definitions are current within 7 days. Last update time was $writetime"
        $notify = "no"
    }

    #Email Notify
    if ($notify -eq "yes")
    {
        $param = @{
            SmtpServer = "smtpserver.company.local"   # SMTP host name (placeholder), not a mailbox address
            Port       = 25
            UseSsl     = $false
            #Credential = (Get-Credential)            # uncomment if the relay requires authentication
            From       = "SymantecDefChecks@company.local"
            To         = "administrator@company.local"
            Subject    = "Symantec Definitions Out-of-Date on $hostname"
            Body       = "Symantec Definitions are older than 7 days. Last update time was $writetime on $hostname"
        }
        Send-MailMessage @param
        #Write-Host "Email Sent"
    }
}
else { Write-Host "Not installed" }

I hope this makes your day at least a little bit easier.

Thanks,

5 thoughts on “PowerShell Script to Check Symantec Endpoint Protection Definition Updates”

    greavette said:
    July 31, 2017 at 4:10 pm

    Hi, thanks very much for making this script available. I’m following up on a comment made in this post “•I will also be writing this as a SCOM management pack”. Did you ever create that SCOM management pack?

    Thank you.

      mshansen01 responded:
      November 17, 2017 at 9:16 am

      I did, I will try and get it posted on TechNet Gallery before the end of the year.

    snehdeep said:
    November 8, 2017 at 1:56 am

    I am looking for SCCM Compliance Report Scripts …

      mshansen01 responded:
      November 17, 2017 at 9:19 am

      That would actually be pretty easy. All you would have to do is take out the “#Email Notify” section and use the rest of the script as a PowerShell discovery script in an SCCM compliance item. For your compliance rule you would just use a string and say it must equal “no”, since, in the way it’s written, “no” means do not notify. You could change the Write-Host at the end of those blocks to make it easier to understand if you wanted. Otherwise, that should work out fine.
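The compliance-item variant described in this reply, as an added example that is not the post's own code: the same check minus the email block, emitting a single string ("no" = current) that an SCCM compliance rule can require to equal "no". It assumes the DEFWATCH_10 value name is unchanged under the newer SDSDefs key mentioned later in the comments, and Get-SepDefinitionStatus is a hypothetical function name.

```powershell
# Added example (not the post's script): SCCM discovery script for a compliance item.
# Output values: "no" = definitions current, "yes" = stale or unreadable,
# "not-installed" = SEP key absent. A rule of "must equal no" treats the rest as non-compliant.
$maxAgeDays = 7

# Older SEP builds use SharedDefs; a commenter reports newer builds use SharedDefs\SDSDefs.
# Assumption: DEFWATCH_10 exists under both keys.
$candidateKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
)

function Get-SepDefinitionStatus {
    param([string[]]$Keys, [int]$MaxAgeDays)

    # Use the first candidate key that exists on this host
    $key = $Keys | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $key) { return 'not-installed' }

    try {
        # DEFWATCH_10 points at the folder holding the active definition set
        $defPath   = (Get-ItemProperty -Path $key -Name DEFWATCH_10 -ErrorAction Stop).DEFWATCH_10
        $writeTime = (Get-Item -Path $defPath -ErrorAction Stop).LastWriteTime
    }
    catch {
        # Missing value or folder: cannot prove the defs are current, so report stale
        return 'yes'
    }

    if ($writeTime -lt (Get-Date).AddDays(-$MaxAgeDays)) { 'yes' } else { 'no' }
}

# SCCM compares the script's output to the rule, so emit exactly one value and nothing else.
Get-SepDefinitionStatus -Keys $candidateKeys -MaxAgeDays $maxAgeDays
```

Because the output is the compliance value, keep Write-Host out of this variant; anything else written to stdout would break the string comparison.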

    alaa elmahdy said:
    September 14, 2019 at 3:33 am

    The key was changed to:
    ‘HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs’
