SEP and SCOM

    Question

  • Hi. My organization has this weird audit requirement to monitor SEP (Symantec Endpoint Protection) full scans not completed within the last 2 weeks. To my SCOM knowledge, I know there should probably be 2 ways to go about doing this:

    1. log file monitoring based on event logs (Event ID 2: scan complete)

    2. custom script

    However, I don't think I can configure the monitoring to check if the scan was done in the last 2 weeks if I do it by no. 1. As such I am seeking advice on this, and if anyone has any idea on the custom script.

    P.S. I tried to search for a SEP management pack as well but can't seem to find any link to download. Not sure if the MP would help anyway.

    Thanks in advance!

    Monday, February 11, 2019 5:09 AM

All replies

  • SEP has a lot of interesting information stored in the registry, under the HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate key; including, more specifically, one entry named LastSuccessfulScanDateTime which should provide you with exactly what you need.

    More info: https://support.symantec.com/en_US/article.HOWTO75109.html

    Monday, February 11, 2019 7:50 AM
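One way to turn that registry value into a SCOM probe, as an added example (PowerShell written for this page, not code from either poster, from Symantec or from a SEP management pack). It assumes LastSuccessfulScanDateTime is a DWORD holding Unix epoch seconds, as described in the linked Symantec article, and falls back to parsing a date string; the property bag names (State, LastScanUtc, AgeDays, Reason) are my own and must match whatever the monitor's expression checks.

```powershell
# Added example: SCOM PowerShell probe that reads SEP's LastSuccessfulScanDateTime
# and flags hosts whose last successful scan is older than $MaxAgeDays (default 14).
# Assumption: the value is a DWORD of Unix epoch seconds (per the Symantec KB above);
# a string date is handled too so a format change does not silently break the monitor.
param([int]$MaxAgeDays = 14)

$keyPath = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Public-Opstate'
$api     = New-Object -ComObject 'MOM.ScriptAPI'
$bag     = $api.CreatePropertyBag()

try {
    $raw = (Get-ItemProperty -Path $keyPath -ErrorAction Stop).LastSuccessfulScanDateTime
} catch {
    $raw = $null   # key or value missing: SEP not installed, or no scan has ever completed
}

if ($null -eq $raw) {
    # Treat "no value" as a finding, not as healthy: a host with no record of a scan
    # is exactly what the audit wants to surface.
    $bag.AddValue('State',  'Overdue')
    $bag.AddValue('Reason', 'LastSuccessfulScanDateTime not found')
} else {
    if ($raw -is [int] -or $raw -is [long]) {
        # DWORD epoch seconds (assumed format); Int32 is fine until 2038
        $lastScan = [DateTimeOffset]::FromUnixTimeSeconds([long]$raw).UtcDateTime
    } else {
        # Fallback: value stored as a date string
        $lastScan = [DateTime]::Parse([string]$raw).ToUniversalTime()
    }
    $ageDays = [math]::Round(((Get-Date).ToUniversalTime() - $lastScan).TotalDays, 1)
    $state   = if ($ageDays -gt $MaxAgeDays) { 'Overdue' } else { 'Healthy' }

    $bag.AddValue('State',       $state)
    $bag.AddValue('LastScanUtc', $lastScan.ToString('u'))
    $bag.AddValue('AgeDays',     $ageDays)
}

# Emit the property bag; the monitor's expression then evaluates Property[@Name='State'].
$bag
```

Run it with the SCOM agent's action account (it needs read access to that HKLM key), and base the unit monitor's healthy/unhealthy expressions on the State property rather than on the raw date so the 14-day logic stays in one place.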
  • Thanks. After much trial and error on the PowerShell script, I finally got what I need.

    I'll come back here if I can't figure out how to create a monitoring rule with the PowerShell script.

    Monday, February 11, 2019 10:23 AM