Take advantage of the built-in logging capabilities in Symantec Antivirus and our handy script to retrieve TimeOfLastScan, TimeOfLastVirus and PatternFileUpdate details from client PCs.
As with most Windows applications, Symantec Antivirus uses the Windows Registry to store its product and other volatile information. One nice thing about Symantec Antivirus is that it writes date and time values (for example, the date and time when it ran the last full scan) in the Hexadecimal format on the client computers.
While the purpose behind storing values in Hexadecimal format isn't completely clear, what is apparent is that it becomes difficult when there is no tool or scripting way available to decode these values.
I have seen a lot of Antivirus admins looking for a way to fetch "TimeOfLastScan", "TimeOfLastVirus" and "PatternFileUpdate" values from multiple computers and decode them.
Today we're going to show you how you can use the script available with this article to collect this information and then decode these values. By decoding these values you can know:
- The last time a full antivirus scan was performed on a client computer.
- The last time a virus was found on a particular computer.
- The last time a pattern file update occurred on a particular computer.
The Symantec Antivirus client writes the last time it ran a full scan, the last time it found a virus and the last time a computer received the antivirus definition file at the below registry location on the client computers:
For the 32-bit version of Symantec Antivirus client:
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV
For the 64-bit Symantec Antivirus client:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV
In the above registry location, there are three registry entries as listed below:
- TimeOfLastScan: Stores the last date and time a full scan was completed.
- TimeOfLastVirus: Stores the last date and time a virus was found on a computer.
- PatternFileDate: Stores the information about the last date and time the pattern file was updated.
If you look at the values of these registry entries, you see they appear in a format that can't be easily read. For example, if you look at the "TimeOfLastScan" registry entry value, you see something like this:
It is in Hexadecimal format. This is also shown in the below registry screenshot taken from a Symantec Antivirus Client:
Using the script available with this article, you can collect the above information in a CSV format for all or just selected computers. The script not only collects the information, it also generates a log file to help you investigate any failures that occur with any of the computers while the script runs.
Requirements for the script
Before you can successfully collect the required information from the computers mentioned in the computers.txt file, please make sure the following statements are true for destination computers:
- The Symantec client is installed
- Remote Registry is enabled
- The computer is reachable, of course!
Steps for Running the Script
- Download the script here.
- Identify a computer from which all the other computers the script will run on are reachable.
- Create a folder with the name C:\SymantecCheck on the computer.
- Unzip/decompress the script files to C:\SymantecCheck folder.
- Edit computers.txt in Notepad and put the computer names for which you want to retrieve the TimeOfLastScan, TimeOfLastVirus and PatternFileDate values. The format of Computers.TXT should look like the following:
- Go to the command prompt and run the C:\SymantecCheck\GetSymantecValues.CMD script.
- The script will then run for all the computers mentioned in the computers.txt file as shown in the below screenshot:
- Once the script is finished, a report file with the name SymantecReport.CSV is generated as displayed in the below screenshot:
As shown in the report above, it also lists the Product Version installed on each computer. The values returned, other than the production version, is in the Hexadecimal format. You must convert these values to Decimal values to know the actual date and time. This is explained in the last part of this article.
Checking the Script Log
The script also creates a log file with the name ProcessingLog.LOG in the same directory. For any computer upon which the script fails to run, the information about the failure will be logged in the log file as shown in the below screenshot:
If you don't see any values for a specific computer, check the log file to make sure the computer was reachable when the script ran for that computer. The registry values returned from the remote computers are logged in the log file first before they are appended in the report file (CSV).
Converting Hexadecimal value to Actual Date and Time
Once the values are available in the Hexadecimal format for all the computers, you need to use the below link provided by Symantec to convert these values to a human-readable format:
For example, the value shown for the TimeOfLastScan registry entry is "2B040804056000." The first two octets are considered as "Year," "04" is considered as the "month," and "08" is considered as the "day." The remaining octets are "time." This is also shown in the below screenshot taken from a Symantec client for the registry entry TimeOfLastScan.
In the above screenshot, 2B is converted to 43 which is year 2013 based on the calculation shown at the Symantec link mentioned above. 04 is a month. Converting 04 into decimal will provide the same value (e.g. 04).
You can either use the HexToDec function in Microsoft Excel or Windows Calculator to convert these octets to decimal.
We hope you find this script useful. If you run into any issues with the script, feel free to drop me an email or post a comment here.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He has specialized in Microsoft Technologies since 1994 and has followed the progression of Microsoft Operating System and software. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Solution IDs for www.Dynamic-SpotAction.com. Nirmal can be reached at firstname.lastname@example.org.
Follow ServerWatch on Twitter and on Facebook
This article was originally published on Tuesday Feb 11th 2014