PowerShell Script to Check Symantec Endpoint Protection Definition Updates


Symantec Endpoint Protection has quite a hold on the anti-virus market. Many of us have environments where it's used but are not the SEP administrators, and may not even be able to view data in the Symantec Endpoint Protection Manager. In light of that, I've written a PowerShell script to check the last update time of the SEP definitions on a machine; it can be run manually or set up as a scheduled task.

The script does four things:

  • Check whether Symantec Endpoint Protection is installed; if not, exit.
  • Check the last write date of the AV definitions and compare it to a threshold of the current time minus 7 days.
  • Write to the event log whether the definitions are current or not.
  • Send an email if the definitions are out of date.

*Things to Note*

  • As it stands, each of the "if ($writetime" blocks contains a "Write-Host". If you plan on running this as a scheduled task, you'll want to remove or comment out those lines.
  • I will also be writing this as a SCOM management pack and as an SCCM Compliance Item.

 



###################################################################
## Check Symantec Endpoint Protection Antivirus Definition Dates ##
## v1.1                                                          ##
## Matt Hansen // 01-06-2017                                     ##
###################################################################

# Set variables
$hostname = hostname
$7daysago = (Get-Date).AddDays(-7)
$key      = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$notify   = "no"

# Test for the registry key path; the check only runs if SEP is installed
if (Test-Path -Path $key)
{
    # DEFWATCH_10 holds the on-disk folder of the shared definitions
    $path = (Get-ItemProperty -Path $key -Name DEFWATCH_10).DEFWATCH_10
    # The folder's last write time is the last time the definitions were updated
    $writetime = [datetime](Get-Item -Path $path).LastWriteTime
    #Write-Host "7 days ago was $7daysago. Defs were last written at $writetime"

    # Note: Write-EventLog needs the event source to be registered in the
    # Application log already (New-EventLog registers one if it is missing)
    if ($writetime -lt $7daysago)
    {
        Write-Host "You have old defs"
        Write-EventLog -LogName "Application" -Source "Symantec Antivirus" -EventId 7076 -EntryType "Warning" -Message "Symantec Definitions are older than 7 days. Last update time was $writetime"
        $notify = "yes"
    }
    else
    {
        Write-Host "You have current defs"
        Write-EventLog -LogName "Application" -Source "Symantec Antivirus" -EventId 7077 -EntryType "Information" -Message "Symantec Definitions are current within 7 days. Last update time was $writetime"
        $notify = "no"
    }

    # Email notify
    if ($notify -eq "yes")
    {
        $param = @{
            SmtpServer = "smtpserver.company.local"   # replace with your mail relay
            Port       = 25
            UseSsl     = $false
            #Credential = "you@gmail.com"
            From       = "SymantecDefChecks@company.local"
            To         = "administrator@company.local"
            Subject    = "Symantec Definitions Out-of-Date on $hostname"
            Body       = "Symantec Definitions are older than 7 days. Last update time was $writetime on $hostname"
        }
        Send-MailMessage @param
        #Write-Host "Email Sent"
    }
}
else
{
    Write-Host "Not installed"
}
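As an added example (not part of the original post or Matt's script), here is the same check written as a function that returns an object instead of writing to the console, so one piece of logic can back the scheduled task, a SCOM script monitor and an SCCM Compliance Item. It also handles the cases the script above skips: a missing DEFWATCH_10 value, a definitions folder that no longer exists, and an event source that is not registered. The native (non-Wow6432Node) key path, the -MaxAgeDays parameter name and the "SEP Definition Check" event source name are assumptions; DEFWATCH_10 and the event IDs 7076/7077 come from the post.

```powershell
function Get-SepDefinitionStatus {
    [CmdletBinding()]
    param(
        # Definitions older than this many days are reported as stale (assumed parameter name)
        [int]$MaxAgeDays = 7
    )

    # The post's key (Wow6432Node, SEP on 64-bit Windows) plus the native
    # 32-bit location (assumption); the first one that exists wins.
    $candidateKeys = @(
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs',
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
    )
    $key = $candidateKeys | Where-Object { Test-Path -Path $_ } | Select-Object -First 1

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Installed      = [bool]$key
        DefinitionPath = $null
        LastWriteTime  = $null
        AgeDays        = $null
        Stale          = $true     # fail closed: an unknown state counts as stale
        Reason         = 'Symantec Endpoint Protection not installed'
    }
    if (-not $key) { return $result }

    # DEFWATCH_10 (from the original post) holds the shared definitions folder
    $defPath = (Get-ItemProperty -Path $key -Name DEFWATCH_10 -ErrorAction SilentlyContinue).DEFWATCH_10
    if (-not $defPath -or -not (Test-Path -Path $defPath)) {
        $result.Reason = "DEFWATCH_10 missing or folder not found: '$defPath'"
        return $result
    }

    $lastWrite = (Get-Item -Path $defPath).LastWriteTime
    $age       = (Get-Date) - $lastWrite
    $result.DefinitionPath = $defPath
    $result.LastWriteTime  = $lastWrite
    $result.AgeDays        = [math]::Round($age.TotalDays, 1)
    $result.Stale          = $age.TotalDays -gt $MaxAgeDays
    $result.Reason         = if ($result.Stale) { "Definitions older than $MaxAgeDays days" } else { 'Current' }
    return $result
}

$status = Get-SepDefinitionStatus -MaxAgeDays 7

# Event-log entry. The source must already be registered
# (New-EventLog -LogName Application -Source $source, run once as admin);
# SourceExists itself needs admin rights because it also searches the Security log.
$source = 'SEP Definition Check'     # assumed source name
try {
    if ([System.Diagnostics.EventLog]::SourceExists($source)) {
        $type = if ($status.Stale) { 'Warning' } else { 'Information' }
        $id   = if ($status.Stale) { 7076 } else { 7077 }   # event IDs from the post
        Write-EventLog -LogName Application -Source $source -EventId $id -EntryType $type `
            -Message ($status | Format-List | Out-String)
    }
} catch [System.Security.SecurityException] {
    Write-Warning "Not elevated; skipping the event log entry"
}

# SCCM Compliance Item usage: the script's only output is a single word that the
# compliance rule compares against. Nothing else is written to the pipeline.
if ($status.Stale) { 'NonCompliant' } else { 'Compliant' }
```

The object is deliberately "stale until proven current": a machine where SEP is missing or the definitions folder has vanished is reported as non-compliant rather than silently passing, which is the behaviour you want when the check feeds a monitoring system.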

I hope this makes your day at least a little bit easier.

Thanks,


How to move SCVMM VMs into a Cloud


If you've ever added hosts to an SCVMM instance you'll know that there's seemingly no easy way to move the newly imported VMs from those hosts into SCVMM clouds. I've found the best way to do this is the SCVMM command-line interface, which unfortunately has a few quirks.

Set-SCVirtualMachine is the command you'll need, with the "-Cloud" flag, as in the example below.

Set-SCVirtualMachine -VM "NewVM1" -Cloud "Cloud1"

Unfortunately, every time I've tried this I've gotten an error saying it can't convert the value type correctly, as shown below.

[Screenshot: setscvm-failure]

For whatever reason, I've found that the workaround here is to set both the VM and the Cloud as variables and run the command again.

$VM = Get-SCVirtualMachine "NewVM1"

$Cloud = Get-SCCloud "Cloud1"

Set-SCVirtualMachine -VM $VM -Cloud $Cloud

[Screenshot: setscvm-success]

Then we have success!

[Screenshot: sccloud-success]

I’ve yet to figure out why this is, but at least it works.
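Here is the workaround applied to every VM on a freshly added host, as an added example that is not from the original post: the cloud and host are resolved to objects once, and the objects (not the names) are handed to Set-SCVirtualMachine. Get-SCVirtualMachine, Get-SCCloud and Set-SCVirtualMachine come from the post; the host name, the use of Get-SCVMHost / -VMHost to enumerate the VMs, and the VM object's Cloud property are assumptions.

```powershell
# The VMM cmdlets live in the virtualmachinemanager module on the VMM console/server
Import-Module virtualmachinemanager

$hostName  = 'NewHost01'   # constructed sample host name
$cloudName = 'Cloud1'      # cloud name from the post

# Resolve both targets to objects first; fail early if either is missing
$cloud = Get-SCCloud -Name $cloudName
if (-not $cloud) { throw "Cloud '$cloudName' not found" }

$vmHost = Get-SCVMHost -ComputerName $hostName   # assumed: host is already added to VMM
if (-not $vmHost) { throw "Host '$hostName' not found in VMM" }

foreach ($vm in Get-SCVirtualMachine -VMHost $vmHost) {
    # Skip VMs that are already in the target cloud (Cloud property assumed)
    if ($vm.Cloud -and $vm.Cloud.Name -eq $cloud.Name) {
        Write-Verbose "$($vm.Name) is already in $($cloud.Name)"
        continue
    }
    # Pass the objects, not the strings, to avoid the type-conversion error
    $moved = Set-SCVirtualMachine -VM $vm -Cloud $cloud
    '{0,-30} -> {1}' -f $moved.Name, $moved.Cloud.Name
}
```

Run it with -Verbose (or set $VerbosePreference) to see which VMs were skipped because they were already in the cloud.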

I hope this makes your day at least a little bit easier.

Thanks,

SCVMM Error 2912 “The configuration registry database is corrupt (0x800703F1)”


I recently spun up a new SCVMM environment, created my first VM, and attempted to create a template only to be faced with a job error.

Error (2912)
An internal error has occurred trying to contact the Host01 server: : .

WinRM: URL: [http://Host01.lab.local:5985], Verb: [INVOKE], Method: [LoadSubkey], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/scvmm/P2VSourceFixup?RegFileName=C:\Users\SVC_VMM\AppData\Local\Temp\tmp6AB5.tmp]

The configuration registry database is corrupt (0x800703F1)

Recommended Action
Check that WS-Management service is installed and running on server host01.lab.local. For more information use the command “winrm helpmsg hresult”. If host01.lab.local is a host/library/update server or a PXE server role then ensure that VMM agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.

 

I've seen this issue before, and typically it's because I go on auto-pilot and sysprep the VM by hand. That will cause this issue; go ahead and start the VM and log in, then shut down and let VMM do the sysprep.

Unfortunately, this time that wasn't the problem, though it was similar. When I shut the VM down I accidentally hit "Turn Off" and it hard-powered the VM down. A simple boot, login, shutdown and retry fixed the problem here.

 

I hope this makes your day at least a little bit easier.

Thanks,

SCCM 2012 R2 Reinstall Fails – Configuration Manager Requires a Dedicated SQL Server Instance


Recently I had to reinstall an SCCM 2012 R2 instance, and came across a strange error when I ran the Prerequisite Check.

Dedicated SQL Server instance: Configuration Manager requires a dedicated SQL Server instance to host the site database. You selected the SQL Server instance that site hosts the Configuration Manager database for another site. Select a different SQL Server instance for this new site to use, or resolve the conflict by uninstalling The Other excellant site or moving to a different database SQL Server instance.

 

After some research it turns out this (in my case, anyway) is due to the SCCM uninstall process not completing properly. SCCM doesn't need its own SQL instance; it just requires that you have only one SCCM site per SQL instance. To make sure this is the case, the prerequisite checker looks for a few registry keys on the SQL server that the install is going to use. To fix this error, delete the following keys from the SQL server.

 

[HKLM\SOFTWARE\Microsoft\SMS\Operations Management\Components\SMS_SITE_SQL_BACKUP_<SITESERVERNAME>]

[HKLM\SOFTWARE\Microsoft\SMS\SMS_SITE_SQL_BACKUP_<SITESERVERNAME>]

[HKLM\SOFTWARE\Microsoft\SMS\Components\SMS_SITE_SQL_BACKUP_<SITESERVERNAME>]

 

After they are deleted, run the prerequisite checker again and voilà!
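As an added example (not from the original post), the cleanup above as a script to run on the SQL server: it checks which of the three keys are present, exports each one to a .reg file before touching it, and only then removes it, so the deletion can be undone if the key turns out to belong to a live site. The three key paths are from the post; the function name, its parameters, the backup folder and the sample site server name are assumptions.

```powershell
function Remove-StaleSmsSqlBackupKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Site server name that was appended to the SMS_SITE_SQL_BACKUP_ keys
        [Parameter(Mandatory)][string]$SiteServerName,
        # Where the .reg backups go (assumed location)
        [string]$BackupFolder = "$env:TEMP\sms-key-backup"
    )

    $suffix = "SMS_SITE_SQL_BACKUP_$SiteServerName"
    # The three leftover keys named in the post, in PowerShell drive notation
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\SMS\Operations Management\Components\$suffix",
        "HKLM:\SOFTWARE\Microsoft\SMS\$suffix",
        "HKLM:\SOFTWARE\Microsoft\SMS\Components\$suffix"
    )

    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $i = 0
    foreach ($key in $keys) {
        $i++
        if (-not (Test-Path -Path $key)) {
            Write-Verbose "Not present: $key"
            continue
        }
        # reg.exe wants HKLM\..., not the HKLM:\ drive form
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $backup  = Join-Path $BackupFolder "key$i.reg"
        if ($PSCmdlet.ShouldProcess($key, 'Export to .reg and delete')) {
            & reg.exe export $regPath $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; not deleting it" }
            Remove-Item -Path $key -Recurse
            [pscustomobject]@{ Key = $key; Backup = $backup; Removed = $true }
        }
    }
}

# Dry run first (prints what would be exported and deleted) ...
Remove-StaleSmsSqlBackupKeys -SiteServerName 'SITESERVER01' -WhatIf
# ... then the real thing, in an elevated prompt on the SQL server
Remove-StaleSmsSqlBackupKeys -SiteServerName 'SITESERVER01' -Verbose
```

Because the function supports -WhatIf, you can confirm exactly which keys match your site server name before anything is removed, and the exported .reg files can be re-imported with reg.exe import if needed.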

 

I hope this makes your day at least a little bit easier.

Thanks,

Upgrade SCOM 2012 R2 From Eval To Full Edition License


By default, when SCOM 2012 R2 is installed it uses an eval license (hence the yellow warning when you install the management server). When you go to the "Administration" workspace there is a link in the centre of the page to a TechNet article on how to "Upgrade SCOM to full version".

Here's the simple way to add that product key from PowerShell.

Import-Module OperationsManager

Set-SCOMLicense -ProductId "insert product key here"

Stop-Service cshost; Stop-Service omsdk; Stop-Service healthservice

Start-Service cshost; Start-Service omsdk; Start-Service healthservice

 

Alternatively, you can reboot the management server.

 

After that, to verify the key is installed, take the following steps.

Launch the Operations Manager Console > go to "Help" and click "About" > next to the version information it should now say Retail. *Note that it's okay if the Product ID is blank.

 

I hope this makes your day at least a little bit easier.

Thanks,

Disable Windows Firewall With PowerShell


Welcome all, to the age of the GUI-less Windows server. As more and more people spin up labs with command-line-only boxes, this command can be helpful.

Remember to only turn off your firewall in lab environments where you know you're not exposing yourself to additional risk.

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

 

To do this using netsh in cmd, you can use the following command.

 

netsh advfirewall set allprofiles state off
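As an added example (not from the original post), here is the PowerShell version wrapped so that it records the state of each profile before disabling anything and can put the box back the way it was when the lab work is done. Set-NetFirewallProfile and the three profile names come from the post; the function names and the state-file location are assumptions.

```powershell
# Where the pre-change profile state is saved (assumed location)
$StateFile = Join-Path $env:ProgramData 'lab-firewall-state.json'

function Disable-LabFirewall {
    # Record Name/Enabled for every profile before changing anything.
    # Enabled is a GpoBoolean enum, so it is stored as its string form.
    Get-NetFirewallProfile |
        Select-Object Name, @{ n = 'Enabled'; e = { [string]$_.Enabled } } |
        ConvertTo-Json | Set-Content -Path $StateFile

    # The command from the post
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

    # Show the result so it is obvious all three profiles are now off
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Restore-LabFirewall {
    if (-not (Test-Path -Path $StateFile)) { throw "No saved state at $StateFile" }

    # Put each profile back to exactly what it was, not blindly to True
    foreach ($p in (Get-Content -Path $StateFile -Raw | ConvertFrom-Json)) {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled
    }
    Remove-Item -Path $StateFile
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

# Usage from an elevated prompt:
#   Disable-LabFirewall    # before the lab work
#   Restore-LabFirewall    # afterwards
```

Restoring per profile from the saved state matters on a box where, say, only the Public profile had been enabled; a plain "-Enabled True" on all three would leave it in a different configuration than it started with.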

 

I hope this makes your day at least a little bit easier.

Thanks,