Symantec Registry Keys

registry_keys.md

Registry Key Entries

Registry key entries are found in the following location:

  • Hive: HKLM\SOFTWARE
  • File: C:\Windows\System32\config\SOFTWARE

All registry subkeys are placed in the following location: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion, or under HKLM\SOFTWARE\Wow6432Node\Symantec... on a 64-bit OS.

Key Name Description
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV VirusEngine DLL of virus engine
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV LocalMAC MAC address of the computer
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV MyProcessID Proccess ID of ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV LogFileRollOverDays Number of days logs are kept
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV WorstInfectionType "Severity of the worst detection that was made:
0 = (Severity 0) Viral
1 = (Severity 1) Non-viral malicious
2 = (Severity 2) Malicious
3 = (Severity 3) Antivirus - Heuristic
5 = (Severity 5) Hack tool
6 = (Severity 6) Spyware
7 = (Severity 7) Trackware
8 = (Severity 8) Dialer
9 = (Severity 9) Remote access
10 = (Severity 10) Adware
11 = (Severity 11) Jokeware
12 = (Severity 12) Client compliancy
13 = (Severity 13) Generic load point
14 = (Severity 14) Proactive Threat Scan - Heuristic
15 = (Severity 15) Cookie
9999 = No detections"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV TimeOfLastVirus The last time a virus was detected on the client computer (GMT)
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV TimeOfLastScan The last scan time for this agent (GMT).
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine BackupItemPurgeAgeLimit Maximum days to hold onto backup items
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine BackupItemPurgeEnabled To enable backup item purge:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine BackupPurgeBySizeDirLimit Maximum size in Megabytes of the backup folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine BackupPurgeBySizeEnabled To enable Sizing of backup folder:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine ForwardingEnabled Enable forwarding of quarantine to central server:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine ForwardingPort Port of forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine ForwardingProtocol Protocol of forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine ForwardingServer Path to forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine QuarantinePurgeAgeLimit Maximum days to hold onto quarantine files
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine QuarantinePurgeBySizeDirLimit Maximum size in Megabytes of the quarantine folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine QuarantinePurgeBySizeEnabled To enable Sizing of quarantine folder:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine QuarantinePurgeEnabled To enable quarantine purge:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine RepairedItemPurgeAgeLimit Maximum days to hold onto repaired items
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine RepairedItemPurgeEnabled To enable repaired item purge:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine RepairedPurgeBySizeDirLimit Maximum size in Megabytes of the repaired folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine RepairedPurgeBySizeEnabled To enable Sizing of repaired folder:
0 = OFF
1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\QRecords(10 digit numerical folder) FName Name of file that was quarantined
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate AVRunningStatus Registers whether Virus and Spyware Protection is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LatestVirusDefsDate Virus Definition date in use by client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LatestVirusDefsRevision Virus Definition Revision number in use by client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate Infected "Registers whether the client computer is infected with one or more risks that are detected by Virus and Spyware Protection.
0 = Not infected
1 = Infected"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate snac_enabled Registers whether Symantec Network Access Control is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate FWRunningStatus Registers whether firewall protection is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LastServerIP Registers the IP address of the most recent Symantec Endpoint Protection management server that the client connected to.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate ComputerID Computer ID
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate RebootReason "Registers the reason for a restart of the client computer.
0=No reboot required.
1=Reboot required for threat remediation.
2=Reboot required for product patch.
3=Reboot required for content update.
4=Reboot required for install completion.
5=Reboot required by SEP manager command.
6=Reboot required due to catastrophic install failure.
7=Reboot required for driver config change."
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate ASRunningStatus "Registers whether Virus and Spyware Protection is enabled or disabled.
Note: This subkey appears to be redundant with the following subkey."
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployStatus "Registers details about the status of client software download, installation, upgrade, or patch.
This is an integer sent by the client to represent the current deployment status. It can be generated by the client itself or by the installer.
302448896=Symantec Endpoint Protection Manager indicated an upgrade package for the client.
302448897=The client decided to accept the upgrade package.
302448898=The client decided to reject the upgrade package.
302449152=The client has requested package information for the upgrade.
302449153=The client has received package information for the upgrade.
302449408=The client hasn't allowed the download of the upgrade package to start.
302449409=The client has successfully downloaded and verified the upgrade package.
302449664=The client failed to apply the upgrade package.
302449665=The client failed to patch the delta.
302449666=The client failed to launch the upgrade installer.
302449667=The client successfully launched the final upgrade installer.
302449920=The client is requesting the full version of the upgrade package due to the delta's failure.
302456832=Install successful.
302460928=Install repair successful.
302465024=Uninstall successful.
302469120=Install failed and rolled back.
302469121=Install failed due to insufficient disk space.
302469122=Install failed due to a launch condition.
302469123=Install failed; a consumer product was found.
302469124=Restart pending.
302456833=Files copied.
302469125=Install failed; a legacy enterprise edition was found.
302469126=Install failed due to non-elevated privileges.
302469127=Install failed due to an incompatible operating system."
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate InstallType "Registers the type of installed client.
0=Standard
1=Embedded or VDI
2=Dark network"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployMessage This is a freeform, detailed message sent by the client to elaborate on the deployment status.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployPreviousVersion Registers the four-part version number of the Symantec Endpoint Protection client software that was previously installed on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployTargetVersion Registers the four-part version number of the Symantec Endpoint Protection client software that is planned for future installation on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployRunningVersion Registers the four-part version number of the Symantec Endpoint Protection client software that is currently installed on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate DeployTimestamp The time of the deployment action.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LastSuccessfulScanDateTime Date and Time of last successful scan
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\ACDefs AC Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\BASHDef BASH Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\ccSubSDK_SCD_Defs ccSubSDK_SCD Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\EDRDefs EDR Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\EfaVTDefs SymEFA Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\HIDefs HI Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IPSDefs Internet Security Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronRevocationDefs IronRevocation Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronSettingsDefs IronSettings Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronWhitelistDefs IronWhitelist Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\PCHDefs PCH Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs APSCandShim56 Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs DEFWATCH_10 Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs NAVCORP_70 Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs SRTSP Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SMDefs SMR Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SRTSPSettingsDefs SRTSPSettings Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\STICDefs STIC Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\STICDefs STIC_SCAN Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SymPlatformDefs SymPlatform Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\TDADDefs TDAD Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC CurLocation Currrent location of device
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC EnableDebug802.1x This debug setting is used to help isolate EAP 802.1x issues. The registry key causes the 802.1x EAP information to write to the standard debug.log file.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC smc_debug_level "smc_debug_level affects the logging of virus and spyware events:

• 2 - system debugger
• 4 - transaction logs
• 6 - everything"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC smc_debug_log_level "smc_debug_log_level affects the logging of firewall events:

• 0 - debug
• 1 - info
• 2 - warning
• 3 - fatal"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC smc_engine_status To check if Network Threat Protection is installed and is Turned ON.
0 – means turned OFF
1- turned ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper EnableScriptDebug The Host Integrity is performed on the agent machine by a JavaScript file included in the policies downloaded from the policy manager. Normally this script is deleted once Host Integrity is done, but by setting this registry key the file is not deleted. Then you can review the script for troubleshooting.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink DumpSylink Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server. The following debug setting is an alternative to running the SylinkWatcher/SylinkMonitor tool to log client-server communication.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink HardwareID To know the Hardware ID for the Client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink PolicyMode Client is communicating with SEPM or is OFFLINE
1 – means communicating
0- means offline
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink Preferredgroup Which Group the client is pointing to
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink SerialNumber Policy Serial Number on Client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE ExtendedDebug Extended TSE debugging for Network Threat Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident AutoLocationDump This debug setting makes the Symantec Endpoint Protection agent write AutoLocation switching information to the standard debug.log file.

Finding the current info, including definition dates, for Endpoint Protection in the registry
Symantec Endpoint Protection –Few Registry Tweaks..

No comments:

Post a Comment