Thread: How do I determine if NAV is installed remotely via registry?

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    119

    How do I determine if NAV is installed remotely via registry?

    I am stumped. I have been scouring Google for a few hours now trying to figure out how to do this.

    My problem. I am trying to figure out a better way to do "Nav Sweeps," to ensure that we have antivirus installed on computers across our network. The typical method of doing this is exporting the list via Symantec Systems Center (hereafter SSC). Then comparing the list to a scan done across the network of all active nodes. (Subtracting printers, hubs, switches, etc.) Once these two lists are compiled we throw them together in Access to get the list of objects that do not occur in both lists. Meaning nodes that do not have NAV installed.

    Then after all that you try to do remote installs via SSC. All this is great, at least it seems. I'm not sure if it's the software, or a possible miscue via our scanner, but some new computers just seem to pop up. People don't always seem to follow proper procedures by consulting the right people to install the computer, simply hook them up, and they get infected. / end mini rant

    OK that's some background! *breathe*

    I'm trying to figure out how to create a batch file that looks at registry settings, and if the correct key is installed, does nothing. If the key is NOT installed, it will place the IP address / computer name / something that we can come back to later to identify this computer.

    And this would need to be run over a large network. This is possible, at least I'm telling myself, or am I simply asking too much?? I would like to accomplish this by writing it myself if possible. I just need to be pointed in the right direction. Specifically the "if this is there, then do this" portion, which is particularly fuzzy.

    Right now the best source I have found is http://www.robvanderwoude.com, and I have been able to modify a batch file to at least export the registry settings of the computers, however I do not want the registry settings, just an IP, name, or something if it DOESN'T have the key installed.

    Can this be done? Can someone point me in the right direction, (or whack me over the head with a 2x4)??

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I think that's a rather awkward way of doing it, and just because the reg key is present doesn't mean that it's running.

    I would check to see if the process is running using pslist.exe (process lister) from sysinternals.com:

    net view >nv.txt
    for /F "tokens=1" %%X in (nv.txt) do pslist -t %%X

    You say you want to write it yourself so I'll stop here.

    BTW the process is called rtvscan

    so |find "rtvscan"
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Depending upon which version of SAV you have, there is an audit feature that essentially goes out and does what TEdob has suggested to do. In SAV 8.1, the console offers this feature. There are a few drawbacks such as it cannot deal with W98 clients.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    http://service1.symantec.com/SUPPORT...rc=bar_sch_nam

    That's the link to the Symantec Knowledge Base article about the audit. Basically it reads to me like it's a ping sweep; when it finds a positive it tries the NetBIOS services to see if the client is installed. This seems to bring back a lot of false positives.

    However that is DEFINITELY a better way than what we were doing. From the list that doesn't have NAV installed we can hit them with a scan or do something further if we need to. Thanks TH13.

    Tebob, there are a couple of us working on this. He has the batch file specified; now we need to figure out remote queries and we are there.

    Thanks for the help. I'll give updates as we make progress.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, false positives are one of the issues with the tool. I use the SAV console to manage 60,000 nodes and trust me, I get a pile of false positives. The problem is that in order to truly get good results, you need to be able to log in to the nodes with admin credentials. Now, unless every node has a local admin account that is the same (which would be a horrible thing) or every node is a member of AD (so as to use the AD admin credentials), false positives are unavoidable. Also, the audit tool doesn't like older MS OSes such as Win98.

    I have put in some feature requests with Symantec hoping that they will implement my suggestions on how to greatly reduce the number of false positives that come up in the audit tool. If they do implement my model, I will post it here to let others who have to deal with the pains of AV management.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    Here is what we have so far.

    @echo off
    REM Usage: nav <IP address>
    SET IP=%1

    REM winlogon runs on a Windows client whether it is logged on or locked.
    pslist \\%IP% winlogon | FIND /I "WINLOGON" >NUL
    IF ERRORLEVEL 1 echo "Not Windows Client"
    IF ERRORLEVEL 1 GOTO END
    IF ERRORLEVEL 0 GOTO SCAN

    :SCAN
    REM rtvscan is the NAV process.
    pslist \\%IP% rtvscan | FIND /I "Rtvscan" >NUL
    IF ERRORLEVEL 1 echo "Nav not running on %IP%"
    IF ERRORLEVEL 1 GOTO END
    IF ERRORLEVEL 0 echo "NAV running on %IP%"

    :END

    Sure it's simple but I promise I haven't worked on it all day. Actually I've been doing research on different parts of the code, whilst a coworker of mine has been writing the code.

    What we can't figure out is how to get this to run over say a Class B sized network, and to actually get a working %IP% switch. If you remove the %IP%, and input your IP address with that it will work.

    This code would be SO clever if we can figure out how to automate the IP writing in there, and run it network wide, because it automatically leaves out anything that isn't a windows client. (We run 2k across the board so we found something that would be on the computer whether it was logged on or locked)

    A little more help?

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    A little more progress today. Only worked on it the last 15 minutes of work. We created another batch file called nav run, simply listed the appropriate IP addresses, and used the call command, then sent the data to a text file.

    the format is

    call nav xxx.xxx.xxx.xxx
    call .... etc... to however many IP addresses you have

    Also added input so that it would list the IP address if it's not a Windows client. The neat thing about this is it detects if it's a Windows client, so long as you have rights to the computer, whether it is logged on or not. That's why we were searching for something common to logged on or not across the board. I just need a better way to run it across the network, anyone have any ideas? Tebob? TH13? I think this could be helpful for you as well TH13. It's rather slow I'll admit, but it's possible to tweak the code (I hope?!?!), and this won't generate false positives so long as a computer is on; it will say not Windows client otherwise.
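
A sweep driver for the question raised in posts #6 and #7, as an added example that is not part of the original thread: it walks a class B sized range, skips addresses that do not answer a ping, and logs every host whose check did not report NAV running. It assumes the script from post #6 is saved as nav.bat in the same directory and that pslist is on the PATH; the 10.1 prefix and the nav_sweep.txt log name are constructed placeholders.

```batch
@echo off
REM Added example: range sweep around the per-host check from post #6.
REM Assumptions: that check is saved as nav.bat in this directory, pslist is
REM on the PATH, and the account running this has rights on the targets.
setlocal
REM Constructed placeholder: first two octets of the network to sweep.
set PREFIX=10.1
REM Hypothetical log file name.
set LOG=nav_sweep.txt
if exist "%LOG%" del "%LOG%"

REM Third octet 0-255, fourth octet 1-254: one class B sized range.
for /L %%A in (0,1,255) do (
    for /L %%B in (1,1,254) do call :CHECK %PREFIX%.%%A.%%B
)
endlocal
goto :EOF

:CHECK
REM One ping with a short timeout; a reply line contains "TTL=".
REM Addresses that do not answer are skipped so pslist never waits on them.
ping -n 1 -w 300 %1 | find "TTL=" >nul
if errorlevel 1 goto :EOF

REM Run the per-host check and drop the "NAV running" verdict, so only hosts
REM needing follow-up are logged. Each line is prefixed with the address
REM because the "Not Windows Client" message does not include it.
for /F "delims=" %%R in ('nav.bat %1 ^| find /V /I "NAV running"') do (
    >> "%LOG%" echo %1 %%R
)
goto :EOF
```

The hosts are checked one after another, so narrowing the two `for /L` ranges to the subnets actually in use shortens the run considerably.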
