Lucene search

K

Symantec AntiVirus Scan Engine Detection

Symantec AntiVirus Scan Engine installe

Show more
Refs
Code
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(31857);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/10");

  script_name(english:"Symantec AntiVirus Scan Engine Detection");
  script_summary(english:"Checks the version of Symantec AntiVirus Scan Engine.");

  script_set_attribute(attribute:"synopsis", value:
"An antivirus application is installed on the remote host.");
  script_set_attribute(attribute:"description", value:
"Symantec AntiVirus Scan Engine, a TCP/IP service with a programming
interface to allow integration with third-party products, is installed
on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://support.symantec.com/en_US/article.DOC2277.html");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:antivirus_scan_engine");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_inventory_category", value:"software_enumeration");
  script_set_attribute(attribute:"agent", value:"windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

#
include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("install_func.inc");

app = "Symantec AntiVirus Scan Engine";

# Figure out where the installer recorded information about it.

list = get_kb_list_or_exit("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");

installstring = NULL;
product_name  = NULL;

foreach name (keys(list))
{
  prod = list[name];
  if (prod && "Symantec AntiVirus Scan Engine" >< prod || "Symantec Scan Engine" >< prod || "Symantec Protection Engine" >< prod)
  {
   installstring = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(SOFTWARE\/Microsoft\/Windows\/CurrentVersion\/Uninstall\/.+)\/DisplayName$", replace:"\1", string:name);
   installstring = str_replace(find:"/", replace:"\", string:installstring);
   product_name = prod;
   break;
  }
}

# default product name if none found in uninstall registry key
if (isnull(product_name)) product_name = "Symantec Scan Engine";

port = kb_smb_transport();

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# SPE uses the same key as SSE, default to SSE if we dont have a Name
key = "SYSTEM\CurrentControlSet\Services\SYMCScan\DisplayName";
product_name = get_registry_value(handle:hklm, item:key);
if (isnull(product_name)) product_name = "Symantec Scan Engine";

key = "SYSTEM\CurrentControlSet\Services\SYMCScan\ImagePath";
path = get_registry_value(handle:hklm, item:key);

if (!isnull(path))
{
  path = str_replace(find:'"', replace:'', string:path);
  item = pregmatch(pattern:"^(.*\\)[^\\]+$", string:path);

  if(isnull(item) || isnull(item[1]))
    exit(1, "Unable to parse path from '" + key + "'.");

  path = item[1];
}

if (isnull(path) && isnull(installstring))
{
  RegCloseKey(handle:hklm);
  close_registry();
  audit(AUDIT_NOT_INST, app);
}

# try finding path through uninstall registry entry
if (isnull(path))
  path = get_registry_value(handle:hklm, item:installstring + '\\InstallLocation');

RegCloseKey(handle:hklm);
close_registry(close:FALSE);

if (!path)
 audit(AUDIT_NOT_INST, app);

if (path[strlen(path)-1] == '\\') exe = path + "symcscan.exe";
else exe = path + "\symcscan.exe";

ver = hotfix_get_fversion(path:exe);
hotfix_check_fversion_end();

if (ver['error'] == HCF_NOENT)
  audit(AUDIT_UNINST, app);
else if (ver['error'] != HCF_OK)
  audit(AUDIT_VER_FAIL, exe);

version = join(ver['value'], sep:'.');

set_kb_item(name:"SMB/symantec_scan_engine/Installed", value:TRUE);

set_kb_item(name:"Symantec/"+product_name+"/Version", value:version);
set_kb_item(name:"Symantec/"+product_name+"/Path", value:path);

# This will either set - Symantec/Symantec AntiVirus Scan Engine/Version
#>. or >.>.  Symantec/Symantec Scan Engine/Version

register_install(
  app_name:app,
  vendor : 'Symantec',
  product : 'AntiVirus Scan Engine',
  path:path,
  version:version,
  extra:make_array('Product', product_name),
  cpe:"cpe:/a:symantec:antivirus_scan_engine");

report_installs(app_name:product_name, port:port);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
14 Apr 2008 00:00Current
0.7Low risk
Vulners AI Score0.7
21
.json
Report