casarchitect.blogg.se

Turn off symantec endpoint protection command line











The issue I faced was that this process is not persistent and it only stays for a couple of seconds. So I turned back to the command line arguments from the logs to get a better understanding. And immediately we can see that a JavaScript file is being called from disk and executed. Searching for this file on disk yields no results as it gets deleted once the process is terminated.

The next thing that piqued my interest was the “Job:AgentHIScript”, which indicates that there is a job titled “AgentHIScript”. Asking Google reveals that this is related to a feature in Symantec Endpoint Protection called “Host Integrity”. Here is a definition from the documentation:

“Host Integrity ensures that client computers are protected and compliant with your company’s security policies. You use Host Integrity policies to define, enforce, and restore the security of clients to secure enterprise networks and data.”
How Host Integrity works

Basically, this feature allows an administrator to enforce a set of constraints on a client machine and make sure that they are always compliant.

Another interesting article popped up in my search titled “How to debug the Symantec Endpoint Protection client”; it contained what I needed to advance in this research.

“The Host Integrity is performed on the agent machine by a JavaScript file included in the policies downloaded from the policy manager. Normally this script is deleted once Host Integrity is done, but by setting this registry key the file is not deleted. Then you can review the script for troubleshooting. The Host Integrity script file AVScript.js can now be found in the Symantec Endpoint Protection folder once Host Integrity has run.”
How to debug the Symantec Endpoint Protection client

After applying the necessary modification to the registry and relaunching the “Host Integrity Scan” from the SEP console.

So basically every time the host integrity check is triggered, the “cscript.exe” process is launched to execute a JavaScript file containing all the constraints and policy verification.

Once the file was in hand, I began my analysis to understand what’s going on behind the scenes. The file starts by declaring a lot of variables and functions, but the main function is called “HIMain”, which will initialize some variables and execute some checks. The first checks that it executes are related to the arguments passed to the JS file itself.
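Because the cscript.exe process exits within seconds and its script is deleted afterwards, the command line recorded at process creation is the durable record of each Host Integrity run. The sketch below is an added example, not code from the original post or from Symantec: it pulls the script path and job name out of process-creation events and marks launches that use the “AgentHIScript” job name without matching a local baseline. Field names follow Sysmon's process-creation event; the sample command lines, the folder and the agent executable name are constructed placeholders to be replaced with values observed in your own environment.

```python
import ntpath
import re

# Constructed events; field names follow Sysmon process-creation (Event ID 1).
# Paths, arguments and the parent name are placeholders, not values from the post.
AGENT_DIR = "C:\\SEP-PLACEHOLDER\\"
AGENT_EXE = AGENT_DIR + "agent-placeholder.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
SAMPLE_EVENTS = [
    {"Image": CSCRIPT, "ParentImage": AGENT_EXE,
     "CommandLine": 'cscript.exe //Job:AgentHIScript "%sAVScript.js" arg1' % AGENT_DIR},
    {"Image": CSCRIPT, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //Job:AgentHIScript C:\Users\Public\AVScript.js"},
    {"Image": CSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.js"},
]

JOB_RE = re.compile(r'Job:([^\s"]+)', re.IGNORECASE)
# Quoted path (may contain spaces) or a bare token ending in .js
SCRIPT_RE = re.compile(r'"([^"]+\.js)"|(\S+\.js)(?=\s|$)', re.IGNORECASE)

def parse_cscript(event):
    """Return job name, script path and parent for a cscript.exe launch, else None."""
    if ntpath.basename(event["Image"]).lower() != "cscript.exe":
        return None
    job = JOB_RE.search(event["CommandLine"])
    script = SCRIPT_RE.search(event["CommandLine"])
    return {"job": job.group(1) if job else None,
            "script": (script.group(1) or script.group(2)) if script else None,
            "parent": event["ParentImage"]}

def triage(events, agent_exe=AGENT_EXE, agent_dir=AGENT_DIR):
    """Label each cscript.exe launch against the baseline parent and script folder."""
    out = []
    for ev in events:
        rec = parse_cscript(ev)
        if rec is None:
            continue
        is_hi_job = (rec["job"] or "").lower() == "agenthiscript"
        from_agent = rec["parent"].lower() == agent_exe.lower()
        in_agent_dir = (rec["script"] or "").lower().startswith(agent_dir.lower())
        if is_hi_job and from_agent and in_agent_dir:
            rec["label"] = "host-integrity"
        elif is_hi_job:
            rec["label"] = "review"  # HI job name, but unexpected parent or script location
        else:
            rec["label"] = "other-cscript"
        out.append(rec)
    return out
```
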












