A Symantec Endpoint Protection (SEP) Host Integrity (HI) policy is configured with a large number of rules to check for compliance. When a compliance report is run in the SEP Manager (SEPM) and exported, it is found that some results show "Start" as the return value, instead of "Pass" or "Fail".
The event_data column within the SEPM database's AGENT_SECURITY_LOG_1/2 tables has a varbinary data length limitation of 3,000 bytes. As a result, if there are a large number of HI rules to be processed, the data may be truncated to fit. The SEPM task called SecurityMiningTask will mine the AGENT_SECURITY_LOG_1/2 tables to parse compliance results and insert that information into the SEM_COMPLIANCE_CRITERIA_1/2 tables. If the event_data column has complete information, the parsed data will show correctly within the exported report. However, if this data was truncated due to the 3,000-byte limitation then the last complete rule entry parsed will be recorded.
As an example, below are two different HI rules (denoted by the R="rule name"^S=action) within a AGENT_SECURITY_LOG entry from a SEP client. The first rule you can see has "^S=start" and "^S=pass" entries. However, the second rule has no "^S=pass", "^S=fail" or "^S=error" return value due to truncation.
R="System GUEST account is disabled"^S=start C=file_execute^T="net user meoldguest /active:no"^S=pass C=file_execute^T="net user Guest /active:no"^S=pass R="System GUEST account is disabled"^S=pass
R="Service pack Win7 SP1 or newer is installed"^S=start RT=Service Pack C=service_pack_ok^S=pass^TS=OS ignore R="Service pack Win7 SP1 or newer is installed
This affects reporting only, and does not otherwise affect the functionality of HI rules. To work around the reporting behavior, reduce the number of HI rules, and/or individual checks within the rules, until the compliance report correctly state a "Pass" or "Fail".
Subscribing will provide email updates when this Article is updated. Login is required.