Product Query

Vulnerability Scanner can check for the presence of security software on agents. The following table discusses how Vulnerability Scanner checks security products:

Table 1. Security Products Checked by Vulnerability Scanner


ServerProtect for Windows

Vulnerability Scanner uses RPC endpoint to check if SPNTSVC.exe is running. It returns information including operating system, and Virus Scan Engine, Virus Pattern and product versions. Vulnerability Scanner cannot detect the ServerProtect Information Server or the ServerProtect Management Console.

ServerProtect for Linux

If the target endpoint does not run Windows, Vulnerability Scanner checks if it has ServerProtect for Linux installed by trying to connect to port 14942.

OfficeScan agent

Vulnerability Scanner uses the OfficeScan agent port to check if the OfficeScan agent is installed. It also checks if the TmListen.exe process is running. It retrieves the port number automatically if executed from its default location.

If you launched Vulnerability Scanner on any endpoint other than the OfficeScan server, check and then use the other endpoint's communication port.


Vulnerability Scanner loads the web page http://localhost:port/PortalProtect/index.html to check for product installation.

ScanMail™ for Microsoft Exchange™

Vulnerability Scanner loads the web page http://ipaddress:port/scanmail.html to check for ScanMail installation. By default, ScanMail uses port 16372. If ScanMail uses a different port number, specify the port number. Otherwise, Vulnerability Scanner cannot detect ScanMail.

InterScan™ family

Vulnerability Scanner loads each web page for different products to check for product installation.

  • InterScan Messaging Security Suite 5.x: http://localhost:port/eManager/cgi-bin/eManager.htm

  • InterScan eManager 3.x: http://localhost:port/eManager/cgi-bin/eManager.htm

  • InterScan VirusWall™ 3.x: http://localhost:port/InterScan/cgi-bin/interscan.dll

Trend Micro Internet Security™ (PC-cillin)

Vulnerability Scanner uses port 40116 to check if Trend Micro Internet Security is installed.

McAfee VirusScan ePolicy Orchestrator

Vulnerability Scanner sends a special token to TCP port 8081, the default port of ePolicy Orchestrator for providing connection between the server and agent. The endpoint with this antivirus product replies using a special token type. Vulnerability Scanner cannot detect the standalone McAfee VirusScan.

Norton Antivirus™ Corporate Edition

Vulnerability Scanner sends a special token to UDP port 2967, the default port of Norton Antivirus Corporate Edition RTVScan. The endpoint with this antivirus product replies using a special token type. Since Norton Antivirus Corporate Edition communicates by UDP, the accuracy rate is not guaranteed. Furthermore, network traffic may influence UDP waiting time.

Vulnerability Scanner detects products and computers using the following protocols:

  • RPC: Detects ServerProtect for NT

  • UDP: Detects Norton AntiVirus Corporate Edition clients

  • TCP: Detects McAfee VirusScan ePolicy Orchestrator

  • ICMP: Detects computers by sending ICMP packets

  • HTTP: Detects OfficeScan agents

  • DHCP: If it detects a DHCP request, Vulnerability Scanner checks if antivirus software has already been installed on the requesting endpoint.