Endpoint Protection


About the new SymHelp tool for SEP 12.1RU2 

Feb 25, 2013 01:22 PM

I. The Tool

SymHelp (Symantec Help) is the new troubleshooting tool that replaces the legacy Symantec Support Tool.

You will find the tool on the SEP 12.1 RU2 installation CD; the version included there is 2.1.1.74. The latest version available from Symantec at the time of writing is 2.1.7.95. SymHelp is revised quite often (sometimes several times a month), so if possible use the latest version from Symantec. You can download it from http://www.symantec.com/docs/TECH170752, or from the SEP client GUI via Help -> Download Support Tool, which redirects to that same article.

The tool is used to troubleshoot SEP clients and the SEPM server, but not only those; it also supports the following Symantec programs:

Note: This version of SymHelp can be run on SEP 12.1 RU2 as well as on all previous versions. The older Symantec Support Tool is compatible only with SEP 11.x and the 12.1 versions prior to RU2; if you try to run it on a SEP 12.1 RU2 installation it fails with the following error:

If the machine has an internet connection, the tool checks for an update from Symantec every time it runs; if one is available it is downloaded automatically and replaces the SymHelp.exe executable. The tool also requires .NET to be installed on the machine; on Windows 8 or Windows Server 2012, .NET 3 or higher is required. If .NET is not installed, the tool prompts for its installation.
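Because the auto-update silently replaces SymHelp.exe with whatever was downloaded, it is worth confirming, before running a freshly updated copy, that the binary is still signed by the vendor, that its version is at least the one you expect, and that the .NET runtime is present. The following PowerShell is an added example written for this article, not code from SymHelp or Symantec; the path C:\Tools\SymHelp.exe, the minimum version 2.1.7.95 (the latest version cited above) and the "Symantec" substring expected in the signer subject are assumptions to adjust for your environment.

```powershell
# Added example, not SymHelp/Symantec code: sanity-check a SymHelp.exe copy
# (version, Authenticode signature, .NET presence) before running it.
# Assumptions: the path, minimum version and expected signer below.
$SymHelpPath    = 'C:\Tools\SymHelp.exe'   # assumed location of the tool
$MinimumVersion = [version]'2.1.7.95'      # latest version cited in the article
$ExpectedSigner = 'Symantec'               # substring expected in the signer subject

function Get-DotNetVersionsInstalled {
    # Registry keys written by the .NET Framework installers; Install=1 means present.
    $keys = @{
        'v3.5'    = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
        'v4 Full' = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    }
    $found = @()
    foreach ($name in $keys.Keys) {
        $item = Get-ItemProperty -Path $keys[$name] -ErrorAction SilentlyContinue
        if ($item -and $item.Install -eq 1) { $found += $name }
    }
    return $found
}

function Test-SymHelpBinary {
    param(
        [string]$Path = $SymHelpPath,
        [version]$MinVersion = $MinimumVersion,
        [string]$Signer = $ExpectedSigner
    )
    $result = New-Object PSObject -Property @{
        Path = $Path; FileVersion = $null; VersionOk = $false
        SignatureStatus = 'NotChecked'; SignerSubject = ''; SignatureOk = $false
        DotNet = @(); Ok = $false
    }
    if (-not (Test-Path -LiteralPath $Path)) { $result.SignatureStatus = 'FileNotFound'; return $result }

    # Build the version from the numeric parts of the PE version resource and compare
    # as [version], so that e.g. 2.1.10.x correctly sorts after 2.1.7.x.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $result.FileVersion = New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $result.VersionOk = $result.FileVersion -ge $MinVersion

    # Authenticode check: the chain must validate ('Valid') and the leaf certificate
    # must belong to the expected publisher. Anything else (NotSigned, HashMismatch,
    # NotTrusted) means the auto-updated file should not be trusted as-is.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = [string]$sig.Status
    if ($sig.SignerCertificate) { $result.SignerSubject = $sig.SignerCertificate.Subject }
    $result.SignatureOk = ($sig.Status -eq 'Valid') -and ($result.SignerSubject -like "*$Signer*")

    $result.DotNet = @(Get-DotNetVersionsInstalled)
    $result.Ok = $result.VersionOk -and $result.SignatureOk -and ($result.DotNet.Count -gt 0)
    return $result
}

Test-SymHelpBinary | Format-List Path, FileVersion, VersionOk, SignatureStatus, SignerSubject, SignatureOk, DotNet, Ok
```

A HashMismatch or NotSigned status on a file that was valid yesterday is the case to stop on: it means the update mechanism delivered something other than the vendor-signed build, and the copy should be replaced from the KB download rather than run.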

 

II. The Options

After accepting the EULA you will see the Home page of SymHelp. From here we can select the Symantec products we want the report run for, as well as the type of scan.

The main SymHelp GUI also provides the following Support Resources:

- Search Knowledge Base - a general selection for all products takes us to the product selection page (http://www.symantec.com/business/support/index?page=products), or we can specify a certain product at this stage.

- Browse Forums - likewise, we can opt for all products, which takes us to the Symantec Connect home page (https://www-secure.symantec.com/connect), or choose a specific product forum.

- Open a Case Online - takes us to the logon page of the MySymantec portal:

https://my.symantec.com/webapp/faces/login?appParam=support

- Contact Technical Support - opens http://www.symantec.com/support/techsupp_contact_phone.jsp

- Contact Customer Care - http://www.symantec.com/support/assistance_care.jsp

 

Additionally, for reference, there is a System Usage section that shows current memory and CPU utilisation as well as how much disk space is free on local or networked drives.

 

Before running the tool we need to select the product scan type; this can be one or more of the following:

- Health check - scans installed products and tries to identify known issues

- Best practices - scans the configuration for compliance with best-practice guidelines

- Pre-install check - scans system readiness for product installation, including a check of the system requirements

- Full data collection for support

 

There are two more independent selections available under the "Run Threat Analysis Tools" section; these are tools used for identifying suspicious files and threats:

  •  Symantec Power Eraser

The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system.

The Symantec Power Eraser GUI gives us the following options:

- Scan for Risks - "Include a Rootkit Scan" is additionally available for selection; this requires a reboot

- History - where we can check the results of previous Power Eraser sessions; files that were previously detected can also be recovered from here

- Settings - enables the "Include a Rootkit Scan" option and the network configuration.

 

Reference:

http://www.symantec.com/theme.jsp?themeid=spe-user-guide

 

  •  Symantec Load Point Analysis

Load Point Analysis examines files that launch from known locations on the drive and in the registry (which locations depends on the OS) in order to find files that are unlikely to be genuine executables and may pose a threat to the system. Those files are then checked against the online Symantec reputation database and given a score that may classify them as unknown files or as a potential threat.

SymHelp gives us the following scan settings here:

- Scan Load Points, Running Processes and Common Directories -> selected by default

- Scan Program File Directories

- Scan additional files and directories

We can select these additional locations from Symantec Load Point Analysis -> Settings -> Options. Here we also find several options for network configuration: automatic configuration from IE, a configuration script, or a specified proxy server.

 

After the Load Point scan is finished we are presented with a final report on the following:

- Number of files the analysis was performed on

- Number of files verified as good using their digital signature

- Number of files verified as good using the Symantec reputation database

- Number of files verified as bad using the Symantec reputation database

- Number of files that needed an additional check

* The report shows the number of files that should be manually verified by sending them to Symantec Security Response; here we also have an option to copy these files to a local folder.

* The Files tab also contains the list of files for manual verification. The Processes tab shows all running processes along with their reputation score and the path to the file.

* Load Point Analysis by default checks for any existing autorun.inf files on local or networked drives.

 

Reference:

http://www.symantec.com/docs/TECH141402

http://www.symantec.com/docs/TECH96291
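To make the Load Point Analysis description above concrete, here is a local sweep of the same kind of locations (Run/RunOnce keys, Startup folders, service image paths, plus autorun.inf on fixed and network drives) that reports the Authenticode status of every launched executable. This is an added example written for this article, not SymHelp's own code; it reproduces only the digital-signature half of what LPA does and makes no reputation (Insight) lookup. The registry keys and folder names are the standard Windows load points, and the list is not exhaustive.

```powershell
# Added example, not SymHelp/Symantec code: a local sweep of common Windows load
# points (Run/RunOnce keys, Startup folders, service image paths) that reports the
# Authenticode status of every launched executable, plus autorun.inf files on
# fixed and network drives. Only the signature half of Load Point Analysis is
# reproduced; the Symantec reputation lookup is not.

function Get-ExecutablePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Vendor\app.exe" /silent   or   C:\Windows\svc.exe -k foo
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')   # unquoted path followed by arguments
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-LoadPointEntries {
    $entries = @()
    # 1. Run / RunOnce keys (machine, 32-bit view on x64, and current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider ...
            $entries += New-Object PSObject -Property @{ LoadPoint = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
    # 2. Per-user and all-users Startup folders; shortcuts are resolved to their target.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $dir | Where-Object { -not $_.PSIsContainer })) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') {
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
            }
            $entries += New-Object PSObject -Property @{ LoadPoint = "Startup\$($f.Name)"; Command = $target }
        }
    }
    # 3. Win32 services, using the image path registered with the Service Control Manager.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $entries += New-Object PSObject -Property @{ LoadPoint = "Service\$($svc.Name)"; Command = $svc.PathName }
    }
    return $entries
}

function Test-LoadPoints {
    $results = @()
    foreach ($e in Get-LoadPointEntries) {
        $exe = Get-ExecutablePath $e.Command
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $signer = ''
        if (-not (Test-Path -LiteralPath $exe)) {
            $status = 'FileMissing'          # dangling load point: worth a look on its own
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = [string]$sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $results += New-Object PSObject -Property @{ LoadPoint = $e.LoadPoint; Path = $exe; Signature = $status; Signer = $signer }
    }
    return $results
}

function Get-AutorunInf {
    # Win32_LogicalDisk DriveType 3 = local disk, 4 = network drive.
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 3 -or $_.DriveType -eq 4 } |
        ForEach-Object { $p = "$($_.DeviceID)\autorun.inf"; if (Test-Path -LiteralPath $p) { $p } }
}

# Anything that is not 'Valid' deserves manual review; 'NotSigned' on a startup
# entry under a user-writable path is the classic thing to look at first.
Test-LoadPoints | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Signature | Format-Table -AutoSize LoadPoint, Signature, Path
Get-AutorunInf
```

Unsigned is not the same as malicious (plenty of legitimate in-house tools are unsigned), which is exactly why LPA adds the reputation score on top of the signature check; the output of this sweep is the shortlist to submit for manual verification, not a verdict.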

 

--- A few notes and considerations on the SymHelp selection types:

* Health check and Best practices scans can only be chosen for already installed products. If you have chosen a Symantec product that is not yet installed, these two options are greyed out.

* Pre-install check scans the system only for the installation requirements of the SEP 12.1 client, for local and remote installation. The results of the scan are then displayed in the Reports section as:

- System meets the requirements for SEP 12.1: Local install

- System meets the requirements for SEP 12.1: Remote install

* If Symantec Support asks for a SymHelp report, please run it with the "Full data collection for support" option; this includes all the necessary information along with the SEP/SEPM logs needed for investigation and troubleshooting. Providing Symantec Support with only a Health check or Best practices scan gives only an initial insight into the configuration and may not be enough for troubleshooting purposes.

* When collecting Load Point Analysis data for support, remember to also check the option "Collect SEP data for Symantec Support Case".

 

--- Saving the report:

After all the scans are completed we can save the report from the "Save" tab. There is currently no way to change the name of the report file; by default it is computername_date_time.sdbz. We can, however, choose the target directory. There is also an option "Save and send to Symantec Support"; please note that using this option does not automatically open a case with Symantec Support. When saving the report this way, always inform the support team that the report has been sent using this option.

 

III. Additional switches / SymHelp from command prompt

SymHelp can also be executed directly from the command prompt, and several switches are available for additional debugging and user visibility. These are the available symhelp.exe switches:

 

* SymHelp with advanced debugging:

Starting SymHelp from the command line with the -wizprod switch gives us more options for setting up advanced debugging and reproducing the issue while the report is being collected.

We can enable the default debug level simply by selecting Debug - Enabled (this can also be done with a command-line switch). Choosing the Advanced Debug option presents a new window with additional selections, including:

- SNAC debugging

- SEP Debug

- SEP sylink debugging

- WPP logging

...after clicking "Next" the tool informs us that debugging has been enabled (in the registry) and we can reproduce the issue; after that, click "Next" for debugging to be turned off and the report to be collected.

[Note]: the -deepdata switch previously used in the Symantec Support Tool to gather advanced WPP debugging no longer exists in SymHelp. WPP debug data can be collected by running symhelp.exe -wizprod and enabling that kind of debugging from the GUI.

 

IV. The Report

Depending on the selected scans it takes a couple of minutes or more to generate the report. (Please note that for the purpose of this article I focus mainly on the information gathered when troubleshooting SEP and SEPM installations, without covering the several other products that SymHelp can scan.) After the report is completed we are given the following tabs for preview:

 

1. Home - general information about the scan status and the selected product; the screen shown here differs slightly depending on whether we open the tab directly after the scan finished or open a previously saved report from disk. When opening a previously saved report, the option to run a new scan is no longer available; a restart of the tool is necessary to scan again.

 

2. Report - this section is split into 5 tabs as follows:

- Error - "This tab displays reports that resulted in an error status. An error status indicates that an issue has been detected and requires further examination and/or action."

- Warning - "This tab displays reports that resulted in a warning status. A warning status indicates that a possible issue exists. Further action may or may not be required depending on factors that the report cannot determine."

- Missing data - "This tab displays reports that could not examine all the data needed in order to yield a report status. If one test failed to access required data this will determine the status of the report as Missing data."

- Ok - "This tab displays reports that resulted in a status of Ok. An Ok status indicates that the issue being tested for was not found and no action is required."

- All - "This tab displays all the reports for a given product regardless of status. If a specific report is known and its results sought after, it may be quicker to find the report under this tab rather than to look under each of the status specific tabs."

 

We can adjust the product selection on the left side of the GUI in case several products were chosen for the SymHelp report and we want to see only the results for one specific product.

The reports contain both text and hyperlinks to Symantec KB articles where such are available for the problems encountered. More details on each report are found by expanding the Details section.

Some examples of the most common reports we can find in the Reports section:

 

  • SEP Client examples:

 

  • Symantec Endpoint Protection drivers and services need attention

Reference for solution:

Are the Symantec Endpoint Protection drivers loaded and services running?

http://www.symantec.com/docs/TECH92415

  • Security advisories for Symantec Endpoint Protection Client

 

  • The latest version of Symantec Endpoint Protection Client is installed - if the installed version is not the latest, the links provided include the revisions newer than the one installed.

 

Reference for solution:

Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control

http://www.symantec.com/docs/TECH103088

Release Notes for Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, Symantec Network Access Control 12.1

http://www.symantec.com/docs/DOC4332

  • Client to Manager communications are [not] working

Reference for solution:

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/docs/TECH105894

  • Windows Firewall Configuration

Reference for solution:

Symantec Endpoint Protection clients do not communicate properly with the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102803

  • Definitions corruption checks - report the currently used revision, and check for corrupted and missing definition files:

  • SEP 12.1 Virus Definitions are not corrupt
  • SEP 12.1 BASH Definitions are not corrupt
  • SEP 12.1 Submission Control Data Definitions are not corrupt
  • SEP 12.1 IPS Definitions are not corrupt
  • SEP 12.1 Iron Revocation Definitions are not corrupt
  • SEP 12.1 Iron Settings Definitions are not corrupt
  • SEP 12.1 Iron White List Definitions are not corrupt
  • SEP 12.1.2000+ Extended File Attributes Verify Trust Definitions are not corrupt
  • SEP 12.1.2000+ SRT SP Settings Definitions are not corrupt

Reference for solution:

Potential Symantec Endpoint Protection content definition corruption

http://www.symantec.com/docs/TECH92043

  • System meets the requirements for Symantec Endpoint Protection 12.1: Local install

Reference for the included links from the detailed view:

Does the computer need to be restarted?

http://www.symantec.com/docs/TECH92413

Does the current user have local administrator rights?

http://www.symantec.com/docs/TECH91646

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

 

Reference for solution:

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1

http://www.symantec.com/docs/TECH163806

  • System meets the requirements for Symantec Endpoint Protection 12.1: Remote install

Reference for the included links from the detailed view:

Is the Remote Registry Service enabled?

http://www.symantec.com/docs/TECH201331

Is the Server service started?

http://www.symantec.com/docs/TECH106150

Are the C$, ADMIN$, and IPC$ shares available?

http://www.symantec.com/docs/TECH91905

About the Find Unmanaged Computers function in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102582

Error: "No Network Provider accepted the given the network path"

http://www.symantec.com/docs/TECH102904

Is the Microsoft Windows Firewall blocking port 445?

http://www.symantec.com/docs/TECH106142

Does the computer need to be restarted?

http://www.symantec.com/docs/TECH92413

Is the local security setting 'Sharing and security model for local accounts' set to Guest Only?

http://www.symantec.com/docs/TECH106144

Is User Account Control enabled on the client?

http://www.symantec.com/docs/TECH9190

Does the Administrator account have a password?

http://www.symantec.com/docs/TECH106143

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

 

Reference for solution:

Best practices for upgrading to Symantec Endpoint Protection 12.1.2

http://www.symantec.com/docs/TECH163700
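The remote-install readiness tests listed above (the same ones the pre-install check in section II reports on) can be reproduced locally on a target client. The following PowerShell is an added example written for this article, not SymHelp's own code. It assumes an elevated PowerShell session on the client, uses only built-in cmdlets and the Windows Firewall COM API, and goes slightly beyond the page by also reading LocalAccountTokenFilterPolicy, which is the usual remedy when the UAC test flags a workgroup client; the "Does the Administrator account have a password?" test is not reproduced.

```powershell
# Added example, not SymHelp/Symantec code: run the readiness tests that the
# SEP 12.1 pre-install check reports on for a remote (push) install, locally on
# the target client, with built-in cmdlets. Run from an elevated PowerShell.
# The "Administrator account has a password" test is not reproduced here.

function Get-ServiceInfo { param([string]$Name)
    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" }

function Get-RegValue { param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null } }

function New-Check { param([string]$Name, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail } }

function Test-Port445AllowedInbound {
    # Windows Firewall COM API. The push install reaches the admin shares over SMB,
    # so an enabled inbound ALLOW rule for TCP 445 must apply to the active profile.
    # Constants: NET_FW_RULE_DIR_IN = 1, NET_FW_ACTION_ALLOW = 1, NET_FW_IP_PROTOCOL_TCP = 6.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $fw.CurrentProfileTypes                     # bitmask: 1 domain, 2 private, 4 public
    $fwOn = $false
    foreach ($p in 1, 2, 4) { if (($active -band $p) -and $fw.FirewallEnabled($p)) { $fwOn = $true } }
    if (-not $fwOn) { return $true }                      # firewall off on the active profile(s)
    $allow = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.Protocol -eq 6 -and
        (($_.Profiles -band $active) -ne 0) -and
        ((($_.LocalPorts -split ',') -contains '445') -or ($_.LocalPorts -eq '*'))
    })
    return $allow.Count -gt 0
}

function Test-PendingReboot {
    # Well-known reboot flags written by servicing, Windows Update and installers.
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu   = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'PendingFileRenameOperations'
    return ($cbs -or $wu -or ($null -ne $pfro))
}

function Test-RemoteInstallReadiness {
    $checks = @()

    $rr = Get-ServiceInfo 'RemoteRegistry'
    $checks += New-Check 'Remote Registry service enabled and running' `
        (($null -ne $rr) -and ($rr.StartMode -ne 'Disabled') -and ($rr.State -eq 'Running')) "$($rr.State), $($rr.StartMode)"

    $srv = Get-ServiceInfo 'LanmanServer'
    $checks += New-Check 'Server service running' (($null -ne $srv) -and ($srv.State -eq 'Running')) "$($srv.State)"

    $msi = Get-ServiceInfo 'msiserver'
    $checks += New-Check 'Windows Installer service not disabled' (($null -ne $msi) -and ($msi.StartMode -ne 'Disabled')) "$($msi.StartMode)"

    $shares  = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $missing = @('C$', 'ADMIN$', 'IPC$' | Where-Object { $shares -notcontains $_ })
    $checks += New-Check 'C$, ADMIN$ and IPC$ shares available' ($missing.Count -eq 0) ("missing: " + ($missing -join ', '))

    # Workgroup clients: forceguest=1 ("Guest only") maps every network logon to Guest,
    # so the installer's administrative credentials never reach the admin shares.
    $forceGuest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'forceguest'
    $checks += New-Check "'Sharing and security model' not set to Guest only" ($forceGuest -ne 1) "forceguest=$forceGuest"

    # UAC filters the token of local (non-domain) administrators on network logons;
    # LocalAccountTokenFilterPolicy=1 switches that filtering off. This value is not
    # mentioned in the article; it is the usual remedy when the UAC test flags a client.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua    = Get-RegValue $policy 'EnableLUA'
    $latfp  = Get-RegValue $policy 'LocalAccountTokenFilterPolicy'
    $checks += New-Check 'UAC not blocking remote admin with local accounts' (($lua -ne 1) -or ($latfp -eq 1)) "EnableLUA=$lua LocalAccountTokenFilterPolicy=$latfp"

    $checks += New-Check 'Inbound TCP 445 allowed by Windows Firewall' (Test-Port445AllowedInbound) ''
    $checks += New-Check 'No reboot pending' (-not (Test-PendingReboot)) ''
    return $checks
}

Test-RemoteInstallReadiness | Format-Table -AutoSize Check, Pass, Detail
```

Each row maps to one of the KB questions above, so a failed row points straight at the article to read. Note that the forceguest and UAC rows only matter for workgroup clients pushed with a local account; for domain-joined clients pushed with a domain administrator, neither setting gets in the way.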

  • SEPM Server examples:

 

  • Symantec Embedded Database service needs attention

Reference for solution:

Is the embedded database service running?

http://www.symantec.com/docs/TECH106152

  • The Symantec Endpoint Protection Console is [not] using its configured ports

Reference for solution:

Which Communications Ports does Symantec Endpoint Protection use?

http://www.symantec.com/docs/TECH163787

 

  • System does [not] meet the recommendations for Symantec Endpoint Protection Manager 12.1

Reference for the included links from the detailed view:

Is the local security setting 'Sharing and security model for local accounts' set to Guest Only?

http://www.symantec.com/docs/TECH106144

Does the current user have local administrator rights?

http://www.symantec.com/docs/TECH91646

Is User Account Control enabled on the client?

http://www.symantec.com/docs/TECH91902

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

Which communications ports does Symantec Endpoint Protection use?

http://www.symantec.com/business/support/index?page=content&id=TECH163787

 

Reference for solution:

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1

http://www.symantec.com/docs/TECH163806

 

  • The latest version of Symantec Endpoint Protection Manager is [not] installed

Reference for solution:

Obtaining the latest version of Endpoint Protection or Network Access Control

http://www.symantec.com/docs/TECH103088

Release notes for Symantec Endpoint Protection 12.1.x

http://www.symantec.com/docs/DOC4332

  • Symantec Endpoint Protection Manager drivers and services are [not] running

Reference for solution:

Are the Symantec Endpoint Protection drivers loaded and services running?

http://www.symantec.com/docs/TECH92415

  • Security advisories for Symantec Endpoint Protection

Reference for solution:

Depending on the advisories found

  • The Symantec Endpoint Protection Manager communications tests have all passed

Reference for solution to:

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/business/support/index?page=content&id=TECH105894

  • There is no client install package configuration issue detected

 

3. SPE (Symantec Power Eraser) - if the SPE scan was run

4. LPA (Load Point Analysis) - if this scan was run

5. Information - the Information section presents the following data:

 

* General:

a) Summary - general information about the system: the date and time of log collection, timezone, user and domain, physical memory on the machine, CPU model, IPv4 and IPv6 configuration, as well as local drive information

b) Customer - customer information as provided when saving the report. This section includes the issue description, which is also provided on the Save tab.

c) Installed Symantec Products

 

* SEP Client specific information:

a) SEP Client Summary:

- Version of the SEP client

- Type of the SEP Software (Enterprise/Small Business)

- Install date of SEP software

- Servers according to sylink.xml - provides a full listing of the SEPM servers available to the SEP client

 

b) Policy:

- Client Group as per policy

- Location

- Location awareness -> 1 if enabled, 0 if disabled

- Client Control mode -> Server (1) for Server control mode; Server (0) for Client Control Mode

- Policy Serial Number

 

c) Communications:

- Last heartbeat

- Heartbeat result

- Connection status to SEPM

- Last attempted connection

- Last successful connection

 

d) Exceptions -> listing of configured centralized and user exceptions

e) File Versions -> contains version information for some of the SEP components, such as Symevent, the Auto-Protect User Mode Interface or LiveUpdate.

f) Definitions -> lists installed definitions with revision date information. The following definitions are covered:

Virus Definitions 12.1.x -> SRTSP
Proactive Threat Protection -> BASH
Intrusion Prevention -> Internet Security
Insight -> ccSubSDK_SCD
Insight -> IronRevocation
Insight -> IronSettings
Insight -> IronWhitelist
Extended File Attributes -> SymEFA
SRT SP Settings -> SRTSPSettings

 

g) Features -> listing of installed/enabled features along with the MSI feature name and install state:

  • example:

    Feature                                MSI Feature name   Install state
    Application and Device Control         DCMain             Installed
    Firewall Protection                    Firewall           Installed
    Intrusion Protection                   ITPMain            Installed
    Network Threat Protection              NTPMain            Installed
    Notes Scanner                          NotesSnapin        Installed
    Outlook Scanner                        OutlookSnapin      Installed
    Pop3/SMTP Scanner                      Pop3Smtp           NotInstalled
    Proactive Threat Protection Truscan    PTPMain            Installed
    Sonar Protection                       TruScan            Installed
    Virus and Spyware Protection           SAVMain            Installed
    Download Insight                                          Installed

 

 

* SEPM specific information:

a) SEPM Summary gives us the SEPM version in use.

b) Database configuration - information about the DB type, host and username

c) Ports - list of ports used by SEPM communications, along with each port's current state:

 

6. Best practices - for the Best practices scan type, the report is split into the following tabs:

- Not recommended -"This tab displays reports that resulted in a Not Recommended status. A Not Recommended indicates that the system's configuration is counter to best practice standards and will likely have consequences that should be considered."

- Not compliant - "This tab displays reports that resulted in a Not Compliant status. A Not Compliant status indicates that the system's configuration is not according to best practice and might potentially have unwanted consequences. This status is less severe than a status of Not Recommended."

- Missing data - "This tab displays reports that could not examine all the data needed in order to yield a report status. If one test failed to access required data this will determine the status of the report as Missing data."

- Compliant - "This tab displays reports that resulted in a status of Compliant. A Compliant status indicates that the system is configured according to best practice standards."

- All - "This tab displays all the reports for a given product regardless of status. If a specific report is known and its results sought after, it may be quicker to find the report under this tab rather than to look under each of the status specific tabs."

 

Some common examples we can find in the Best practices section:

 

 

V. References:

 

  1. Symantec Support Tool:

  • About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool
    Article: TECH96291    http://www.symantec.com/docs/TECH96291

  • The Symantec Endpoint Protection Support Tool
    Article: TECH105414   http://www.symantec.com/docs/TECH105414

  • About the Symantec Endpoint Protection Support Tool
    Article: TECH91280    http://www.symantec.com/docs/TECH91280

  • How to run the Symantec Endpoint Protection Support Tool remotely
    Article: HOWTO72599   http://www.symantec.com/docs/HOWTO72599

  • https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

  2. SymHelp Tool:

  • About Symantec Help (SymHelp)
    Article: TECH170735   http://www.symantec.com/docs/TECH170735

  • Symantec Help (SymHelp)
    Article: TECH170752   http://www.symantec.com/docs/TECH170752

  • What command-line parameters are available for use with Symantec Help (SymHelp)?
    Article: TECH170732   http://www.symantec.com/docs/TECH170732

  • Load Point Analysis and Symantec Power Eraser are not available in SymHelp
    Article: TECH201415   http://www.symantec.com/docs/TECH201415

  • Unable to launch or view SymHelp
    Article: HOWTO75989   http://www.symantec.com/docs/HOWTO75989

Comments

Jun 10, 2017 04:58 AM

Great article! Thank you!

In case you have difficulties with remote access rights to perform this diagnostic, the following article can help:

https://support.symantec.com/en_US/article.HOWTO72599.html

All the best.

Patrick

Jul 24, 2015 09:12 AM

New article on this topic now available!

 

Using Today's SymHelp to Combat Today's Threats
https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

Apr 02, 2014 09:53 AM

Very informative, thanks for posting.

Apr 02, 2014 09:49 AM

Just adding an important note: in case SymHelp fails or crashes when running, follow these steps:

How to provide data to Symantec Support when SymHelp won't complete
http://www.symantec.com/docs/TECH203573

Mar 21, 2014 10:13 AM

First of all, I need you to support me to keep on accessing my email vinafuelnew@yahoo.com, which has been closed for a long time too

Mar 21, 2014 04:15 AM

Nice article for a useful tool. Thanks

Mar 11, 2014 05:42 AM

Great job dude. Thumbs up for your nice article. Good luck for the next.

Mar 11, 2014 05:39 AM

The latest release of SymHelp includes enhanced capabilities for threat detection and removal.  For details, please see:

 

About the Threat Analysis Scan
http://www.symantec.com/docs/TECH215550

How to run the Threat Analysis Scan in Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH215519

Many thanks!

Mick

Feb 26, 2014 06:16 PM

Very nice!

One question? 

Within LPA there are sub-options to 'Scan Program File Directories' and 'Scan additional files and directories'.  Likewise in SPE there is the sub-option to 'Scan other user profiles'.  When executing with the -lpa or -spe flags can you also control those same sub-options or does it default to scanning everything?

 

Feb 11, 2014 09:12 AM

"Thumbs up!" Just linking this official article, which has a video on the topic of SPE in SymHelp:

How to run Symantec Power Eraser with the SymHelp utility
Article URL http://www.symantec.com/docs/TECH203683

Jan 21, 2014 07:23 AM

Good article!

Sep 12, 2013 02:01 PM

Very thorough documentation on the tool.  Great job.
