Endpoint Protection

Hello,

We have a problem where a number of our clients are not updating their status in the SEPM. For example, the definition dates in the SEPM show as being out of date or in some cases as not having a definition at all. If we look at the client then it is fully up to date and is showing the symantec shield with a green dot in it.

In some cases we can get up-to-date information form the client by telling it to update content in the SEPM client commands however this does not always work.

Can anyone tell me what is happening here and how to fix it? We are running SEP 11.0.6200

Thanks

does the SEPM console shows the latest contact with SEP i.e. last heartbeat contact of client the latest?

is it happening with only few machines?

hi.

Kindly follow this process and checked

https://www-secure.symantec.com/connect/downloads/image-installation-system-problem

Hello,

Yes, Its only happening to a few clients. Around 50 in a 800 client estate.

The last check-in date and time are updating fine so it seems communication is there but not all data is being updated.

does deleting the client from SEPM console make the client to update it's correct information?
 

can you post the sylink log from one such ( out of 50)client?

I haven't tried deleting a client form the SEPM but I will give that a try now.

Where will I find the Sylink log file?

you need to enable the logging

check this link

http://www.symantec.com/business/support/index?page=content&id=TECH102412

Thanks. I've enabled logging but how long should i leave it before uploading the log to here?

try deleting the HWID. It will be regenerated. This has helped us, though just a workaround, we have to show some improvement ;)

collect it for 15-20 mins after smc restart.

Ok heres the log file. It looks like it hasnt done anythign since i restarted the smc.

Attachment(s)

debug_9.txt   4 KB 1 version

Please check if you have a lot of .DAT/.TMP/.ERR files into SEPM\data\inbox subfolders (especially Agentinfo). If yes, it means clients are reporting their logs to the SEPM, but the manager is not able to process them.

See http://www.symantec.com/docs/TECH154391

Some improvements were made as well in the latest builds regaring DAT files processing (http://www.symantec.com/docs/TECH103087)

This can also appear if you have a lot of clients (few thousands) and your communication mode is set to PUSH (Symantec recommand to switch to PULL mode for big environement, with 1 hour heartbeat interval - http://www.symantec.com/docs/TECH92051):
http://www.symantec.com/docs/TECH94711

Thanks for the reply. In the agentinfo folder I have 21 files. content folder has 174 subfolders ending in .tmp and the rest seem Ok.

We only have 900 clients and we are using pull mode with a 1hr heartbeat.

I've just searched rather than browsing the subfolders and I have 157 err files in there in different subfolders. does this look like there is a problem then?

I've also checked the debug log on the client which i took the original debul log form and this has not updated since i restarted the smc. surely this should have updated by now?

.ERR are log files sent by clients to report their status and that SEPM was not able to process. Therefore, correct information about real client status (definition up-to-date, etc.) might be inside these files and explain why you have out-of-date information in the console.

You can open ERR files with notepad and try to identify which machine it is coming from. There might be some errors in SEPM logs as well that describe what's wrong with such files (you would need to open a ticket with the Support for such troubleshooting).

This can usually appear if you have an older version of SEP client managed by a newer SEPM release.

Try to update the client and see if it helps.

This problem is occur due to defintion file corruption. Kindly find the below link. It will help to clear the corrupted defintion. Try it on one system if it working then try on other

http://www.symantec.com/business/support/index?page=content&id=TECH103176&actp=search&viewlocale=en_US&searchid=1320508122368
 

try the below document if systems are not manage by Server

https://www-secure.symantec.com/connect/downloads/solution-doc-manage-unmanaged-system-sep-1106005

when you referr to client versions are you talking about full releases (i.e. version 10, 11, 12) or incremental releases (I.E Version 11 RU6)

We have an 11.0.6200 server which manages clients running from version 11.0.4 to 11.0.7

Also, what folder should i be looking at for the errors? Does each folder relate to anything specific? most of my errors are in the AVMan folder however theres no computer information within the files. Just random numbers it would seem.

More information...

we've deleted a number of clients form the SEPM and when they are reporting back in they are showing the correct information.

This is obviously a big problem as it is invalidating any security reports we run. what would be causing this and how can we ge tthe information to be updated consistently?

Check if the impacted machines are running SEP 11.0 MR4/RU5. If that's the case, update them to newer release, as it may fix your problem.

We have seen the same behaviour with RU7 clients also.

it is debug log, can you post the sylink.log?

Is this a SQL database setup or embedded database? I've seen this before where a buildup of dat files caused poor reporting. One of the things to check in that case if the version of BCP.EXE, making sure the version matches up with the version of SQL you are using.

Here is a debug log of one of the affected client.

We are using the built in database and not SQL.

Attachment(s)

debug_10.txt   57 KB 1 version

Also, I've just realised that were running clients which are 11.0.7 yet our server is 11.0.6. could this be the problem?

Its clearly not an issue for all our clients however it is for some.