Endpoint Protection

Good afternoon,

After wading through numerous threads without finding a solution to my problem i'd thought i'd try making my own post.

My problem is; despite the GUP's being setup. They don't always recieve a full update (judging by file size within the groupupdate folder). sometimes the filesize of a days updating will equate to 1kb. When they do recieve a substantial update the other computers within the subnet do not update.

The facts:

SEPM is 11.0.6300.803

SEP is 11.0.6300.803

We have four offices with only around 70 users. the SEPM is kept at our HQ with the rest of our servers, the other three offices are connected through an MPLS cloud. Due to the lack of bandwidth i decided to set a dedicated XP machine at each office to serve as a GUP.

SEPM Policies

I have tried numerous variations, but the current setup is as follows.

HQ has it's own policy which covers all of our servers and PC's within the HQ. The HQ is set to Push and all the computers/servers within this group update fine.

The other branches have individual polices setup, each policy is set to Pull, with a heartbeat set at 1 hour and randomisation at 5 minutes. these policies are identical except for the GUP details which are specified via a different IP address.

I have download sylink monitor and left it running on the SEPM. I have noticed an error message that keeps cropping up regarding a "host integrity check" being disabled.

When running sylink on a SEP client that isn't a GUP. I've noticed that it doesn't even attempt to connect to the specified GUP IP.

I am probably doing something stupid.

Any help would be appreciated.

Thank you

Ben

SEPM Logs below:

<SSAHostInfo>
<NetworkIdentity UserDomain="ABD.LOCAL" LogonUser="administrator" HostDomain="ABD.local" HostName="proclaim" HostDesc=""/>
<SSAProduct Version="11.0.6300.803"/>
<SSAOS Version="5.2.3790" Desc="Windows Server 2003 family Standard Edition" Type="50659842" ServicePack="Service Pack 2" Language="9"/>
<Processor ProcessorType="x86 Family 6 Model 15 Stepping 6" ProcessorClock="1595" ProcessorNum="4"/>
<Memory Size="3220049920"/>
<Disk Letter="C:\" Size="73394139136"/>
<BIOS Version="PTLTD  - 6040001"/>
<TpmDevice Id="0"/>
<SSAProfile Version="5.0.0" SerialNumber="7CB2-07/12/2011 15:50:54 031"/>
<SSAIDS Version="" SerialNumber=""/>
<SSAUTC Bias="0"/>
<DNSs><DNS Address="192.168.10.202"/><DNS Address="192.168.10.11"/></DNSs>
<SSANICs><SSANIC Ip="192.168.10.25" Mac="00-19-99-1a-59-d0" Gateway="192.168.10.1" SubnetMask="255.255.255.0"/></SSANICs><Firewall OnOff="0" Installed="0"/>
</SSAHostInfo>
<RebootRequired Status="0"></RebootRequired>
<InstalledFeatures><Feature Id ="256"/></InstalledFeatures>
</SSAInfo>

07/13 14:04:54 [1716] <mfn_PostAgentInfo>Volatile op-state damper: 0, Interval passed: 328
07/13 14:04:54 [1716] <mfn_PostAgentInfo>Free memory difference: 84082688, Threshold: 151931895
07/13 14:04:54 [1716] <mfn_PostAgentInfo>Free disk space difference: 1022640128, Threshold: 8224881855
07/13 14:04:54 [1716] <PostEvent>going to post event=EVENT_SYLINK_QUERY_COMMANDSTATUS
07/13 14:04:54 [1716] <PostEvent>done post event=EVENT_SYLINK_QUERY_COMMANDSTATUS, return=0
07/13 14:04:54 [1716] <IndexHeartbeatProc>===UPLOAD STAGE===
07/13 14:04:54 [1716] <PostEvent>going to post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG
07/13 14:04:54 [1716] <PostEvent>done post event=EVENT_SERVER_READY_TO_UPLOAD_EVENT_LOG, return=0
07/13 14:04:54 [1716] <IndexHeartbeatProc>===PREPARE EVENT LOG STAGE===
07/13 14:04:54 [1716] <PrepareEventLog>initialized technology extension processing ok
07/13 14:04:54 [1716] <PrepareEventLog>Allow total logs to send=0
07/13 14:04:54 [1716] <IndexHeartbeatProc>Communication Mode=0(Push Mode)
07/13 14:04:54 [1716] <IndexHeartbeatProc>Enter Push Session
07/13 14:04:54 [1716] <IndexHeartbeatProc>Setting the session timeout on Profile Session (for MaintainPushConnection) to 320000
07/13 14:04:54 [1716] <MaintainPushConnection:>Push Connecton!
07/13 14:04:54 [1716] ************CSN=27443
07/13 14:04:54 [1716] <mfn_MakeGetPushUrl:>Request is: action=128&hostid=EB3B9953C0A80A1900506EFC25CF67AA&chk=7EA2D80A39DDD097F6C3311447175DE5&ck=C77C009B63788C9D75F7330D7AC6F8A7&uchk=5E5382C4276B910EB0C34553AF8D503C&uck=E8CA22C832C662B85C957A5A2BF70ECA&groupid=DEFBEEA6C0A80A19000FBFA2A531B6FB&mode=0&as=27443
07/13 14:04:54 [1716] <MaintainPushConnection:>http://192.168.10.25:8014/secars/secars.dll?h=625C562490F1F075E98BBF9D0C58578FEDDEFBC14FF3560781E23A7EA53D81F712C9D7ECB74D60C65B41D2B9A21B765280997F9A8C1F392631C4E5FBD9B8C58C804D600FFC2F465DD11502869D5A39D650B7D84D6A255A6AF1B5B6FFFA1BDCD780F1A3F75B4F1456D7086A2CA49C6A7A918333B0BB25B62333E4C29C0F504256B5245CD68469C5F24C0E03CA9E0179782E68E13237C55D9301F2D2E84B9675608F760C90072F65071651D63909ECF6270683994D0EC8006659A1780B200810EF4A204A1496A7C96B83D44B0223268F26FF0D92986735143E6C847A760FEC958922097A71194D81D1EDD794959404F6A55EBB0B19D76B924801DC8AABB7C03DF740652CF87631DA05FD8BC291E6FCB6EB
07/13 14:05:12 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:05:12 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:06:14 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:06:14 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:07:16 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:07:16 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:08:18 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:08:18 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:09:20 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:09:20 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:10:15 [1716] AH: (InetWaiting) time out. Timeout period: 320000
07/13 14:10:15 [1716] Throw Internet Exception, Error Code=4294967287;Internet Session Timeout
07/13 14:10:15 [1716] <MaintainPushConnection:>COMPLETED
07/13 14:10:15 [1716] <ScheduleNextUpdate>Manually assigned heartbeat=5 seconds
07/13 14:10:15 [1716] HEARTBEAT: Check Point 8
07/13 14:10:15 [1716] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
07/13 14:10:15 [1716] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
07/13 14:10:15 [1716] <IndexHeartbeatProc>====== IndexHeartbeat Procedure stops at 14:10:15 ======
07/13 14:10:15 [1716] <IndexHeartbeatProc>Set Heartbeat Result= 2
07/13 14:10:15 [1716] <IndexHeartbeatProc>Sylink Comm.Flags: 'Connection Failed' = 0, 'Using Backup Sylink' = 0, 'Using Location Config' = 0
07/13 14:10:15 [1716] Use new configuration
07/13 14:10:15 [1716] HEARTBEAT: Check Point Complete
07/13 14:10:15 [1716] <IndexHeartbeatProc>Done, Heartbeat=5seconds
07/13 14:10:15 [1716] </CSyLink::IndexHeartbeatProc()>
07/13 14:10:15 [1716] <CheckHeartbeatTimer>====== Heartbeat loop stops at 14:10:15 ======
07/13 14:10:21 [1716] <CheckHeartbeatTimer>====== Heartbeat loop starts at 14:10:21 ======
07/13 14:10:22 [1716] <GetOnlineNicInfo>:Netport Count=1
07/13 14:10:22 [1716] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="192.168.10.25" Mac="00-19-99-1a-59-d0" Gateway="192.168.10.1" SubnetMask="255.255.255.0"/></SSANICs>
07/13 14:10:22 [1716] <CalcAgentHashKey>:CH=DEFBEEA6C0A80A19000FBFA2A531B6FB1proclaimABD.localE47F60E70D5F300C45B8BEE2A537209F
07/13 14:10:22 [1716] <CalcAgentHashKey>:CHKey=7EA2D80A39DDD097F6C3311447175DE5
07/13 14:10:22 [1716] <CalcAgentHashKey>:C=DEFBEEA6C0A80A19000FBFA2A531B6FB1proclaimABD.local
07/13 14:10:22 [1716] <CalcAgentHashKey>:CKey=C77C009B63788C9D75F7330D7AC6F8A7
07/13 14:10:22 [1716] <CalcAgentHashKey>:UCH=DEFBEEA6C0A80A19000FBFA2A531B6FB0administratorABD.LOCALproclaimABD.localE47F60E70D5F300C45B8BEE2A537209F
07/13 14:10:22 [1716] <CalcAgentHashKey>:UCHKey=5E5382C4276B910EB0C34553AF8D503C
07/13 14:10:22 [1716] <CalcAgentHashKey>:UC=DEFBEEA6C0A80A19000FBFA2A531B6FB0administratorABD.LOCALproclaimABD.local
07/13 14:10:22 [1716] <CalcAgentHashKey>:UCKey=E8CA22C832C662B85C957A5A2BF70ECA
07/13 14:10:22 [1716] <DoHeartbeat>HardwareID=E47F60E70D5F300C45B8BEE2A537209F
07/13 14:10:22 [1716] <DoHeartbeat>CHKey=7EA2D80A39DDD097F6C3311447175DE5
07/13 14:10:22 [1716] <DoHeartbeat>CKey=C77C009B63788C9D75F7330D7AC6F8A7
07/13 14:10:22 [1716] <DoHeartbeat>UCHKey=5E5382C4276B910EB0C34553AF8D503C
07/13 14:10:22 [1716] <DoHeartbeat>UCKey=E8CA22C832C662B85C957A5A2BF70ECA
07/13 14:10:22 [1716] <DoHeartbeat> Set heartbeat event
07/13 14:10:22 [1716] Use new configuration
07/13 14:10:22 [1716] <CSyLink::IndexHeartbeatProc()>
07/13 14:10:22 [1716] <IndexHeartbeatProc> Got ConfigObject to proceed the operation.. pSylinkConfig: 01C48418
07/13 14:10:22 [1716] <IndexHeartbeatProc>====== Reg Heartbeat loop starts at 14:10:22 ======
07/13 14:10:22 [1712] <CSyLink::mfn_DownloadNow()>
07/13 14:10:22 [1712] </CSyLink::mfn_DownloadNow()>
07/13 14:10:23 [1716] HEARTBEAT: Check Point 1
07/13 14:10:23 [1716] Get First Server!
07/13 14:10:23 [1716] HEARTBEAT: Check Point 2
07/13 14:10:23 [1716] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
07/13 14:10:23 [1716] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
07/13 14:10:23 [1716] HEARTBEAT: Check Point 3
07/13 14:10:23 [1716] <IndexHeartbeatProc>Setting the session timeout on Profile Session to 30000
07/13 14:10:23 [1716] HEARTBEAT: Check Point 4
07/13 14:10:23 [1716] <IndexHeartbeatProc>===Get Index STAGE===
07/13 14:10:23 [1716] ************CSN=27444
07/13 14:10:23 [1716] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=EB3B9953C0A80A1900506EFC25CF67AA&chk=7EA2D80A39DDD097F6C3311447175DE5&ck=C77C009B63788C9D75F7330D7AC6F8A7&uchk=5E5382C4276B910EB0C34553AF8D503C&uck=E8CA22C832C662B85C957A5A2BF70ECA&hid=E47F60E70D5F300C45B8BEE2A537209F&groupid=DEFBEEA6C0A80A19000FBFA2A531B6FB&mode=0&hbt=300&as=27444&cn=[hex]70726F636C61696D&lun=[hex]61646D696E6973747261746F72&udn=[hex]4142442E4C4F43414C
07/13 14:10:23 [1716] <GetIndexFileRequest:>http://192.168.10.25:8014/secars/secars.dll?h=0C380676E418B415AF9B5842B2EB6FA8F79772F566E353D5E6A8F80B2CA73265ABFD2A4E13953F436626C8CEB80C6F7BF3BF6C4FE2C8FE092F6B58BB90863637BE4475EF91BECC1093F8530CA10A4C02882D0B729D72EB1DB45E14FD86C26595C12FBCA3D6F564F5032E6202BBD19B307ADAB7F78354E7FC9C648076472C1E9555965AAB8D31F9D82CE3CB59FA39672CC2556626124F4326B1B0670996535CA8B39F5CF8371A9F56D8064A8C75C7D345EC9802F8F7DDD2019B523286E23E7B44CF5BCA28D5E782A82CE09057D040FB97DAE0531C7886F67836C203E10D39BEA5929B2E26EF8130D1B65B1B63E551B601FEAFE4D4590000CF007ED228235C6EAD45F7CAC7DBF70615DFB1797A902EB95380D8E80004C5E30E61619DF57F750B9B0851A6C123D058DFA619D067D1FD584C94D48B6EC77234CF3CB003141F223420DC33BF450467C91F8DC8C33A206E46F2B665BC6BBD74BB8D49BD0138D9BE0597714B13262354B30B9E64813523C8F533D9EFA74C8C7E76BACEA5ED9EE3545642C7EE82EEFC2E69AFDA6C1A756F421387
07/13 14:10:23 [1716] <GetIndexFileRequest:>SMS return=200
07/13 14:10:23 [1716] <ParseHTTPStatusCode:>200=>200 OK
07/13 14:10:23 [1716] <FindHeader>Sem-HashKey:=>7EA2D80A39DDD097F6C3311447175DE5
07/13 14:10:23 [1716] <GetIndexFileRequest:>Loading the current mode:1
07/13 14:10:23 [1716] <FindHeader>Sem-LANSensor:=>0
07/13 14:10:23 [1716] <FindHeader>Sem-Signatue:=>18425CDB766757A1C2E7043F9ABA1CB2F4FC9B668B59C413BB4EEF6A6F04CA7418E32B621358C2D30C6A030115E28595874D62F3E3F39FFB589048536A21A7B42B239896BBA955C6167B0D9448D01076322C94916B3FD281149D04EF1AD3A8B7A9CF4EC214BAD873C98700F51C1D3EEA31FDF519C708C0634AFB79FF8681197C
07/13 14:10:23 [1716] <mfn_DoGetIndexFile200>Content Lenght => 628
07/13 14:10:23 [1716] SignIf::VerifySignature(data, dataLen, sig, sigLen) => Verification Successful..
07/13 14:10:23 [1716] <mfn_DoGetIndexFile200>Index File: <?xml version="1.0" encoding="UTF-8" ?><GroupIndex SiteID="0EF27E03C0A80A19005CD7F9CEBE7342" ServerID="EFF83DEDC0A80A1901171D9366E9380E" GroupID="7CB28398C0A80A19004B3E4F58BBACF1" GroupCheckSum="842CEA790A323210858413531" LastModifiedTime = "13/07/2011 13:41:25"> <Profile Checksum="25E894A1A1CA89118AC94C0341D35154" SerialNumber="7CB2-07/12/2011 15:50:54 031" LastModifiedTime="12/07/2011  16:04:23"/> <ConfigFile Checksum="77B69319A442AA104DDFE32D627B6A90" LastModifiedTime="11/07/2011  15:33:29"/> <IDSFile Checksum="F4151B76076E4A1C183A0021707C7877" LastModifiedTime="11/07/2011  15:33:30"/> <SylinkFile Checksum="BED61B5A0065C03A7556BD59EC490084" LastModifiedTime="12/07/2011  16:04:23"/> <LSProfile Checksum="21B3199E9EDAAB11C8E81B3E5AFE7E35" SerialNumber ="7CB2-07/12/2011 15:50:54 031" LastModifiedTime ="12/07/2011  16:04:23"/>
 <LiveUpdate>
  <File Checksum="DEFF0A80B2E2933D72A01872B1C1E8C0" DeltaFlag="1" FullSize="130218894" LastModifiedTime="1310560854752" Moniker="{C60DC234-65F9-4674-94AE-62158EFCA433}" Seq="110712033"/>
   <File Checksum="538F8D390BF00B08F270F43AC6EF9064" DeltaFlag="1" FullSize="131976593" LastModifiedTime="1310560503890" Moniker="{1CD85198-26C6-4bac-8C72-5D34B025DE35}" Seq="110712033"/>
 </LiveUpdate>
</GroupIndex>
07/13 14:10:23 [1716] <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
07/13 14:10:23 [1716] <GetIndexFileRequest:>COMPLETED
07/13 14:10:23 [1716] <IndexHeartbeatProc>GetIndexFile handling status: 0
07/13 14:10:23 [1716] <IndexHeartbeatProc>Switch Server flag=0
07/13 14:10:23 [1716] HEARTBEAT: Check Point 5.1
07/13 14:10:23 [1716] <IsInClientIPorOnLink> NextHop is equal to192.168.10.25,return TRUE
07/13 14:10:23 [1716] <mfn_GetOutIP> Out IP is:192.168.10.25
07/13 14:10:23 [1716] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
07/13 14:10:23 [1716] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=20
07/13 14:10:23 [1716] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
07/13 14:10:23 [1716] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
07/13 14:10:23 [1716] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {1CD85198-26C6-4bac-8C72-5D34B025DE35} Seq:110712033
07/13 14:10:23 [1716] <PostEvent>going to post event=EVENT_SERVER_ONLINE
07/13 14:10:23 [1716] <PostEvent>done post event=EVENT_SERVER_ONLINE, return=0
07/13 14:10:23 [1716] <ScheduleNextUpdate>Reset Heartbeat factor index, hearbeat=300 seconds
07/13 14:10:23 [1716] HEARTBEAT: Check Point 6
07/13 14:10:23 [1716] <mfn_PostAgentInfo>===REQUESTING PLUG-IN OP-STATE: AVMan
07/13 14:10:23 [1716] <mfn_PostAgentInfo>===REQUESTING PLUG-IN OP-STATE: GUP
07/13 14:10:23 [1716] <mfn_PostAgentInfo>===REQUESTING PLUG-IN OP-STATE: LUMan
07/13 14:10:23 [1716] <mfn_PostAgentInfo>===REQUESTING CMC OP-STATE ===
07/13 14:10:23 [1716] <PostEvent>going to post event=EVENT_SERVER_REQUIRES_CLIENT_SESTATE
07/13 14:10:23 [1716] <PostEvent>done post event=EVENT_SERVER_REQUIRES_CLIENT_SESTATE, return=0
07/13 14:10:23 [1716] ReasonDescForFailure*** = Host Integrity check is disabled.
07/13 14:10:23 [1716] ReasonDescForFailure*** = Host Integrity check is disabled.
07/13 14:10:23 [1716] *** = <SSAInfo NameSpace="rpc" AgentID="EB3B9953C0A80A1900506EFC25CF67AA" ComputerID="93F07811C0A80A1900506EFC094DCA84" HardwareKey="E47F60E70D5F300C45B8BEE2A537209F" GroupID="7CB28398C0A80A19004B3E4F58BBACF1">
<AgentHIInfo Status="3" ReasonCode="105" ReasonDescForFailure="Host Integrity check is disabled."/>

Hello,

Host Integrity is pointing to SNAC. I believe, you do not have SNAC installed, correct?

Upon checking the Logs, we found:

07/13 14:10:15 [1716] AH: (InetWaiting) time out. Timeout period: 320000

07/13 14:10:15 [1716] Throw Internet Exception, Error Code=4294967287;Internet Session Timeout

07/13 14:10:15 [1716] <MaintainPushConnection:>COMPLETED

Is there a proxy on the server?

Possible Causes: Legacy proxy settings in the registry still persist after environmental changes on client machine.

Solution:

The legacy proxy settings can be removed by performing the following steps:

1.   Open the registry (Start->Run->type "regedit").

2.  Go to

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\connections

3.  Delete the registry keys "DefaultConnectionSettings" and "SavedLegacySettings".

4.  Reboot the machine.

Note:  These registry keys will automatically regenerate after reboot of machine.

Also, this also could be caused due to incorrect proxy server information in the following registry location:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings

Removing the incorrect proxy info from this key and then rebooting allowed the client to communicate normally.

One important thing to keep in mind is that any incorrect proxy information must also be removed from the following two locations as well:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

If the settings are not removed from these two keys, they will repopulate the Internet Settings key after every reboot.

Remove the incorrect proxy information from all 3 registry locations noted above, then reboot.

Is your GUP updated? 

the gup will create a shared folder so that others can take the updates from..

look for that folder and its size ;and also check in the LU policy ; if you have selected the option to bypass GUP if its not reachable and get connect to SEPM ??

from the client are u able to telnet Port 2967 (GUP machine) ?

Thank you for your swift replies.

Mithun Sanghavi,

within the following reg location.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion

I do not have a \connections directory? could this be because it might be group policy managed?

As for SNAC. Im guessing it isn't installed as i have no idea what it is. Are you able to enlighten me?

Thanks!

___________________________

Hi Rafeeq.

The GUP's sometimes update and sometimes they do not. for example, one GUP has a 125mb update for today, the other has a 1kb update. The LU policy prevents the SEP clients from bypassing the GUP.

I will try to telnet the port tomorrow when i'm at the other office.

Thank you again for taking the time to reply to my question.

I just noticed a SNAC service running on the SEPM server. This would indicate that we have SNAC installed. I'll try enabling it.

Right, the connections were group policy managed so i have added SEPM's IP to the ignore list and ran a gupdate /force.

We point the server through a firewall using the proxy settings. the same goes for all clients using SEP. As the GUP's do recieve updates and the SEPs recieve updates when we are not using GUP's i can't see how this would be an issue. although i could be wrong.

any recommendations?

Hello,

SNAC = Symantec Network Access Control, which is a Different product which you need to purchase with the Symantec Endpoint Protection 

Do not Enable or start the SNAC service from services.msc till you have purchased it and have installable for the same.

Enabling Symantec Network Access Control

If you purchased Symantec Endpoint Protection with Symantec Network Access Control, follow these additional steps to enable Symantec Network Access Control.

To enable Symantec Network Access Control

1. If Symantec Endpoint Protection Manager Console is open, close it.
2. Insert the Symantec Network Access Control CD.
3. In the installation panel, click Install Symantec Network Access Control.
4. Click Install Symantec Endpoint Protection Manager.
5. On the Management Server Upgrade dialog, click Next.
6. Click Continue.
7. When the Server Upgrade Status log shows Upgrade Succeeded, click Next.
8. Click Finish.
9. Log on to the Symantec Endpoint Protection Manager console.
10. On the Policies tab, click Host Integrity.
11. In the right pane, click Host Integrity Policy.
12. Under Tasks, click Assign the Policy.
13. In the Assign Host Integrity Policy window, check the group to which you want to assign the policy.
14. Click Assign, and then click Yes to confirm the change.

Symantec Network Access Control is now enabled in Symantec Endpoint Protection Manager and on the clients in the group that you created.

Here are most of the Symantec Forums Solved Threads

1) How to add SNAC to SEPM 11.0.4014.MR4 MP1

https://www-secure.symantec.com/connect/forums/how-add-snac-sepm-1104014mr4-mp1#comment-2095671

2) Symantec SNAC Network Provider

https://www-secure.symantec.com/connect/forums/symantec-snac-network-provider#comment-3796641

3) Best way to install SNAC

https://www-secure.symantec.com/connect/forums/best-way-install-snac

4) SEP to SNAC

https://www-secure.symantec.com/connect/forums/sep-snac#comment-2938461

Hi Mithun Sanghavi,

So do you need SNAC to make use of GUP's?

NO.

You don't need SNAC for GUP to work,

Hello,

After reading your Original comment, you said;

"My problem is; despite the GUP's being setup. They don't always recieve a full update (judging by file size within the groupupdate folder). sometimes the filesize of a days updating will equate to 1kb. When they do recieve a substantial update the other computers within the subnet do not update."

.....

...........

...............

I have download sylink monitor and left it running on the SEPM. I have noticed an error message that keeps cropping up regarding a "host integrity check" being disabled.

When running sylink on a SEP client that isn't a GUP. I've noticed that it doesn't even attempt to connect to the specified GUP IP."

Answers:

1) When you install GUP, clients reporting to the GUP for updates would take delta definitions only.

2) "host integrity check" being disabled comes due to SNAC which is not activated and there are no definitions for the same available. Again, you don't have to worry as SNAC is not installed.

3) How to confirm if Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

Hello,

No, you don't need SNAC for GUP to work.

SNAC is a different component just like AV/AS, Proactive Threat Protection, Network Threat Protection.

Looking at the sylink log I feel that the client does not have the correct policy,

Can you just recheck the policy, and the GUP and clients do they share the same policy?

Thank you for those articles.

one of the sylink logs for one of the branches states the following (this is new as of today):

Request> http://192.168.30.78:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110712033/xdelta110712002.dax

07/13 14:00:18 [3568] <CSyLink::mfn_DownloadNow()>

07/13 14:00:18 [3568] </CSyLink::mfn_DownloadNow()>

07/13 14:01:19 [3568] <CSyLink::mfn_DownloadNow()>

07/13 14:01:19 [3568] </CSyLink::mfn_DownloadNow()>

07/13 14:01:26 [3572] AH: (InetWaiting) time out. Timeout period: 120000

07/13 14:01:26 [3572] Throw Internet Exception, Error Code=4294967287;Internet Session Timeout

_________________________________________________________________________

I have yet to run sylinkmonitor or log on the other branches, i have only just set it up now. I will let it run tonight and check it in the morning.

So SEP clients only take Deltas? do they ignore the Zip?

Thanks for you input Kavin,

Each branch has its own group, each group contains the branch computers (sep clients) and a GUP. so the same LU policy is being applied.

after checking, as i have made so many policy changes, some of the SEP clients do not have the latest policy. However the computer the Sylink log file came from does use the same policy version as the GUP within that group.

I'm starting to go a bit cross eyed

we will need to make sure that the clients and GUP machine shre the same policy, and still if the client is not updated , can you please provide the sylink from the system that has the same policy like GUP and I might be able to provide you better suggestion, also make sure the bandwidht limitation is set to unlimited in the GUP policy.

Hi Kavin,

I will grab a sylink log tomorrow of a machine that shares the same policy version.

I've currently set the bandwidth limit to 40kbs but for testing purposes i will select unlimited.

Cheers.

i have seen this issue with other customers, GUP Bandwidth Throttling has some issues. Configuring it to unlimited resolves the issue. check if the GUP are on RU6 MP3. If not then upgrade them to RU6 MP3.

Hi Robocop.

The GUP's are using the same clients as the rest. 11.0.6300.803. - is this RU6 MP3? Sorry if that's a daft question.

I just looked at last nights sylog file for the branch that a SEP that seems to be contacting the GUP:

HTTP error? issues with IIS perhaps? Or does this mean pointing the traffic through the firewall in the proxy settings could be causing an issue? and if it is causing the problem it doesn't explain how the SEP's in this group updated two days ago. - very strange.

<CHttpConnector::SendRequest()>
07/13 17:37:38 [3572] Request> http://192.168.30.78:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110712033/xdelta110712002.dax
07/13 17:37:56 [3568] <CSyLink::mfn_DownloadNow()>
07/13 17:37:56 [3568] </CSyLink::mfn_DownloadNow()>
07/13 17:38:57 [3568] <CSyLink::mfn_DownloadNow()>
07/13 17:38:57 [3568] </CSyLink::mfn_DownloadNow()>
07/13 17:39:37 [3572] AH: (InetWaiting) time out. Timeout period: 120000
07/13 17:39:37 [3572] Throw Internet Exception, Error Code=4294967287;Internet Session Timeout
07/13 17:39:37 [3572] CInternetException: CHttpConnector::SendRequest:
07/13 17:39:37 [3572] </CHttpConnector::SendRequest()>
07/13 17:39:37 [3572] </CHttpFileDownload::Do()>
07/13 17:39:37 [3572] <LUDownloader::GetContentToFile> completed.
07/13 17:39:37 [3572] <CHttpFileDownload::~CHttpFileDownload()>
07/13 17:39:37 [3572] </CHttpFileDownload::~CHttpFileDownload()>
07/13 17:39:37 [3572] <LUThreadProc>LU file download failed due to HTTP error:0
07/13 17:39:37 [3572] <LUThreadProc> Sufficient disk space available on C:\ to download content {C60DC234-65F9-4674-94AE-62158EFCA433} 110712033

Hi All,

After switching to unlimited, another GUP in a different group recieved a full update. (thank you for that little tip)

"#content#{C60DC234-65F9-4674-94AE-62158EFCA433}#110712033#Full!zip" 125mb. it did seem to slow the network a little bit but only for 5 minutes or so which is fine.

I will crack a sylog on one of the clients within that group today.

Cheers

Quick update.

Just tried a telnet to a gup from our ISA server and it failed to connect. (screenshot attached) The port isn't being blocked through our firewall.

also, in the sylink log i found: LU file download failed due to HTTP error:0 and now on another gup i'm getting an HTTP error 407.

iles\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1107120331.TMP
07/14 10:52:07 [3572] <CHttpFileDownload::CHttpFileDownload()>
07/14 10:52:07 [3572] </CHttpFileDownload::CHttpFileDownload()>
07/14 10:52:07 [3572] <CHttpFileDownload::Do()>
07/14 10:52:07 [3572] <CHttpFileDownload::getRemainingBytesToDownload()>
07/14 10:52:07 [3572] Remaining bytes to download: 130218894
07/14 10:52:07 [3572] </CHttpFileDownload::getRemainingBytesToDownload()>
07/14 10:52:07 [3572] <CHttpConnector::SendRequest()>
07/14 10:52:07 [3572] Request> http://192.168.40.54:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110712033/Full.zip
07/14 10:52:07 [3572] Unable to query return content length for SendRequest, 122
07/14 10:52:07 [3572] </CHttpConnector::SendRequest()>
07/14 10:52:07 [3572] </CHttpFileDownload::Do()>
07/14 10:52:07 [3572] <LUDownloader::GetContentToFile> completed.
07/14 10:52:07 [3572] <CHttpFileDownload::~CHttpFileDownload()>
07/14 10:52:07 [3572] </CHttpFileDownload::~CHttpFileDownload()>
07/14 10:52:07 [3572] <LUThreadProc>LU file download failed due to HTTP error:407
07/14 10:52:07 [3572] <LUThreadProc> Sufficient disk space available on C:\ to download content {C60DC234-65F9-4674-94AE-62158EFCA433} 110712033
07/14 10:52:07 [3572] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint

Would anyone from Symantec technical support be able to dial in to have a look?

Ok

Sorry to keep posting and posting. but we had a little success.

As you can see below, a client updated from a GUP without error. now, we haven't touched anything apart from changing it to unlimited.

Should i just let it rest and see if it sorts itself out now? how is this possible if i am unable to telnet the sepm from the GUP or telnet the GUP from the SEP client?

07/14 10:00:47 [1844] Request> http://192.168.30.78:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/110712033/xdelta110712002.dax

07/14 10:00:47 [1844] Unable to query return content length for SendRequest, 122

07/14 10:00:47 [1844] </CHttpConnector::SendRequest()>

07/14 10:00:47 [1844] <CHttpFileDownload::read()>

07/14 10:00:47 [1844] </CHttpFileDownload::read()>

07/14 10:00:47 [1844] </CHttpFileDownload::Do()>

07/14 10:00:47 [1844] <LUDownloader::GetContentToFile> completed.

07/14 10:00:47 [1844] <CHttpFileDownload::~CHttpFileDownload()>

07/14 10:00:47 [1844] </CHttpFileDownload::~CHttpFileDownload()>

07/14 10:00:47 [1844] <UpdateLUFileList:>Updating existing Download File List with : {C60DC234-65F9-4674-94AE-62158EFCA433}110712033

07/14 10:00:47 [1844] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:110712033 Full version:0 Delta Base Seq:110712002

07/14 10:00:47 [1844] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED

07/14 10:01:24 [1836] <CSyLink::mfn_DownloadNow()>

07/14 10:01:24 [1836] </CSyLink::mfn_DownloadNow()>

07/14 10:02:27 [1836] <CSyLink::mfn_DownloadNow()>

07/14 10:02:27 [1836] </CSyLink::mfn_DownloadNow()>

07/14 10:03:28 [1836] <CSyLink::mfn_DownloadNow()>

07/14 10:03:28 [1836] </CSyLink::mfn_DownloadNow()>

07/14 10:03:51 [1844] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0

07/14 10:03:51 [1844] <ProcessLUDownloadedFile> Download LU file succeeded. FileName: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1107120331107120027.TMP Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Seq: 110712033

07/14 10:03:51 [1844] <LUThreadProc>LU file download succeceded with HTTP status:200 and with return status:0

Hi Mithun,

After all you were correct. being routed through our ISA server through the proxy settings was the cause of the issue.

I can see where you were going with your post now. HTTP 407 was a bit of a give away really. as the local machines do not require this setting i created a new OU on AD and moved the local branch machines into it and removed the proxy setting from the group policy.

also, since changing it to unlimited the GUP's now recieve the updates without issue. 

Thank you for all of your help. Now i just need to fix the problems on ISA.

Cheers