Endpoint Protection

  • 1.  SAVFL agents intermittent reporting to SEPM 12.1 Console

    Posted Mar 28, 2013 10:52 AM

    We’re having a problem with intermittent reporting by SAVFL agents (v1.0.13 and above) to SEPM 12.1.  There are 13 SAVFL agents, but we only see between 3 and 11 of them on Monitors -> Logs at any one time.  And when they do appear, the IP Address is sometimes 0.0.0.0, the virus definitions are usually up to date, and the Last Scan date is always Never.  Our Linux admin assures me the scans are running, but the info doesn’t seem to be making it to the Console.  Has anyone seen this issue before, or have any troubleshooting tips?  Are there any logs/folders/files on the SEPM host that I can check to verify the logs are being received, and what’s in them (I don’t have access to the Linux hosts)?



  • 2.  RE: SAVFL agents intermittent reporting to SEPM 12.1 Console



  • 3.  RE: SAVFL agents intermittent reporting to SEPM 12.1 Console

    Posted Mar 28, 2013 11:52 AM

    What version of SEP are you running?  This was meant to be fixed in 12.1RU2 as per the release notes:

    http://www.symantec.com/docs/TECH199676

     

    For Symantec AntiVirus for Linux client reports do not reflect current information
    Fix ID: 2855262
    Symptom: For Symantec AntiVirus for Linux client reports, the "Last Scan Time" is never updated, and always shows "Never" in the computer status logs.
    Solution: Changed to update last scan time when processing security log from Symantec AntiVirus for Linux clients.


  • 4.  RE: SAVFL agents intermittent reporting to SEPM 12.1 Console

    Broadcom Employee
    Posted Mar 28, 2013 01:14 PM

    Hi,

    Thumbs up to the above advice.

    You need to upgrade to the latest version, i.e. SEP 12.1 RU2.

    Upgrade process from SEP 12.1 RU1 MP1 to SEP 12.1 RU2

    https://www-secure.symantec.com/connect/articles/upgrade-process-sep-121-ru1-mp1-sep-121-ru2

    And if the issue is with SEP 12.1 RU2, then you need to log a case with Support.

    How to create a new case in MySupport

    http://www.symantec.com/docs/TECH58873

    How to Create and Validate a SymAccount for using Symantec's MySupport

    http://www.symantec.com/docs/HOWTO31127

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023



  • 5.  RE: SAVFL agents intermittent reporting to SEPM 12.1 Console

    Posted Mar 28, 2013 02:59 PM

    Yup, we're still on 12.1 RU1 MP1.  I'll upgrade and check it again.  Thanks to all!



  • 6.  RE: SAVFL agents intermittent reporting to SEPM 12.1 Console

    Posted Mar 29, 2013 05:21 AM

    Hi RBaylor,

    Definitely upgrade to SEP 12.1 RU2, but also ask your Linux admin to check the status of those 13 machines.  There is a /etc/reporterd.ini configuration file which may be set to too long a frequency (maybe once per day?) - I recommend that be hourly or so.  There are also logs on the Linux machines which will record any errors the clients are having getting their details to the SEPM.  Maybe a few of them are misconfigured?  The ReporterSvc.log, sub_Parent_Inv.err, and Parent_Inv_ logs there will tell.

    Also, this article may be of interest:

    SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
    https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-4-savfl-reporter

    Hope this helps!

    Mick