Endpoint Protection

Cant You help me Please

My SEP Client connect and Manage foreign management server

I have problem with sep client 11.0.5 Win64.
1-  when Click hepl & Support >  Trobleshooting > Management > server 10.6.42.159
     (ip address 10.6.42.159 is foreign number not from my management server) My server 192.168.0.1
 2- Open SEPM >home > Top source Attack :
   

 

Attacking Host Number of Attacks Percent   10.6.42.159 10 76.9%   216.239.61.100 2 15.4%   216.239.61.104 1 7.7% Total 13 100%

2-Ceck via Dev Viewer tool we found strange device (with red colour) 

   ROOT\LEGACY_NULL\0000
   [class name]: <Unknown>
   [guid]: {8ecc055d-047f-11d1-a537-0000f8753ed1}
   [device id]: ROOT\LEGACY_NULL\0000
   [MFG string]: (null)
   [provider]: <Unknown>
   [driver data]: Not Available
   [driver version]: <Unknown>
   [hidden device]: true
   [Disabled]: false
   [PNP device]: false
   [can be disabled]: true
   [device node]: 0x1f08

someone help me please

Replace the sylink on the client

1. Copy of the file Sylink.xml from the server from C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\

2.  On the client computer , click Start > Run, type smc -stop, and click OK.

3.  Copy the Sylink.xml into the C:\Program Files\Symantec\Symantec Endpoint Protection folder, and replace any existing Sylink.xml file.

4. Click Start > Run, type smc -start, and click OK.

i try same  method before send this message (i try sylinkdrop on 1 week)

export communication setting then replace xml file using sylink drop report sucsess replace
but after 1 day my client reconnect this strange address

i have change c:\windows\system32\drivers\ect\hosts to & define my local server & client, but same fail, after one day sep client reconnect foreign address to.

ip addres managing  my client, report as  attacker host on spem.

You can create an install setting where the radio button for "Reset client server communication settings" is checked.

Then you can export an install package with this setting. Deploy this package to the machine and let us know if that works.

I think the issue you are facing could be due to corrupt information in registry for the SEPM IP address at the following registry location.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink


Aniket

Go to one working PC.Take a copy of sylik.xml and serdef.dat (Both will be in C:\Program Files\Symantec\Symantec Endpoint Protection).Replace it in the problematic client after removing the original files along with it's backup files.Reboot the PC and Try.. 

on the problomatic machine remove sylink.bak, sylink.xml, serdef.dat and serdef.dat.bak ( can  take a copy if you like)
replace all four from a client machine files which is working fine.

Thank's  i will try all method from this forum, and just wait on 24 our to ensure success or fail.

To Symantec & All Friend on this forum

I am try all method but fail. SEP Client Win64 reconnect  outside  from management server.

but essential problem location  was found, locate on SEPM Policy > Policy Components > Management Server List >Prioryity 1> 
How to Modify or Delete this List Content because Tab  Protected From Delete Or Modify.

SEP CLIENT 11.0.5 Win64 Connect to Outside Management Server

you cannot modifiy or delete the default one, if you  have added other list then uncheck inheritence from the clients group and you can edit that.

http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/e2ac3b646ae21969882573c20063533f?OpenDocument 

As Refeeq told create a new management server list with proper server IP address and port no.Then assign it to the groups . 

Thanks I will tray now.. and wait 24 our ensure

Thank's To Symantec Support & All Of Friend on www.secure.symantec.com Forum.

Now my SEP client  Win64 Connect to My SEPM server with correct IP Address.

Solution :
- Renew  Management Server List Policy
- All IP/Client Excluded from Intrusion Prevension
- Add IP Host List Policy

then i see my client sucsess, connect to management server with green Indicator on system tray.

just leave small problem, after create new management server list & assign,
unable to delete default management server list policy  as old list, uncheck inherit tab modify & delete steel inactive,
May be  Corrupt Regestry Or File System, Should i running Symantec Regestry Fix tool ?. 

Thank's to All Idea & Mtehod

you can delete your Default list , when its not in use on any of the groups, the location use count should be 0 only then you can delete.

Good to hear that your issue is resolved. Please mark the post as resolved.