Symantec Endpoint Protection clients do not communicate with their Manager: 400 - Bad Request in Sylink log

Article:TECH103940  |  Created: 2008-01-14  |  Updated: 2012-03-06  |  Article URL http://www.symantec.com/docs/TECH103940
Article Type
Technical Solution


Issue



Symantec Endpoint Protection clients do not maintain communication with the manager and do not get content updates.

Symptoms
Symantec Endpoint Protection clients register with the manager and list in the console correctly. They do not maintain communication with the manager and do not get content updates. Sylink log output from an affected client will indicate a "400 - Bad Request" when it tries to access Secars.  The client would communicate with the manager and display a green dot briefly and then would no longer communicate with subsequent heartbeats.

 


Error



07/12 17:39:07 [2352] http://{customer's SEPM FQDN}:8014/secars/secars.dll?h=1B2F74
07/12 17:39:07 [2352] 17:39:7=>Send HTTP REQUEST
07/12 17:39:07 [2352] 17:39:7=>HTTP REQUEST sent
07/12 17:39:07 [2352] Send Request failed.. Error Code = 12007
07/12 17:39:07 [2352] 12007=>The Server name could not be resolved.
07/12 17:39:07 [2352] Send Request failed.. Error Code = 12007
07/12 17:39:07 [2352] 12007=>

07/12 17:39:07 [2352] http://{customer's SEPM ip address}:8014/secars/secars.dll?h=1B
07/12 17:39:07 [2352] 17:39:7=>Send HTTP REQUEST
07/12 17:39:07 [2352] 17:39:7=>HTTP REQUEST sent
07/12 17:39:07 [2352] SMS return=400
07/12 17:39:07 [2352] 400=>400 Bad Request
07/12 17:39:07 [2352] HTTP returns status code=400
07/12 17:39:07 [2352] RECEIVE STAGE COMPLETED
07/12 17:39:07 [2352] COMPLETED


Environment



The customer's Symantec Endpoint Protection Manager had "Microsoft UrlScan Filter v3.1" installed. Please see the following link for a description of Microsoft UrlScan Filter

http://technet.microsoft.com/en-us/security/cc242650.aspx

 


Cause



The customer disabled Microsoft's UrlScan Filter v3.1 and the clients began to communicate without error with the manager.  UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server.  This IIs pluggin was filtering the clients communication and causing the problem.


Solution



 Solution 1:  This problem is fixed in Symantec Endpoint Protection 11.0.2 Maintenance Release 2. For information on how to obtain the latest build of Symantec Endpoint Protection, read Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.  Please ensure that you are using a current version of Symantec Endpoint Protection.

Solution 2:  Microsoft's UrlScan Filter may be restricting or blocking HTTP communication.  You will need to configure UrlScan Filter to not interfere with the client and manager communication or disable it to allow communication.

 


Supplemental Materials

Value1209380

Legacy ID



2008021413342848


Article URL http://www.symantec.com/docs/TECH103940


Terms of use for this information are found in Legal Notices