Troubleshooting Policy Changes

Article:TECH105907  |  Created: 2008-01-15  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH105907
Article Type
Technical Solution


Environment

Issue



Client is not getting policy changes

Symptoms
Client is not getting policy changes from Symantec Endpoint Protection Manager (SEPM)

  • Client policy does not update when it is changed at the Symantec Endpoint Protection Manager


 


Solution



Verifying the Symantec Endpoint Protection client is connected to the Symantec Endpoint Protection Manager

    If a client is not receiving policy changes, the first troubleshooting step is to determine if the client is actually connected to the Symantec Endpoint Protection Manager. Follow the troubleshooting steps in Troubleshooting Client/Server Connectivity to verify that the client and server are communicating properly. In most cases this will resolve any issues you might have getting policy changes distributed to clients.

    If, after establishing communication between the client and server, you are still not getting policy changes distributed, proceed with the remaining troubleshooting steps below.




Verifying which group the client belongs to

    If the client is not receiving policy changes after establishing communication, you should verify that the client is in the expected client group.




Location Awareness Issues

    Symantec Endpoint Protection supports a powerful feature called location awareness. This allows a client to have different policies based on its location. If a client is not receiving an expected policy change, it could be that the client is currently operating in a different location from the one being edited. Portions of the policy are general purpose and not location specific. To isolate whether the issue is a general policy distribution problem or a location-specific policy issue, check the policy serial number.

    To check the policy serial number at the server
      1. Log in to the Symantec Endpoint Protection Manager console
      2. Select the Clients button on the left margin
      3. Select the client group that contains the client that has the issue
      4. Select the Details tab in the right hand pane
      5. Copy down the policy serial number.

        Example: E0C4-01/09/2008 14:39:16 311

    To check the policy serial number in use at the client
      1. Launch Symantec Endpoint Protection from the System Tray icon or the Start menu
      2. Select View logs button
      3. Select the View Logs button to the right of Client Management and select the System Log
      4. Select the Filter from the main menu and select Show All Logs
      5. Browse for the most recent entry labelled "Applied new policy with serial number..."
      6. Compare the serial number with the serial number shown in the Symantec Endpoint Protection Manager console

        Example: E0C4-01/09/2008 14:39:16 311

    Alternately, in the Symantec Endpoint Protection client interface you can choose Help & Support then Troubleshooting, and in the Management pane, look for Policy Serial Number.

    The policy serial number changes every time the policy is modified. If the client does not have the latest policy serial number then proceed to Troubleshooting Client/Server Connectivity. If the client has the latest policy serial number but the settings are not what you expect then the most likely cause is a location specific policy issue.




Check console logs for errors writing policy changes to the Symantec Endpoint Protection Manager

    From the console machine, inspect the following log files for errors:

    %temp%\scm-ui.log
    %temp%\scm-ui.err




Verifying Policy was Updated at the Server

    The next step in isolating issues related to policy changes is to verify that the policy changes were actually compiled and updated in the server's outbox. These steps assume that you have already obtained the policy serial number using the steps above under the section "To check the policy serial number at the server."

    The following steps will verify that the server compiled the policy.

      1. At the Symantec Endpoint Protection Manager machine launch Windows Explorer and navigate to the directory whose name starts with the same four characters as the policy serial number.
        Example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\E0C43443C0A80964013FC4377115FBFB
      2. Change your Windows Explorer view to show Details including the "Date Modified" column.

    Within approximately one minute of making a policy change for this same client group, you should observe the modification date for the index2.dax, profile.dax, as well as most of the other files in this directory update to the current time. Depending on the complexity of the policy this can take slightly longer but it shouldn't take more than 2 minutes. If these files are not updating then perform the following steps to resolve the issue.

      1. Bring up a command line prompt
        1. Click Start, then Run
        2. Type cmd and press Enter
      2. Type net stop "Symantec Endpoint Protection Manager" and press Enter to stop the Symantec Endpoint Protection Manager service
      3. Type net start "Symantec Endpoint Protection Manager" and press Enter to restart the Symantec Endpoint Protection Manager service

        Note: Both "net stop" and "net start" commands are case sensitive.

    In most cases the policy files should update within a few minutes of the Symantec Endpoint Protection Manager service restarting.




Verifying Policy Serial Numbers (revisions)

    If the policy is updating properly, it should be writing out the correct policy settings. It is unlikely that the server is writing out the wrong settings for the client group; in most cases the user is looking at the wrong client group directory. However, if you would like to verify the policy serial number and settings, you can perform the following steps. These steps assume that you have already obtained the policy serial number using the steps above under the section "To check the policy serial number at the server."

      1. At the Symantec Endpoint Protection Manager machine launch Windows Explorer and navigate to the directory whose name starts with the same four characters as the policy serial number.
        Example: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\E0C43443C0A80964013FC4377115FBFB
      2. Open index2.xml in Internet Explorer, Notepad, or your favorite XML viewer.
      3. Near the top of the XML is a section that looks similar to the following:
        <Profile Checksum="28A37EBF3507C2F727064B9975122592" SerialNumber="E0C4-01/09/2008 14:39:16 311" LastModifiedTime="09/01/2008 14:39:38" />
      4. The SerialNumber attribute should match the serial number that you obtained from the console.
         

    You can also view the Profile.xml to verify serial number and look for the particular setting change to confirm the change was made.
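    As an added example (not part of the original article), the serial number comparison from the Location Awareness and Verifying Policy Serial Numbers sections above, done in Python against constructed sample data: it reads the SerialNumber attribute from an index2.xml fragment, extracts the latest "Applied new policy with serial number" entry from client System Log lines, checks that the outbox\agent directory name starts with the serial's first four characters, and applies the article's decision rule (stale serial means connectivity, matching serial with wrong settings means location-specific policy). The log line layout and the element enclosing Profile are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed index2.xml fragment modelled on the article's example (the real
# file has many more elements; the Root wrapper is an assumption).
INDEX2_XML = """<Root>
  <Profile Checksum="28A37EBF3507C2F727064B9975122592"
           SerialNumber="E0C4-01/09/2008 14:39:16 311"
           LastModifiedTime="09/01/2008 14:39:38" />
</Root>"""

# Constructed client System Log lines; the real log's column layout differs.
CLIENT_SYSTEM_LOG = """\
01/08/2008 09:12:01  Applied new policy with serial number E0C4-01/08/2008 09:11:40 310
01/09/2008 14:40:05  Applied new policy with serial number E0C4-01/09/2008 14:39:16 311
01/09/2008 14:40:06  Connected to Symantec Endpoint Protection Manager
"""

# Serial format shown in the article: four hex characters, date, time, revision.
SERIAL_RE = re.compile(
    r"Applied new policy with serial number\s+"
    r"([0-9A-Fa-f]{4}-\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \d+)"
)

def server_serial(index2_xml: str) -> str:
    """SerialNumber attribute of the Profile element in the server's index2.xml."""
    profile = ET.fromstring(index2_xml).find(".//Profile")
    if profile is None:
        raise ValueError("no Profile element found in index2.xml")
    return profile.get("SerialNumber", "")

def client_serial(system_log: str) -> Optional[str]:
    """Serial from the most recent 'Applied new policy' entry, or None if never applied."""
    found = SERIAL_RE.findall(system_log)
    return found[-1] if found else None

def outbox_dir_matches(dir_name: str, serial: str) -> bool:
    """The outbox agent directory name starts with the serial's first four characters."""
    return dir_name.upper().startswith(serial[:4].upper())

def diagnose(server: str, client: Optional[str], settings_as_expected: bool) -> str:
    """The article's decision rule applied to the two serial numbers."""
    if client is None or client != server:
        return "client is behind the server: troubleshoot client/server connectivity"
    if not settings_as_expected:
        return "serial numbers match: suspect a location-specific policy"
    return "serial numbers match and settings are as expected"
```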




Verify the Health of IIS & Secars (ISAPI plugin)

    Secars is a Symantec Endpoint Protection Manager component that the client-side SyLink communicates with to download profiles and commands, and to upload events, operational states, and command statuses.

    The easiest way to verify whether Secars is running is to issue the following command from a web browser:



Verify msxml3.dll is registered

    Without the proper DLL registered, the client cannot parse the XML files that it needs to read and apply policies.

    1. Click Start, then Run
    2. Type

      regsvr32 msxml3.dll

    3. Click OK
    4. Click OK at the "DllRegisterServer in msxml3.dll succeeded" prompt




 



Legacy ID



2008091509580048

