Frequently asked questions about Symantec Critical System Protection 4.5

Article:TECH112737  |  Created: 2005-01-13  |  Updated: 2008-01-17  |  Article URL http://www.symantec.com/docs/TECH112737
Article Type
Technical Solution


Issue



This document provides answers to frequently asked questions about Symantec Critical System Protection (Symantec CSP) 4.5.


Solution



Questions about the management console
  • Why doesn't the SCSP Management Console show any of the Symantec CSP agents that I just installed?
    If you recently installed or reinstalled the agent, this problem may happen if you did not restart the agent computer after installation. To fix the problem, restart the computer.
  • What are the v## and r## at the end of the policy name?
    The management console appends two numbers to the policy name when it displays a policy on the screen.

    The v## number is the minimum Symantec Critical System Protection Agent version that is necessary to support the policy. The policy can be applied only to agents that are this version or later.

    The r## number is the revision number of the policy.
  • Why does Symantec CSP show changes after I click the Refresh button in the management console?
    The Refresh button refreshes the screen with information from the management server in order to display any changes that you already made. This enables you to verify that the changes you made to the agent or agent group were implemented. The Refresh button does not make any configuration changes.
  • Why does the right-click menu on the management console sometimes stop working?
    After you move an agent from one group to another and then right-click the agent or group to display a menu, Symantec CSP may not display the menu. This situation is due to a problem with Java™ that results in disabling the menu.

    To enable the menu, select "server" on the management console to which you are connected, and click Refresh. If this does not fix the problem, log out of the management console and then log on again. The menu now displays when you right-click.
  • Can Symantec CSP management authentication be synchronized with Windows NT authentication?
    Symantec CSP authentication for users who log on to the management server cannot be synchronized with other types of authentication.
  • Does Symantec CSP include JRE?
    Yes, Symantec provides a copy of the Java Runtime Environment (JRE) with Symantec CSP, and maintains the JRE with Symantec CSP product updates. The Symantec Critical System Protection Management Console is a Java application. JRE listens on ports that the user defines.
  • How do I change the management server name or IP address on an agent?
    To change the management server name or IP address at the agent computer, run the Agent Configuration Tool, sisipsconfig.exe, with the -h option.
    If the tool does not respond or displays an error about access rights, the tool may not be enabled. By default, the Symantec CSP protection policies prevent processes such as the agent configuration tools from modifying Symantec CSP resources.

    If you want to change the server name or IP address because you used the wrong IP address or name during installation, the Agent Configuration Tool is already enabled. When you use the wrong IP address or name during installation, the agent cannot register with the management server. When the agent cannot register, it uses the Null policy. You can run the agent configuration tools because the Null policy does not block activity.

    If you already applied a new policy to the agent, the tool is enabled only if you configured the policy to give privileges to the agent configuration tools, to permit a Policy Override, or to disable all prevention in the policy. If you did none of these and the computer runs on the Windows platform, restart the computer into Safe mode and then run the tool with the -h option.

    For more information about enabling the Agent Configuration tool, read "Cannot run the agent configuration tools in Symantec Critical System Protection 4.5".
  • Does Symantec CSP lose event data when the agent computer is off-line?
    No, the event data is not lost. Initially, the agent driver stores the events and other activity in log files on the local computer. When the agent computer is not connected to the network or otherwise cannot connect to the manager, the agent keeps that data and other activity information in the logs. When the agent re-establishes a connection to the management server, it sends the data and other activity information.
    When the log files become large, the value of the Enable Log Rotation parameter determines how they are handled on any particular agent computer. By default on some computers, an agent log file is rotated when the size of the log file reaches 100 megabytes. By default on other computers, the agent stops recording events and other activities in the log files when the agent computer runs out of disk space. For more information, read "Viewing and configuring Configuration properties" on page 38 in the Symantec Critical System Protection 4.5 Administrator's Guide.


Questions about the management server
  • How does Symantec CSP manage event data?
    Initially, the agent driver stores the events in a log on the local computer. The agent service sends this log data to the management server, where it is dynamically added to the server database.
    Symantec CSP provides options that enable you to limit the log size, rotate the log files, purge the log data, and so on. The log rotation options are configurable by individual agent or Agent Group and can be limited by time or size.

    For more information, read "Viewing and configuring Configuration properties" on page 38 and "Configuring log settings" on page 142 in the Symantec Critical System Protection 4.5 Administrator's Guide.
  • Why did the management server start using 100% of the CPU?
    The management server uses 100% of the CPU when the computer's disk space is low. You can confirm that this is the situation by verifying that the management server's log file has many "OutOfMemory exception" error messages.

    To fix the problem, make more disk space available and then restart the management server.

  • The management server stopped responding. Could the database be full?
    A full database can cause the management server to stop responding. To find out whether the database is full, look at the knldiag log file at \sisdb\data\wrk\SISDB\knldiag

    If the database is becoming full, the log file displays warning messages such as the following:

    2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  80 % of data base occupied, 1280 pages free
    2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  90 % of data base occupied, 640 pages free
    2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  95 % of data base occupied, 320 pages free

    2003-09-24 20:40:37      0xD74         7 Kernel_E DB usage fell below 95 %, 320 pages free
    2003-09-24 20:40:37      0xD74         7 Kernel_E DB usage fell below 90 %, 640 pages free

  • How do I increase the database size?
    Symantec CSP 4.5 uses an autoextender to automatically increase the size of the database. When the database becomes nearly full, the extender increases the size of the database by adding a new volume that is the same size as the last volume added.

    For information about the autoextender, read "Increasing the database size for Symantec Critical System Protection 4.5".
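
The knldiag check described above can be scripted so that a nearly full database is noticed before the management server stops responding. The following is an added example, not code from Symantec or from the original article. It assumes the message layout shown in the excerpt above, and it assumes that an "occupied" warning for a threshold stays in force until a later "fell below" message for the same threshold; the function names and the 90% alert level are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the knldiag excerpt above; the third
# entry is wrapped across two lines, as long entries can be in the file.
SAMPLE_KNLDIAG = """\
2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  80 % of data base occupied, 1280 pages free
2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  90 % of data base occupied, 640 pages free
2003-09-24 20:40:36      0xD80 WRN     6 Kernel_E  95 % of data base occupied,
320 pages free
2003-09-24 20:40:37      0xD74         7 Kernel_E DB usage fell below 95 %, 320 pages free
"""

# One pattern covers both message kinds; \s+ also matches a wrapped line break.
EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+0x[0-9A-Fa-f]+\s+"
    r"(?:WRN\s+)?\d+\s+\S+\s+"
    r"(?:(?P<up>\d+) % of data base occupied|DB usage fell below (?P<down>\d+) %)"
    r",\s+(?P<free>\d+) pages free"
)

def parse_fill_events(text):
    """Return (timestamp, kind, percent, pages_free) for each fill message."""
    events = []
    for m in EVENT_RE.finditer(text):
        kind = "occupied" if m.group("up") else "fell_below"
        pct = int(m.group("up") or m.group("down"))
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, kind, pct, int(m.group("free"))))
    return events

def current_fill_state(events, alert_at=90):
    """Summarise the latest state: an 'occupied N %' warning stays active
    until a later 'fell below N %' message clears that threshold (assumption)."""
    active = set()
    for _ts, kind, pct, _free in events:
        if kind == "occupied":
            active.add(pct)
        else:
            active.discard(pct)
    level = max(active, default=0)
    free = events[-1][3] if events else None
    return {"level": level, "pages_free": free, "alert": level >= alert_at}

if __name__ == "__main__":
    print(current_fill_state(parse_fill_events(SAMPLE_KNLDIAG)))
```

To use it on a real server, read the knldiag file into a string and pass it to parse_fill_events in place of the constructed sample.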


Questions about the agent
  • Why does the agent service not start after installation?
    Symantec CSP requires that you restart the computer after installing the agent. Otherwise, the agent service does not start and the driver does not work properly.
  • Why are there no messages in the Event Monitor after I reinstall the agent?
    This problem happens when some Symantec CSP files remain from the previous installation of the agent. The new installation may use some of the previous installation's log state information. As a result, the agent may not send new log messages to the management server.

    To fix this problem, uninstall the agent, remove any remaining Symantec CSP files that are in the Agent directory, and then reinstall the agent.
  • How much CPU bandwidth is required?
    Under normal operating conditions, the Symantec CSP 4.5 agent requires less than 3% of the computer's CPU capacity.
  • Why do the agent configuration tools display an "access denied" error message?
    The protection policies include protection to prevent processes from modifying Symantec Critical System Protection resources.

    You can configure the policies to enable access for the agent configuration tools.

    For more information, read "Giving privileges to run the configuration tools" in Appendix B, "Customizing Windows prevention policies" in the Symantec Critical System Protection 4.5 Administrator's Guide.

    For other methods, read "Cannot run the agent configuration tools in Symantec Critical System Protection".

  • What are the X11 connect error messages in the agent.err file of a Solaris agent?
    You may see the following error message in the agent.err file on the Solaris platform. This error message does not indicate a problem. The agent is functioning normally. You can safely ignore this error message.

    java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
            at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
            at sun.awt.X11GraphicsEnvironment.(X11GraphicsEnvironment.java:126)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:130)
            at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:62)
            at sun.awt.motif.MToolkit.(MToolkit.java:70)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:130)
            at java.awt.Toolkit$2.run(Toolkit.java:712)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:703)
            at java.awt.Toolkit.getEventQueue(Toolkit.java:1479)
            at java.awt.EventQueue.invokeLater(EventQueue.java:757)
            at javax.swing.SwingUtilities.invokeLater(SwingUtilities.java:1142)
            at javax.swing.Timer.post(Timer.java:538)
            at javax.swing.TimerQueue.postExpiredTimers(TimerQueue.java:193)
            at javax.swing.TimerQueue.run(TimerQueue.java:229)
            at java.lang.Thread.run(Thread.java:536)


Other documents for frequently asked questions

What kind of protection does Symantec CSP provide?
For information about the protection that Symantec CSP provides, such as how Symantec CSP provides Day 0 protection and how it protects against memory resident viruses, read "Frequently asked questions about how Symantec Critical System Protection 4.5 protects your computer".

Questions about policies
For information about policy distribution, applying policies, and problems after applying policies, read "Frequently asked questions about Symantec Critical System Protection 4.5 policies".

Questions about installation
For information about installing Symantec CSP, read "Frequently asked questions about Symantec Critical System Protection 4.5 installation".

Questions about working with product upgrades
For information about configuring Symantec CSP to permit or deny upgrades to the computer software or operating system, read "Frequently asked questions about configuring Symantec Critical System Protection 4.5 for upgrades to other products".







Legacy ID



2005051315435753

