Video Screencast Help

About the new SymHelp tool for SEP 12.1RU2

Created: 25 Feb 2013 | 10 comments
Language Translations
SebastianZ's picture
+12 12 Votes
Login to vote

I. The Tool

Symhelp is a new version of the troubleshooting tool that replaces the legacy Symantec Support Tool.

You will find the tool on the SEP 12.1 RU2 Installation CD – the included here version is 2.1.1.74. The latest available version from Symantec at the time of this article release is 2.1.7.95. The revisions of the Symhelp tool are updated quite often (even several times a month) - if possible use the latest available from Symantec. You can download the tool either going to the following link: http://www.symantec.com/docs/TECH170752 or from the SEP Client GUI - by going into Help -> Download Support tool -> this redirects directly to the Symantec Article mentioned in the reference.

The tool is used to troubleshoot SEP Clients and SEPM Server but not only – it supports as well following Symantec programs:

Note: You can you Symhelp on SEP 12.1 RU2 installation and as well all previous versions. The old Symantec Support Tool is compatible only with all SEP 11.x version and the 12.1 versions prior to RU2 – if you try to run it on SEP 12.1 RU2 installation it will fail with the following error:

If your machine has connection to the internet every time you run the tool it will check for an update from Symantec – if such is available it will be downloaded automatically and will replace the SymHelp.exe executable. The tool will require as well the .NET installed already on the machine – for Windows 8 or Windows Server 2012 the version of .NET 3 or higher will be required. If .NET is not installed tool will prompt for this installation.

 

II. The Options

After accepting the EULA you will see the Home page of the SymHelp tool. From here we can select the type of Symantec Products we want the report run for and the type of the scan as well.

Main SymHelp GUI provides us with additional Support Resources:

- Search Knowledge Base - here we have a general selection for all product that will takes us to the product selection page (http://www.symantec.com/business/support/index?page=products) or we can specify a certain product at this stage.

- Browse Forums - here as well we can opt for all products that will takes us to home page of Symantec connect (https://www-secure.symantec.com/connect), or we can choose a specific product forum

- Open a Case Online - this selection takes us to the logon page of the MySymantec portal:

https://my.symantec.com/webapp/faces/login?appParam=support

- Contact Technical support - opens http://www.symantec.com/support/techsupp_contact_phone.jsp

- Contact Customer care - http://www.symantec.com/support/assistance_care.jsp

 

Additionally for reference there is a System Usage section that gives us information about current Memory and CPU utilisation as well as shows how much disk space is free on either local or networked drives.

 

Before running the tool we need to select product scan type, this can be one or more of the following:

- Health check - scan of installed products, will try to identify known issues

- Best practices - scan of the configuration in scope of the compliance with the best practices guidelines

- Pre-install check - scan of system readiness for product installations including the check of system requirements

- Full data collection for support

 

There are 2 more independent selections available under the "Run Threat Analysis Tools" section - this refers to tools used for identifying suspicious files and threats:

  •  Symantec Power Eraser

The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system.

SEP Power Eraser GUI gives us following options:

- Scan for Risks - additionally available for selection is "Include a Rootkit Scan" - this will require a reboot

- History - where we can check results of previous Power Eraser sessions, you can as well recover from here files that were previously detected

- Settings - enables to selected "Include a Rootkit Scan" option and set up a network configuration.

 

Reference:

http://www.symantec.com/theme.jsp?themeid=spe-user-guide

 

  •  Symantec Load Point Analysis

Load Point Analysis examines files that launch from known and specific locations on the drive and in the registry (according to the OS) in order to find out which files are likely to be not a genuine executable and possibly may pose a threat to the system. Those are then checked within the online Symantec Reputation database and given a score that may classify them as unknown files or a potential threat.

SymHelp gives us here some options for scan setting:

- Scan Load Points, Running processes and Common Directories -> this is selected by default

- Scan Program File Directories

- Scan additional files and directories

We can select this additional locations from Symantec Load Point Analysis -> Settings -> Options menu. Here we will find as well several options for Network configuration either through Automatic configuration from IE or configuration script or specified proxy server.

 

After the Load Point scan is finished we will be presented with final report on following:

- Amount of files the analysis was performed on

- Amount of files verified as good using their digital signature

- Amount of files verified as good using the Symantec Reputation Database

- Amount of files verified as bad using Symantec Reputation database

- Amount of files that needed additional check

* The report will show the amount of files that should be manualy verified by sending them to Symantec Security response -> here we have as well an option to copy these files to a local folder

* The files tab will as well contain the listing of files for manual verification. The Processes tab shows all running processes alongside with their reputation score and path to the file.

* Load Point Analysis will by default check for any existing autorun.inf files on the local or networked drives.

 

Reference:

http://www.symantec.com/docs/TECH141402

http://www.symantec.com/docs/TECH96291

 

--- Few notes and considerations to the SymHelp selection types:

* Health check and Best Practice scans can be only chosen for already installed products. If you have chosen a Symantec Product not yet installed these 2 options will be greyed-out from selection

* Pre-install check will scan the system only checking for the installation requirements in scope of SEP 12.1 Client for Local and Remote installation. The results of the scan will be then displayed in the reports section of:

- System meets the requirements for SEP 12.1: Local install

- System meets the requirements for SEP 12.1: Remote install

* If asked for Symhelp tool report by Symantec Support please run the report with option "Full data collection for support" - this will include all necessary information alongside with SEP/SEPM logs needed for investigation/troubleshooting. Providing Symantec support with only Health Check or best practices scan will give only a initial insight in the configuration but may prove not enough for the scope of troubleshooting purposes.

* When collecting the Load Point Analysis data for support, remember to check the option "Collect SEP data for Symantec Support Case" as well.

 

--- Saving the report:

After all the scans are completed we can save the report from the "Save" tab. There is currently no possibility to change the name of the report file - by default it will by computername_date_time.sdbz. We can however take a target directory for saving of our choosing. There is as well an option "Save and send to Symantec Support" - please note that using this option do not automatically open any case with Symantec Support. When saving the report this way please always inform the support team that the report has been sent using this option.

 

III. Additional switches / SymHelp from command prompt

SymHelp tool execution is possible as well directly from command prompt. There are as well several switches available for additional debugging and user visibility. These are the available symhelp.exe switches:

 

* SymHelp with advanced debugging:

Starting the Symhelp tool from command line with the -wizprod switch will give us some more options for setting up advanced debugging and issue reproduction during the report is being collected.

We can enable the default debug level by simply selecting Debug - Enabled - this can be executed by the command line switch as well. By choosing the Advanced Debug option from the selection tool will present a new windows with additional selection available - this will include:

- SNAC debugging

- SEP Debug

- SEP sylink debugging

- WPP logging

...after clicking "Next" the tool will inform that the debug has been enabled (in registry) and we can reproduce the issue - after that click "Next" for the debug to be turned off and report to be collected.

[Note]: the –deepdata switch used previously in the Symantec Support Tool for gathering of the advanced WPP debugging is no longer existing in the SymHelp. WPP Debug can be collected by going into symhelp.exe –wizprod and enabling that kind of debugging from the GUI.

 

IV. The Report

Depending on the selected scans it will take a couple or more minutes to generate the report. (Please note that for the purpose of this article I will focus mainly on the information gathered when troubleshooting SEP and SEPM installation without including several other products that can be scanned with SymHelp). After report is completed we will be given following tabs for preview:

 

1. Home - general information about the Scan Status and selected product information - the screen shown will be here a bit different depending on if we open the tab directly after scan was finished or if we open a previously saved report from drive. When opening a previously saved report - the option for new scan run will not be available at this point anymore - restart of the tool will be necessary to scan again.

 

2. Report - this section is split on 5 different tabs as follows:

- Error - "This tab displays reports that resulted in an error status. An error status indicates that an issue has been detected and requires further examination and/or action."

- Warning - "This tab displays reports that resulted in a warning status. A warning status indicates that a possible issue exists. Further action may or may not be required depending on factors that the report cannot determine."

- Missing data - "This tab displays reports that could not examine all the data needed in order to yield a report status. If one test failed to access required data this will determine the status of the report as Missing data."

- Ok - "This tab displays reports that resulted in a status of Ok. An Ok status indicates that the issue being tested for was not found and no action is required."

- All - "This tab displays all the reports for a given product regardless of status. If a specific report is known and its results sought after, it may be quicker to find the report under this tab rather than to look under each of the status specific tabs."

 

We can adjust the selection of product on the left side of the GUI in case several product were chosen to generate the SymHelp report and we want to see only the results applying to one specified product at this point.

The reports will contain both text and hyperlinks to Symantec KB Articles if such are available for the encountered problems. You will find more details to each report by expanding the details section.

Some of the examples for most common reports that we can find in the reports section:

 

  • SEP Client examples:

 

  • Symantec Endpoint Protection drivers and services need attention

Reference for solution:

Are the Symantec Endpoint Protection drivers loaded and services running?

http://www.symantec.com/docs/TECH92415

  • Security advisories for Symantec Endpoint Protection Client

 

  • The latest version of Symantec Endpoint Protection Client is installed – in case of not the latest version installed the links provided will include the newer revisions than the one installed.

 

Reference for solution:

Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control

http://www.symantec.com/docs/TECH103088

Release Notes for Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, Symantec Network Access Control 12.1

http://www.symantec.com/docs/DOC4332

  • Client to Manager communications are [not] working

Reference for solution:

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/docs/TECH105894

  • Windows Firewall Configuration

Reference for solution:

Symantec Endpoint Protection clients do not communicate properly with the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102803

  • Definitions corruption checks – report about the currently used revision, check performed for corrupted definition files and missing definition files.

  • SEP 12.1 Virus Definitions are not corrupt
  • SEP 12.1 BASH Definitions are not corrupt
  • SEP 12.1 Submission Control Data Definitions are not corrupt
  • SEP 12.1 IPS Definitions are not corrupt
  • SEP 12.1 Iron Revocation Definitions are not corrupt
  • SEP 12.1 Iron Settings Definitions are not corrupt
  • SEP 12.1 Iron White List Definitions are not corrupt
  • SEP 12.1.2000+ Extended File Attributes Verify Trust Definitions are not corrupt
  • SEP 12.1.2000+ SRT SP Settings Definitions are not corrupt

Reference for solution:

Potential Symantec Endpoint Protection content definition corruption

http://www.symantec.com/docs/TECH92043

  • System meets the requirements for Symantec Endpoint Protection 12.1: Local install

Reference for the included links from the detailed view:

Does the computer need to be restarted?

http://www.symantec.com/docs/TECH92413

Does the current user have local administrator rights?

http://www.symantec.com/docs/TECH91646

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

 

Reference for solution:

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1

http://www.symantec.com/docs/TECH163806

  • System meets the requirements for Symantec Endpoint Protection 12.1: Remote install

Reference for the included links from the detailed view:

Is the Remote Registry Service enabled?

http://www.symantec.com/docs/TECH201331

Is the Server service started?

http://www.symantec.com/docs/TECH106150

Are the C$, ADMIN$, and IPC$ shares available?

http://www.symantec.com/docs/TECH91905

About the Find Unmanaged Computers function in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102582

Error: "No Network Provider accepted the given the network path"

http://www.symantec.com/docs/TECH102904

Is the Microsoft Windows Firewall blocking port 445?

http://www.symantec.com/docs/TECH106142

Does the computer need to be restarted?

http://www.symantec.com/docs/TECH92413

Is the local security setting 'Sharing and security model for local accounts' set to Guest Only?

http://www.symantec.com/docs/TECH106144

Is User Account Control enabled on the client?

http://www.symantec.com/docs/TECH9190

Does the Administrator account have a password?

http://www.symantec.com/docs/TECH106143

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

 

Reference for solution:

Best practices for upgrading to Symantec Endpoint Protection 12.1.2

http://www.symantec.com/docs/TECH163700

  • SEPM  Server examples:

 

  • Symantec Embedded Database service needs attention

Reference for solution:

Is the embedded database service running?

http://www.symantec.com/docs/TECH106152

  • The Symantec Endpoint Protection Console is [not] using its configured ports

Reference for solution:

Which Communications Ports does Symantec Endpoint Protection use?

http://www.symantec.com/docs/TECH163787

 

  • System does [not] meet the recommendations for Symantec Endpoint Protection Manager 12.1

Reference for the included links from the detailed view:

Is the local security setting 'Sharing and security model for local accounts' set to Guest Only?

http://www.symantec.com/docs/TECH106144

Does the current user have local administrator rights?

http://www.symantec.com/docs/TECH91646

Is User Account Control enabled on the client?

http://www.symantec.com/docs/TECH91902

Is the Windows Installer service disabled?

http://www.symantec.com/docs/TECH92579

Which communications ports does Symantec Endpoint Protection use?

http://www.symantec.com/business/support/index?page=content&id=TECH163787

 

Reference for solution:

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1

http://www.symantec.com/docs/TECH163806

 

  • The latest version of Symantec Endpoint Protection Manager is [not] installed

Reference for solution:

Obtaining the latest version of Endpoint Protection or Network Access Control

http://www.symantec.com/docs/TECH103088

Release notes for Symantec Endpoint Protection 12.1.x

http://www.symantec.com/docs/DOC4332

  • Symantec Endpoint Protection Manager drivers and services are [not] running

Reference for solution:

Are the Symantec Endpoint Protection drivers loaded and services running?

http://www.symantec.com/docs/TECH92415

  • Security advisories for Symantec Endpoint Protection

Reference for solution:

Depending on the advisories found

  • The Symantec Endpoint Protection Manager communications tests have all passed

Reference for solution to:

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/business/support/index?page=content&id=TECH105894

  • There is no client install package configuration issue detected

 

3. SPE (SEP Power Eraser) - if the SPE scan was previously run

4. LPA - Load Point Analysis - in case this scan was run previously

5. Information - the information section will present us with the following data:

 

* General:

a) Summary - general information about the system, we will find here general information about the date and time of log collection, timezon, user and domain, physical memory on the machine, CPU model, IPv4 and IPv6 configuration as well as local drives informations

b) Customer - Customer information as provided when saving the report. This section included the issue description - this is as well provided on the tab for report save

c) Installed Symantec Products

 

* SEP Client specific information:

a) SEP Client Summary:

- Version of the SEP client

- Type of the SEP Software (Enterprise/Small Business)

- Install date of SEP software

- Servers according to sylink.xml - provides of full listing the SEPM servers available for the SEP client

 

b) Policy:

- Client Group as per policy

- Location

- Location awareness -> if enabled =1, if disabled =0

- Client Control mode -> Server (1) for Server control mode; Server (0) for Client Control Mode

- Policy Serial Number

 

c) Communications:

- Last heartbeat

- Heartbeat result

- Connection status to SEPM

- Last attempted connection

- Last successful connection

 

d) Exceptions -> listing of configured centralized and user exceptions

e) File Versions -> contains information about version of some of the SEP file systems like Symevent, Auto-Protect User Mode Interface or Liveupdate.

f) Definitions -> lists installed definitions with revision date information. Following definitions will be covered:

 

Virus Definitions 12.1.x -> SRTSP      

Proactive Threat Protection -> BASH

Intrusion Prevention -> Internet Security

Insight -> ccSubSDK_SCD

Insight -> IronRevocation

Insight -> IronSettings

Insight -> IronWhitelist

Extended File Attributes -> SymEFA

SRT SP Settings     -> SRTSPSettings

 

g) Features -> listing of installed/enabled features alongside with MSI Feature name and install state:

  • example:

Application and Device Control                         DCMain                  Installed

Firewall Protection                                               Firewall                  Installed

Intrusion Protection                                             ITPMain                 Installed

Network Threat Protection                                  NTPMain                Installed

Notes Scanner                                                       NotesSnapin          Installed

Outlook Scanner                                                   OutlookSnapin     Installed

Pop3/SMTP Scanner                                            Pop3Smtp              NotInstalled

Proactive Theat Protection Truscan                      PTPMain                Installed

Sonar Protection                                                   TruScan                  Installed

Virus and Spyware Protection                            SAVMain                Installed

Download Insight                                                                                 Installed

 

 

* SEPM Manager specific information:

a) SEPM Summary will give us information about used SEPM Version.

b) Database configurations - information about the DB type, host and username

c) Ports - list of ports used by SEPM communications, alongside with port current state:

 

6. Best practices - according to the Best Practices scan type - report splits on following tabs:

- Not recommended -"This tab displays reports that resulted in a Not Recommended status. A Not Recommended indicates that the system's configuration is counter to best practice standards and will likely have consequences that should be considered."

- Not compliant - "This tab displays reports that resulted in a Not Compliant status. A Not Compliant status indicates that the system's configuration is not according to best practice and might potentially have unwanted consequences. This status is less severe than a status of Not Recommended."

- Missing data - "This tab displays reports that could not examine all the data needed in order to yield a report status. If one test failed to access required data this will determine the status of the report as Missing data."

- Compliant - "This tab displays reports that resulted in a status of Compliant. A Compliant status indicates that the system is configured according to best practice standards."

- All - "This tab displays all the reports for a given product regardless of status. If a specific report is known and its results sought after, it may be quicker to find the report under this tab rather than to look under each of the status specific tabs."

 

Some of the common examples we can find in the best practices section:

 

 

V. References:

 

  1. Symantec Support Tool:
  • About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool

Article: TECH96291           http://www.symantec.com/docs/TECH96291

  • The Symantec Endpoint Protection Support Tool

Article: TECH105414        http://www.symantec.com/docs/TECH105414

  • About the Symantec Endpoint Protection Support Tool

Article: TECH91280           http://www.symantec.com/docs/TECH91280

  • How to run the Symantec Endpoint Protection Support Tool remotely

Article: HOWTO72599     http://www.symantec.com/docs/HOWTO72599

 

 

  1. SymHelp Tool:
  • About Symantec Help (SymHelp)

Article: TECH170735        http://www.symantec.com/docs/TECH170735

  • Symantec Help (SymHelp)

Article: TECH170752        http://www.symantec.com/docs/TECH170752

  • What command-line parameters are available for use with Symantec Help (SymHelp)?

Article: TECH170732        http://www.symantec.com/docs/TECH170732

  • Load Point Analysis and Symantec Power Eraser are not available in SymHelp

Article: TECH201415        http://www.symantec.com/docs/TECH201415

  • Unable to launch or view SymHelp

Article: HOWTO75989     http://www.symantec.com/docs/HOWTO75989

Comments 10 CommentsJump to latest comment

nwranich's picture

Very thorough documentation on the tool.  Great job.

+1
Login to vote
Chetan Savade's picture

Good article!

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
Mick2009's picture

"Thumbs up!" Just linking this official article, which has a video on the topic of SPE in SymHelp:

How to run Symantec Power Eraser with the SymHelp utility
Article URL http://www.symantec.com/docs/TECH203683

With thanks and best regards,

Mick

0
Login to vote
sep_tx's picture

Very nice!

One question? 

Within LPA there are sub-options to 'Scan Program File Directories' and 'Scan additional files and directories'.  Likewise in SPE there is the sub-option to 'Scan other user profiles'.  When executing with the -lpa or -spe flags can you also control those same sub-options or does it default to scanning everything?

 

0
Login to vote
Mick2009's picture

The latest release of SymHelp includes enhanced capabilities for threat detection and removal.  For details, please see:

 

About the Threat Analysis Scan
http://www.symantec.com/docs/TECH215550

How to run the Threat Analysis Scan in Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH215519

Many thanks!

Mick

With thanks and best regards,

Mick

0
Login to vote
Ambesh_444's picture

Grt Job dude..Thumbs up for ur nice article. Good luck for next

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

0
Login to vote
Aeschylus's picture

Nice article for a useful tool. Thanks

0
Login to vote
Vinafuelnew's picture

First of all i need you support me to keep on access email vinafuelnew@yahoo.com of mine closed long times too

0
Login to vote
Mick2009's picture

Just adding an important note: in case SymHelp fails or crashes when running, follow these steps:

How to provide data to Symantec Support when SymHelp won't complete
http://www.symantec.com/docs/TECH203573

With thanks and best regards,

Mick

0
Login to vote
_Brian's picture

Very informative, thanks for posting.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

0
Login to vote