Endpoint Protection


Cisco Secure ACS v 4.1 Database was corrupted by SEP

  • 1.  Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 09:24 AM

    I have 2 servers that run ACS v 4.1. When I upgraded one from SAV to SEP, I included the following exceptions:

    C:\Program Files (x86)\CiscoSecure ACS v4.1

    C:\Program Files\CiscoSecure ACS v4.1

    Within a day or two one of them stopped working. I was told that the database was corrupted by SEP. I did not see anything in the risk history.

    Does anyone have any idea what went wrong or what I may have missed?

    Thank you.



  • 2.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 09:31 AM

    I'd be curious to see how the justification for that was reached. Similar situation here but have never had any issues. No exclusions are set either.

    In any event, aside from the program directories being excluded already, check what working directories are also created and exclude those. TMP files (or similar) could be being created constantly and SEP is scanning these. I'd check mine but don't have access.
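    One way to act on the advice above, as an added example that is not part of the thread: a PowerShell script that looks for directories with recent write churn in the usual application and temp locations and flags those that no SEP exclusion covers. The two exclusion paths are the ones from the original post; the root folders, the one-hour lookback window and the extension list are assumptions to adjust for the server in question. It only reads file metadata and changes nothing in SEP; its output is a list of candidate paths to review in the exclusion policy.

```powershell
# Added example (not from the thread): inventory directories with recent write
# activity and report which of them fall outside the configured SEP exclusions.
# The two exclusions are the ones from the original post; roots, lookback window
# and extension list are assumptions you should adjust for your server.
param(
    [string[]]$Exclusions = @(
        'C:\Program Files (x86)\CiscoSecure ACS v4.1',
        'C:\Program Files\CiscoSecure ACS v4.1'
    ),
    [string[]]$Roots = @('C:\Program Files', 'C:\Program Files (x86)', $env:ProgramData, "$env:windir\Temp"),
    [int]$LookbackMinutes = 60,
    [string[]]$Extensions = @('.tmp', '.log', '.db', '.dat', '.ldb')
)

# True when $Path is one of the excluded folders or sits underneath one (case-insensitive).
function Test-UnderExclusion {
    param([string]$Path, [string[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        $base   = $ex.TrimEnd('\')
        $prefix = $base + '\'
        if ($Path.Equals($base, [System.StringComparison]::OrdinalIgnoreCase) -or
            $Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Collect files of the watched types written within the lookback window.
$recent = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and $Extensions -contains $_.Extension.ToLower() }
}

# One row per directory: how many files churned, which extensions, and whether an exclusion covers it.
$report = $recent |
    Group-Object DirectoryName |
    ForEach-Object {
        [pscustomobject]@{
            Directory  = $_.Name
            Files      = $_.Count
            Extensions = ($_.Group.Extension | Sort-Object -Unique) -join ','
            LastWrite  = ($_.Group.LastWriteTime | Measure-Object -Maximum).Maximum
            Excluded   = Test-UnderExclusion -Path $_.Name -Exclusions $Exclusions
        }
    } |
    Sort-Object @{Expression = 'Excluded'; Descending = $false}, @{Expression = 'Files'; Descending = $true}

$report | Format-Table -AutoSize

# Directories with churn that no exclusion covers are the candidates to review.
$report | Where-Object { -not $_.Excluded } |
    Select-Object -ExpandProperty Directory |
    Out-File -FilePath "$env:TEMP\sep-exclusion-candidates.txt"
```

    Run it on the affected server while ACS is under normal load so the lookback window captures its real write pattern. A directory that shows up as not excluded is only a candidate: confirm with Process Monitor which process writes there before adding it to the policy, since excluding a shared temp folder wholesale also blinds Auto-Protect to anything else dropped in it.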



  • 3.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP



  • 4.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 10:01 AM

    One of the ACS boxes USED to be a Primary SAV and had SSC installed. I doubt it had anything to do with it.



  • 5.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 10:04 AM

    Is it only running the AV component?

    If firewall is enabled, I could see something being blocked possibly.



  • 6.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 10:13 AM

    The server has been rebuilt, but when I deploy I strip everything down to the bare essentials: no PTP, no NTP, no whatever else is there. When I do a remote push I push "Basic protection for servers".



  • 7.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 10:19 AM

    I would guess that Auto-Protect would be the culprit then. If you can find out if there are any working directories that need to be excluded, that should help.

    The other thing I would suggest is to disable Auto-Protect for a short period of time to see what the result is. Not ideal or even recommended but it may help to pinpoint any issues.



  • 8.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 10:35 AM

    The server has been rebuilt, but when I deploy I strip everything down to the bare essentials: no PTP, no NTP, no whatever else is there. When I do a remote push I push "Basic protection for servers".



  • 9.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 02:59 PM

    If Autoprotect did in fact cause the collapse of this system, why wouldn't it have been logged or registered anywhere? I am not sure what caused this, but I don't think it was auto protect.



  • 10.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 03:10 PM

    AP only would log actions it took on malware.

    You would need to configure actual client logging of all AP events, and even then this may not show that it actually corrupted something.

    You could try vpdebugging to show real-time scanning:

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

    Article:TECH102939  |  Created: 2007-01-15  |  Updated: 2012-03-13  |  Article URL http://www.symantec.com/docs/TECH102939

     

    Or even Process Monitor might help:

    How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events

    Article:TECH98079  |  Created: 2009-01-14  |  Updated: 2012-10-12  |  Article URL http://www.symantec.com/docs/TECH98079

     



  • 11.  RE: Cisco Secure ACS v 4.1 Database was corrupted by SEP

    Posted Mar 13, 2013 03:14 PM

    I will check into this tomorrow. I have hit my afternoon snag :-)

    Thanks