Endpoint Protection

  • 1.  Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 02:39 AM

    I have a SEPM server still on 11; the embedded database was corrupt. I thus uninstalled it and reinstalled it on the same server. I used the keystore.jks and Domain ID of the existing server; I can see that all clients are appearing on the newly installed server. The latest virus definition has already been downloaded on the server, but the problem is that none of the clients are updating. Can you please help me out? There are 30 clients and I don't want to end up having to sylink each of them.

    Thanks,

    Arvind



  • 2.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 02:46 AM

    What is the exact version of your SEPM 11? Also, have you tried pushing a policy, and are your clients reflecting the same policy number?

     

    Regards,

    JM



  • 3.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 02:49 AM

    Please enable Sylink logging on one of the clients and upload it here.

    http://www.symantec.com/business/support/index?page=content&id=TECH104758

    Open the client interface - help and support and troubleshooting, do you see server name or server offline?



  • 4.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 03:04 AM

    Is the SEPM server updated?

    Symantec Endpoint Protection Manager 11.x is not updating 32 or 64 bit virus definitions.

    Article:TECH104721  | Created: 2008-01-15  | Updated: 2013-05-17  | Article URL http://www.symantec.com/docs/TECH104721


  • 5.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 04:57 AM

    If you want proper communication between clients and SEPM, you need Sylink Watcher or Sylink Monitor.

    It will tell you that Sylink reflects their policies for the client to SEPM.

    Before that, you need the Tamper Protection feature disabled before following these steps. (Tamper Protection does not need to be disabled on a SEP 11 client.) If Tamper Protection is not disabled, it will block the following Registry key modifications. To disable Tamper Protection, open the SEP 12.1 client, click Change settings, click Configure Settings (next to Client Management), click Tamper Protection, remove the checkmark from "Protect Symantec security software from being tampered with or shut down", and click OK.

    1. Click Start > Run
    2. Type in: regedit and click OK
    3. Navigate to:  HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC
    4. Double-click smc_debuglog_on
    5. Change the Value data to and click OK
    6. Navigate to:  HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    7. Click Edit > New > String Value
    8. Name the new value: DumpSylink
    9. Double-click DumpSylink
    10. In the Value data field, specify the file name (Sylink.log) and desired location for the log file. Example: C:\Sylink.log
    11. Click OK
    12. Close the Registry Editor window
    13. Click Start > Run
    14. Type in: smc -stop and click OK
    15. Wait until the SEP icon disappears from the system tray. (Approximately thirty seconds.)
    16. Click Start > Run
    17. Type in: smc -start. Click OK. Sylink debug logging is now enabled; the sylink.log file will appear in the location specified in step 10.


  • 6.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 07:19 AM

    Hi,

    The exact version of SEPM is 11.0.5. The SEPM already has the latest definition.

    Please find an extract of the sylink log. The error I am getting is 'Signature verification FAILED for Index File Content..'

    03/21 13:57:57 [2308] 13:57:57=>Send HTTP REQUEST
    03/21 13:57:57 [2308] 13:57:57=>HTTP REQUEST sent
    03/21 13:57:57 [2308] <GetIndexFileRequest:>SMS return=200
    03/21 13:57:57 [2308] <ParseHTTPStatusCode:>200=>200 OK
    03/21 13:57:57 [2308] <FindHeader>Sem-HashKey:=>E620948FB2838738460207DE0AE6B99D
    03/21 13:57:57 [2308] <FindHeader>Sem-LANSensor:=>0
    03/21 13:57:57 [2308] <FindHeader>Sem-Signatue:=>8F7ADC48DBC83FED33E566931064F0950AAD68532800F8AA90F0BEA0A26E8851AEB0DC7472E0586FB678121F50F5C80A0B9634CC4AE85DB7A49EDF93762BDDDE45A1695162BF3A16D2AD907EC7F5923F53849EDA3B852A086C093C5215B524A36FAB674E80F278A2BC2716A2C3D4DB582F5F432D2A5C0891B1C439141257BC97
    03/21 13:57:57 [2308] <mfn_DoGetIndexFile200>Content Lenght => 1347
    03/21 13:57:57 [2308] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
    03/21 13:57:57 [2308] <GetIndexFileRequest:>RECEIVE STAGE COMPLETED
    03/21 13:57:57 [2308] <GetIndexFileRequest:>COMPLETED
    03/21 13:57:57 [2308] <IndexHeartbeatProc>GetIndexFile handling status: 101
    03/21 13:57:57 [2308] <IndexHeartbeatProc>Switch Server flag=0

    What can I do?

    Arvind
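
To triage the failure shown in the log extract above across many client logs, a Sylink.log can be split into heartbeats and each one classified by HTTP status and signature result. This is an added example, not part of the original post or any Symantec tool; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the Sylink.log extract posted above
# (hash key is a placeholder; the second heartbeat is invented for contrast).
SAMPLE_LOG = """\
03/21 13:57:57 [2308] 13:57:57=>Send HTTP REQUEST
03/21 13:57:57 [2308] <GetIndexFileRequest:>SMS return=200
03/21 13:57:57 [2308] <FindHeader>Sem-HashKey:=>0123456789ABCDEF0123456789ABCDEF
03/21 13:57:57 [2308] <mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..
03/21 13:57:57 [2308] <IndexHeartbeatProc>GetIndexFile handling status: 101
03/21 14:02:57 [2308] 14:02:57=>Send HTTP REQUEST
03/21 14:02:57 [2308] <GetIndexFileRequest:>SMS return=503
"""

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+)\] (.*)$")

def parse_heartbeats(text):
    """Split the log into heartbeats; one starts at each 'Send HTTP REQUEST'."""
    beats, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or wrapped lines
        ts, _tid, msg = m.groups()
        if msg.endswith("Send HTTP REQUEST"):
            cur = {"time": ts, "http": None, "hash_key": None, "sig_failed": False}
            beats.append(cur)
        elif cur is None:
            continue  # extract began mid-heartbeat
        elif (s := re.search(r"SMS return=(\d+)", msg)):
            cur["http"] = int(s.group(1))
        elif (h := re.search(r"Sem-HashKey:=>(\w+)", msg)):
            cur["hash_key"] = h.group(1)
        elif "Signature verification FAILED" in msg:
            cur["sig_failed"] = True
    return beats

def classify(beat):
    """Separate 'manager not reached' from 'reached, but index file rejected'."""
    if beat["http"] != 200:
        return "transport_error"
    return "signature_rejected" if beat["sig_failed"] else "ok"

def summarize(text):
    return Counter(classify(b) for b in parse_heartbeats(text))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```

A heartbeat classified as signature_rejected received an HTTP 200 from the manager and then failed verification of the index file, which is the pattern in the posted log.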



  • 7.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 07:29 AM

    Hi Arvind,

    Did you try replacing sylink.xml on one or two systems?

    See these articles

    Symantec Endpoint Protection Signature verification FAILED for Index File Content

    Article:TECH102900 | Created: 2007-01-12 | Updated: 2011-08-15 | Article URL http://www.symantec.com/docs/TECH102900

     

    Signature verification FAILED for Index File Content - Clients are green in the SEPM, but show offline.

    Article:TECH93740 | Created: 2009-01-30 | Updated: 2010-10-27 | Article URL http://www.symantec.com/docs/TECH93740


  • 8.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 07:35 AM

    Hi,

    I still have the folders in "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent" for the old SEPM; if I replace the new folders with the old ones, will the clients be able to connect successfully?

    Arvind



  • 9.  RE: Client appear on SEPM but not updating though definition available.

    Posted Mar 21, 2014 07:40 AM

    As per the articles, it resolves the issue, but you can take a backup of the current file.

     

    Solution 1

    1. Open Symantec Endpoint Protection Manager console.
    2. Click Clients (This is labeled Computers in the Small Business Edition.)
    3. Click on the group where the problem clients are located.
    4. Delete any clients that are not getting updates.
      1. Right-click the client.
      2. Select Delete from the menu.

    Solution 2

    1. Follow the steps in article TECH106288 to Export Communications Settings and replace the Sylink file using SylinkDrop.exe.
      Note: If signature verification fails for a large group of clients, please see article TECH93740.


    The client will now show in the Symantec Endpoint Protection Manager on the next heartbeat and start updating again.

    Alternatively you can go to the client and force a check-in.

    1. Open the client interface from the client.
    2. Click Help and Support > Troubleshooting > Update.