Endpoint Protection


Clients becoming Disabled

Migration User, Mar 31, 2014 10:52 AM

  • 1.  Clients becoming Disabled

    Posted Mar 30, 2014 12:49 PM

    Clients are on Server 2008 R2 either 64-bit or 32-bit. Endpoint version 12.1. Some servers are in a VM farm and some are physical servers. All servers are for the function of one vendor for a multi-agency system.

    I have created 2 policies, one for 64-bit and one for 32-bit. Both policies are Antivirus and Antispyware Protection only. Per the vendor I created an Exclusion policy to exclude any scan from scanning their software or folders. All clients are in a managed group so they all get the same policy.

    In the manager, all clients have the most current Policy serial number. All show Online. I believe I have settings in the Communication and LiveUpdate to affect the servers as little as possible.

     

    So here is my issue...I have 29 servers, the manager reports that between 6 - 9 servers are Disabled. I go to that server and the client is running, has the green ball to indicate no errors, the Definition files are current but the status is Off and reports as disabled.

    I enable the client from the Manager and it stays that way for hours or days then again, the client is disabled. I cannot figure out why or how clients are becoming disabled.

    I really need to figure this out because every time an issue arises on the servers, the vendor points the finger at Endpoint.

    Any suggestions would greatly be appreciated.

     

    Thanks

    Debra

     



  • 2.  RE: Clients becoming Disabled

    Posted Mar 30, 2014 12:52 PM

    Click on the hyperlink... what component is disabled?



  • 3.  RE: Clients becoming Disabled

    Posted Mar 30, 2014 01:34 PM
    This is misleading. Open the hyperlink to see what it shows for each component you have installed.


  • 4.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 06:41 AM

    I'd like to echo the above comments ("Thumbs Up" guys) in that you should determine which component of SEP is reporting as disabled.

    As far as the pie chart on the HOME section of the SEPM console goes, a client is marked as disabled if any component is disabled.  This, unfortunately, even includes instances when a particular SEP component is meant to be disabled (in this case the Firewall):

    http://www.symantec.com/docs/TECH204587

    Assuming this is the same issue, then please log a support case with Symantec.  I've raised this a couple of times previously, and the more people that mention it the higher the rating it'll likely receive in Symantec's to-do list:

    https://www-secure.symantec.com/connect/forums/ru4-sep-firewall-status
    https://www-secure.symantec.com/connect/forums/ru2-difference-sep-firewall-behaviour-changed

    A workaround would be to uninstall the Firewall component if it is not needed (as is probably the case on your servers).



  • 5.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 10:44 AM

    Gentlemen,

    I have attached a screen shot of what my clients are showing. Are you asking me to click on a hyperlink? Where do I do that from?

    Due to the vendor request I only have Antivirus and Antispyware enabled. No Firewall or Threat Protection.

     

    Thank you

    Debra

     

    Attachment: Endpoint Disabled.doc (119 KB)


  • 6.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 10:50 AM

    Does the group that the machine is in on the SEPM have an antivirus and antispyware policy allocated to it?



  • 7.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 10:52 AM

    Try this on one server:

    smc -stop then smc -start



  • 8.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 10:56 AM

    That looks like the SEP11 client, when you stated in the OP that you were running a version of v12.1.

    Also regarding the hyperlink, we were asking you to bring up the list on the SEPM so you can see what components are being reported as disabled (the same place where you find the list of disabled endpoints).

    #EDIT#

    Just to clarify, we can see from the screenshot that you're running SEP11, not 12.1.  We can also see that you do not have the firewall component installed.

    At this point, I'd recommend checking out what the SEPM thinks is disabled on this client, and if upgrading the client affects the results.

    I'd also recommend ensuring that the version of SEP11 on this client is actually supported on the server too (i.e. SEP11RU7 or later if SP1 for Win2k8R2 is installed, as it really should be).



  • 9.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 11:28 AM

    So now I am totally confused. When these clients were first installed we were on v11. Since then I have updated Endpoint manager to v12 which I just confirmed in my Manager. When I updated to v12 I created new policies for both the 64-bit and 32-bit. I thought I had pushed the policies out to the servers. This particular server I took the screen shot from I did a fresh install of the client last Thursday. I only have one install for each. I have spot checked clients on servers and they are v12. 

    If the clients in the Manager all have the correct and most current Policy serial number, why are some showing v11 ? Shouldn't they be v12?

    Per the vendor I do not have the Firewall policy enabled. Per the vendor all they recommend is Antivirus and Antispyware components.

    Thanks 

    Debra

     



  • 10.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 11:39 AM

    Sooo, on the client machine, can you open up the SEP client (double click on the system tray icon) and click Help -> About, and verify what version it is running?

    It sounds as if you have upgraded the SEPM (management server) and not upgraded the clients, and that you are still pushing out an old client installer for new server builds.

    #EDIT#

    Just to clarify, upgrading the SEPM does not automatically upgrade the clients.  The upgrade of clients must be switched on as described in the below article and in the documentation included with the software:

    http://www.symantec.com/docs/TECH166317



  • 11.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 11:57 AM

    Yes, I understand that. I created new policies for v12. I pushed that out to all clients. I don't understand if all clients are showing the most current Policy serial number, why some are still v11. Yes, I know where to check what version the clients are, that is how I am determining some are v12, some are v11. 

     

    Thank you 

    Debra



  • 12.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 12:19 PM

    The reason for the article link is also to help illustrate that the assignment of policies is separate to the upgrade options.

    On the SEPM Console, do you have anything assigned in the "Install Packages" tab of the groups in which your servers reside?  And if so, what do the clients report as to their "Deployment Status" (which is viewed by double-clicking on the client record in the SEPM)?

    If the 12.1 upgrade packages are correctly assigned and accepted by the clients, is it possible these machines haven't been restarted yet?

    #EDIT#

    Obviously, I'd recommend against upgrading these without proper planning and testing.  I'm just trying to help you determine why some are being marked as "Disabled" by the SEPM.

    Incidentally, we're still awaiting the screenshot from the SEPM itself where it says some clients are disabled.  Hopefully the screenshot will also show what components it thinks are disabled (presumably at this point it's the TruScan component which is not supported in x64 nor server OSs).

    #EDIT2#

    Hmmmmm, scratch that.  The TruScan component is part of the whole Proactive Threat Protection side of things, which wasn't present in your earlier screenshot.  I'd still be curious to see what the SEPM thinks is disabled though.



  • 13.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 12:25 PM

    SMLatCST,

    Thank you....I think I have found a big part of my issue due to your direction to the Tech link.

    Even though I made v12 policies, the v11 policies were also part of the Install Packages. 

    I will follow the direction of the very informative Tech link but my one question is...if I delete the v11 policies and leave just the v12, and these are pushed out to the servers, will this force or require a reboot?

    These servers can't be rebooted at this point.

     

    Thanks

    Debra

     



  • 14.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 01:51 PM

    No, a reboot is not required if you just applied the new policies from the SEPM. But if you have applied the new package to clients so that clients can upgrade to the new 12x version, then a reboot is required to complete the upgrade.



  • 15.  RE: Clients becoming Disabled

    Posted Mar 31, 2014 03:35 PM

    Everyone,

    With all the advice and suggestions I have received, I have determined that the 6 clients that are disabled do in fact still have the v11 client. So there lies one of my problems.

    I just need to figure out why these clients, despite being upgraded with the same install as the servers that are on v12, won't update from v11 to v12.

    I have even uninstalled the client, rebooted the server, installed and rebooted again.

    Thanks to you all, I have half the problem solved :-)

     

    Debra

     



  • 16.  RE: Clients becoming Disabled

    Posted Apr 01, 2014 04:12 AM

    You're welcome, I thought the screenshot didn't match up to your initial description is all.

    If you've tried manually upgrading, then I'd suggest you try exporting new client installers from your SEPM to determine if there are any issues with your existing install packages.  More info on how to do so below:

    http://www.symantec.com/docs/TECH204046

    I'd pick the "Save Package" option and run the install manually if I were you...



  • 17.  RE: Clients becoming Disabled

    Posted Apr 09, 2014 01:03 AM

    Hi

    Can you check whether Tamper Protection is disabled on the client side?

    Regards