Endpoint Protection

  • 1.  Clients showing old definitions in SEPM, current definitions on the local machine

    Posted Jun 30, 2011 01:38 PM

    I have a number of clients showing up with their latest AV definitions being at 2010-10-18, however on the local client, the defs are at 2011-6-30. Has anyone seen this before? It's messing up my reports. 



  • 2.  RE: Clients showing old definitions in SEPM, current definitions on the local machine

    Posted Jun 30, 2011 02:24 PM

    This used to happen with the older version of SEPM. What version are you running?



  • 3.  RE: Clients showing old definitions in SEPM, current definitions on the local machine

    Posted Jun 30, 2011 02:32 PM

    A few different things that could be causing this:

    1.) Clients aren't able to upload their logs to the SEPM due to something blocking the communication, either at a network level (like a proxy or firewall) or a configuration level (like someone changing the IIS configuration in some fashion).

    2.) Clients might be updating from LiveUpdate rather than the SEPM, giving the illusion that the communications are only broken for the download...would depend on how the LiveUpdate policy is configured.

    3.) The SEPM may be under-resourced and isn't able to keep up with the log processing, or there's a broken log jamming up the works...how many files are in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo and \data\inbox\client?  Is it a relatively small amount, or is it several thousand?  If you wait a few minutes then check again, is the number relatively the same, or is it growing?

    I'd recommend gathering a sylink log and checking those two folders to help give us an idea as to where the communication breakdown might be.  Here's a link to the document on creating a sylink log:

    http://www.symantec.com/business/support/index?page=content&id=TECH104758
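The inbox check from point 3, as an added example rather than anything from this thread or from Symantec: it counts the files in the two inbox folders twice, a few minutes apart, and reports whether the backlog is draining, stable, or growing. The default install path is taken from the post above; the 1000-file threshold and the wait interval are assumptions, so adjust them to your environment.

```powershell
# Added example (not from the thread): sample the SEPM inbox folders twice
# and report whether the backlog is growing, stable, or small.
param(
    # Assumption: default SEPM install path as given in the post.
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    # Assumption: how long to wait between the two samples.
    [int]$WaitMinutes = 5,
    # Assumption: above this many files we treat the inbox as "several thousand".
    [int]$LargeBacklog = 1000
)

$folders = @(
    (Join-Path $SepmRoot 'data\inbox\agentinfo'),
    (Join-Path $SepmRoot 'data\inbox\client')
)

# Count regular files in each folder; $null means the folder was not found.
function Get-InboxCounts {
    param([string[]]$Paths)
    $counts = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $counts[$p] = (Get-ChildItem -LiteralPath $p -File -ErrorAction SilentlyContinue | Measure-Object).Count
        } else {
            $counts[$p] = $null
        }
    }
    return $counts
}

$first = Get-InboxCounts -Paths $folders
Write-Host "First sample at $(Get-Date -Format s)"
Start-Sleep -Seconds ($WaitMinutes * 60)
$second = Get-InboxCounts -Paths $folders
Write-Host "Second sample at $(Get-Date -Format s)"

foreach ($p in $folders) {
    $a = $first[$p]; $b = $second[$p]
    if ($null -eq $a -or $null -eq $b) { Write-Host "  $p : folder not found (check the install path)"; continue }
    $delta = $b - $a
    # Map the two observations onto the three causes listed in the post.
    $verdict = if ($b -gt $LargeBacklog -and $delta -gt 0) { 'backlog growing: SEPM is not keeping up with log processing' }
               elseif ($b -gt $LargeBacklog)               { 'large but not growing: look for a broken file jamming the queue' }
               else                                         { 'inbox small: suspect client-to-SEPM communication (sylink log, proxy/firewall)' }
    Write-Host ("  {0}: {1} -> {2} ({3:+0;-0;0}) {4}" -f $p, $a, $b, $delta, $verdict)
}
```

Run it in an elevated PowerShell session on the SEPM server; a small inbox with clients still reporting stale definitions points at the upload path rather than at the manager itself.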



  • 4.  RE: Clients showing old definitions in SEPM, current definitions on the local machine

    Posted Nov 16, 2011 09:48 AM

    I'm now seeing the same behavior out of my SEP 12.1 deployment.  I have approximately 2200 endpoints.  I noticed that the SEPM was reporting the clients had not received updates for about 2 weeks even though I check this information several times a week.  I rebooted the server and started checking random clients in the field on different subnets.  I checked both definition and policy information.  Some were out by a few days but nothing like the server was reporting (even being out by a few days is not what I like to see).  They all updated when I forced a policy update from the local client.  A few hours later I checked the server again and saw the "up-to-date" numbers climbing by the hundreds, and just as quickly it swung back to "out-of-date" again.  Now I'm looking at 63 up to date and around 1900 out of date.  SEPM can download the current updates without error.

    Is this a database issue or communication issue?  Where do I start troubleshooting?


    Thanks!