Endpoint Protection


Curious...

Migration User, Sep 02, 2009 03:29 PM

  • 1.  Curious...

    Posted Sep 02, 2009 10:19 AM
    Greetings,

    I am running SEP 11 and SEPM in test environment.  I am using 3 Virtual machines, one is Manager and the other two are clients.  Both of my clients are connected to the manager and I have tested (http://<SEPM_Machine_Name>:port/secar?hello,secar =OK) to confirm.  Both clients are receiving regular definition updates.  My problem is when I try to push a generic scan to both clients only one receives and executes the scan while the other client shows 'Not received'

    Why would everything indicate that there is good connectivity except when I try to run a scan to this one client?


  • 2.  RE: Curious...

    Posted Sep 02, 2009 10:31 AM
    Hi,

    Could you let us know the OS on the machine in question? Is it the same as on the other client machine, where you are able to push the scan?


  • 3.  RE: Curious...

    Posted Sep 02, 2009 10:33 AM
    Secars test is fine.

    Do you see the green dot on the client box and on the SEPM?



  • 4.  RE: Curious...

    Posted Sep 02, 2009 10:39 AM
    OS on all machines in question is MS Server 2003 x64 R2.  Yes Green dots are showing on both clients.


  • 5.  RE: Curious...

    Posted Sep 02, 2009 10:47 AM
    Now we shall try to troubleshoot this. It's a 2-way process: we need to check if your SEPM is generating the command or not.

    Whenever you issue a command it gets stored in

    E:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command

    and clients pick it up from here; it will be an XML file.

    When you select that client and issue a command, does something get created in here?

    If so, the client has the problem; if not, the manager has the problem.



  • 6.  RE: Curious...

    Posted Sep 02, 2009 10:56 AM
    xml, SIG, and DAX are created moments after issuing the command.  So far so good...


  • 7.  RE: Curious...

    Posted Sep 02, 2009 11:02 AM
    Do you see the latest defs on the clients?

    The same defs the manager has?

    If it's waiting for defs, it won't scan until it gets them.



  • 8.  RE: Curious...

    Posted Sep 02, 2009 11:05 AM
    Now issue the command.

    Wait for a minute.

    Go to the client.

    Open the interface.

    Click on Scan for Threats.

    Try to run a scan. When you do so, it should tell you that another scan is already in progress. If so, then the command worked but it's not showing the prompt; it's running silently.

    Check the CPU usage of rtvscan.exe; it should be running the scan.



  • 9.  RE: Curious...

    Posted Sep 02, 2009 11:28 AM
    ...as of 1 Sep on the client. Yesterday it was 31 August, so it auto-updated as per my policy schedule.

    Tried issuing the scan command from the manager, then went to the client and clicked scan. The locally activated scan started with no issues (the manager command never made it to the client).

    Didn't understand 'check the CPU of rtvscan.exe'. Please elaborate.

    Thanks


  • 10.  RE: Curious...

    Posted Sep 02, 2009 12:53 PM
    Can you please check the version of SEP.
    Make sure that the version you are using is at least MR4 or later.


  • 11.  RE: Curious...

    Posted Sep 02, 2009 01:00 PM
    You can also check this document

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008100308020348


    Also, you can run the Sylink toggle on the client that is not receiving the commands and add the logs to this thread.



  • 12.  RE: Curious...

    Posted Sep 02, 2009 02:00 PM
    SEP version is MR4 MP2

    Wasn't sure which toggle you meant so ran them both:

    SyToggleON script stating at 13:25:42:28
    SyToggleON script stating directory "C:\SyToggle"
    Looking for SEP install
    Current Debug Value =
    Debugging has already been enabled - Skipping 'set debug'
    Install found at: C:\Program Files (x86)\Symantec Antivirus
    Sylink logging = ON
    Sylink log location = c:\sylink.log
    Stop service: "C:\Program Files (x86)\Symantec AntiVirus\smc.exe" -stop
    Start service: "C:\Program FIles (x86)\Symantec Antivirus\smc.exe" -start
    Script Finished

    SyToggleOFF script stating at 13:26:26:71
    SyToggleOFF script stating directory = "C:\SyToggle"
    Looking for SEP install
    Install found at: C:\Program Files (x86)\Symantec AntiVirus
    Sylink logging = OFF
    Stop service: "C:\Program Files (x86)\Symantec AntiVirus\smc.exe" -stop
    Start service: "C:\Program Files (x86)\Symantec AntiVirus\smc.exe" -start
    Script Finished

    *Had to type this, as I cannot cut and paste from the classified system to the unclassified one.


  • 13.  RE: Curious...

    Posted Sep 02, 2009 02:30 PM
    You can download the Sylink toggle utility from the download tab on the forum and use it. It will create the Sylink logs.


  • 14.  RE: Curious...

    Posted Sep 02, 2009 02:44 PM
    I did... the logs are in my previous post. Is that not what they are supposed to look like?


  • 15.  RE: Curious...

    Posted Sep 02, 2009 03:29 PM
    Navigate to the root of C and look for sylink.log


  • 16.  RE: Curious...

    Posted Sep 03, 2009 09:03 AM
    I don't know what I'm missing here, but I have run both SyToggleON and SyToggleOFF, gone to the C:\SyToggle folder and posted (above) the logs (sylink.log) exactly as they appear on the client machine.


  • 17.  RE: Curious...

    Posted Sep 03, 2009 09:59 AM

    There is no need to go into the SyToggle folder; you will see a txt file with the name sylink.log on the root of C.

    If Sylink Toggle is not creating the logs, then:

    How to enable Sylink Debugging for Symantec Endpoint Protection (SEP) in the registry


  • 18.  RE: Curious...

    Posted Sep 03, 2009 10:53 AM
    Performed the registry setup and got C:\Sylink.log to appear. Ran SyToggle and it shows no data in C:\Sylink.log (0 KB). However... the SyToggle folder reappeared with SyToggle.log in it.


  • 19.  RE: Curious...

    Posted Sep 03, 2009 01:26 PM

    Inside HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

    set DumpSyLink (a REG_SZ value) to the file path where the log should go (e.g. c:\sylink.log).

    smc.exe must be restarted after the change.
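The registry step above, and the "0 KB log" case from post 18, as an added example that is not from the thread or from Symantec: it sets DumpSyLink, restarts smc.exe with the -stop/-start switches shown in post 12, and then checks that the log actually receives data. It assumes an elevated shell on the client, the key path from post 19 (a 32-bit client on a 64-bit host may keep it under Wow6432Node, so both are tried), and that smc.exe sits under the install path shown in post 12.

```powershell
# Added example, not part of the original thread.
$LogPath = 'C:\sylink.log'
$KeyCandidates = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink',
    # Assumption: redirected location for a 32-bit client on x64 Windows.
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
)
$Key = $KeyCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $Key) { throw 'SyLink registry key not found; is the SEP client installed?' }

# DumpSyLink is a REG_SZ holding the path smc.exe writes the debug log to.
Set-ItemProperty -Path $Key -Name 'DumpSyLink' -Value $LogPath -Type String
Write-Host "DumpSyLink set under $Key -> $LogPath"

# The setting is only read when smc.exe restarts (post 19).
# Install path taken from the SyToggle output in post 12; adjust if different.
$Smc = 'C:\Program Files (x86)\Symantec AntiVirus\smc.exe'
if (-not (Test-Path $Smc)) { throw "smc.exe not found at $Smc" }
& $Smc -stop
Start-Sleep -Seconds 10
& $Smc -start

# Give the client a moment to talk to the SEPM, then verify the log is live.
# A 0 KB file (post 18) means smc.exe is not honouring the value: check that
# the key is the one the running 32-bit process sees and that it restarted.
Start-Sleep -Seconds 60
if (-not (Test-Path $LogPath)) {
    Write-Warning "$LogPath was never created; smc.exe did not pick up DumpSyLink."
} elseif ((Get-Item $LogPath).Length -eq 0) {
    Write-Warning "$LogPath exists but is empty; smc.exe is not writing to it."
} else {
    Write-Host "Sylink log is being written; last 20 lines:"
    Get-Content $LogPath | Select-Object -Last 20
}
```

When the log is filling, issue the scan from the SEPM again and watch the tail for the command exchange; if the log stays empty, the client side is the right place to keep looking, matching the split post 5 describes.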