Current (sempub) and other problems with SEPM

Created: 18 Jan 2008 • Updated: 02 Mar 2009

Dear All,

I've been "playing" with SEP this whole week. To be honest I am also playing with my job... :)
Somehow, I've managed to get to the stage that I will present to you in the following text, but the path to it wasn't easy or clear at all. Therefore I must express my deepest disappointment with this product.
As this topic is not created for sending criticism to Symantec (not that I don't have so many reasons to create one...), I will in short explain the problems I've been fighting with so far and the problem that bothers me currently.
Any input is more than appreciated.

I work in an enterprise with 250+ computers (notebooks, desktops) located in 3 distant geographical locations. So far, we've been using SAC 10.0.2 and we've been moderately satisfied with it (that's another story), but the system worked in an acceptable manner - there were no big or unsolvable issues. As I don't have available the appropriate testing environment, I was forced to install SEP into production from the start.
For the reason of bandwidth consumption, 2 SEPM were installed and one GUP. Both of the SEPM instances are installed on a DC, as those servers were SAC10 servers anyway.
The first problem I ran into was the inability to migrate groups and settings. There was no way to migrate the data from the localhost. I was constantly informed that the server cannot be contacted, or something like that. Then I managed to migrate groups from one to another (not a big issue, but it was kind of time consuming).
The second issue was related to Live Update Administrator. This one was exhausting. When you install LUA and try to access it, you get the Tomcat (404) error, the information that lua cannot be found on a localhost. It turns out that the PG LUA service was not installed. After many hours of problem solving I was shocked by the cause of the problem. We have a password policy in the domain, but I guess that LUASrvUser, which needs to be created during installation of LUA, probably does not have a password complex enough to pass the policy. This user has to be a restricted user, as PG otherwise won't run. The workaround is to create a domain user with this username and to place it into Allow To Logon Locally in the domain controller security policy. After this, run the installation. The service will be created, but the password for the account that will run the service won't be correct. Change the password, start LUA PG and restart the LUA Apache service, and LUA should work correctly.
There are some other issues that I won't discuss here, as they are not so important.

The current problem (at least for me it is a problem) is the process SEMPUB. In the document http://www.symantec.com/business/support/endpoints... on page 14 I have found the following:
Process name: sempub.exe
Used by: SEPM
Purpose: Publish content updates and related files so clients can retrieve
When it runs: After new updates are downloaded by the SEPM
This is either not true or the 4 hours (the scheduled live update checks are set to 4 hours) in my time zone last about 480 times shorter, because the process sempub is executed every 30 seconds. The process then executes several javaw.exe processes which generate a CPU load of 25 to 40%. All client groups are set to pull the policies every 15 minutes. During every sempub execution an (unknown) exception is raised and shown in the lower part of the SEPM when the site is selected in the administrative part. The exception is always the same and it looks like:
2008-01-18 14:10:09.609 SEVERE: Unknown Exception in: com.sygate.scm.server.task.PackageTask
java.lang.NullPointerException
at com.sygate.scm.util.GUIDGenerator.convertGUIDToHyphenFormat(GUIDGenerator.java:92)
at com.sygate.scm.server.publisher.compiler.logicaobject.AvPolicyCompiler.getAVScheduledScan(AvPolicyCompiler.java:1668)
at com.sygate.scm.server.publisher.compiler.logicaobject.AvPolicyCompiler.getAVAdminDefinedScanOptions(AvPolicyCompiler.java:1488)
at com.sygate.scm.server.publisher.compiler.logicaobject.AvPolicyCompiler.getAVAdminDefinedScanOptionsLink(AvPolicyCompiler.java:389)
at com.sygate.scm.server.publisher.compiler.logicaobject.AvPolicyCompiler.compile(AvPolicyCompiler.java:272)
at com.sygate.scm.server.publisher.compiler.Spa50ProfileCompiler.buildAVPolicy(Spa50ProfileCompiler.java:951)
at com.sygate.scm.server.publisher.compiler.Spa50ProfileCompiler.compile(Spa50ProfileCompiler.java:773)
at com.sygate.scm.server.task.PackageTask.updateProfile(PackageTask.java:675)
at com.sygate.scm.server.task.PackageTask.updateGroup(PackageTask.java:628)
at com.sygate.scm.server.task.PackageTask.getChildGroups(PackageTask.java:826)
at com.sygate.scm.server.task.PackageTask.getChildGroups(PackageTask.java:827)
at com.sygate.scm.server.task.PackageTask.getChildGroups(PackageTask.java:827)
at com.sygate.scm.server.task.PackageTask.checkGroupDirectory(PackageTask.java:556)
at com.sygate.scm.server.task.PackageTask.run(PackageTask.java:247)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)
The situation is identical on both servers with SEPM.

Does anybody have the same problem, or an idea what to do next?

Thank you very much in advance.

Regards.
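
Added example, not part of the original post: one way to confirm from the server log how often the exception recurs and whether it is always the same failure, by grouping entries on task, exception class and top stack frame and measuring the gap between them. It assumes log entries in the same format as the trace quoted above; the sample log is constructed (only the first timestamp comes from the post) and the function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format of the trace quoted in the post
# (the second and third timestamps are made up for illustration).
SAMPLE_LOG = """\
2008-01-18 14:10:09.609 SEVERE: Unknown Exception in: com.sygate.scm.server.task.PackageTask
java.lang.NullPointerException
at com.sygate.scm.util.GUIDGenerator.convertGUIDToHyphenFormat(GUIDGenerator.java:92)
at com.sygate.scm.server.publisher.compiler.logicaobject.AvPolicyCompiler.getAVScheduledScan(AvPolicyCompiler.java:1668)
2008-01-18 14:10:39.702 SEVERE: Unknown Exception in: com.sygate.scm.server.task.PackageTask
java.lang.NullPointerException
at com.sygate.scm.util.GUIDGenerator.convertGUIDToHyphenFormat(GUIDGenerator.java:92)
2008-01-18 14:11:09.655 SEVERE: Unknown Exception in: com.sygate.scm.server.task.PackageTask
java.lang.NullPointerException
at com.sygate.scm.util.GUIDGenerator.convertGUIDToHyphenFormat(GUIDGenerator.java:92)
"""

HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\w+): Unknown Exception in: (\S+)")
FRAME = re.compile(r"^\s*at (\S+)\(")

def summarize(log_text):
    """Group exceptions by (task, exception class, top frame) and return
    {key: (occurrence count, median gap in seconds or None)}."""
    events = defaultdict(list)
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        # The exception class and the top frame follow the header line.
        exc = lines[i + 1].strip() if i + 1 < len(lines) else "?"
        top = FRAME.match(lines[i + 2]) if i + 2 < len(lines) else None
        key = (m.group(3), exc, top.group(1) if top else "?")
        events[key].append(when)
    report = {}
    for key, times in events.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = (len(times), median(gaps) if gaps else None)
    return report

if __name__ == "__main__":
    for (task, exc, top), (count, gap) in summarize(SAMPLE_LOG).items():
        print(f"{count}x {exc} in {task}, top frame {top}, median gap {gap}s")
```

A single key with a steady median gap points to one policy object failing on every PackageTask run rather than several unrelated errors.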