Endpoint Protection

Hi all , I have few questions would really appreciate your responses and suggestions on this is.

 

I have around 300 clients ( running SEP 12.1.6 MP3 ) that are appearing Disabled in SEPM console.  Now mostly the following three componets are showing as malfunctioning when I see the dashboard.

AutoProtect

Sonar

Download Insight

 

Now when I click on any one of these clients I see that for Antivirus definations date on the SEPM I see " Not availble " However when I tried to look physically one of the endpoints , when I opened the SEP UI I saw that it was giving the message that the PTP definations are corrupted or the installation is corrupted something like this.  However the clients was connected to SEPM and definations on it was also of recent date. When I ran the SymHelp tool on the same machine to scan for common issues it didnt return any error and indicated that definations are not corrupted whereas SEP UI is dispaying the message that Sonar definations are corrupted.

 

Now the problem is when I tried to push a new package from SEPM it rejected to install on the client becuase it was already running the newer version. I am wondering that how can I fix this and why it is coming at the first place.

we are also facing the same issue, that client needs a repair/reinstall that is the only fix that we have found so far.

Are they new install clients with no defintions on intial install? If so it may take a bit of time for the machines to download the latest defs and update and then you will see the information populate and the disabled report will disappear. 

They will also show as disabled if the feature is installed on the client but you have disabled the element by policy or not assigned a policy. 

Thanks for the Praveen , but the problem is since they are already running the newest version so if we again try to do a remote push by SEPM or deploy the package via SCCM , Client will reject it since they are already on the same version.  Manually doing repair on 300 machines is not feasible and practical to do as all machines are geographically dispersed.  However I am trying to figure out an automated script that can achieve the following.

 

1) Uninstall the existing client and then install the SEP client in a single task

 

2) Purge the existing all definations and then allow the clients to dowload newer set.

 

Let me know if you are able to fix your issue and what apprach did you use to resolve this.  Thanks

Thanks for the reply Geo , Actually the package was installed with full content. The number of disabled client is fluctuating sometimes it is more sometime less , but on average its within the range of 250 - 300

that is the exact issue we have at our hand and symantec has requested DB to reproduce the issue at ther labs. we are waiting for approval from our client to proceed further. 

 

Meanwhile, for your case I would suggested you to pick a couple of machine and try to perform a repair install with the MSI file if this doesn't fix try reinstalling.

But Praveen actually I am looking for some logical reasons as what might cause this to happen at the first place becuase the trublehsooting and logs itself doesnt reveal much.

unfortunately I couldn't spend more time in investigating this issue and the user are not available for T/S and it directly impacts the production. on the other hand we have left it the experts to come back with their suggestion. and I would probably advise you to do the same as this is a time consuming job and requires a lot efforts and resources. 

Delete a client from sepm and check the status it shows when it comes back

If issue is occurring at 300 clients then it could be from the SEPM side. I would suggest to repair the SEPM first prior to start any troubleshooting.

After that make sure liveupdate is running successfully and verify showing updated status on the Home page.

OR else there can be a possibility that SEPM definitions are corrupted. Can run Symhelp tool on the SEPM machine,.
 

Hi cheatan thanks for your reply . We have 19k machine out of which most are up to date few 4k are offline and remaining are disabled like I said above.

Hi rafeeq already did that didn't make any difference

In case it's embedded database verify database maintenance is happening in the background.

Go to Admin --> Servers --> Local Site --> Database --> Truncate transaction logs and Rebuild Indexes now.

Try to perform them manually as well.

In case it's SQL database check with SQL admin.

Hi Chetain , It is a SQL instance. 

Just make sure SQL database maintenance is also working.

Hello Chetan thanks for your reply. Would SQL DB maintaince do any diffrence , since this issue has to do with the agents itself. BTW SEPM instance is hosted on production SQL server where they have a proper plan for doing maintaince tasks for all DB instances.

Hello, I have the same issue of SymSpec.

In my organization we have 190 clients with Symantec Endpoint Protection Installed.

A week ago I upgraded the Endpoint Protection Manager to latest version (12.1.6 MP3) and a few days ago I upgraded all our clients to the same version.

As you can see from the picture, I have 96 out of 190 clients that are showing as "Disabled" in the home of SEPM. Besides that there is a "Network Threat Protection Failueres" on those 96 clients.

But if I check some of the client showing as "Disabled", the SEP on the client doesn't detect any problem.

This thing only happens from when I upgraded the clients and the SEP manager.

One thing to note is that by policy I disabled the firewall since we have a perimetric firewall, but I left enabled the Network threat protection.