Endpoint Protection

Hi,

We have around 300 group. The groups contain machines from diffrent remote branches. one particular client machine in a group seem to change ip address frequently. initially, i thought the machine was wrongly put in a diffrent group but when the machine was moved to correct group, it again changed the ip which belonged to a different group(ip range). The common thing which was found was that all this machine have a common computer name. Is this any bug ? Please help..

Regards,

Anish

If the machine itself is changing its own IP address I don't see here any relation to SEP.

What's the network configuration on that machine? Dynamic IP?

Actually, the ip address changes to a different network. furthermore, the ip address are all assigned with static ip's.

Regards,

Anish

Are you able to connect to each of those IP addresses?

The most common casue for a single SEP Client record to repeatedly change its information is when several machine have been built using the same disk image (so that they all report into the SEPM with the same HWID).  It also sounds as if whoever deployed the image may have neglected to change the machine name too 

I'd recommend hopping onto each of these IP addresses to verify.  If this is the case, then please follow the below article on resolving the issue:

http://www.symantec.com/docs/TECH163349

#EDIT#

Of course, another cause is that the machine in question is multi-homed, is this possible?

Hi,

You are correct. The machine name is same for all the client which is changing the ip address. Will changing the computer name be a solution to this ?

Regards,

Anish

Hello,

Do you have check that machine MAC Address are same or different ?

Hi Manish,

The mac address is same for all this machine as can be seen from the sep manager console. But how could diffrent machines have the same mac id? It was also found that the computer name is not same for all the machines, even computre hname seems to be changed.

Regards,

Anish

Hello,

No, MAC address are different every machine .

Do you have try to reinstall sep client or Remove HWID for that machine

Hi,

Tried reinstalling one such machine which is present in my office(my group) but to no help.

Regards,

Anish

Will removing the hardware id solve this issue?

Also, does it require to manually login to each affected machines to remove this hwid ?

We are not under a domain and hence cannot run any gpo.

Regards,

Anish

hello,

Will removing the hardware id solve this issue?

You may be try

Also, does it require to manually login to each affected machines to remove this hwid ?

You can login Manually affected machine and check that's host name and ip same or not may be it's DNS issue

Hi,

How should i remove the hardware id'd for this machine's?

Regards,

Anish

Hello,

You can follow above provided KB TECH163349

Hi,

Should hwid be deleted from this location?

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
HardwareID=""

Regards,

Anish

How the policy assigned there, ip base or computer base?

Have you registered the ip in your DHCP Server?

yes you can delete

Please follow the instructions in the article I linked earlier (repeated below):

http://www.symantec.com/docs/TECH163349

The article provides steps and an executable tool, that will remove the HWID from the cloned machines.  

Attached to the article is the "RepairClonedImage" tool.  Run this on the machines that were cloned to rmove the HWID.  After the tool is run, the next time the machines check into the SEPM they should generate a new SEP Client record and report separately.  While these client records are individual and unique (because of teh new HWIDs) they will all be reporting the same machine name until you change them).

The article also provides instructions (Step 2) on how to run the RepairClonedImage tool on clients remotely using the CDW, which can be very useful.

I've collated your questions and provided answers here:

1. Changing the machine name will not resolve the issue, but should be done anyway.  The resolution is to run the RepairClonedImage tool on the machines in question.  Changing the machine name is to ensure standard practice is followed.
2. Whenever any of the machines sharing the HWID check in, they replace all the details of the client record within the SEPM.  Therefore, the MAC address you see within the SEPM for the client is that of the last one to check in, and not a combined list of the MAC addresses of all the machines linked to this record.
3. Removing the HWID will resolve the issue.  The article I linked in my first post tells you how to do this remotely without logging into the target machine (repeated above )
4. Removing the reg key you identified is not enough in SEP12.1.  Please see the below article for all the various places the HWID is kept.  The RepairClonedImage tool removes all these for you.
   http://www.symantec.com/docs/HOWTO54706

Thanks,

RepairClonedImage when executed on the affecetd machine seems to have solved the problem.

Regards,

Anish

Hi,

Delete all instances of sephwid.xml on file system. Possible locations (usually only in the PersistedData folder):

1. C:\Program Files\Common Files\Symantec Shared\HWID\     (if it is migrated from 11.x);
   C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData\
     (Replace "Documents and Settings\All Users\Application Data" with "ProgramData" on Vista/Win7/2008+)
   C:\Windows\Temp\
   C:\Documents and Settings\<userName>\Local Settings\Temp\
   C:\Users\<userName>\AppData\Local\Temp\     (on Vista/Win7/2008)
2. Remove all copies of communicator.dat from the file system. Possible locations:
   C:\Windows\Temp\
   C:\Documents and Settings\<userName>\Local Settings\Temp\communicator.dat
   C:\Users\<userName>\AppData\Local\Temp     (on Vista/Win7/2008+)
    
3. Delete HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
    
4. Delete HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostGUID

Reference: http://www.symantec.com/docs/HOWTO54706