Endpoint Protection


Multiple issues after updating to SEP 12.1 RU5


  • 1.  Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 12, 2014 11:31 PM

    Hi,

    I have noticed a few issues on my SEPM console after upgrading from 12.1 RU4 MP1b to 12.1 RU5.

    1. Security status - this has been showing "Attention needed" right after the upgrade

    2. Monitors tab -> Summary, always shows no data

    3. Try to populate any report - all data is from before the upgrade and none from after the upgrade

    4. Stopped receiving all emails from the SEP server although none of these settings changed

    My environment: Server 2003 Standard on a standalone box, with SQL 2005 DB on another standalone box. I haven't noticed any error during or after the upgrade, nor do I receive any error while logging into the SEPM console.

    Any help would be really appreciated.



  • 2.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 12, 2014 11:49 PM

    1. Security status - this has been showing "Attention needed" right after the upgrade

    -> Click on view details and check which component is having the problem.

    2. Monitors tab -> Summary, always shows no data

    -> This is the past 12 hours report only; maybe there are no events to check from the past 12 hours. Check site status; it should say it's good.

    3. Try to populate any report - all data is from before the upgrade and none from after the upgrade

    -> Do you remember what the log retention period was? Logs might have been purged when you did the upgrade.

    4. Stopped receiving all emails from the SEP server although none of these settings changed

    -> What kind of emails? What was the notification set?

     



  • 3.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 12:24 AM

    1. All the components here show up in green and within the threshold limits. Still it shows "Attention Needed".

    2. This I have kept at 24 hours; except site status, all others show as "No Information".

    3. Log settings screenshot below. If it is the purge settings, then I should not see older information, correct? But it is the new information that is not being populated here.

    logsetings.JPG

    Populated a few reports for your understanding, see the screenshots.

    Generated report after upgrade

    reportafterupgrade.JPG

    Report from before the upgrade date till date

    reportbeforeupgrade.JPG

    4. I have email alerts set for notifications and a few daily reports. All these reports were unable to be sent to the recipients. Upon checking the SMTP settings under server properties, all settings are correct but sending a test email fails. Not sure what is causing this error. I tested Telnet from my SEP server to my SMTP server and it is open.

     



  • 4.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 01:02 AM

    New risk is different, just to check if these are getting recorded

    Try the Eicar notification

    http://www.symantec.com/business/support/index?page=content&id=TECH104580

    Run this on one machine

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24461

    This should populate the new risk section and also the monitor section. For why mails are not being sent, check the logs under the Tomcat\logs folder.

     



  • 5.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 03:56 AM

    Let's look at one thing at a time; most pressing is the reports. I am in doubt whether any of the client information is getting stored in the DB or not. Is there a way I can check this on the DB directly?

    Tried the EICAR on my own machine and the AV detected and deleted the file. However, even after two hours of this, till now I do not see anything on the new risk report or the monitor section.

    aftertest.JPG

    detection.JPG



  • 6.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 04:13 AM

    Yes Srini, that's correct, I do not believe that new events are getting inserted.

    Are you able to pull out new virus defs info and client scan timings? Are those getting populated after the upgrade?



  • 7.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 11:28 AM

    Can you help me with how to check those two?



  • 8.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 11:36 AM

    Go to Monitors - Logs - Computer Status. Do you see any new events like virus definition date or client check-in time? Are these the latest?

    Can you try restarting the SEPM service once...



  • 9.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 11:29 PM

    Hi,

    I could see clients having received the latest definitions reported in Computer Status, and also today's date for the last check-in date.

    But I still can't see any reports on risk till now. It says "No Data".



  • 10.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 11:47 PM

    Forgot to mention: I did a system restart yesterday and all services are running as expected.

    Email issue: this has been sorted with the help of my Exchange team (they changed the authentication process).



  • 11.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 13, 2014 11:54 PM

    Was this done?

    Go to Admin > Servers > localhost > Edit Database Properties > Log Settings, and uncheck "Delete EICAR events" in the Risk Log Settings section.



  • 12.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 14, 2014 12:17 AM

    Yes



  • 13.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 14, 2014 09:08 AM

    Wow, I see I'm not the only one not impressed so far.

    Since the upgrade, we can't get AV defs, logs are iffy - sometimes I see nothing new since the upgrade days ago, other times I see data. Email alerts are sporadic. Errors in the logs say "can't connect to server" and so on, yet there I am, in the SEPM, running the console on the SEPM as well as from my desktop. But we are stuck at 11/02/2014 virus defs (others seem to be doing ok) and weird other issues, hard to explain.

    I also think the console timeout stinks like old used cat litter. I will decide how much time I can be in the console - or at least I did until this upgrade. I'm the only one who can access this stuff, it's locked down tight - password protected, the servers locked down, you name it, it's secure here, and yet with all this trouble - all the defs problems, logging and reporting issues I'm struggling to work with - the console keeps timing out.

    When one is ADHD and doing 10 things at their place of work, managing SEP and other security among them, one has to go back and forth and this stupid console timeout thing is for the birds in a secure environment. Can they please stop trying to protect people from themselves? I know enough to handle what I handle, I realize some are using SEP/SEPM and have no clue about security or even servers, but let those of us with over 25 years experience decide how the console behaves please.

    Not that I wish bad luck on anyone, but it's sort of reassuring to see "I'm not alone" in my thinking that the upgrade to 12.1.5 should have been delayed for us........... it's caused a lot of trouble on this end and with me being "IT" for network, servers and security since our admin retired, I can't easily afford these issues.



  • 14.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Nov 19, 2014 11:21 PM

    Sorry I couldn't update earlier.

    Had to log a case with Symantec to look into this. All they did was repair the SEPM install first, which didn't help with any of the issues I had.
    Then they manually ran Upgrade.bat (schema update); this seems to have fixed my reports issue.

    However, "Security Status" is still at attention needed. If we disable "percentage of computers with NTP off" then the status shows good; enable it back and it shows attention needed, even though the client threshold is still within the limits mentioned.

    They have collected logs to further investigate this. (I believe I have seen this similar issue prior to 12.1.4?)

     



  • 15.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Dec 04, 2014 02:56 AM

    Hi Srinivas Rodda,

    You've mentioned above that the email issue has been resolved by your Exchange team. May we check what exactly the Exchange team did, when in fact there were no changes to your SEPM Email Server settings? What do you mean by (they changed the authentication process)?

     

    thanks,

    Rinoa



  • 16.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Dec 31, 2014 02:47 PM

    I am happy to report that after a few weeks of hard work by Symantec support that most of the issues I had here, some of which were similar to the OP problems above, have been resolved.

    The worst of the issues was that the SEPM defs would not update, the AV defs that is. LU ran fine and defs like the IPS, download protection, SONAR and so on updated perfectly but the antivirus defs did not.
    For anyone else with similar issues don't mess around, don't sit on it, get a support ticket started and even refer to my issue if you need to because they have seen this and have a tool to fix the definitions problem that comes about after an upgrade of SEPM. So SEPM defs issues solved!!

    Other issue - exponential growth of the SQL database. We were getting by with an 80 gig drive in the SQL server for the DATA. This is a dedicated SQL server, nothing else running on it but MS SQL. C is the OS and program files, D is the SQL data and E is the SQL logs.
    D went from 80 gig FULL to 250 gig with 70 gig free after the SEPM upgrade. This was SEPM only and it caused the SQL database to go from way way under 80 gig to OVER 140 gig now! They are still looking into that.

    3rd issue was that the firewall logs as viewed in monitors tab, threats would not display correctly or at all on SEPM1 but did fine on SEPM2 (SEPM2 had to be fully uninstalled and then reinstalled from scratch after the initial upgrade process broke and left it SEPM-less). Odd that it worked on SEPM2 after an uninstall and reinstall but not on SEPM1 after an upgrade. So the magic tech at Symantec dug deep into the symtools results and came up with a solution - something or someone or some-whatever a year ago during other issues during another upgrade in the past changed a file or two on SEPM1 and the upgrade would not over-write said files. Makes sense so I copied the files from SEPM2 to the same location on SEPM1 and resolved the firewall log threat protection display on SEPM1 issue. That's 1 solved, 1 being looked into and 1 solved.

    Ah, but wait, there's more! I happened to mention while discussing the SEPM console display issues, that I've not for a very very long time been able to sort the display of clients by the antivirus definitions column. The tech said "that's odd, I can". I proved it. He was very creative and we did some testing. He created a spreadsheet, we used the protection technology view and the default view and went through the list of columns indicating which ones were sortable and which were not. He and I both saw an instant pattern. Yes, I had discovered a bug! He had 3 he could not sort, I had 3 I could not sort. 2 of them matched between us, 1 did not. Moving the columns around, changing their order and/or position I could make the inability to sort move!
    I also discovered that it was not only the order or their placement, it's HOW they got to be there! You can move a column more left by dragging it left, or, you can move it left by moving OTHER columns to the right. Depending on HOW you moved them you could cause some to lose the ability to be sorted, or gain that ability back. Sort of like shuffling cards, moving the columns in the SEPM console client view you could really shake things up as far as being able to sort the lists. So I had thought for a year that there was a problem. No one believed me because THEY could sort by virus defs date and I could not - because I viewed the virus defs as so critically important I dragged that column to the left a little bit so I could always see who had what virus defs - then I was not able to sort. I got it to sort again by moving the av defs column to the right a few spots, then moving it back to the left by moving other columns to the right. Now I can sort on the av defs - but not one of the others I used to be able to sort on!

    Try it for kicks - it's a bug we found, well, I told him I was going to submit a report and he got the idea to compare notes so I bet it goes up the chain fairly quickly, but if you can also trigger the inability to sort the display by a column simply by moving the column or by HOW you move the column, more info could be helpful but I'll leave that up to them. Play a trick on your co-workers, break the console display by moving columns around and causing them to lose the ability to sort on av defs and you'll be the life of the party at work, or get called into the boss's office............

    My 1 single support case turned into 4, 2 are solved, 2 are in progress, 1 of those in progress is actually a bug! (an obscure one, but a bug nonetheless)
    The first level fellow tried hard but was spinning his wheels, we both realized it was way over his pay grade and he gracefully escalated the case. Then James got involved and I can't say enough positive things about him. I hope that Symantec does what is needed to keep him there, better yet, get that fellow into QA as I believe that's his ultimate goal at Symantec and he seems to like working there. That's the sort you need to keep - he likes it and wants to move up into QA. Based on my experiences with him, he'd do well there. I had that goal myself but turned the offer down as I did not want to move to CA. Had I been able to do the work from here, where I live, I'd have accepted the offer as I believe in the products and enjoy QA work (even though I'm really picky and at times anal).
    Yeah, sometimes I question upper management but isn't it like that anyway, you can like the person but not always like their deeds. In this case I like the product and have mostly positive experiences with the company even if I disagree with some of their moves or decisions now and then.

    Got issues with a 12.1.5 upgrade - get a ticket going and if first level can't help, escalate and hope James is your tech. He helped me and was positive the whole time.



  • 17.  RE: Multiple issues after updating to SEP 12.1 RU5

    Posted Dec 31, 2014 02:52 PM

    Holy book ShadowsPapa! :) awesome info though!

    Is there a particular cause for the AV def issue or was it something specific to your environment?

    If it's the same James I've worked with in the past at Symantec on a couple issues, he is THE MAN!

    Glad you got it fixed though.