
Need help to solve a problem of appearing/disappearing machines.

  • 1.  Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 05:52 AM

    Hi,

    I administer a network with more than 500 servers, with Windows 2000, 2003 and 2008. All machines have the 11.0.4242.75 version of Symantec Endpoint Protection.

    Many machines have been installed from a cloned image of the operating system with sysprep, and the antivirus installed. Now, in the SEP Management console, some of the machines are missing, and when one machine updates its policy, it appears in the console in place of another. For example, we have server1, server2, server3, all with the antivirus installed, and the console shows just server2. We log into server1, update the policy, and in the console server2 disappears and server1 appears. Then we update the policy on server3, and server1 disappears and server3 appears.

    How can we solve this problem? We have tried to uninstall the client and install again, and the problem persists. We have more than 50 servers affected.

    Thank you

     

     



  • 2.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 05:57 AM

    That is an issue with cloned image systems.

    The following steps must be performed on each client which has a duplicate hardware ID.

    1. Stop the Symantec Management Client (SMC) service. This can be accomplished by clicking Start > Run and entering the command: smc -stop
    2. Delete %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    3. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink
    4. Edit the HardwareID value data to be blank
    5. Start the Symantec Management Client (SMC). This can be accomplished by clicking Start > Run and entering the command: smc -start

    When the client next communicates with the SEPM, it will generate a unique HardwareID and sephwid.xml.

    In future, when you create any image, follow the article below:

    Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image

     

     

    Article:TECH102815 | Created: 2007-01-05 | Updated: 2012-06-08 | Article URL http://www.symantec.com/docs/TECH96808
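
Added example, not part of the original thread and not Symantec tooling: before applying the steps above, this finds which servers report the same HardwareID, given the `reg query` output for the SyLink key collected from each host. The host-to-output mapping, the sample IDs and the exact `reg query` layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Key path as given in the thread; the `reg query` output layout is an assumption.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
HWID_LINE = re.compile(r"^[ \t]*HardwareID[ \t]+REG_SZ[ \t]*(\S*)[ \t]*\r?$", re.I | re.M)


def parse_hardware_id(reg_output):
    """Return the upper-cased HardwareID from one host's output, or None if absent or blank."""
    match = HWID_LINE.search(reg_output)
    return match.group(1).upper() if match and match.group(1) else None


def find_shared_ids(outputs):
    """Map every HardwareID reported by more than one host to its sorted host list."""
    hosts_by_id = defaultdict(list)
    for host, text in outputs.items():
        hwid = parse_hardware_id(text)
        if hwid:  # skip hosts whose value is blank or missing
            hosts_by_id[hwid].append(host)
    return {hwid: sorted(hosts) for hwid, hosts in hosts_by_id.items() if len(hosts) > 1}


def sample_output(value):
    """Build constructed `reg query` output for one host (CRLF line endings)."""
    return f"\r\n{KEY}\r\n    HardwareID    REG_SZ    {value}\r\n\r\n"


# Constructed sample: three clones share one ID, one host is unique, one was blanked.
SAMPLE = {
    "server1": sample_output("0A1B2C3D4E5F60718293A4B5C6D7E8F9"),
    "server2": sample_output("0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
    "server3": sample_output("0A1B2C3D4E5F60718293A4B5C6D7E8F9"),
    "server4": sample_output("FFEEDDCCBBAA99887766554433221100"),
    "server5": sample_output(""),
}

if __name__ == "__main__":
    for hwid, hosts in find_shared_ids(SAMPLE).items():
        print(f"{hwid} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```
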

     



  • 3.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:01 AM

    Thanks for your quick answer. I have tried that solution, but on my machines there is no sephwid.xml file to delete. I have searched for it on the whole disk, and there is no such file. I have deleted the content of the registry key, but the problem persists, probably because, as there is no sephwid.xml file to delete, the procedure is not complete.

     

     



  • 4.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:06 AM


  • 5.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:10 AM

    This article lists how to remove the hardware ID from version before RU5 as well:

    http://www.symantec.com/docs/TECH96808

    #EDIT# Whoops, looks like James has already linked this article.  Might be worth noting that you're running a very old version of SEP now, that goes End of Limited Support on 5th Jan next year (in one month's time).  Time for an upgrade perhaps?

    http://www.symantec.com/business/support/index?page=releasedetails&key=54619#



  • 6.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:34 AM

    Thanks all for your answers. Yes, it's time for an upgrade, but there are more than 500 servers running 24x7, so we need a lot of time and work to upgrade, and Windows 2000 machines don't support version 12 (and they are not going to be taken out of service for at least two years).

    I will read the articles, and keep you informed.

     



  • 7.  RE: Need help to solve a problem of appearing/disappearing machines.

    Broadcom Employee
    Posted Dec 04, 2013 06:43 AM

    Hi,

    Thank you for posting in Symantec community.

    Releases prior to RU5 required that the HardwareID be deleted by following the instructions below,

    NOTE: Failure to follow these directions may have adverse effects on client communication and registration.

    Please ensure that the Symantec Endpoint Protection (SEP) client does not communicate with the Symantec Endpoint Protection Manager (SEPM) prior to and while creating the image.

    If the SEP client has checked in and registered with the SEPM, the following registry values must be deleted prior to creating the image.

    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID.

    NOTE: The registry value HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\SySoftk must also be deleted if present.

    Once the image is applied to a new system, the client will generate a unique id value, check in with its SEPM, and register. During the registration process, the SEPM will register all necessary client information into the database.

    This value will regenerate the next time the client loads.

    Reference: Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image

    http://www.symantec.com/docs/TECH102815



  • 8.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:46 AM

    Well, I have read the article to remove the hardware ID in versions prior to RU5, and it explains how to do it... before the creation of the cloned image. But it is too late for that: the image is done, applied to the servers, and the servers are giving service. The solution has to be something after the damage is done.

    As for the other documents, one is the same as the first option, but I have no sephwid.xml file to delete. The other is the syslink.xml solution. I have tried that solution, changing the location of the client, but the problem persists; it only changes the location where the client appears/disappears.

    I have been thinking about a possible workaround, but I am not sure if it will work (and not sure how to afford it). If I uninstall the client, remove all SEP files and all registry entries, and then install again, I suppose that the client will be completely new; the only problem (and maybe the worst problem) is that I don't know if there is a way to remove ALL the files and registry entries. The standard uninstall definitely doesn't do that.

     



  • 9.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 06:52 AM

    The instruction in the article should work fine.  Once the HWID is gone, the next start of the SEP processes is meant to cause the client to generate a new HWID and new client record in the SEPM.

    Is this not happening?



  • 10.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:00 AM

    Yes, the instruction in the article should work fine. But, again, there is no sephwid.xml to delete on my machines, so the instruction cannot be applied completely. And the fact is that it's not working. I'll tell you more: I run smc -stop, delete the content of the registry key, run smc -start and the registry key stays empty.

     

     



  • 11.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:04 AM

    How about a reboot?

    The instructions indicate that for older SEP versions the file isn't meant to be there.  It's all handled by the reg keys.

    If you're after the Cleanwipe tool for complete removal of SEP, then you need to log a case with Symantec to get a hold of it I'm afraid.



  • 12.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:07 AM

    Maybe the smc -stop/start is not enough: I will wait till the next restart of the test machine (which will happen in less than a week).

    Thank you.

     

     



  • 13.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:20 AM

    Well, I have done the following test in two machines with the same hardware id.

    In one server: smc -stop, delete content of HardwareID registry key, smc -start.

    The HardwareID is generated again, and is the same as before. Why is the system not generating another ID?

     



  • 14.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:25 AM

    I think you're meant to delete the Value itself, not the contents.



  • 15.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 07:53 AM

    I deleted the value itself, and the same HardwareID was generated. I guess it uses some other information to generate the HWID, or it is reading it from elsewhere.

     

     



  • 16.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 08:07 AM

    Hmmmm, if you want to investigate it, I think the Debug logs show the generation of a new HWID.  Perhaps enable this and see what it says?

    http://www.symantec.com/docs/TECH91540

    In theory, you should see logs similar in nature to those identified in the below article (obviously slightly different as we're looking at a different issue here):

    http://www.symantec.com/docs/TECH175680

    Also, can you confirm the version of the client on this test server you're looking at?  Is it possible it is running a later version?



  • 17.  RE: Need help to solve a problem of appearing/disappearing machines.

    Posted Dec 04, 2013 12:12 PM

    Hi, 

    Check for any error messages in the NTP log.

    Regards

    Ajin