Endpoint Protection


Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE


  • 1.  Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 07, 2011 09:51 AM

    Hello, everybody,

    I have a weird situation with SEP12.1EE notifications.

    After migrating my clients successfully to SEP12.1EE from SEP11RU6MP3, I got notifications about outdated IPS and SONAR signatures on all migrated clients.

    During migration I followed the Symantec whitepapers, as well as the instructions learned in a small course, held here in Hamburg.

    This problem is not limited to a specific Windows version (We have a mix of Windows 7 64-BIT and XP).

    My notifications are configured to be triggered from 1 PC with signatures older than 7 days.

    The dates in the notification E-Mails are reflecting exactly the migration day (I pushed the clients with full content & resetting communication).

    When you investigate this "issue", you will see that the mentioned clients "show green" with no problems and full communication, the Home tab in SEPM shows "everything o.k.!", the client's properties in the client group in SEPM show the most recent updates and good communication, and all reports show the most recent content and no communication problem.

    I verified the LU content in SEPM also; it's o.k.!

    On the other hand, by using the SEP Support Tool on these clients, they show the IPS and SONAR content with the wrong date and with the remark "last checked: 01/01/1680". (It's not a typo, it's really 1680!)

    While investigating this issue, I tested what happens if you make a clean install (removing SEP11 before pushing the new client) or on new machines with a first-time installation of SEP12.1, and I learned that my issue is limited only to migrated clients!

    I tested the workaround for the "Date-/Time-Format" issue; my problem seems not to be related to that issue.

    Last but not least, I looked in the registry on the affected clients and found something, similar to this:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SharedDefs\SymcData-cndcipsdefs]
    "cndcIps"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"
    "SepCache3"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110917.001"
    "SepCache2"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110920.001"
    "SepCache1"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SharedDefs\SymcData-cndcipsdefs\MicroDefs]
    "LastBinUpdate"=hex:01,00,00,00


    ***************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\Content\IPS]
    "CurrentPath"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"
    "CurrentSequence"="110921001"

    These paths are the old ones for SEP11 and they are empty, as expected. Shouldn't they have been deleted during migration?

    All clients have the correct paths for the recent content also in the registry!

    My questions: Is this my mistake or a bug in the product? Is there a chance of correcting this without uninstalling all migrated SEP clients? Does anyone else here have similar issues? If it is my mistake, what did I miss or do wrong?

    Kind regards from Germany,

     

    Rolf

     
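    The registry dump above is exactly the kind of artefact worth checking on every migrated client before trusting the SEPM notification: the sequence date is encoded in the folder name of each definition path (YYYYMMDD.NNN). The following is an added example, not Symantec/Broadcom tooling and not from anyone in this thread. It parses the text of a .reg export of the SharedDefs and Content\IPS keys (the sample is the snippet from the opening post, reproduced in .reg syntax), extracts the sequence date from each path, and lists every entry older than the 7-day notification threshold mentioned above. The reference date (the day of the opening post), the function names and the .reg parsing rules are assumptions made for the example; the registry keys and the threshold come from the thread.

```python
"""Offline check of a Symantec SharedDefs registry export for stale definition paths.

Added example for this thread (not Symantec's or Broadcom's tooling). It reads the
text of a .reg export, pulls the YYYYMMDD.NNN sequence out of every definition path
and flags entries older than the notification threshold relative to a reference date.
"""
import re
from datetime import date

# Constructed sample: the key blocks quoted in the opening post, in .reg syntax.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SharedDefs\SymcData-cndcipsdefs]
"cndcIps"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"
"SepCache3"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110917.001"
"SepCache2"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110920.001"
"SepCache1"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SharedDefs\SymcData-cndcipsdefs\MicroDefs]
"LastBinUpdate"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\Content\IPS]
"CurrentPath"="C:\\PROGRA~3\\Symantec\\DEFINI~1\\SymcData\\CNDCIP~1\\20110921.001"
"CurrentSequence"="110921001"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\Sub\Key]
STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="REG_SZ value"
SEQ_RE = re.compile(r'(\d{8})\.(\d{3})$')      # ...\20110921.001


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values only.

    hex: (binary) values such as LastBinUpdate are skipped because they carry no
    path. A doubled backslash is the .reg escape for one backslash and is unescaped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def sequence_date(path):
    """Extract the YYYYMMDD part of a definition folder name, or None if absent."""
    m = SEQ_RE.search(path)
    if not m:
        return None
    d = m.group(1)
    return date(int(d[:4]), int(d[4:6]), int(d[6:8]))


def stale_definitions(text, reference, max_age_days=7):
    """List (key, value_name, seq_date, age_days) for every definition path whose
    sequence date is older than max_age_days as of `reference` (date or ISO string).
    """
    if isinstance(reference, str):
        reference = date.fromisoformat(reference)
    stale = []
    for key, values in parse_reg(text).items():
        for name, value in values.items():
            seq = sequence_date(value)
            if seq is None:          # CurrentSequence has no YYYYMMDD.NNN suffix
                continue
            age = (reference - seq).days
            if age > max_age_days:
                stale.append((key, name, seq, age))
    return stale


if __name__ == '__main__':
    # Reference date: the day of the opening post (assumption for the example).
    for key, name, seq, age in stale_definitions(SAMPLE_REG, '2011-10-07'):
        leaf = key.rsplit('\\', 1)[-1]
        print(f'{age:3d} days old  {seq}  {name}  ({leaf})')
```

    On the sample, all five path values are flagged (16 to 20 days old on 7 Oct 2011), which is what the SEPM notification condition would also see if it were reading these entries rather than the current content paths. To use it on real clients, export the two keys with reg export and feed the file's contents to stale_definitions; the on-disk check (does each folder still exist, which the post says is not the case here) has to be done on the machine itself.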



  • 2.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 07, 2011 10:13 AM


  • 3.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 07, 2011 10:15 AM

    It's a date format issue.



  • 4.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 07, 2011 10:37 AM

    Thank you for the Link and your answer, Pete,

    I know this KB article; I changed the date format, waited a while, but I still get these notifications.

    Should I try to change the separator to something other like mm/dd/yy, as mentioned in some other posts here?

    This is the only thing I never tried.

    Regards,

     

    Rolf



  • 5.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 07, 2011 11:49 AM

    Hi,

    Please check the following article and make sure you have the latest definitions.

    http://www.symantec.com/business/security_response/definitions.jsp?pid=sep12

    We have seen this issue previously and it was resolved by following the link shared by Pete_4u2002.

    However, as per your clients' registry entries, it's showing old dates.

    Try running the Rx4Defs utility on 2-3 clients for testing purposes and share the result.

    http://www.symantec.com/business/support/index?page=content&id=TECH93036&locale=en_US



  • 6.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 07, 2011 12:08 PM

    Thank you, Chetan,

    as per my understanding, I have to open a ticket with local support to obtain the Rx4Defs utility, right?

    You can't give me a link via a PM, can you?

    So I will do this on Monday and try to come back with the results asap.

    Have a nice weekend,

     

    Rolf



  • 7.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 11, 2011 09:14 AM

    Hello, Chetan,

    today I executed Rx4Defs on three WS in one of my affected organisations AND I changed the date/time format to mm-dd-yy.

    After that I gave the command "renew content" to the client's group and compared all definition dates with the Symantec website. Everything seemed up to date.

    But still no success!

    I still get the weird notifications.

    Find attached some reports from the SEPM, including a sample of the notification as pdf.

    Do you need the reports from the Rx4Defs utility, too?

    Regards from Germany,

     

    Rolf

    Attachment(s): scan0003.pdf (pdf, 1.15 MB, 1 version)


  • 8.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 11, 2011 09:44 AM

    Hi,

    Before running Rx4Defs on the affected machines, were the definitions not updated? After running the utility, did it update with the latest date?

    If yes, please check the registry dates you had checked previously.

    There are predefined notifications in SEP 12.1.

    Monitors tab --> Notifications --> Notification Conditions: have you checked this?

    I could not read the attached report; it's in a different language.



  • 9.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 11, 2011 10:41 AM

    Thank you for your quick response.

    As per my observation, Rx4Defs changed nothing for me.

    Definitions were updated now and before, according to the SEPM, and yes, I checked the notification settings and the predefined ones.

    The registry wasn't changed either; everything is like before.

    Sorry for the reports, they are in German. I just wanted to show you the situation with the signature dates shown there, and I thought you could imagine what I mean, because the reports always look the same; only the words change from language to language.

    O.K., let me translate the important facts (unfortunately I don't know the exact English names used by Symantec, so I have to translate word by word from German to English):

    The first 2 pages are from the "security content versions" report for the last 24h. Take a look at the row "SONAR - table of approved applications" with a date of 9-6-2011 rev4.

    The 3rd page is the "IPS signature deployment status" for the last 24h.

    The 4th one is a notification of "clients with outdated IPS signatures". As you can see from the first two pages, all clients have a newer IPS version (look at the 3rd row of the report).

    The 5th page is a notification of "clients with outdated SONAR definitions". Compare that date: it's the date from the row "SONAR - table of approved applications" from the content report.

    I hope my translation is good enough.

     

    Rolf



  • 10.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 11, 2011 10:54 AM

    Hi,

    Could you please share a screenshot of Show LiveUpdate Downloads with us?

    Path: SEPM --> Admin --> Servers --> Local site --> Show LiveUpdate Downloads

    How many clients in total do you have in your network?

     



  • 11.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 11, 2011 11:17 AM

    Sure, here it comes!

    We have 4 clients in this organisation: 1 server (AV only) and 3 WS (full feature set).



  • 12.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 11, 2011 11:22 AM

    Hi,

    Your SEPM is updated with all features.

    Try this article:

    Clearing log data from the database manually.

    http://www.symantec.com/docs/HOWTO55449



  • 13.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 11, 2011 11:54 AM

    I will try this tomorrow morning and come back to you with my results then.

    Now it's 6pm and soccer time: Germany vs Belgium in the qualification for the European Soccer Championship next year.



  • 14.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 12, 2011 05:04 AM

    Good Morning, Chetan,

    it's 11am and I executed the purge log data command from your article HOWTO55449.

    No change: I still get the two notifications about outdated IPS signatures (dated 09/03/2011) and SONAR definitions (dated 09/06/2011).

    What strikes me (I overlooked it till today) is that the SONAR notification tells me that we have 6 outdated computers, although we only have 3 machines in the organisation with SONAR installed?!?

    Greetings,

     

    Rolf



  • 15.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 12, 2011 05:42 AM

    Hi,

    Good Morning,

    I think you should change your default settings.

    SEPM will remove clients which have not connected for more than 30 days.

    After making these changes it should show 3 machines in the organisation.

    It will take some time to be reflected in the report. Try to truncate the transaction log and rebuild the indexes also.

    A screenshot is attached for the same.



  • 16.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Broadcom Employee
    Posted Oct 12, 2011 06:16 AM

    What is the last check-in time of the clients which show as outdated?



  • 17.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 12, 2011 07:11 AM

    Good Morning, Chetan,

    good morning, pete_4u2002,

    thank you very much for all your help!

    @chetan: My settings are as in your screenshot, including the database maintenance tasks!

    @pete_4u2002: I attached some screenshots. You can see the "last download" in the 2nd column and the "last status change" in the 3rd column. I also made a screenshot of the client tab with the same dates in the 1st and 2nd columns.

    By the way: I found an interesting report, which I never used, named "details of client stock" for the last 24h. It's the only report that shows the old IPS signatures in the 5th column, but the most recent SONAR signatures.

    Hm, very strange.

    Is it possible to create some SQL queries to determine where the odd data comes from? I'm not an SQL expert, so it's just a stupid question.



  • 18.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 12, 2011 07:26 AM

    Change the date format:

    1 - In the Security Status window, click on Preferences;

    2 - Click on the tab Logs and Reports;

    3 - Change the date format from DDMMYYYY to MMDDYYYY. Hit OK.

    4 - Wait a few seconds on the Home screen. (Clicking on Refresh won't have any effect.)



  • 19.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 12, 2011 07:39 AM

    Hello 22Aug,

    thank you for your comment!

    I tried this several times and with several separators. It didn't change anything for me.

    It's still my opinion that my issue is related to the migration, as no freshly installed 12.1 client is affected in any of my managed organisations. I would also rather blame my SQL database than the date/time issue. Otherwise it must be a very uncommon variant of that reporting issue.

    @chetan: I changed the setting to 1, as you told me in your PM!

    Greetings,

     

    Rolf



  • 20.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE

    Posted Oct 13, 2011 04:58 AM

    Good Morning,

    I'm writing this to let you know that we have a possible solution for that problem.

    Before I post it here and mark this thread as solved, I asked Chetan to give me a few days for monitoring and trying it with my other affected customers.

    Stay tuned!

    Greetings,

     

    Rolf



  • 21.  RE: Notifications of outdated signatures after migration from SEP11RU6MP3 to SEP12.1EE
    Best Answer

    Posted Oct 19, 2011 04:21 AM

    Good Morning, everyone,

    it's time for posting my solution!

    First I want to thank Chetan for his professional help and all others for participating in this discussion.

    I monitored the situation for a week with success.

    Here is what I did on EVERY server:

    1. Setting the option "delete clients that have not connected for x days" to 1.

    2. Clearing log data from the database manually (http://www.symantec.com/docs/HOWTO55449).

    3. Deleting all clients in their groups in SEPM and waiting for re-population with the next heartbeat.

    4. Running a dbcc command against the sem5 database (see attachment).

    Before doing all that, I made a backup of the database and temporarily broke replication, where applicable.

    So far the solution.

    I investigated my issue more deeply from Microsoft's point of view and discovered that the root cause of all that must be my personal, stupid blonde moment:

    I forgot to disable the semsrv service during the upgrade of the SEPM SQL instance from 2005 to 2008R2, one month before the SEP migration.

    This is described in TechNet as a pre-upgrade task in the Upgrade Best Practices for SQL Server ("Disable all data change for the instance to upgrade").

    Lesson learned!

    Greetings from Hamburg,

     

    Rolf

    P.S. I think we have to fine-tune the notification settings a bit after the migration to SEP12.1. I discovered today that between propagating the new SONAR definitions in SEPM and the point where all clients had been updated, I got several notifications. O.K., that's not an issue to discuss.

    Attachment(s): dbcc script.txt (txt, 204 B, 1 version)