Endpoint Protection


Problem with Central Quarantine server

  • 1.  Problem with Central Quarantine server

    Posted May 20, 2009 12:39 PM
    This is probably something simple and stupid, but I am unable to connect to Central Quarantine server. I installed CQ per Symantec's instructions by installing CQ Console first, followed by the CQ itself. Rebooted machine, fired up the console and attached to the server. Went into Properties and enabled IP under "Protocols" to listen on port TCP/9991, as shown below.

    OKed my way out, restarted CQ services and tested with SEP client that is configured to use CQ to upload the test virus to it. Virus was quarantined, but nothing is showing up in the CQ. SEP client is configured to use the server using FQDN and proper port, but it won't connect to it.
    Moreover, telnet to CQ on port 9991 doesn't work, and "telnet localhost 9991" on CQ itself doesn't work either. A quick "netstat -an" shows no processes listening on port 9991, as if the CQ service is not running, but all services are started and running fine. Sysinternals TCPView shows Icepack.exe trying to make an outbound connection to the Symantec gateway, but it's not listening locally. I rebooted the machine a few times and uninstalled/reinstalled the CQ server and console with no apparent result. It almost looks like the CQ service is started but it's not doing anything on the network layer as far as accepting client connections.
    Am I missing something here?
    Thanks in advance!


  • 2.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 01:11 PM
    CQ is actually almost useless; we release definitions for it just once per week, therefore it does not give you better protection than your daily updated clients.
    CQ is generally deprecated because it is an old product not so useful if you already have SEP 11. There are already some discussions in this forum about the CQ features and its future that are not so good, therefore, just uninstall it.

    What does Central Quarantine do?
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111507273948



  • 3.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 01:26 PM
    Hi Giuseppe,
    Thank you for your response. We were actually planning to use it as a centralized storage of quarantined files, so they can be retrieved by support personnel easily. We were not going to use it to submit samples to Symantec and/or to get custom definitions.
    Interestingly, it actually worked fine before, but the entire SEP pilot was rebuilt on new hardware and all of a sudden, CQ is no longer functioning.

    It's obviously reassuring to know that CQ is dead. :-)


  • 4.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 01:52 PM
    OK, you have a good reason to use the CQ, but I am not an expert on troubleshooting it; I hope you get an answer from a CQ expert.

    Regards,


  • 5.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 03:13 PM
    Is CQ officially supported? Maybe I can open a ticket if it's still supported by Symantec. It would be nice to be able to use it for the reasons stated above.


  • 6.  RE: Problem with Central Quarantine server

    Broadcom Employee
    Posted May 20, 2009 03:33 PM
    Yes, it is supported still as far as I'm aware.

    I think that the issue you are facing is probably this:

    Title: 'Quarantine Server appears to be using a different port than it is configured to use'
    Document ID: 2000081412370148
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000081412370148?Open&seg=ent

    If you still run into issues after correcting any port mismatches identified in the document I linked please feel free to reply back and I'll see if I can help you out. I've resolved quite a few QServer cases and it's not a particularly complex utility.

    Hope that helps!


  • 7.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 03:42 PM

    BUNK.
    I'm going to 150% disagree with you, and no offense, but that's a reckless comment.
    We, the customers, deal with things you have no idea about. Sorry, but walk a few days in our shoes, deal with what we do, support what we must and HOW we must.
    What's the big deal anyway? Defs are developed for everything else? Why not release them every hour for q-server?
    Why not release the un-QA'd defs for q-server?
    Do a search for posts by me regarding quarantine server.

    SEP is what's worthless in how it handles quarantined things - at least in the REAL world of support like I must live it in a gov't agency with the customers WE have to deal with. SEP can't operate or do what I need to do with quarantined items.
    In fact, recall some Symantec employee said that you'd need 10,000 clients to have such a need or see things that would fit q-server, and you'd not see but one or two items a year that should be submitted?
    Well, guess what just happened again today, and if q-server had been 100%, it would have been hands-off for me....... That's twice this month alone - and with only 350 computers, not 10,000
    I won't type all that stuff over again - folks can search for my posts on q-server.

    I say killing q-server is a crazy idea - and it would take VERY VERY little to make it work and work properly and integrate it.

    Until you've seen and worked with me here, please don't judge what we need to do.

    There are OTHER products that do what q-server does and when you come in here like that, you really tempt me to get their demos in here. I need what I need, and when one product won't work in a manner consistent with how we must operate here and support things, I find one that will. The fact that SEP was advertised as still working with q-server is one reason we moved to SEP and reinstalled the q-server here.

    I'll probably see this message, well, disappear, and be chastised for speaking out, but I'm tired of support telling me I don't know what I'm doing and products we use aren't needed any more. You guys sit in there and support a product developed in-house. I live here and work here and must support things for people that have problems telling their monitor from a keyboard.
    Show me how SEP can do EXACTLY what q-server does right now with NO user intervention whatsoever? Can SEP do that? Can it submit samples and get the latest rapid release defs without intervention?
    Can I click a button HERE in my office and do it all? With q-server I could.



  • 8.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 04:28 PM
    David,
    Thank you for the article. I did make the change and finally qserver.exe is listening on TCP/9991 as it should. However, my clients are not submitting viruses to quarantine: they quarantine files locally but they never show up on the CQ server.
    SEP is configured to upload viruses to the CQ server on port 9991 and I can telnet from clients to the CQ server on port 9991, so communication is not the issue. Do I need to change the port in the SEP Management console to match the hex->dec port number from the article? In other words, 9991 converted to hex->swapped around->back to decimal is 23582; is this the port I need to enter on the SEPM side?
    Thank you!
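As an added illustration, not code from any poster or from Symantec's KB article: the check the article's port mismatch calls for is to compute what a byte-swapped 16-bit port value would look like and then see which of the two a local "netstat -an" actually shows listening. The plain 16-bit byte-swap model, the function names and the netstat sample are assumptions constructed here; the thread does not spell out the article's exact transformation.

```python
import re

# Constructed sample of "netstat -an" output on the Quarantine Server host
# (not captured from the thread). Port 1831 is what 9991 becomes when its
# two bytes are swapped (0x2707 -> 0x0727).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1831           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49321         10.0.0.9:443           ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def byte_swapped_port(port: int) -> int:
    """Port a service would bind if a 16-bit port were stored or read in
    the opposite byte order. Assumption: the mismatch is a plain byte swap."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    return ((port & 0xFF) << 8) | (port >> 8)


def listening_tcp_ports(netstat_text: str) -> set:
    """Extract the local TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def diagnose_port(configured: int, netstat_text: str) -> str:
    """Classify the listener state for the configured port:
    'ok', 'byte-swapped: ...' or 'not listening'."""
    listening = listening_tcp_ports(netstat_text)
    swapped = byte_swapped_port(configured)
    if configured in listening:
        return "ok"
    if swapped in listening:
        return f"byte-swapped: listening on {swapped} instead of {configured}"
    return "not listening"


if __name__ == "__main__":
    print(diagnose_port(9991, SAMPLE_NETSTAT))
```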



  • 9.  RE: Problem with Central Quarantine server

    Broadcom Employee
    Posted May 20, 2009 04:52 PM
    Nope. The SEPM does not have the issue QServer has with ports. If you have the QServer side set up right and the SEPM side pointing to the correct port, that should be it. How are you testing what is sent to QServer from those clients? IIRC Eicar and manual submissions will not forward to QServer, although I could be wrong; I'll double-check in a couple of minutes here on my QServer install.


  • 10.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 04:59 PM
    David,
    I'm using Trojan Simulator from http://vx.netlux.org/vx.php?id=st00
    I also tried a few known programs like netcat, Foundstone's SuperScan and others to test with. SEP catches them locally and quarantines them, but they never show up in CQ.

    Dimitri



  • 11.  RE: Problem with Central Quarantine server

    Broadcom Employee
    Posted May 20, 2009 05:20 PM
    Hmm... It should be going out then. Do you have that port blocked somewhere? In the SEPM how do you have the name of the server QServer resides on set? Try changing it to the IP Address of the server running QServer and see if that makes a difference. I know you said telnet works, but I thought I would ask the port question anyway in case you just have telnet excluded. Let me know.


  • 12.  RE: Problem with Central Quarantine server

    Posted May 20, 2009 05:43 PM
    Hi,

    I know how you need the q-server, but you know that it currently is not working as expected, and this is what I wrote.

    As you remember, my idea is to implement it directly in SEPM, but I am not in the position to change Symantec's strategy or to change how often the releases for the q-server are published.


  • 13.  RE: Problem with Central Quarantine server

    Posted May 21, 2009 10:58 AM
    Changing FQDN to IP in SEPM made no difference. I can telnet from a client to the server by either FQDN or IP on the port specified and I can see the connection passing through, so it's definitely not a communication issue. Either the SEP client is not sending it or CQ is not accepting it.
    If the product is supported, I'll open a ticket with Symantec support. Thanks for everyone's help!


  • 14.  RE: Problem with Central Quarantine server

    Broadcom Employee
    Posted May 21, 2009 11:47 AM
    Yep, that would be your best bet. I would imagine it would be something we could identify more quickly that way.

    Thanks!