Endpoint Protection

  • 1.  Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 04:13 AM
    Hello,

    Our organization has one central office and several regional offices that are replication partners to the central office. Each partner has one management server and rights to manage ONLY its own group (management server). We removed the replication in order to upgrade to the latest version of Symantec Endpoint Protection. Meanwhile, in one of the sites (a replication partner), a command was issued to restart all the computers in ITS group. When the replication was restored, this command was replicated as if it had been sent from the main management server: it was applied to the whole group MY COMPANY and was sent to ALL computers in all replication partners, and all the computers began restarting. We removed the replication immediately, but the command is still pending for all replication partners.

    Our questions are:

    1. How is it possible for one replication partner that has no rights EVEN to see other sites to send a command that affects all replication partners?
    2. Is there any way to stop or remove the command? We noticed that only the SCAN command can be canceled.
    3. We set the time to delete commands to 7 days (from Admin > Local site > Edit properties > Database > Delete commands after). The command was issued 10 days ago, but we still don't have any result: the command is still pending. Please give any suggestions to force this command – to update Database properties.

    Any help will be appreciated.


  • 2.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 05:09 AM

    Commands are stored here:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command

    and clients take them from here.

    Can you see anything inside this folder?

    If yes, then delete whatever is inside this folder, and let's check if that works.



  • 3.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 05:49 AM
    Thank you for the reply. Yes, this was the first thing we did. We found the files and deleted them, but after restarting the Symantec Endpoint Protection Manager service, the files re-appeared.


  • 4.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 05:53 AM
    If you have a SQL DB, there is a DB table called Command status. For the key STATE_ID, value 5 means cancelled. Can you check if the value is 2 (2 = in progress)?


  • 5.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 06:37 AM
    Thank you for the reply.
    We have SQL in our central office, but the replication partners use Embedded Database. So if we cancel the command in our site, using this method – writing directly in SQL DB Table, restoring the replication will bring us to the same position. Command was issued from a replication partner and we need first to cancel it there.


  • 6.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 07:16 AM
    If you have a backup of your embedded DB, there is a tool which I have uploaded in the tools section. You can use that tool to look at what's in the Embedded DB. If you could delete the command's value, it should go away. Give it a try.

    P.S.: Good to have a backup because we are modifying the DB. I never tested it.


  • 7.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 08:03 AM
    This is not a solution for us, I am afraid. We avoid installing non-tested software on our servers.


  • 8.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Oct 19, 2009 08:11 AM

    You are correct, I just mentioned it. Let me check what else can be done on this without disturbing the existing setting.



  • 9.  RE: Problem with command issued in Symantec Endpoint Protection

    Posted Feb 02, 2010 05:07 AM
    Hi,

    I am having the same issue and I also want a solution. I deleted these files but the command status is still the same, and my infected server machine is going slow.
    Please give an update as soon as possible.