Endpoint Protection


  • 1.  report error

    Posted May 18, 2009 03:55 AM
    Hi everybody.
    I have received a mail from SEPM, a scheduled report, and it tells me which computers have out-of-date virus definitions. The mail is like this:
    Message from:
    Server name: xxxxxx
    Server IP: xxx.xxx.xxx

    124 computers found with antivirus definitions older than 7 days.

    See attached report for more details.

    When I opened the attachment, the xxx.mht file, I saw this:
    Out-of-Date Clients Triggering Notification on 18.05.2009 10:47:13

    Last check-in time: any Print Save Close

    Nothing to Report

    Is that possible? Where are the 124 computers?
    Thank you
    Best Regards.
    Fatih


  • 2.  RE: report error

    Posted May 18, 2009 04:49 AM
    Can you double check on the filter settings you used and the settings on the report file? Does it match?


  • 3.  RE: report error

    Posted May 18, 2009 05:01 AM

    Sorry, I wrote it wrong. I get this report in the Monitors tab > Notifications.
    I received a second mail. Same result, 124 computers, but this time I saw 17 computers in the attachment. Why is it not a complete result? Any idea?
    Thanks
    Best Regards.
    Fatih.



  • 4.  RE: report error

    Posted May 18, 2009 09:33 AM
    Hi,

    Can you please tell us the settings you have made on the page below:

    [image]


    Cheers,
    Aniket Amdekar



  • 5.  RE: report error
    Best Answer

    Posted May 18, 2009 09:59 AM

    [image]



  • 6.  RE: report error

    Posted May 18, 2009 10:21 AM
    Hi,

    I think there is a communication issue between the SEP clients and SEPM, because of which the clients are offline.
    And according to the screenshot you have attached, the report is supposed to include only online clients.

    So,

    1. Uncheck the box "Include only clients which are online" and check if the report comes up with all the computer names.
    2. Please check if the computers have a green dot on the Shield icon. You can also check this in SEPM -> Clients tab -> Protection Technology view.


    Hope this helps.

    Cheers,
    Aniket


  • 7.  RE: report error

    Posted May 18, 2009 10:45 AM
    I opened a case with Symantec for a similar observation with my installation, and if I understood correctly the following explanation applies:

    When the client starts up, if it is unable to verify its catalog against the LiveUpdate point (whether SEPM, GUP or LiveUpdate) or if the hash does not match, it believes it has out of date definitions and rolls back to the last full set, then immediately begins building up incrementals to get back up to date. However the roll-back causes the client to be momentarily out of date, which it holds as a logged event. At its heartbeat interval it is typically up to date again so it checks in with the server and simultaneously reports up to date definitions, but also reports the event which has passed. If more than 100 clients each report out of date but then self repair, the alert will be generated by the SEPM server, yet the console view and the view from each client will show correct definitions. The alert is not wrong as it refers to a situation which did exist momentarily for each client listed, but it is effectively out of date in this instance.

    Normally this situation would only be expected after a prolonged offline time (e.g. users returning after vacation), but in our case, we had a location where this was happening on consecutive days, due perhaps to invalid hash or catalog files. I opened a case but the clients promptly self-repaired at the next full update before I had an opportunity to capture log data.


  • 8.  RE: report error

    Posted May 18, 2009 01:20 PM
    Hey,

    Very good explanation of what happens in the background when the client is trying to perform LiveUpdate.

    Thanks a lot for sharing this information with all the users.

    Cheers,
    Aniket


  • 9.  RE: report error

    Posted May 18, 2009 05:53 PM
    You mean this report is created when the client starts the computer, and the first time the client couldn't send the information? Is that why SEPM said this client is out of date? Do I understand it correctly?
    Sorry for my bad English :(
    If I understand correctly, how can I get this report?


  • 10.  RE: report error

    Posted May 18, 2009 06:07 PM
    Sorry, I didn't actually mean to mark that last post as the solution, and it seems I am unable to undo it. However, what dgh says is true. To answer your question: yes, this is happening only when the client first boots up. What dgh is saying is that when you have more than 100 clients out of date you will get that alert from the SEPM server. I am afraid I do not understand exactly what you need from us.
    Thanks,
    Grant



  • 11.  RE: report error

    Posted May 19, 2009 02:22 AM
    I didn't mark it as a solution!! I didn't do that. That's why I am asking if it is true! I am sorry, I cannot speak English very well, but I am writing now as best as I can.
    First, I did not mark dgh's answer as the solution. I think Aniket did it. (Forum admins can see I did not mark it, believe me.)
    I want to say that I received a notification from SEP Manager, and SEPM told me "there are 124 clients whose virus definitions are out of date, see attachment". I took this mail and opened the attachment, but the attachment says "Nothing Reported". 1 hour later I received a second mail from SEPM and I can see only 27 computers in the attachment, but it still says 124 computers.
    I mean not all computers are listed in the attachment.
    I hope I used correct English grammar.
    Thank you.


  • 12.  RE: report error

    Posted May 19, 2009 03:04 AM
    It is because of your offline computers. You checked that the report must only include online computers, so 124 is all of your online and offline computers, but your attached report filtered them to only online computers, I guess.


  • 13.  RE: report error

    Posted May 19, 2009 03:54 AM
    [image]

    I marked it with numbers. 1 - SEPM told me there are 179 computers whose virus definitions are out of date. Then I clicked the report (on the left) and exported it, number 2. As you can see, there are not 179 computers; there are only 21 computers. I tried this report with the "Include report online users" check box and without it, but I cannot get the full result in this report.
    I know my English is not perfect but I hope you will understand this time.
    Thanks.


  • 14.  RE: report error

    Posted May 19, 2009 04:26 AM
    What is the filter value for the check-in time?


  • 15.  RE: report error

    Posted May 19, 2009 04:50 AM
    [image]
    I tried checking the "Include only clients which are currently online" box. In both cases the report does not give the true result.
    And how can I clear dgh's answer as the solution? It is not my solution and I didn't mark it as a solution!!!! I want to clear it; how can I do that?


  • 16.  RE: report error

    Posted May 20, 2009 01:06 AM
    Hi Everybody.
    Aniket, my problem still continues. The picture is above. Please help.
    Thank you.


  • 17.  RE: report error

    Posted May 20, 2009 01:24 AM
    Hi sir, have you also checked on the actual client about its definitions? Is it really not updated?


  • 18.  RE: report error

    Posted May 20, 2009 01:43 AM
    I am checking right now, and the report is true. The virus definitions are 7 days old, and the Symantec logo at the bottom left is yellow!
    When I click the Fix button it tries to request new definitions.
    Now I have 2 problems. One of them: why do my clients take new definitions from the server?
    And why did my report say 127 computers are out of date when there are not 127 computers in the attachment?
    Thank you.


  • 19.  RE: report error

    Posted May 20, 2009 01:50 AM
    Looks like you need to raise a case with Symantec Support, sir. So, sir, you are saying, based on the reports, that only 21 computers are not updated, not 217. Am I correct?


  • 20.  RE: report error

    Posted May 20, 2009 02:32 AM
    I want to explain. (I cannot speak English very well, that's why I may make some mistakes.)
    I created a notification in the SEPM > Monitors window, and I created a rule for virus definitions.
    I said: if clients have virus definitions 7 days out of date, send me a mail. You can see the options in the picture above (5 posts up from here).
    Then I received a mail from SEPM. The mail told me:

    Message from:
    Server name: xxxxxx
    Server IP: xxx.xxx.xxx

    124 computers found with antivirus definitions older than 7 days.

    See attached report for more details.

    Then I opened the attachment. There are not 124 computers in the attachment, only 20 clients. (This count changes with every mail; sometimes 20, sometimes only 5 computers' details are in the attachment.)
    That's why I ask: the report told me 124 computers are out of date but I cannot see 124 computers in the attachment. I tried "Uncheck the box "Include only clients which are online" and check if the report comes up with all the computer names," but it did not change.
    Why are my reports not true?
    Why do my clients take updates from the server?

    PS: please don't call me "Sir". Call me by my name. My name is Fatih ;)
    Thank you




  • 21.  RE: report error

    Posted May 20, 2009 02:38 AM
    Hi, I see your point, Fatih (sorry). I will try to recreate your situation. But on the other hand, please raise a case with Symantec Support, and can you also try to generate a list from the logs? Can you cross-reference it with your report using the same filters?


  • 22.  RE: report error

    Posted May 20, 2009 02:49 AM
    Also, see if the inconsistency of the data is with only one report or multiple reports.

    Maybe you can run some other reports and check if correct data is being sent to you.

    Cheers,
    Aniket


  • 23.  RE: report error

    Posted May 20, 2009 08:11 AM
    I changed the computer count to 1000 computers. Maybe it cannot show 124 computers. I will write success or fail here when the report comes to me.
    Thanks.


  • 24.  RE: report error

    Posted May 21, 2009 01:59 AM
    I changed the computer count to 1000 and the report didn't come. Why? I have only 460 clients, maybe that's why?


  • 25.  RE: report error

    Posted May 21, 2009 03:21 AM
    Hi Fatih, that should not be the case; 1000 just means the number of computers to be displayed per report page.


  • 26.  RE: report error

    Posted May 21, 2009 04:44 AM
    I tried another notification, and it works. Now I changed the computer count to 50. Maybe SEPM has been very busy.
    By the way, I contacted my Symantec partner (who sold this product) and he will connect to my SEPM and we will look together. If any change happens I will write here again.
    Thank you for the answer.
    Have a nice day.


  • 27.  RE: report error

    Posted May 22, 2009 01:02 AM
    I am very happy now :) because my report came out true! The last option change I made worked. My problem is solved; I can see the report now.
    Thank you everybody for the answers.
    I will write another question about performance in a new topic. I searched but I could not find one.
    Have a nice day.


  • 28.  RE: report error

    Posted May 22, 2009 01:08 AM
    What was the solution, fatihteke? Just a double check on the filters/options used?


  • 29.  RE: report error

    Posted May 22, 2009 02:11 AM
    No. I changed this option: "Notification condition 50 Computers" (the picture is above). It was 100 computers, and the report came empty. I changed it to 50, then the report came. I only did this.