Endpoint Protection


Risk Monitoring and Alerts


  • 1.  Risk Monitoring and Alerts

    Posted Mar 05, 2009 03:48 PM

    Hi,

    We don't seem to be getting any alerts on the EP Manager monitor, logs etc. And although email reports are coming through there is no information on them.

    I.e.: I set up an email alert. To test it I used the 'eicar.com' fake virus to create an event. The local PC popped up the alert as expected.

    But there is nothing showing up in the monitor and no email is triggered and there was nothing on the latest report.

    I'm used to the old Corp. AV so maybe I am missing something.

    We have version MR3 right now.

    Any ideas?

     

    Thanks

    Paul




  • 2.  RE: Risk Monitoring and Alerts

    Posted Mar 05, 2009 08:56 PM

    I am also new to this, but I think you need to set up the alert configuration and specify the Symantec action you want to filter/receive alerts for.



  • 3.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 01:07 AM

    I believe everything is correctly set already.

    In any case, even when I use a test virus the event does not show up on the Home page of the management tool. It really looks like something is wrong with the communications between the client and the management console.

     



  • 4.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 02:58 AM

    Do you mean that the clients still are using SAV 10, but the SEPM manager is already installed to process SAV logs (which are to be forwarded by SSC then)?

     

    On sepm:

    If the client is also SEP, do you see a green dot in the manager console indicating the client appears to be online?

     

    On the sep client:

    When you open the client UI and click "Help and support" > "Troubleshooting...", do you see that the server is connected to this client?

     

    If both appear to indicate that they don't communicate, check the sylink.xml file in the installation folder of the SEP client. This contains the communication settings.



  • 5.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 03:31 AM

    Hi, I think you should send/post screenshots of the alert config and the threat list log on the home page.



  • 6.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 09:59 AM

    Clients and Server are both SEP 11.

    In the Mgt Console - only 4 of the computers have green dots. Others do not (some may be PCs that are powered off).

    The test laptop does not have a green dot, and on the laptop it is showing the server as offline.

    Even the client on the SEP server has no green dot and says the server is offline.

    How would I fix a problem with the sylink.xml?

     

    Thanks

     



  • 7.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 10:42 AM

    Okay -

     

    On the laptop I am testing: The client now shows the server name, and in the mgt console it has a green light.

    But after running a test - the event still does not appear in the mgt console - on any screen.

     

    The threat lists are just blank - there isn't even any indication of a signature update - but I know LiveUpdate is pulling them down to the server at least.

    I'm not sure what screen is the 'alert config' that you refer to.

     

    Thanks




  • 8.  RE: Risk Monitoring and Alerts

    Posted Mar 06, 2009 02:27 PM

    Maybe it's because I was not around for the initial install but -

     

    I cannot find anything along the lines of Agent Configuration etc.

    Can you tell me exactly where it is?

    In the Mgt console?

    There is nothing in the console admin tab anything like that.

    Help?

     

    Thanks

    Paul



  • 9.  RE: Risk Monitoring and Alerts

    Posted Mar 08, 2009 10:29 PM

    Hi,

    I am currently using STR for the email alerts, but if I am not mistaken you should be able to do this also with SEP.

    1. Create a filter on what Symantec actions you want to have an alert for first, because if you select all of the actions you might be flooded with email alerts.

    2. Set up the SMTP you will use for the alerting; you will also need to create an account (the account that will send the alerts).

    3. Test the connection of the SMTP to your server: try sending a test email using telnet from the SEP server that you are using; you can search for the commands on the internet.

    4. Set up the alert configuration; the info that will be needed here is (e.g. below):

     a. Single virus event,

     b. product filter (in your case SEP)

     c. action filter (access denied filter, left alone <-- separately configured on the threat list/risk list)

     d. send the email alert to? <-- where you will send the alert

     

    Hope this helps,

    Paul

     



  • 10.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 12:19 AM

    Hi,

    Thanks - I've created the filter and parameters for the alert and plugged in an email address.

    We know the email is working because it sends us daily reports. But the reports are always empty - as is the console screen. No activity of any kind indicated. And it would 'seem' as if the lack of activity being communicated is preventing any email from being sent.

    Paul

    [screenshot]

     



  • 11.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 12:39 AM

    Can you see the SEP clients?



  • 12.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 12:47 AM

    Thanks. Yes - we can see them.

    Some appear to be communicating properly - others we aren't sure about. But they are getting updates.

    I knew one was not getting the policies and corrected the communication issue with that one. The policy immediately kicked in - but still nothing registering on the console.

    ??




  • 13.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 01:21 AM

    But on your clients, are there viruses found? It seems there is a problem with the communication from server to clients and clients to server.



  • 14.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 03:37 AM

    What about the Windows firewall? Try disabling it. Don't know if we still need any exceptions, as SEP is adding its exception itself, but we still have a TCP 2967 port exception in our firewall (from the old SAVC days).



  • 15.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 04:59 AM

    How did you deploy the package to the clients? Is it remotely or manually installed one by one?



  • 16.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 09:04 AM

    No Windows firewall turned on.

    Client distribution was installed manually.

     

    Paul

     



  • 17.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 12:05 PM

    Okay - not going well.

    I've segregated one laptop and made sure it was communicating to the point that it was getting the policy from the server.

    In the mgt console the client information:

    The client status shows a correct checkin time.

    Protection technologies say 'not reporting status'

    and there is no current status reported as to the Virus definitions date.

    Maybe it's not fixable.

     



  • 18.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 09:53 PM

    Hi, try the remote deployment sir, with 1 or 2 client pc's,

    Based on the screenshot that you gave, there could be a problem processing the logs or retrieving logs from the clients.



  • 19.  RE: Risk Monitoring and Alerts

    Posted Mar 09, 2009 10:39 PM

    1. Are you using SQL? 

    2. What do you see in \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo ?



  • 20.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 06:30 AM

    >> Are you using SQL?

    No.

    >>> What do you see in \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo ?

    It's empty. There are no logs being produced.

    Tested remote deployment on one PC - no change.

     

    Thanks.



  • 21.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 09:30 AM

    hi all

    by default SEPM is deleting EICAR events

    SEPM console-> admin-> servers-> local site-> properties-> Database

    uncheck Delete EICAR EVENTS



  • 22.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:03 AM

    >>by default SEPM is deleting EICAR events

    Yep - already found that. Thanks.




  • 23.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:16 AM

    Did it help?



  • 24.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:23 AM

    >>> did it helped?

    No - no change.



  • 25.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:29 AM

    On what kind of OS is SEPM installed?

    Also, do you use push or pull mode for the server-client connection?

    Does the client show a connection with the server (Help and Support -> Troubleshooting)?



  • 26.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:52 AM

    >>>OS SEPM is installed?

    Windows 2003

    >>>also do u use push or pull

    Push

    >>>does client show connection with the server

    Yes.



  • 27.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 11:02 AM

    did you try to replace sylink.xml?



  • 28.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 11:39 AM

    >>>did you try to replace sylink.xml?

    Yep yep yep

     



  • 29.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 12:05 PM

    http://service1.symantec.com/support/ent-security.nsf/docid/2008051309225748

     

    what are the results when you open a web browser connecting to your SEPM? 

     

    Also grab SylinkMonitor and follow the directions in order to get the logging going correctly.  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007456519454798

     

    Look through your log file for any HTTP status codes of 404, or attach the log here for us to look at.



  • 30.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 12:43 PM

    >>>Client is not appearing in Symantec Endpoint Protection Manager (SEPM), error: HTTP returns status code=407<<<<

    The clients appear - they get policy information but they are not communicating status information or alerts.

     

    >>> when you open a web browser connecting to your SEPM? 

    It opens normally - nothing different from the mgt console.

     

    >>>Look through your log file for any HTTP status codes of 404<<<

    There are no 404 codes.

    >>>>>>

    Here is some of the log (with sensitive info xxx'd out):

    >>>>>>

    03/09 11:35:12 [1844] </CSyLink::mfn_DownloadNow()>
    03/09 11:35:40 [320] <MaintainPushConnection:>SMS return=200
    03/09 11:35:40 [320] <ParseHTTPStatusCode:>200=>200 OK
    03/09 11:35:40 [320] <MaintainPushConnection:>RECEIVE STAGE COMPLETED
    03/09 11:35:40 [320] <MaintainPushConnection:>COMPLETED
    03/09 11:35:40 [320] <ScheduleNextUpdate>Manually assigned heartbeat=5 seconds
    03/09 11:35:40 [320] HEARTBEAT: Check Point 8
    03/09 11:35:40 [320] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    03/09 11:35:40 [320] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    03/09 11:35:40 [320] <IndexHeartbeatProc>====== IndexHeartbeat Procedure stops at 11:35:40 ======
    03/09 11:35:40 [320] <IndexHeartbeatProc>Set Heartbeat Result= 2
    03/09 11:35:40 [320] <IndexHeartbeatProc>Sylink Comm.Flags: 'Connection Failed' = 0, 'Using Backup Sylink' = 0, 'Using Location Config' = 0
    03/09 11:35:40 [320] Use new configuration
    03/09 11:35:40 [320] HEARTBEAT: Check Point Complete
    03/09 11:35:40 [320] <IndexHeartbeatProc>Done, Heartbeat=5seconds
    03/09 11:35:40 [320] </CSyLink::IndexHeartbeatProc()>
    03/09 11:35:40 [320] <CheckHeartbeatTimer>====== Heartbeat loop stops at 11:35:40 ======
    03/09 11:35:45 [320] <CheckHeartbeatTimer>====== Heartbeat loop starts at 11:35:45 ======
    03/09 11:35:46 [320] <GetOnlineNicInfo>:Netport Count=1
    03/09 11:35:46 [320] <GetOnlineNicInfo>:NicInfo<SSANICs><SSANIC Ip="192.XXX.XXX.XXX" Mac="XX-0e-9b-b9-XX-XX" Gateway="192.XXX.XXX.X" SubnetMask="0.0.0.0"/></SSANICs>
    03/09 11:35:46 [320] <CalcAgentHashKey>:CH=02DC6F8FC0A864FA0088C615BED1FD4C1MLPNY_T42XXXXXXc.com4857454C45A597438BCD0E22A1940970
    03/09 11:35:46 [320] <CalcAgentHashKey>:CHKey=822B7DF0FBE31818C28663600172C7AE
    03/09 11:35:46 [320] <CalcAgentHashKey>:C=02DC6F8FC0A864FA0088C615BED1FD4C1MLPNY_T42XXXc.com
    03/09 11:35:46 [320] <CalcAgentHashKey>:CKey=91675296493F4D1BD9B6E4561B99E8F7
    03/09 11:35:46 [320] <CalcAgentHashKey>:UCH=02DC6F8FC0A864FA0088C615BED1FD4C0paulXXXXXX.COMMLPNY_T42XXX.com4857454C45A597438BCD0E22A1940970
    03/09 11:35:46 [320] <CalcAgentHashKey>:UCHKey=0A5E246DE48F60CB4EB7844328886717
    03/09 11:35:46 [320] <CalcAgentHashKey>:UC=02DC6F8FC0A864FA0088C615BED1FD4C0paulXXXXX.COMMLPNY_T42XXXXX.com
    03/09 11:35:46 [320] <CalcAgentHashKey>:UCKey=65245291DD55FC3E32CE4FA0629D0540
    03/09 11:35:46 [320] <DoHeartbeat>HardwareID=4857454C45A597438BCD0E22A1940970
    03/09 11:35:46 [320] <DoHeartbeat>CHKey=822B7DF0FBE31818C28663600172C7AE
    03/09 11:35:46 [320] <DoHeartbeat>CKey=91675296493F4D1BD9B6E4561B99E8F7
    03/09 11:35:46 [320] <DoHeartbeat>UCHKey=0A5E246DE48F60CB4EB7844328886717
    03/09 11:35:46 [320] <DoHeartbeat>UCKey=65245291DD55FC3E32CE4FA0629D0540
    03/09 11:35:46 [320] <DoHeartbeat> Set heartbeat event
    03/09 11:35:46 [320] Use new configuration
    03/09 11:35:46 [320] <RegHeartbeatProc>====== Reg Heartbeat loop starts at 11:35:46 ======
    03/09 11:35:46 [320] HEARTBEAT: Check Point 1
    03/09 11:35:46 [320] HEARTBEAT: Check Point 2
    03/09 11:35:46 [320] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    03/09 11:35:46 [320] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    03/09 11:35:46 [320] HEARTBEAT: Check Point 3
    03/09 11:35:46 [320] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
    03/09 11:35:46 [320] HEARTBEAT: Check Point 4
    03/09 11:35:46 [320] <RegHeartbeatProc>===Registration STAGE===
    03/09 11:35:46 [320] <MakeRegisterData:>logon id (domain/user)=XXXXXXXX.COM/paul
    03/09 11:35:46 [320] <MakeRegisterData:>XML data: <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />
    <SSAProduct Version="11.0.4000.2295" />
    <SSAOS Version="5.1.2600" Desc="Windows             42DBC38PProfessional" Type="17105154" ServicePack="ServicePack"/>
    <Processor ProcessorType="x86     0x1.dbd580p-957mily%20Model%20Stepping" ProcessorClock="1698" ProcessorNum="1"/>
    <Memory Size="535740416"/>
    <BIOS Version="IBM%20%20-"/>
    <TpmDevice Id="0"/>
    <SSAProfile Version="5.0.0" SerialNumber="D1D6-030.000000050.0000002009%3a120x0.307d90p-102219"/>
    <SSAIDS Version="" SerialNumber=""/>
    <SSAUTC Bias="300" />
    <DNSs><DNS Address="xxx.xxx.xxx.250"/><DNS Address="XXX.XXX.XXX.X"/></DNSs>
    <WINSs><WINS Address="xxx.xxx.xxx.250"/></WINSs>
    <DHCPServer Address="xxx.xxx.xxx.250"/><SSANICs><SSANIC Ip="xxx.xxx.xxx.126" Mac="00-XX-9b-b9-XX-18" Gateway="xxx.xxx.xxx.1" SubnetMask="0.0.0.0"/></SSANICs>
    </SSAHostInfo>
    </SSARegData>
    03/09 11:35:46 [320] <SyLink>[MakeRegisterData] registration Hardware Key=4857454C45A597438BCD0E22A1940970
    03/09 11:35:46 [320] ************Reg CSN=1
    03/09 11:35:46 [320] <mfn_GenPostData (for Registration):>Request is: s_origin_length: 1350
    s_session_id: 4857454C45A597438BCD0E22A1940970
    Sygate-SSN: 1
    <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />
    <SSAProduct Version="11.0.4000.2295" />
    <SSAOS Version="5.1.2600" Desc="Windows             42DA940PProfessional" Type="17105154" ServicePack="ServicePack"/>
    <Processor ProcessorType="x86     0x1.daa600p-957mily%20Model%20Stepping" ProcessorClock="1698" ProcessorNum="1"/>
    <Memory Size="535740416"/>
    <BIOS Version="IBM%20%20-"/>
    <TpmDevice Id="0"/>
    <SSAProfile Version="5.0.0" SerialNumber="D1D6-030.000000050.0000002009%3a120x0.307d90p-102219"/>
    <SSAIDS Version="" SerialNumber=""/>
    <SSAUTC Bias="300" />
    <DNSs><DNS Address="xxx.xxx.xxx.250"/><DNS Address="xxx.xxx.xxx.X"/></DNSs>
    <WINSs><WINS Address="xxx.xxx.xxx.250"/></WINSs>
    <DHCPServer Address="xxx.xxx.xxx.250"/><SSANICs><SSANIC Ip="xxx.xxx.xxx.126" Mac="00-XX-9b-b9-XX-18" Gateway="xxx.xxx.xxx.1" SubnetMask="0.0.0.0"/></SSANICs>
    </SSAHostInfo>
    </SSARegData>
    03/09 11:35:47 [320] <SendRegistrationRequest:>http://xxx.xxx.xxx.250:80
    [non-printable request body omitted]


    03/09 11:35:47 [320] <SendRegistrationRequest:>SMS return=468
    03/09 11:35:47 [320] <ParseHTTPStatusCode:>468=>468 Request not allowed
    03/09 11:35:47 [320] <SendRegistrationRequest:>Content Lenght => 48
    03/09 11:35:47 [320] <mfn_DecodeSSN>Sygate-SSN=47
    03/09 11:35:47 [320] <mfn_DecodeSSN>Read CSN=48
    03/09 11:35:47 [320] HTTP returns status code=468
    03/09 11:35:47 [320] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
    03/09 11:35:47 [320] <SendRegistrationRequest:>COMPLETED
    03/09 11:35:47 [320] HEARTBEAT: Check Point 5.1
    03/09 11:35:47 [320] <RegHeartbeatProc>switch to another server
    03/09 11:35:47 [320] HEARTBEAT: Check Point 9
    03/09 11:35:47 [320] HEARTBEAT: Check Point 8
    03/09 11:35:47 [320] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    03/09 11:35:47 [320] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    03/09 11:35:48 [320] HEARTBEAT: Check Point 1
    03/09 11:35:48 [320] HEARTBEAT: Check Point 2
    03/09 11:35:48 [320] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    03/09 11:35:48 [320] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    03/09 11:35:48 [320] HEARTBEAT: Check Point 3
    03/09 11:35:48 [320] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
    03/09 11:35:48 [320] HEARTBEAT: Check Point 4
    03/09 11:35:48 [320] <RegHeartbeatProc>===Registration STAGE===
    03/09 11:35:48 [320] <MakeRegisterData:>logon id (domain/user)=XXXXXX.COM/paul
    03/09 11:35:48 [320] <MakeRegisterData:>XML data: <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />
    <SSAProduct Version="11.0.4000.2295" />
    <SSAOS Version="5.1.2600" Desc="Windows             42DBC38PProfessional" Type="17105154" ServicePack="ServicePack"/>
    <Processor ProcessorType="x86     0x1.dbd580p-957mily%20Model%20Stepping" ProcessorClock="1698" ProcessorNum="1"/>
    <Memory Size="535740416"/>
    <BIOS Version="IBM%20%20-"/>
    <TpmDevice Id="0"/>
    <SSAProfile Version="5.0.0" SerialNumber="D1D6-030.000000050.0000002009%3a120x0.307d90p-102219"/>
    <SSAIDS Version="" SerialNumber=""/>
    <SSAUTC Bias="300" />
    <DNSs><DNS Address="xxx.xxx.xxx.250"/><DNS Address="xxx.xxx.xxx.X"/></DNSs>
    <WINSs><WINS Address="xxx.xxx.xxx.250"/></WINSs>
    <DHCPServer Address="xxx.xxx.xxx.250"/><SSANICs><SSANIC Ip="xxx.xxx.xxx.126" Mac="00-XX-9b-b9-XX-18" Gateway="xxx.xxx.xxx.1" SubnetMask="0.0.0.0"/></SSANICs>
    </SSAHostInfo>
    </SSARegData>
    03/09 11:35:48 [320] <SyLink>[MakeRegisterData] registration Hardware Key=4857454C45A597438BCD0E22A1940970
    03/09 11:35:48 [320] ************Reg CSN=49
    03/09 11:35:48 [320] <mfn_GenPostData (for Registration):>Request is: s_origin_length: 1350
    s_session_id: 4857454C45A597438BCD0E22A1940970
    Sygate-SSN: 49
    <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />
    <SSAProduct Version="11.0.4000.2295" />
    <SSAOS Version="5.1.2600" Desc="Windows             42DA940PProfessional" Type="17105154" ServicePack="ServicePack"/>
    <Processor ProcessorType="x86     0x1.daa600p-957mily%20Model%20Stepping" ProcessorClock="1698" ProcessorNum="1"/>
    <Memory Size="535740416"/>
    <BIOS Version="IBM%20%20-"/>
    <TpmDevice Id="0"/>
    <SSAProfile Version="5.0.0" SerialNumber="D1D6-030.000000050.0000002009%3a120x0.307d90p-102219"/>
    <SSAIDS Version="" SerialNumber=""/>
    <SSAUTC Bias="300" />
    <DNSs><DNS Address="xxx.xxx.xxx.250"/><DNS Address="xxx.xxx.xxx.X"/></DNSs>
    <WINSs><WINS Address="xxx.xxx.xxx.250"/></WINSs>
    <DHCPServer Address="xxx.xxx.xxx.250"/><SSANICs><SSANIC Ip="xxx.xxx.xxx.126" Mac="00-XX-9b-b9-XX-18" Gateway="xxx.xxx.xxx.1" SubnetMask="0.0.0.0"/></SSANICs>
    </SSAHostInfo>
    </SSARegData>
    03/09 11:35:48 [320] <SendRegistrationRequest:>http://169.254.148.177:80
    [non-printable request body omitted]


    03/09 11:35:53 [480] <CSyLink::SetNewLearnedAppList()>
    03/09 11:35:53 [480] ***NewLearnedApps - Current count: 115
    [48 "***app=<process name>" lines of the learned-application list omitted]
    03/09 11:35:53 [480] ***NewLearnedApps - New count: 116
    03/09 11:35:53 [480] </CSyLink::SetNewLearnedAppList()>


    03/09 11:36:09 [320] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
    03/09 11:36:09 [320] <SendRegistrationRequest:>SMS return=0
    03/09 11:36:09 [320] <ParseHTTPStatusCode:>0=>Uninterpreted Status
    03/09 11:36:09 [320] <SendRegistrationRequest:>ERR to query content length
    03/09 11:36:09 [320] <SendRegistrationRequest:>Content Lenght =>
    03/09 11:36:09 [320] HTTP returns status code=0
    03/09 11:36:09 [320] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
    03/09 11:36:09 [320] <SendRegistrationRequest:>COMPLETED
    03/09 11:36:09 [320] HEARTBEAT: Check Point 5.1
    03/09 11:36:09 [320] <RegHeartbeatProc>switch to another server
    03/09 11:36:09 [320] HEARTBEAT: Check Point 9
    03/09 11:36:09 [320] HEARTBEAT: Check Point 8
    03/09 11:36:09 [320] <PostEvent>going to post event=EVENT_SERVER_DISCONNECTED
    03/09 11:36:09 [320] <PostEvent>done post event=EVENT_SERVER_DISCONNECTED, return=0
    03/09 11:36:09 [320] HEARTBEAT: Check Point 1
    03/09 11:36:09 [320] HEARTBEAT: Check Point 2
    03/09 11:36:09 [320] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    03/09 11:36:09 [320] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    03/09 11:36:09 [320] HEARTBEAT: Check Point 3
    03/09 11:36:09 [320] <RegHeartbeatProc>Setting the session timeout on Profile Session (Registration) to 30000
    03/09 11:36:09 [320] HEARTBEAT: Check Point 4
    03/09 11:36:09 [320] <RegHeartbeatProc>===Registration STAGE===
    03/09 11:36:09 [320] <MakeRegisterData:>logon id (domain/user)=XXXXXX.COM/paul
    03/09 11:36:09 [320] <MakeRegisterData:>XML data: <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />
    <SSAProduct Version="11.0.4000.2295" />
    <SSAOS Version="5.1.2600" Desc="Windows             42DBC38PProfessional" Type="17105154" ServicePack="ServicePack"/>
    <Processor ProcessorType="x86     0x1.dbd580p-957mily%20Model%20Stepping" ProcessorClock="1698" ProcessorNum="1"/>
    <Memory Size="535740416"/>
    <BIOS Version="IBM%20%20-"/>
    <TpmDevice Id="0"/>
    <SSAProfile Version="5.0.0" SerialNumber="D1D6-030.000000050.0000002009%3a120x0.307d90p-102219"/>
    <SSAIDS Version="" SerialNumber=""/>
    <SSAUTC Bias="300" />
    <DNSs><DNS Address="xxx.xxx.xxx.250"/><DNS Address="XXX.XXX.XX.XX"/></DNSs>
    <WINSs><WINS Address="xxx.xxx.xxx.250"/></WINSs>
    <DHCPServer Address="xxx.xxx.xxx.250"/><SSANICs><SSANIC Ip="xxx.xxx.xxx.126" Mac="00-XX-9b-b9-XX-18" Gateway="xxx.xxx.xxx.1" SubnetMask="0.0.0.0"/></SSANICs>
    </SSAHostInfo>
    </SSARegData>
    03/09 11:36:10 [320] <SyLink>[MakeRegisterData] registration Hardware Key=4857454C45A597438BCD0E22A1940970
    03/09 11:36:10 [320] ************Reg CSN=50
    03/09 11:36:10 [320] <mfn_GenPostData (for Registration):>Request is: s_origin_length: 1350
    s_session_id: 4857454C45A597438BCD0E22A1940970
    Sygate-SSN: 50
    <?xml version="1.0" encoding="UTF-8" ?><SSARegData NameSpace="rpc"><AgentInfo DomainID="02DC6F8FC0A864FA0088C615BED1FD4C" AgentType="105" UserDomain="XXXXXX.COM" LoginUser="paul" ComputerDomain="XXXXXX.com" ComputerName="MLPNY_T42" PreferredGroup="Myompany    ‹Testing" PreferredMode="1" HardwareKey="4857454C45A597438BCD0E22A1940970" SiteDomainName=""/>
    <SSAHostInfo><NetworkIdentity UserDomain="XXXXXX.COM" LogonUser="paul" HostDomain="XXXXXX.com" HostName="MLPNY_T42" HostDesc="IBMThinkPad" />



  • 31.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 01:52 PM

    Looks like the send status returns a method not allowed.

     

    03/09 11:35:47 [320] <SendRegistrationRequest:>SMS return=468
    3/09 11:35:47 [320] <ParseHTTPStatusCode:>468=>468 Request not allowed
    03/09 11:35:47 [320] <SendRegistrationRequest:>Content Lenght => 48
    03/09 11:35:47 [320] <mfn_DecodeSSN>Sygate-SSN=47
    03/09 11:35:47 [320] <mfn_DecodeSSN>Read CSN=48
    03/09 11:35:47 [320] HTTP returns status code=468
    ...
    3/09 11:36:09 [320] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
    03/09 11:36:09 [320] <SendRegistrationRequest:>SMS return=0
    03/09 11:36:09 [320] <ParseHTTPStatusCode:>0=>Uninterpreted Status
    03/09 11:36:09 [320] <SendRegistrationRequest:>ERR to query content length
    03/09 11:36:09 [320] <SendRegistrationRequest:>Content Lenght =>
    03/09 11:36:09 [320] HTTP returns status code=0

     

    When you open the web browser to the server (from the local machine) did you enter: http://localhost/secars/secars.dll?hello,secars

    Also test remotely changing localhost to the name/ip of the server.  There is another tool I'm looking for that was posted on connect but i cannot seem to locate it right now... I'll keep looking.

     
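    Post 29 says to read the Sylink log for HTTP status codes, and the reply above picks the 468 and 12029 lines out of the dump. The script below is an added example, not code from the thread or from Symantec, that automates that triage: it assumes only the line shapes visible in the log above (ParseHTTPStatusCode, ParseErrorCode and SendRegistrationRequest entries), and the sample excerpt and its addresses are constructed.

```python
"""Triage a Sylink debug log (SylinkMonitor output) for client-to-SEPM
communication failures.

Added example, not from the thread or from Symantec. It extracts the HTTP
status the client parsed on each request, the WinINet error codes decoded
by <ParseErrorCode:>, and the server URL each registration attempt used,
then flags anything other than 200 and any server address in the
169.254.0.0/16 link-local (APIPA) range, which the log in the thread shows
the client trying as its "other server".
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample; line shapes copied from the thread's log excerpt,
# with the poster's masked addresses replaced by made-up private ones.
SAMPLE_LOG = """\
03/09 11:35:40 [320] <MaintainPushConnection:>SMS return=200
03/09 11:35:40 [320] <ParseHTTPStatusCode:>200=>200 OK
03/09 11:35:47 [320] <SendRegistrationRequest:>http://192.168.1.250:80
03/09 11:35:47 [320] <ParseHTTPStatusCode:>468=>468 Request not allowed
03/09 11:35:47 [320] HTTP returns status code=468
03/09 11:35:47 [320] <RegHeartbeatProc>switch to another server
03/09 11:35:48 [320] <SendRegistrationRequest:>http://169.254.148.177:80
03/09 11:36:09 [320] <ParseErrorCode:>12029=>The attempt to connect to the server failed.
03/09 11:36:09 [320] <ParseHTTPStatusCode:>0=>Uninterpreted Status
03/09 11:36:09 [320] HTTP returns status code=0
"""

TIME_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)")
# <ParseHTTPStatusCode:>468=>468 Request not allowed
STATUS_RE = re.compile(r"<ParseHTTPStatusCode:>(\d+)=>(.*)$")
# <ParseErrorCode:>12029=>The attempt to connect to the server failed.
ERROR_RE = re.compile(r"<ParseErrorCode:>(\d+)=>(.*)$")
# <SendRegistrationRequest:>http://host:port   (a binary body follows in real logs)
REG_URL_RE = re.compile(r"<SendRegistrationRequest:>(https?://([^:/\s]+)(?::(\d+))?)")


def is_link_local(host: str) -> bool:
    """True when host is a literal link-local (APIPA) IP address.

    A client told to register with 169.254.x.x cannot reach the SEPM from
    another subnet, so such a server entry deserves a finding of its own.
    """
    try:
        return ipaddress.ip_address(host).is_link_local
    except ValueError:  # a hostname rather than an IP literal
        return False


def triage_sylink_log(text: str) -> Dict[str, object]:
    """Summarise one Sylink log into status counts, errors, servers and findings."""
    status_counts: Counter = Counter()
    status_text: Dict[int, str] = {}
    transport_errors: List[Tuple[int, str]] = []
    servers: List[str] = []
    findings: List[str] = []

    for line in text.splitlines():
        tm = TIME_RE.match(line)
        stamp = tm.group(1) if tm else "?"
        sm = STATUS_RE.search(line)
        em = ERROR_RE.search(line)
        rm = REG_URL_RE.search(line)

        if sm:
            code, desc = int(sm.group(1)), sm.group(2).strip()
            status_counts[code] += 1
            status_text[code] = desc
            if code != 200:
                # 468 is not a standard HTTP code; the log decodes it as
                # "Request not allowed". 0 means no HTTP reply was parsed.
                findings.append(f"{stamp} server answered {code} ({desc})")
        elif em:
            code, desc = int(em.group(1)), em.group(2).strip()
            transport_errors.append((code, desc))
            findings.append(f"{stamp} transport error {code}: {desc}")
        elif rm:
            url, host, port = rm.group(1), rm.group(2), rm.group(3) or "80"
            servers.append(url)
            if is_link_local(host):
                findings.append(
                    f"{stamp} registration sent to link-local address {host}:{port}; "
                    "check the management server list and sylink.xml for an APIPA entry"
                )

    return {
        "status_counts": dict(status_counts),
        "status_text": status_text,
        "transport_errors": transport_errors,
        "registration_servers": servers,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_sylink_log(SAMPLE_LOG)
    print("HTTP statuses seen:", report["status_counts"])
    print("Registration servers tried:", report["registration_servers"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

    Run it against the file SylinkMonitor writes instead of SAMPLE_LOG to get the same summary for a real client.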



  • 32.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 02:41 PM

     

    >>(from the local machine) did you enter:http://localhost/secars

    >>Also test remotely changing localhost to the name/ip of the server.

     

    Both come up okay...(?)

     

    Thanks for the help.

    Paul



  • 33.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 03:36 PM

    http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe

     

    Run it on the SEPM and check for errors; run it on the client and check for errors. Let me know if it returns anything. Also, if you can take some screen prints of your Management Server List and IIS settings showing the IP address of the server, it might help.




  • 34.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 04:05 PM

    Hi,

    Already ran the support tool - the only error is that there is an MR4 version available.

    >>can take some screen prints of our Management Server List and IIS settings showing the IP address of the server it might help.

    Can't get screenshots at the moment - not sure what you want to see, but on the IIS side the website IP Address is "All assigned" (there are two IP addresses, 169.254.x.x and 192.168.x.x. Both are addresses on our server).

    On the console side: Local Sites (NYDC01), Management Server is NYDC01 (it has the same IP address as the website) and the localhost (adaptive server, Database sem5, user DBA).

     

    If that helps.

     



  • 35.  RE: Risk Monitoring and Alerts

    Posted Mar 10, 2009 10:55 PM

    Please deploy remotely to sample clients, want to make sure the client-server communications are running ok.



  • 36.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 03:42 AM

    I had the same issue.

    You can delete the computer accounts from the database.

    Below are the queries:

    -- Remove the stale client record; put the workstation name between the quotes
    delete from dbo.SEM_CLIENT
    where computer_name='';
    -- Remove the matching computer record for the same workstation
    delete from dbo.SEM_COMPUTER
    where computer_name='';

    Only put the workstation name in the ' '.

    Then restart the SMC service (smc -stop, then smc -start).

    Take a look in the console under virus definition distribution - the computers have to appear.



  • 37.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 05:19 AM

    Do you have problems with file sharing between your workstations and servers?



  • 38.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 08:46 AM

    >>>Please deploy remotely to sample clients

    That was already done. No change.

    >>>> Do have problems with file sharing with your workstations and servers?

    No.



  • 39.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 09:02 AM

    >>>>you can delete the computer accounts from database


    Where are the queries run from?

     



  • 40.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 09:14 AM

    >>>>you can delete the computer accounts from database

     

    Where are the queries run from?

    SQL Server Management Studio

     



  • 41.  RE: Risk Monitoring and Alerts

    Posted Mar 11, 2009 09:26 AM

    >>>>you can delete the computer accounts from database

     

    >>>SQL server management studio

     

    Not using SQL

     



  • 42.  RE: Risk Monitoring and Alerts

    Posted Mar 17, 2009 07:40 AM

    Not sure if you already tried this.

    I had the same issue in a test environment. None of the clients were reporting their status to the SEPM although all clients appeared to be OK (green dot) on the server as well as on the clients.

    I was able to solve it by re-running the configuration on the SEPM. I used the same settings as I used when I installed it the first time.

    After I finished the configuration wizard, clients appeared in the reporting console again.

    I still don't know what the root cause was, as I went through quite some troubleshooting steps but to no avail.

    Hope this helps.

    Erik



  • 43.  RE: Risk Monitoring and Alerts

    Posted Mar 17, 2009 08:59 AM

    One part of the problem seems to have been with the ODBC setup not having the proper information. -- It just so happens that I did need to rerun the configuration to make sure we had the correct database password. -- But after fixing the ODBC I was able to get one PC communicating with the console, so alerts started to work.

    Still checking out the other pc's.