Endpoint Protection


Security status - attention needed

  • 1.  Security status - attention needed

    Posted Sep 04, 2009 12:34 PM
    Hi,
    I run SEP MR4 MP2 on Windows 2003 SP2 servers and Win XP clients.
    On my SEP console the Security status shows Attention needed, but when looking for details I see in the log workstations with older virus definitions or workstations that did not run a full scan in the last 30 days, but all these workstations are no longer running SEP. They are not in my console anymore and I don't know how I can purge these false reports.
    Any help is appreciated.
    Thanks a lot.


  • 2.  RE: Security status - attention needed
    Best Answer

    Posted Sep 04, 2009 12:54 PM

    Log into the SEPM and click on the Admin tab.

    Click on Servers.

    Select the "Local Site" from the list of Servers.

    Under "Tasks," select Edit Site Properties.

    Under the "General" tab, there is a check box that says "Delete clients that have not connected for X days." By default this is set to 30. Change the number of days as desired.

    Click OK.



  • 3.  RE: Security status - attention needed

    Posted Sep 04, 2009 01:17 PM
    By default SEPM keeps the client information for 30 days. Because of that you will find clients which you have already removed from the network.
    After 30 days SEPM removes the client information (it marks the del flag in the database to "1").
    Try to reduce this value (it's available in the properties of the local site) and your old computers which are not present will go. Then the status will be good.



  • 4.  RE: Security status - attention needed

    Posted Sep 04, 2009 01:36 PM
    Thanks Prachand.
    I enabled that box and refreshed my SEP Manager Home page, but nothing has changed yet in the Security status. Same Attention needed and the same number of nonexistent workstations in the reports.
    There is a log somewhere that did not purge.
    I also logged off and back in to my SEP Manager.


  • 5.  RE: Security status - attention needed

    Posted Sep 04, 2009 01:53 PM
    Open IE on the machine where SEPM is installed and type:

    https://localhost:8443/servlet/ConsoleServlet?ActionType=ConfigServer&action=SweepLogs




  • 6.  RE: Security status - attention needed

    Posted Sep 04, 2009 02:48 PM
    Curious to see if Prachand's URL works for you, as it didn't work for me. I have clients in the "more details" screen with failures from more than 30 days ago (logs are set to 30 days). I had this problem for a LONG time (MR2?).


  • 7.  RE: Security status - attention needed

    Posted Sep 04, 2009 03:58 PM
    The first time it is run it flags logs to be deleted.

    The second time it actually removes them.

    It may not work at all on MR2; I haven't tested it on earlier than MR3.


  • 8.  RE: Security status - attention needed

    Posted Sep 04, 2009 04:08 PM
    Ran it four times in a row on my SEPM MR4 MP2 and I still have many scan, AV and IPS definition failures including quite a few that have no date.  Many have dates older than 30 days.


  • 9.  RE: Security status - attention needed

    Posted Sep 08, 2009 02:37 PM
    Hi -

    I had a very similar issue. I was seeing machines listed in the Security Status report under Scan Failures (never been scanned), but if you looked at the client itself, or even in the scan log from SEPM, it was clearly being scanned on our weekly schedule. I saw a similar issue with some machines related to AV definitions being out of date. They were flagged in the Security Status "Attention Needed" report, but if you checked the client (or the SEPM logs), you would see they had the correct defs.

    This is due to duplicate entries in the database. Symantec provided me a tool that removed duplicate entries from my database. It found / deleted 385 entries, and after that my report was clean.

      NOTE: I am running MR4 MP2 on the SEPMs. This problem did not affect all my clients. Just a very small number of them.


    Symantec has confirmed to me that this is a known issue slated to be fixed in RU5.


    I am keeping my fingers crossed for the real fix in RU5 (which is due in the next few weeks).


    Doug 


  • 10.  RE: Security status - attention needed

    Posted Sep 09, 2009 11:26 AM
    After the long weekend my old log cleared and the status is Good.
    Thanks a lot!


  • 11.  RE: Security status - attention needed

    Posted Sep 23, 2009 04:18 PM
    Doug, was this fixed for you? I just upgraded all SEPMs to RU5 and I still have this problem. I might have to wait until the logs get swept (I think that happens every night - anyone know for sure?).


  • 12.  RE: Security status - attention needed

    Posted Apr 07, 2010 02:18 PM
    Has anyone found a fix for this?  I'm also running RU5 and am seeing machines that no longer exist listed under Antivirus Definition Failures.  I have performed the troubleshooting steps listed above...no luck.