
SEP 12.1 Client downloading large amounts of data

Created: 08 Aug 2012 | 6 comments

We have an Endpoint Protection client downloading large amounts of data. 

This has happened before and it appears to be corrupt virus definitions and the client keeps requesting full definition files over and over. 

After uninstalling the client and reinstalling, this client still continues to download large amounts of data, saturating this offsite location's bandwidth. The traffic appears to be going over ports 1248 and 1865 between the client and the management server. Any idea what this is?

Windows XP client

SEP 12.1 RU1


Swapnil khare

Enable debugging using the Sylink Monitor below and upload the logs. Alternatively, try the steps below on the SEPM.

http://www.symantec.com/business/support/index?page=content&id=TECH103369


Sometimes, it is noted that if there are corrupt virus definitions downloaded by SEPM, it is required to clean them up and download the virus definitions again.

Following are the steps for the same:

File system cleanup for 32-bit SESC Virus Definitions:

1. Stop the SEPM server service.

2. Go to the C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433} folder and move all of the subfolders to another place, such as C:\Temp, if you want a backup; otherwise delete the subfolders.

Database cleanup for 32-bit SESC Virus Definitions:

3. Go to C:\Program Files\Common Files\Symantec Shared\SymcData\ and delete the following folders:
sesmipsdef32
sesmipsdef64
sesmvirdef32
sesmvirdef64

4. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete these keys:
SymcData-sesmipsdef32
SymcData-sesmipsdef64
SymcData-sesmvirdef32
SymcData-sesmvirdef64

5. In the registry, navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef64
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef64

6. Start the SEPM service back up.

7. Run LiveUpdate from within the Symantec Endpoint Protection Manager console.

This will re-populate the database, which in turn will update the moniker folders.

You can try this on one client machine; however, I think the above might help!

http://www.symantec.com/business/support/index?page=content&id=TECH103176&locale=en_US

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
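The cleanup procedure above, written out as an added PowerShell script (this is not from the thread or from Symantec). It is read-only by default and prints what it would do; nothing is changed unless it is run with -Execute. It assumes the SEPM service is named semsrv (check with Get-Service before relying on that) and uses the 32-bit default paths quoted in the post. Step 7, LiveUpdate from the console, stays a manual step.

```powershell
# Added example, not from the thread or from Symantec: the definition cleanup steps
# as a script. Dry-run by default; pass -Execute to actually stop the service,
# move/delete folders and remove registry entries.
# Assumption: the SEPM service name is 'semsrv' (verify with Get-Service on your server).
param([switch]$Execute)

$ServiceName = 'semsrv'
$ContentDir  = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}'
$SymcData    = 'C:\Program Files\Common Files\Symantec Shared\SymcData'
$BackupDir   = 'C:\Temp\SEPM-content-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$Monikers    = 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64'
$RegRoots    = 'HKLM:\SOFTWARE\Symantec\InstalledApps', 'HKLM:\SOFTWARE\Symantec\SharedDefs'

function Invoke-Step([string]$Description, [scriptblock]$Action) {
    # Print the step; run it only when -Execute was given
    if ($Execute) { Write-Host "DOING : $Description"; & $Action }
    else          { Write-Host "WOULD : $Description" }
}

# 1. Stop the SEPM server service and wait until it is really down
Invoke-Step "Stop service $ServiceName" {
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', '00:02:00')
}

# 2. Move every subfolder of the content directory to a backup folder instead of deleting it
#    (PSIsContainer rather than -Directory so this also runs on PowerShell 2.0)
Get-ChildItem -Path $ContentDir -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object {
        $src = $_.FullName
        Invoke-Step "Move $src -> $BackupDir" {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            Move-Item -Path $src -Destination $BackupDir
        }
    }

# 3. Delete the four moniker folders under SymcData
foreach ($m in $Monikers) {
    $dir = Join-Path $SymcData $m
    if (Test-Path $dir) {
        Invoke-Step "Remove folder $dir" { Remove-Item -Path $dir -Recurse -Force }
    }
}

# 4./5. Remove the SymcData-* entries under InstalledApps and SharedDefs. The post calls
#       them keys; on many installs they are string values under those keys, so both
#       forms are handled here.
foreach ($root in $RegRoots) {
    foreach ($m in $Monikers) {
        $name = "SymcData-$m"
        $key  = Join-Path $root $name
        if (Test-Path $key) {
            Invoke-Step "Remove registry key $key" { Remove-Item -Path $key -Recurse -Force }
        } elseif ((Test-Path $root) -and (Get-ItemProperty -Path $root -Name $name -ErrorAction SilentlyContinue)) {
            Invoke-Step "Remove registry value $root\$name" { Remove-ItemProperty -Path $root -Name $name }
        }
    }
}

# 6. Start the service again
Invoke-Step "Start service $ServiceName" { Start-Service -Name $ServiceName }

# 7. Cannot be scripted from here: LiveUpdate is run from the SEPM console
Write-Host "Step 7 is manual: run LiveUpdate from the SEPM console to repopulate the database and moniker folders."
```

Run it once without -Execute from an elevated prompt to review the list of folders and registry entries it would touch; the moved content subfolders end up under C:\Temp so they can be restored if LiveUpdate does not repopulate them.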

 

Ian_C.

Rx4DefsSEP.exe

This utility should automate the process of cleaning out the corrupt definitions. See http://www.symantec.com/business/support/index?page=content&id=TECH93036

Please mark the post that best solves your problem as the answer to this thread.

SMLatCST

Those ports (1248 and 1865) are not normal SEP ports (SEPM by default uses port 8014 for client communications).

If you don't know what's using those ports, I'd suggest running a netstat on the SEPM to track down which process(es) is/are listening on those ports and investigate them.

netstat -pano tcp

The above switches will return Process ID numbers for each of the TCP-based network connections when run on the SEPM; you can then check within Task Manager for the corresponding process name(s) and hopefully figure out what the ports are being used for.
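The netstat-to-process lookup described in this reply, as an added PowerShell example (not from the thread): it runs netstat -ano, keeps only the rows that involve the two ports reported in the question, and resolves each PID to a process name, image path and, for svchost-hosted processes, the service names sharing that PID. The only page-specific input is the port list; run it from an elevated prompt on the SEPM (and on the client) so image paths are readable.

```powershell
# Added example, not from the thread: tie the unexpected ports to the processes behind them.
# Input taken from the question: the two ports seen between client and SEPM.
$SuspectPorts = @(1248, 1865)

function Get-PortNumber([string]$Endpoint) {
    # netstat prints endpoints as 10.0.0.5:8014, [::]:8014 or *:*; return $null when there is no numeric port
    if ($Endpoint -match ':(\d+)$') { return [int]$Matches[1] }
    return $null
}

function Get-SuspectConnection([int[]]$Ports) {
    # 'netstat -ano' columns: Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State column, so the PID is always read from the last field.
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $localPort  = Get-PortNumber $f[1]
        $remotePort = Get-PortNumber $f[2]
        if (($Ports -contains $localPort) -or ($Ports -contains $remotePort)) {
            $owner = [int]$f[-1]
            $state = ''
            if ($f[0] -eq 'TCP') { $state = $f[3] }
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            # svchost.exe hosts several services; list the ones in that PID so the row
            # can be tied to a service name rather than just 'svchost'
            $svc = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $owner" |
                   ForEach-Object { $_.Name }
            $procName = '<exited>'
            $procPath = ''
            if ($proc) {
                $procName = $proc.ProcessName
                $procPath = $proc.Path   # blank for protected processes in a non-elevated shell
            }
            New-Object PSObject -Property @{
                Proto    = $f[0]
                Local    = $f[1]
                Remote   = $f[2]
                State    = $state
                PID      = $owner
                Process  = $procName
                Path     = $procPath
                Services = ($svc -join ',')
            }
        }
    }
}

Get-SuspectConnection -Ports $SuspectPorts |
    Format-Table Proto, Local, Remote, State, PID, Process, Services, Path -AutoSize
```

Anything other than the SEP/SEPM binaries (Smc.exe, ccSvcHst.exe, semsrv and the Apache/Tomcat processes under the SEPM install folder) owning those rows is what to investigate next; an empty result means the traffic is not terminating in a process on that box and the capture point should move to the client or the network edge.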

Mithun Sanghavi

Hello,

These ports are not used by Symantec.

I would request you to follow the steps provided above by SMLatCST, and then I would request you to:

  1. Remove the machine from the network,
  2. Follow the steps provided in the Article: Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
  3. Run either the Power Eraser Tool OR the SERT Tool. 

Power Eraser tool –

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

What about your client disk space? Does it have more than 1 GB free?

Also, did you use a custom port? It should be port 80 normally... Try the netstat suggested by SMLat.

If not, you may also use fport.exe by Foundstone.

Riya31

Please check the number of contents using the following.

  1. In the Symantec Endpoint Protection Manager console, click Admin > Servers > Local Site.
  2. Right-click Local Site and select Edit Properties.
  3. Click LiveUpdate.
  4. Under "Disk Space Management for Downloads", select the number of content revisions to be retained.