SEP 12.1 Client downloading large amounts of data
Created: 08 Aug 2012 | 6 comments
We have an Endpoint Protection client downloading large amounts of data.
This has happened before and it appears to be corrupt virus definitions and the client keeps requesting full definition files over and over.
After uninstalling the client and reinstalling, this client still continues to download large amounts of data, saturating this offsite location's bandwidth. The traffic appears to be going over ports 1248 and 1865 between the client and the management server. Any idea what this is?
Windows XP client
SEP 12.1 RU1
Enable debugging using the sylink monitor below and upload the logs. Alternatively, try the steps below on the SEPM.
http://www.symantec.com/business/support/index?page=content&id=TECH103369
Sometimes, it is noted that if there are corrupt virus definitions downloaded by SEPM, it is required to clean them up and download the virus definitions again.
Following are the steps for the same:
File system cleanup for 32-bit SESC Virus Definitions:
1. Stop the SEPM server service.
2. Go to the C:\program files\symantec\symantec endpoint protection manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433} folder and move all of the subfolders to another place, such as C:\Temp, if you want a backup; otherwise delete the sub-folders.
Database cleanup for 32-bit SESC Virus Definitions:
3. Go to C:\Program Files\Common Files\Symantec Shared\SymcData\ and delete the following folders:
sesmipsdef32
sesmipsdef64
sesmvirdef32
sesmvirdef64
4. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete these keys:
SymcData-sesmipsdef32
SymcData-sesmipsdef64
SymcData-sesmvirdef32
SymcData-sesmvirdef64
5. In the registry, navigate to and delete the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef64
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef64
6. Start the SEPM service back up.
7. Run LiveUpdate from within the Symantec Endpoint Protection Manager console.
This will re-populate the database, which in turn will update the moniker folders.
You can try this on one client machine; however, I think the above might help!
http://www.symantec.com/business/support/index?page=content&id=TECH103176&locale=en_US
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Swapnil
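The cleanup steps in the reply above are a fixed sequence that is easy to get half-done by hand (service left running, one registry entry missed). The PowerShell script below is an added example, not code from this thread or from Symantec, that performs steps 1 to 6 in order and leaves step 7 (LiveUpdate from the console) to the administrator. Everything it touches comes from the steps above; the only assumptions are that the SEPM Windows service short name is semsrv, that the default 32-bit install paths apply (on 64-bit Windows substitute Program Files (x86) and the Wow6432Node registry view), and that the entries named in steps 4 and 5 may exist either as registry values or as subkeys, so both forms are handled.

```powershell
<#
  Added example, not from the thread or from Symantec: automates the manual
  definition-cleanup steps 1-6 quoted in the reply above.
  Assumptions (not stated on the page): SEPM service short name 'semsrv';
  default 32-bit install paths; registry entries may be values or subkeys.
  Run from an elevated prompt. Pass -WhatIf first: every destructive cmdlet
  below honours it, so a dry run changes nothing.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SepmRoot    = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [string]$SymcData    = 'C:\Program Files\Common Files\Symantec Shared\SymcData',
    [string]$BackupRoot  = 'C:\Temp\SEPM-defs-backup',
    [string]$ServiceName = 'semsrv'   # assumption: SEPM service short name
)

$contentGuid = '{C60DC234-65F9-4674-94AE-62158EFCA433}'   # moniker folder named in step 2
$contentDir  = Join-Path $SepmRoot "Inetpub\content\$contentGuid"
$defNames    = 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64'

function Remove-RegEntry {
    # Removes $Name under $KeyPath whether it is stored as a value or as a subkey.
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -contains $Name) {
        Remove-ItemProperty -Path $KeyPath -Name $Name
    }
    $subKey = Join-Path $KeyPath $Name
    if (Test-Path $subKey) {
        Remove-Item -Path $subKey -Recurse
    }
}

# Step 1: stop the management server so nothing rewrites the folders mid-cleanup.
Stop-Service -Name $ServiceName -Force
if (-not $WhatIfPreference) {
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', '00:02:00')
}

# Step 2: move every subfolder of the moniker folder to a timestamped backup
# (the reply allows deleting instead; a copy lets you roll back).
if (Test-Path $contentDir) {
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Get-ChildItem -Path $contentDir |
        Where-Object { $_.PSIsContainer } |       # PSIsContainer works on PowerShell 2.0
        Move-Item -Destination $backup
}

# Step 3: delete the SymcData definition folders.
foreach ($name in $defNames) {
    $dir = Join-Path $SymcData $name
    if (Test-Path $dir) { Remove-Item -Path $dir -Recurse -Force }
}

# Steps 4 and 5: remove the matching InstalledApps and SharedDefs entries.
foreach ($name in $defNames) {
    Remove-RegEntry -KeyPath 'HKLM:\SOFTWARE\Symantec\InstalledApps' -Name "SymcData-$name"
    Remove-RegEntry -KeyPath 'HKLM:\SOFTWARE\Symantec\SharedDefs'    -Name "SymcData-$name"
}

# Step 6: bring the service back. Step 7 (LiveUpdate from the console) stays manual.
Start-Service -Name $ServiceName
Write-Host "Cleanup finished. Now run LiveUpdate from the SEPM console (step 7)."
```

Save it as something like Clear-SepmDefs.ps1 and run .\Clear-SepmDefs.ps1 -WhatIf to see exactly which folders and registry entries would be removed before running it for real; because the script relies on each cmdlet's own -WhatIf support rather than a custom flag, nothing is stopped, moved or deleted during the dry run.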
Rx4DefsSEP.exe
This utility should automate the process of cleaning out the corrupt definitions. See http://www.symantec.com/business/support/index?page=content&id=TECH93036
Those ports (1248 and 1865) are not normal SEP ports (SEPM by default uses port 8014 for client communications).
If you don't know what's using those ports, I'd suggest running a netstat on the SEPM to track down which process(es) is/are listening on those ports and investigate them.
netstat -ano -p tcp
The above switches will return Process ID numbers for each of the TCP-based network connections when run on the SEPM. You can then check within Task Manager for the corresponding process name(s) and hopefully figure out what the ports are being used for.
http://www.cstl.com/
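Cross-referencing netstat PIDs against Task Manager by eye is tedious when a host has hundreds of connections. The script below is an added example, not code from this thread, that does the same check SMLatCST describes in one step: it parses the output of netstat -ano (so it also works on the Windows XP and Server 2003 era hosts this thread is about, where Get-NetTCPConnection does not exist) and joins each connection on the ports of interest to its owning process name and image path. The two default port numbers are the ones from the question; the only assumption is the standard English netstat column layout.

```powershell
<#
  Added example, not from the thread: map TCP connections on the listed ports
  to their owning process by parsing 'netstat -ano' and resolving the PID
  with Get-Process. Run on the SEPM (or the client) from an elevated prompt
  so that Get-Process can read the image path of every process.
  Assumption: netstat prints the standard English table
    Proto  Local Address  Foreign Address  State  PID
#>
param(
    [int[]]$Ports = @(1248, 1865)     # ports seen in the original question
)

function Get-TcpConnectionOwner {
    param([int[]]$Ports)

    # Keep only TCP rows; '-p tcp' already drops UDP, the regex drops the header.
    $rows = netstat -ano -p tcp | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($line in $rows) {
        # Split on whitespace and drop the empty leading token from the indent.
        $f = $line -split '\s+' | Where-Object { $_ }
        $local = $f[1]; $remote = $f[2]; $state = $f[3]; $ownerPid = [int]$f[4]

        # Port is everything after the last ':' (handles [::]:1248 as well as 10.0.0.5:1248).
        $localPort  = [int]($local  -replace '^.*:', '')
        $remotePort = [int]($remote -replace '^.*:', '')
        if (-not ($Ports -contains $localPort -or $Ports -contains $remotePort)) { continue }

        # Resolve the PID; a process that exited between netstat and here yields $null.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $procName = '<exited>'; $procPath = ''
        if ($proc) {
            $procName = $proc.ProcessName
            if ($proc.Path) { $procPath = $proc.Path }
        }

        New-Object PSObject -Property @{
            Local   = $local
            Remote  = $remote
            State   = $state
            PID     = $ownerPid
            Process = $procName
            Path    = $procPath
        }
    }
}

Get-TcpConnectionOwner -Ports $Ports |
    Sort-Object PID |
    Format-Table Local, Remote, State, PID, Process, Path -AutoSize
```

Run it once on the management server and once on the chatty client: if the process on both ends is a Symantec binary under the SEP install directory, the traffic is definition delivery on non-default ports; if the owning image lives somewhere else, that is the process to investigate next, exactly as suggested above. netstat's -b switch prints the executable name directly but needs elevation and is slow on busy hosts, which is why the script resolves the PID itself.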
Hello,
These ports are not used by Symantec.
I would request you to follow the steps provided above by SMLatCST, and then I would request you to try the following:
Power Eraser tool –
http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default
How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions –
http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
What about your client disk space? Does it have more than 1 GB free?
Also, did you use a custom port? It should be port 80 normally... Try the netstat suggested by SMLat.
If not, you may also use fport.exe by Foundstone.
Please check the number of contents using the following.