
SEP 12.1 Download Insight Status component is malfunctioning

Created: 07 Oct 2011 • Updated: 07 Oct 2011 | 18 comments

Just recently upgraded to 12.1 and I am having some problems with random servers showing as disabled in the SEPM. When I check on the status it says that a component is malfunctioning in the Download Insight Status column. I have about 100 servers running 12.1 and I get about 5 a day that do this. It seems I have to restart the servers and then they start working again. It is not the same 5 servers every day either; it seems to be completely random. I just recently upgraded to 12 from 11. Has anyone experienced a problem like this? Thanks for any help!!


mon_raralio's picture

Hi. What's the OS of the servers? And does this also happen to workstations?

“Your most unhappy customers are your greatest source of learning.”

dumontr's picture

I had the same problem. My fix so far, which is still working: open up the SEPM console.

Navigate to Policies and click on LiveUpdate > now right-click on the LiveUpdate Settings policy.

Click Edit and click on Server Settings > at the bottom click on Configure Proxy Options > click the radio button "I do not use a proxy server for HTTP or HTTPS". Click OK.

Now go to the clients that have issues and update content, or you can do the same to the proxy server on the client setting tab. Now try to do a LiveUpdate on the client, and when it finishes the error goes away.

good to go

poly15's picture

The server is Windows Server 2008 R2, and MOST of the problem is occurring on 2008 R2 Domain Controllers. I have this installed on very computers that are workstations, but so far no problems with them.

pete_4u2002's picture

Is there any application event ID at the same time you receive the above error?

mon_raralio's picture

Maybe it would take a while for SEP 12 to "learn" all the files being loaded in the server. Although at the moment, most suggestions also would tell you to restart the service. Worst case would require you to repair the installation. Fortunately, you don't have the firewall installed so there's no reboot required.

It was discussed here:

https://www-secure.symantec.com/connect/forums/sep...

I'd check out the settings on the client side - error message displayed on the GUI.

And a rather vague KB Article here:

Article URL http://www.symantec.com/docs/HOWTO54868

And by research, I've stumbled upon a website which I'd like to recommend for everyone to avoid at the moment which also contains your post: http://banspyware.info/2011/10/sep-12-1-download-i...

The main page of that site http://banspyware.info indicates it's been hacked. It's currently, or has been for a while, mirroring or linking to IT Security sites.

“Your most unhappy customers are your greatest source of learning.”

poly15's picture

Thank you, I will do a little more research on the above links, but my problem seems to be a bit different than your first link. If I restart the computers that are having the problems then they work just fine. Each morning I come in after a new virus definition has been pushed it happens to just a few computers. It is not every computer, and it is not the same computer every day. It seems to be completely random.

poly15's picture

In the GUI on the client side it says "Download Insight is Malfunctioning.  Download Insight is not functioning correctly due to an intrusion prevention component."

mon_raralio's picture

Repair the malfunctioning component. Test this on one of your least favorite servers. :D

“Your most unhappy customers are your greatest source of learning.”

poly15's picture

Went into the logs on the SEPM server and it shows a continuous Content Update Server error "Downloaded new content update from the management server failed. Remote file path: .................................................................."  It keeps trying it on the servers that are having the problem until I restart them. As soon as I restart the client it then works fine.

ssavoy's picture

I am having the exact same problem this morning.

This is a fresh install of 12, but some clients are complaining about the corruption mentioned above.

I am running the Protection Manager on a 08 server

I have not found a fix.

poly15's picture

Ssavoy,

When you restart does it fix the problem?  Is it all your servers or just a couple random servers?

Mick2009's picture

Hi Poly15,

Many thanks for starting this Connect Forum thread.  There's no known issue or article that matches the log entries that you are describing.  You may wish to contact Symantec Technical Support so that the matter can be investigated in full, and any potential issue or defect identified.

With thanks and best regards,

Mick

Portland_Girl's picture

(Recent upgrade to 12.1 from 11.0.6200) I have been experiencing "Component is Malfunctioning" issues with Server 2008 machines and Vista Business workstations for the Tamper Protection Status. I did open a ticket with technical support and am still working on a solution.

Initially I tried repair. Running repair fixed a couple of machines but several others returned to the disabled list after a day or two. I also tried deleting the machines from SEPM and letting them repopulate. This was also not a permanent fix.

At some point in the process I identified that maybe there is a reporting issue. Tamper Protection, though reported as disabled, is working on the machines. Also, all reports generated from clicking on the home page show the broadcast IP address (192.168.1.255). Next I tried Admin >> Edit Database Properties >> set Delete clients that have not connected for "x" days to one. The hope was that SEPM would churn the info and report accurately. That was unsuccessful.

Followed the instructions below from support and all machines have been reporting properly for almost a week—until this morning.

  1. Stop SMC on both of the affected SEP client computers by clicking Start > Run, Enter smc -stop > Click OK.
  2. In the SEPM console, delete the SEP client entry that the two or more computers have been sharing. This will prevent the client duplication that would otherwise occur due to the following steps.
  3. On each of the affected SEP client systems, open the registry key: "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink" Clear the value "HardwareID" (Make it blank)
  4. On each of the affected SEP client systems, navigate to the following directory location: "C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData"
  5. Find the file "sephwid.xml". Rename to "sephwid.xml.bak".
  6. Re-start SMC on each SEP client system (Step 6.) by clicking Start > Run, Enter smc -start > Click OK.

Today, one Vista workstation that had been fixed returned to the disabled list.  I reopened my ticket with support.  We need to determine if the client machine is reporting bad information or if SEPM is misinterpreting good information. So tonight I am going to run the Symantec Endpoint Protection Support Tool to collect data.  Once I submit the file, I should hear back on Monday.  If no issue is determined from the support tool, the next step is Sylink debugging.

Portland_Girl's picture

The Symantec Endpoint Protection Support Tool did not turn up any useful information.  Windows application logs do show several event ID 45 entries which may explain. Here are a couple of examples.

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Event Info:  Create Process
ActionTaken:  Logged
Actor Process:  C:\PROGRAM FILES (X86)\KASEYA\ADVLGL53958384774167\AGENTMON.EXE (PID 1528)
 

 SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
Event Info:  Open Process
ActionTaken:  Logged
Actor Process:  C:\USERS\KSURIANO\APPDATA\LOCAL\TEMP\RNINST~0\REALPLAYER.EXE (PID 4968)

Anyhow, for the machine that the above fix did not permanently resolve, uninstall/reinstall did provide a lasting solution.  Hope this helps.

pete_4u2002's picture

Maybe you can add those applications under a Tamper Protection exception.
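Before granting exceptions for the actor processes in the event ID 45 entries quoted above, it helps to group the alerts by actor and check where each binary runs from. This is an added example, not part of the original thread or of any Symantec tool: the function names and the `USER_WRITABLE` path heuristic are assumptions, and the sample input is the two alerts quoted in the thread.

```python
import re
from collections import defaultdict

# The two event ID 45 bodies quoted in the thread, copied verbatim.
SAMPLE = r"""
SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Event Info:  Create Process
ActionTaken:  Logged
Actor Process:  C:\PROGRAM FILES (X86)\KASEYA\ADVLGL53958384774167\AGENTMON.EXE (PID 1528)

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
Event Info:  Open Process
ActionTaken:  Logged
Actor Process:  C:\USERS\KSURIANO\APPDATA\LOCAL\TEMP\RNINST~0\REALPLAYER.EXE (PID 4968)
"""

FIELD = re.compile(r"^\s*(Target|Event Info|ActionTaken|Actor Process):\s*(.*?)\s*$")
ACTOR = re.compile(r"^(.+?)\s*\(PID (\d+)\)$")
# Assumption (not from the thread): these user-writable locations need review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def parse_alerts(text):
    """Return one dict per alert, with the actor split into path and PID."""
    alerts = []
    for line in text.splitlines():
        if line.strip() == "SYMANTEC TAMPER PROTECTION ALERT":
            alerts.append({})
        elif alerts and (m := FIELD.match(line)):
            alerts[-1][m.group(1)] = m.group(2)
    for a in alerts:
        m = ACTOR.match(a.get("Actor Process", ""))
        a["actor_path"], a["actor_pid"] = (m.group(1), int(m.group(2))) if m else (None, None)
    return alerts

def summarize(alerts):
    """Group alerts by actor image path (case-insensitive) for exception review."""
    groups = defaultdict(lambda: {"count": 0, "events": set(), "review": False})
    for a in alerts:
        key = (a["actor_path"] or "unknown").lower()
        groups[key]["count"] += 1
        groups[key]["events"].add(a.get("Event Info", ""))
        groups[key]["review"] = any(p in key for p in USER_WRITABLE)
    return dict(groups)

if __name__ == "__main__":
    for path, g in sorted(summarize(parse_alerts(SAMPLE)).items()):
        note = "review: user-writable path" if g["review"] else "exception candidate"
        print(f"{g['count']}x {sorted(g['events'])} {path} -> {note}")
```

An actor under a fixed install directory is a reasonable exception candidate once verified; an actor running from a per-user Temp folder is flagged because an exception keyed on that path would cover anything later written there.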

Leoncillo's picture

Please Help!

I have this message *Download Insight is not functioning correctly due to an Intrusion Prevention component* on the Status panel of my Symantec Endpoint Protection (12.1.1000,157 RU1). My PC is running under Windows XP, 32-bit. I am really not familiar with SEP. I would appreciate it if you could guide me on how to fix this problem. I have tried LiveUpdate and restarted my PC a couple of times, but the above-mentioned message is still there. I need step-by-step instructions. I am a good human virologist, but an absolutely computer-program-illiterate person. Hope somebody will be patient enough and willing to help me.

Leon  

dumontr's picture

OK, what I have done and will monitor: open the SEP console > click on Change Settings > click on Configure Settings for Client Management > click on Configure Proxy Options and click the radio button "I do not use a proxy server" > and now click on the LiveUpdate tab and do the same for the proxy server there.

Now click on LiveUpdate on the console. It should now connect to the servers and download new definitions, and will clear the Insight error.

You can make changes in the policy that is pushed to the clients: open SEPM > click on Policies > click on LiveUpdate > right-click LiveUpdate Settings Policy > change proxy server to "I do not use a proxy server".

Should take care of the issue.

thanks