(Recent upgrade to 12.1 from 11.0.6200) I have been experiencing "Component is Malfunctioning" issues with Server 2008 machines and Vista Business workstations for the Tamper Protection Status. I did open a ticket with technical support and am still working on a solution.
Initially I tried repair. Running repair fixed a couple machines but several others returned to the disabled list after a day or two. I also tried deleting the machines from SEPM and letting them repopulate. This was also not a permanent fix.
At some point in the process I identified that maybe there is a reporting issue. Tamper Protection, though reported as disabled, is working on the machines. Also, all reports generated from clicking on the home page show the broadcast IP address (192.168.1.255). Next I tried Admin >> Edit Database Properties >> set "Delete clients that have not connected for x days" to one. The hope was that SEPM would churn the info and report accurately. That was unsuccessful.
I followed the instructions below from support, and all machines have been reporting properly for almost a week, until this morning.
- Stop SMC on both of the affected SEP client computers by clicking Start > Run, Enter smc -stop > Click OK.
- In the SEPM console, delete the SEP client entry that the two or more computers have been sharing. This will prevent the client duplication that would otherwise occur due to the following steps.
- On each of the affected SEP client systems, open the registry key: "HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink". Clear the value "HardwareID" (make it blank).
- On each of the affected SEP client systems, navigate to the following directory location: "C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData"
- Find the file "sephwid.xml". Rename to "sephwid.xml.bak".
- Re-start SMC on each SEP client system (Step 6.) by clicking Start > Run, Enter smc -start > Click OK.
Today, one Vista workstation that had been fixed returned to the disabled list. I reopened my ticket with support. We need to determine if the client machine is reporting bad information or if SEPM is misinterpreting good information. So tonight I am going to run the Symantec Endpoint Protection Support Tool to collect data. Once I submit the file, I should hear back on Monday. If no issue is determined from the support tool, the next step is Sylink debugging.
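
The client-side steps of the support procedure quoted above, written out as a PowerShell script. This is an added example, not part of the original post or of Symantec's instructions. It assumes an elevated session on the affected client, that `smc` resolves through Start-Process the same way it does from Start > Run, and that the registry key and file path are exactly those given in the post.

```powershell
# Added example: reset the SEP client hardware ID as described in the post.
# Run elevated on each affected client. Paths and names are taken from the post.
$ErrorActionPreference = 'Stop'

$regKey = 'HKLM:\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink'
$hwFile = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml'

# Refuse to run without administrative rights; the registry write would fail later anyway.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Stop SMC (same command the post enters in Start > Run).
Start-Process -FilePath 'smc' -ArgumentList '-stop' -Wait

# The SEPM console step is manual; pause so it happens before the client restarts.
Read-Host 'Delete the shared client entry in the SEPM console, then press Enter'

# Record the current HardwareID before blanking it, so the change can be traced later.
# This throws if the key or value is missing, which means the path differs on this machine.
$oldId = (Get-ItemProperty -Path $regKey -Name 'HardwareID').HardwareID
Write-Output "Previous HardwareID on ${env:COMPUTERNAME}: $oldId"
Set-ItemProperty -Path $regKey -Name 'HardwareID' -Value ''

# Rename sephwid.xml to sephwid.xml.bak, keeping any earlier backup under a dated name.
if (Test-Path -Path $hwFile) {
    $backup = "$hwFile.bak"
    if (Test-Path -Path $backup) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Rename-Item -Path $backup -NewName "sephwid.xml.bak.$stamp"
    }
    Rename-Item -Path $hwFile -NewName 'sephwid.xml.bak'
} else {
    Write-Warning "sephwid.xml not found at $hwFile; nothing renamed."
}

# Restart SMC so the client registers again with SEPM.
Start-Process -FilePath 'smc' -ArgumentList '-start' -Wait
```

The printed previous HardwareID is worth keeping with the support ticket, since it shows which clients had been sharing an entry.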