SEP 12.1 RU3 - SONAR not installed but reporting in the SEPM console

Created: 20 Jun 2013 • Updated: 20 Jun 2013 | 5 comments
S_K

Hello,

We have started the upgrade of SEP on servers from version 11 to 12.1 RU3. These are Citrix servers, so we are installing only "Antivirus and Antispyware Protection" without any other features (no SONAR, IPS etc).

After the upgrade, when I check the server in SEPM, it also shows SONAR definitions. Why is this so, when we don't have SONAR installed?

Thanks

sandra.g

I'm guessing you mean the content the SEPM is hosting. By default, the SEPM is going to download all possible content to serve. Only clients who have that component installed will download it from the SEPM. You can change that content (after logging into the SEPM), under Admin > Servers > Edit Site Properties > LiveUpdate (tab) > Content Types to Download > click Change Selection....

You can uncheck the SONAR (or other) content you don't want the SEPM to get, if your clients don't need it.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

S_K

Hi Sandra,

I mean that on the server we have only "Antivirus and Antispyware Protection" installed, nothing else. Even when I go to Control Panel it shows this.

Then when I go to the SEPM, find the server and go to its Properties, it shows that the server also has SONAR and Download Protection, which is not the case. I have attached screenshots here.

Attachment: SEP.docx (95.36 KB)

Rafeeq

Was this system earlier installed with PTP? I think it's picking up this value from the registry.

Delete the clients from SEPM and then update policy on the clients.

Clear the bashdefs on the client.

http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

S_K

Yes, there was previously PTP installed, but the problem is that we are going to upgrade around 500 servers and it will not be possible to perform the above steps manually on each of them.

sandra.g

S_K, I understand now, thanks. Sorry for the misunderstanding, and thanks for the screen shots.

I investigated this on my own system by removing the PTP component, then rebooting. The definitions (C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs) were still there and still show in the SEPM. The BHDrvx64 is still present and running when I check under Non-Plug and Play Drivers (per the doc Rafeeq linked).

I did a little digging, and found the following document (a doc last modified by Mick2009, so I am confident it is accurate :) ):

SEP 12.1's BASH (Behavior Analysis and System Heuristics) driver remains functional even after removing Proactive Threat Protection.  BASH provides the underlying technology for a number of SEP features, and is not limited to Proactive Threat Protection.

Exactly how this connects (or potentially connects) to the SONAR definitions being present and reported to the SEPM is not clear to me, though. Maybe someone else can chime in with a bit more information.

sandra