SEP MR4 console reporting bad/old data
Upgraded two servers at two different sites to MR4 MP1. When I go into Monitors->Logs the data I'm seeing for some of the clients is old or incorrect.
Example: Clients are reporting auto-protect off. I remote control the PC and auto protect is working, no errors, and the system log shows the client has been actively talking to the management server for over 12 hrs. Data is still showing updating in the logs.
Example: Clients are reporting old definition dates. I remote control the PC and definitions are up to date. System log shows the client has been actively talking to the management server for over 12 hrs. Data is still not updating in the logs. In some cases it will change but it's still not correct. For example, one client was showing definitions of 2/3/09 this morning, even though they are up to date on the client. About an hour later it's saying the defs are 2/26/09. Double checked and definitions are still up to date on the PC, but logs are still incorrect.
This is happening to only about a dozen of the 60 clients at this site. No errors in any of the logs on the client side, it's actively connecting to the management console, and no errors in the server logs either.
This is happening at both of the sites where I upgraded to MR4. I've been primarily working/testing on the smaller site as it is much more accessible, but the larger (+2000 clients) site is having similar issues with some of the clients date reporting.
Clients are either MR2 or MR3, have not pushed the MR4 upgrade to the clients yet.
Comments
Check log file folders on all SEPMs
Check all of the log folders on your SEP servers to see if they have files built up on them. I have this problem too. It started when I upgraded to MR4 and I've had a case open for months with no resolution yet.
The specific folders are ...\Symantec Endpoint Protection Manager\data\inbox\agentinfo, log\client, log\security, log\system, log\tex\avman, log\traffic
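One way to run the folder check suggested in the post above on each SEPM server, as an added example that is not part of the original thread and not a Symantec tool. It reports, per folder, how many files are waiting and how old the oldest one is. Assumptions: `$InboxRoot` is a placeholder for the install path the post elides, the folder names are read as relative to `data\inbox` (with `agentinfo` spelled as it is later in the thread), the 60-minute threshold is arbitrary, and PowerShell 3.0 or later is available.

```powershell
# Added example: report file backlog in the SEPM inbox folders named in the thread.
param(
    # Placeholder: the thread elides the install prefix ("...\"), so set this per server.
    [string]$InboxRoot = 'C:\PLACEHOLDER\Symantec Endpoint Protection Manager\data\inbox',
    # Assumed threshold: files older than this are treated as not being processed.
    [int]$StaleMinutes = 60
)

# Folder list from the post, read as relative to data\inbox (assumption).
$folders = 'agentinfo', 'log\client', 'log\security', 'log\system',
           'log\tex\avman', 'log\traffic'
$now = Get-Date

$report = foreach ($rel in $folders) {
    $path = Join-Path $InboxRoot $rel
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        [pscustomobject]@{ Folder = $rel; Files = $null; OldestAgeMin = $null; Status = 'missing' }
        continue
    }

    # Only files directly in the folder; subfolders are not counted.
    $files  = @(Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue)
    $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1

    if ($files.Count -eq 0) {
        # Empty means the data has already been processed into the database.
        $age = $null; $status = 'empty'
    } else {
        $age = [int]($now - $oldest.LastWriteTime).TotalMinutes
        $status = if ($age -gt $StaleMinutes) { 'backlog' } else { 'processing' }
    }

    [pscustomobject]@{ Folder = $rel; Files = $files.Count; OldestAgeMin = $age; Status = $status }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any folder holds stale files, so a scheduled task can alert on it.
if (@($report | Where-Object { $_.Status -eq 'backlog' }).Count -gt 0) { exit 1 }
```

Running it a few times some minutes apart shows whether a folder is draining or whether the file count and oldest age keep growing.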
Thanks
I'll check that out...
Same issue here
Could someone explain to me what's wrong here?
Since I updated the SEPM to MR4(1a) the status summary shows me a lot of "not reporting status" computers. I see on my client management log (client side) that the management server is correctly connected. Also, my policy has correctly caught the client (SEP reinstalled on this client using the SEPM console).
Now, it looks like all commands which I send to the client from my SEPM do not work anymore.
That's a huge problem; we are currently deploying SEP on over 1000 PCs and can't continue our work with this impact.
The whole "c:\progfiles\....SEPM\data\inbox" folders are empty!?!
Could someone help me please!?!
THX
Alex
AMi 2 - Empty folders are good in your case
The inbox folders being empty is a good thing. That means the data has processed to the database. In my case the folders are full and the files keep building up and not processing.
what a crap
>>The inbox folders being empty is a good thing. That means the data has processed to the database. In my case the folders are full and the files keep building up and not processing.
Okay, do you know how to prune all logs from SEPM?
Opened a support case
Will update here as I get more info...(Above suggestions did not help...)
Logs are building up
Same here, in my SEPM servers logs are building up in the agents info folder. What I temporarily did is cut and paste the log to my other SEPM server so it can be processed. I have two SEPM servers with a single SQL database.
We haven't heard from Symantec yet.....
We have several cases like
We have several cases like this, the good news is that a lot of work has gone on with MR4 MP2 on this, and we are seeing an 80% improvement in log processing speed as a result of the changes we have made so far.
Do you have logs building up in ALL folders, or just agentinfo?
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
My solution for this issue
Go to the "IIS Manager" -> DefaultAppPool->Properties-> Identity-> Change App. pool Identity to Local System
Reboot the Server
it works for me :)
In my case the it occurs in
In my case it occurs in all folders. I've temporarily disabled the 'learned computer apps' logs to help with the issue.
Update on case
So far no resolution. Support suggested removing and reinstalling SEPM and that led to another case as I could not reestablish replication. That case is still being worked on as well.
So the primary server is still having this issue. It passes the dbvalidator test and so far none of the suggestions have worked. I still have data that seems to be "stuck" or is just plain incorrect in the SEPM console logs and reports.
Upgrading fixed my servers
Upgrading to MR4 MP2 fixed my servers. They started processing the dat files much quicker and are staying caught up now.
Thanks for Confirming
Thanks for confirming that MR4 MP2 is resolving the issue as stated per Release notes about the BCP and slow dat file processing.