Endpoint Protection Small Business Edition

  • 1.  SEP smb 12.1 SONAR issues

    Posted Feb 06, 2012 09:23 AM

    We are experiencing some problems with SEP small business edition 12.1 (clients are running SEPM version 12.1.671.4971).

    We receive a lot of emails regarding "Access denied SONAR" c:\windows\system32\svchost.exe" 

    I have no idea which program may be the cause for this warning. We have no VPN client software running. Maybe it is the network driver, or another 3rd-party program...

    The problem is you can only enable or disable the SONAR feature in the SMB edition. In the enterprise edition you can change the behavior when a risk such as the one listed above is detected (see image below). We have to find the program that causes this or disable SONAR completely to get rid of the warnings.

     

    I've created a case with Symantec to ask if there is a way to list the process ID from the svchost.exe. After weeks of troubleshooting, they suggested upgrading to the enterprise edition. There is no way to log more information in the SMB edition.

    First Symantec told me that my policies are corrupt; they found some settings which should not be possible to set in the SMB edition. This was a clean installation, no upgrade, so I don't understand this. The next step (I had to do this a few times) was to collect logs on both the server and affected clients. Nothing was found. I also had to collect some Process Monitor logs. But a few days later, they told me I had to look in the logs by myself. Symantec doesn't support procmon, but they asked me to send it to them in the first place....



  • 2.  RE: SEP smb 12.1 SONAR issues

    Trusted Advisor


  • 3.  RE: SEP smb 12.1 SONAR issues

    Broadcom Employee
    Posted Feb 08, 2012 06:18 AM

    Hi,

    If it's a Small Business Edition limitation, no one can do much more here.

    At this point you can submit a request for product enhancement.

    http://service1.symantec.com/DISCUSS/SUPPORT/feedback2.nsf/product+feedback

    As per your comments "We receive a lot of emails regarding "Access denied SONAR" c:\windows\system32\svchost.exe" "

    Would it be possible for you to attach a screenshot of the same?



  • 4.  RE: SEP smb 12.1 SONAR issues

    Posted Feb 08, 2012 07:23 AM

    Same message for other PCs. Just the hostname changes.

    We have tried to set up new policies (default) and new groups. But the result is the same. No VPN software installed on the computers.



  • 5.  RE: SEP smb 12.1 SONAR issues

    Broadcom Employee
    Posted Feb 08, 2012 12:37 PM

    Hi,

    Thanks for sharing the screenshot.

    Could you please share the case number which you had logged with Support?



  • 6.  RE: SEP smb 12.1 SONAR issues

    Posted Feb 09, 2012 07:02 AM

    Case 415-805-480

    Thanks!



  • 7.  RE: SEP smb 12.1 SONAR issues

    Broadcom Employee
    Posted Feb 20, 2012 12:03 PM

    Hi,

    The caller process can be found by viewing the control log under client management on the Symantec Endpoint Protection (SEP) client interface. A screenshot is attached for reference.

     

    But unfortunately when we checked with SBE 12.1 clients, the control log is not present.

    I believe control logs are not captured in SST logs either.