Endpoint Protection

  • 1.  SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 04, 2010 01:22 PM

    I noticed that clients were not updating virus information to the server for about 2-3 weeks. I decided to reboot the server and bam tonnes of alerts suddenly show up in the inbox. I would like to identify the source of what service failed that required me to reboot the server for this alerts feature to kick back on. What are the service dependencies that are required by SEPM for reporting alerts ~ this may assist me in identifying a logged entry in event viewer.

    For a clearer idea of what I was experiencing - in the SEPM console, Action Summary was not being updated at all until the server reboot. Virus definitions were downloading and being installed no problem.



  • 2.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 04, 2010 03:08 PM

    I think you could have restarted the SEPM service from the services, that would have solved the issue...



  • 3.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 04, 2010 05:06 PM

    I agree with Vishal; however, if the issue persists, you should open a ticket with support, or run the SEP Support Tool on the SEPM server. If you need assistance analyzing the data, save the report and post it here.



  • 4.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 04, 2010 05:47 PM

    I'd have to agree with Vishal as well. But we're now removing my question from the equation and replacing it with what you perceive to be the solution. I would like to understand what feature/service in the product messed up, so I can check if there is a log entry that can assist me in detecting these issues sooner rather than later in the future.

    I am asking you: What service does the alerting feature rely on ~ the one that pools client information from the client and dumps it into the database? It is obvious that it was the server with the issue. Is there a log folder on the SEPM server that would highlight these silent issues that I had no idea were occurring until a few weeks later? Yes, a reboot fixed it - but I need to know why this became unreliable enough to require a restart - I should not have to feel that I cannot trust the SEPM server enough that I require it to reboot once a week because someone cannot come up with an explanation on how to detect issues as they are happening.

    As well - I am looking to hear back from any server administrator who has successfully deployed MR2 on top of the 11.0.6 installation - Does this maintenance release really fix the DWH file detection issue?



  • 5.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 05, 2010 01:46 AM

    As far as I know, the SEPM uses IIS for all these reporting purposes. The IIS Admin and World Wide Web services have very important roles in this. You can also check whether any error is appearing in scm-server-0.log, which is present in Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs.



  • 6.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 05, 2010 03:39 PM

    DATE HERE SEVERE: Broken content link detected! Skipping content: PRODUCT ID HERE

    DATE HERE SEVERE: Unknown Exception in: com.sygate.scm.server.util.securitydata.VirusData
    java.io.FileNotFoundException:  DRIVE AND DIRECTORY STRUCTURE HERE temp\indexD.html (The system cannot find the file specified)

    DATE HERE SEVERE: Unknown Exception in: com.sygate.scm.server.task.ClientTransportInfoTask
    java.lang.Exception: HTTP 503 Service Unavailable, URL: http://localhost:PORTNUMBER/secars/secars.dll?action=36
     at com.sygate.scm.common.communicate.Communicator.sendRequest(Communicator.java:303)
     at com.sygate.scm.server.task.ClientTransportInfoTask.run(ClientTransportInfoTask.java:116)
     at java.util.TimerThread.mainLoop(Timer.java:512)
     at java.util.TimerThread.run(Timer.java:462)

    com.sygate.scm.common.communicate.CommunicationException: Unexpected server error. ErrorCode: 0x10010000
     at com.sygate.scm.common.communicate.Communicator.sendRequest(Communicator.java:324)
     at com.sygate.scm.server.task.ClientTransportInfoTask.run(ClientTransportInfoTask.java:116)
     at java.util.TimerThread.mainLoop(Timer.java:512)
     at java.util.TimerThread.run(Timer.java:462)
    DATE HERE SEVERE: Schedule is stopped!

    ^^ All this was located in scm-server-1.log file. scm-server-0.log had no real entries.

    I reviewed event viewer scrolling back to the day it stopped sending alerts up to a more recent day and have not come across anything that may assist in isolating the root cause. Is there something in the above log entries that could be clues to how the alerting subsystem stopped functioning? Most of what I see when I research lines/codes from above are resources indicating some issue with a proxy server. I'll continue to monitor the log file for changes. For the time being, SEPM appears to be functioning normally - but I'm still wanting to learn why what happened happened.
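
Added example, not part of the original post and not Symantec tooling: a small Python check over `scm-server-*.log` text that flags the two signals in the excerpt above that coincide with the outage (`HTTP 503` from the local `secars.dll` endpoint and `Schedule is stopped!`). The timestamp layout and the sample lines are constructed assumptions, since the post redacted the dates; `PORTNUMBER` is kept as the post wrote it.

```python
import re

# Constructed sample in the shape of the excerpt above. The timestamp layout is an
# assumption (the post shows only "DATE HERE"); the INFO line is invented filler.
SAMPLE = """\
2010-09-14 02:10:11.120 SEVERE: Unknown Exception in: com.sygate.scm.server.task.ClientTransportInfoTask
java.lang.Exception: HTTP 503 Service Unavailable, URL: http://localhost:PORTNUMBER/secars/secars.dll?action=36
 at com.sygate.scm.common.communicate.Communicator.sendRequest(Communicator.java:303)
 at java.util.TimerThread.run(Timer.java:462)
2010-09-14 02:10:11.480 SEVERE: Schedule is stopped!
2010-09-14 02:15:00.002 INFO: Heartbeat processed
"""

# A new entry starts with a timestamp followed by a level; everything else
# (exception text, stack frames) is a continuation of the previous entry.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+)\s+(?P<level>SEVERE|WARNING|INFO):\s*(?P<msg>.*)$"
)

# Signals taken from the thread: the local IIS endpoint refusing requests, and
# the scheduler stopping. Either one is worth an alert the moment it is logged.
CRITICAL = ("HTTP 503", "Schedule is stopped!")


def parse(text):
    """Group each log entry with its continuation lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "detail": []})
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries


def findings(entries):
    """Return (timestamp, signal) for each SEVERE entry carrying a critical signal."""
    hits = []
    for e in entries:
        if e["level"] != "SEVERE":
            continue
        blob = " ".join([e["msg"], *e["detail"]])
        hits += [(e["ts"], s) for s in CRITICAL if s in blob]
    return hits


if __name__ == "__main__":
    for ts, signal in findings(parse(SAMPLE)):
        print(f"{ts}  ALERT  {signal}")
```

Run on a schedule against the Tomcat log folder named in post 5, with any hit forwarded to mail or the event log, this surfaces the failure when it is first logged rather than weeks later.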



  • 7.  RE: SEPM - 11.0.6005.562 - Clients not reporting alerts

    Posted Oct 06, 2010 03:08 AM

    HTTP 503 Service Unavailable: it is related to IIS. What is the version of IIS you are using?

    Check the IIS logs. Are you able to find something there?

    Also run the SEP Support Tool on the SEPM and see whether any error is appearing. For more information regarding this tool, refer to this link:

    About the Symantec Endpoint Protection Support Tool