SEPM 12.1 - Notification reports not accurate

Created: 25 Sep 2012 | 10 comments

Hi guys,

This has been very frustrating and has finally come to the top of the pile for a solution.  We are running SEPM 12.1.1000.157 RU1 and every day we have some triggered notifications stating that the IPS and SONAR definitions are months out of date for hundreds (though not all) of our clients.

However, when you check the clients at the physical location, through the local SEPM management console on site, or from the master management console at our head office, the dates for the clients show that they are up to date and current!

One thing that does concern me is that when looking at the 'Clients' list under SEPM, the date is still in American format (mm/dd/yyyy), whereas the dates in the whole rest of the interface are in the Australian format (dd/mm/yyyy). The dates in the notification reports are also correct as Australian format.

For instance, one of our local computers here in Sydney shows up on the IPS definitions report as 14/09/2012 r1, but on the client and in the SEPM console it is 22/09/2012 r1 (although in the console it is shown as 09/22/2012).

Could this be the issue? I'm not sure where to even start to troubleshoot this problem. All in all the system is working and the clients are up to date, but we need to get some meaningful reports as people are just disregarding them at the moment.

Let me know if any other information is needed.

Thanks in Advance!


10 comments

Ashish-Sharma:

Hi,

You can configure your time setting to GMT time. Is your time zone (GMT +5:30)?

Actually, the policy time will now be GMT time. If your time zone is (GMT +5:30), then it is as per design.

If you want it set to your local time zone, check this link:

http://www.symantec.com/business/support/index?page=content&id=TECH165766

Thanks In Advance

Ashish Sharma


mhouston100:

I think you misunderstood; the time and time zone are correct on the clients and in the SEPM console.

The problem is that the notification report is reporting incorrect details. For example, I received an IPS definitions out of date report today at about 1 PM. This report stated that the PC 'KEVINC' has IPS definitions out of date, reporting the definition date as 14/09/2012 r1. However, when I check the PC 'KEVINC' it is reporting that the definitions are completely up to date with the current defs (22/09/2012 r1). It will also show in the SEPM console as correct.

This same PC will show up every day in the notifications as being out of date, even though it is current.

It is strange because it happens to almost half of our PC base, but not consistently; we just get the notifications every day, then I go to SEPM and check them and everyone is up to date and current.

Ashish-Sharma:

Hi,

Your virus definitions are up to date, but IPS and SONAR definitions are not updating.

You wrote: "We are running SEPM 12.1.1000.157 RU1 and every day we have some triggered notifications stating that the IPS and SONAR definitions are months out of date for hundreds (though not all) of our clients."

Check this thread:

About the SONAR definitions release dated September 5, 2012, revision 11

http://www.symantec.com/docs/TECH196189 

Ashish Sharma

Chetan Savade:

Hi,

Since when have you been receiving the wrong notification?

After an upgrade? Did it suddenly start? From a specific date?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

mhouston100:

No, this was a fresh install on Server 2008 R2. It has been happening since we started with SEP 12; it just wasn't a priority because the updates were working. But now we need to get more accurate reporting and we are looking to close the project off.

mhouston100:

I'm still struggling to diagnose this problem. We have a main branch server with 5 smaller replication branches.

One setting that seems a bit iffy to me is 'Replicate logs from the local site to the partner site'. It's hard to explain, but let me try:

We have the local data replicating from the remote branches to the main branch, and the main branch is the only one with email enabled at the moment (for testing). We DON'T have it selected to replicate from the main branch back to the remote branches.

Is it possible that (as they aren't being updated) the remote branches are sending old data about clients not in their branch, as they aren't getting the new logs from the main branch?

(I hope that was clear! ha ha)

I have enabled this setting for two-way log replication for testing, though it will probably take a day or so to confirm.

In the meantime, are there any logs I should be looking into (server or client)? The notifications were incorrect again today...

mhouston100:

Ok, so still having the same issue today. We have one branch server that is an SEPM server and also has the client installed; I would expect this to be reporting correctly for itself, but it isn't. Details that are reported today:

Notification today at 12:24 AM (fields as listed in the e-mail, for one client):

Computer: Newcastle
Current User: ####
IP Address: 192.168.##.###
IPS Definitions: 21/09/2012 r1
Last Download: 20/04/2012 10:11:09
Last time status changed: 02/10/2012 20:29:48
Domain Name: Default
Server Name: Newcastle
Group Name: My Company\Servers
Product Version: 12.1.1000.157

(The Last Download date is actually just after the initial installation of the clients.)

Client is reporting:

Current IPS definitions of 29.09.2012 r1

Checking the client log, the last two updates are as follows:

3/10/2012 2:37:09 AM Information An update for Intrusion Prevention Signatures was successfully installed. The new sequence number is 120929001.

30/09/2012 2:14:55 AM Information An update for Intrusion Prevention Signatures was successfully installed. The new sequence number is 120928001.

So why am I getting a notification that is:
  1. Reporting an incorrect last download date?
  2. Reporting an incorrect definition number?

Hopefully I can get this resolved and finally close this off!  Again thanks in advance.
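The post above puts three sources side by side for one host: the definition date the notification e-mail reports, what the client itself shows, and the sequence numbers in the client's update log. The script below is an added example, not part of the original thread or of any Symantec tool, that normalises those three into one comparable form and flags a notification as stale when it lags the client. The sample values are constructed from the figures quoted in this thread (Newcastle and KEVINC). It also treats the day/month order as an explicit input, so a console string in mm/dd/yyyy cannot be silently misread as dd/mm/yyyy; where both readings are valid dates (02/10/2012) the string is flagged as ambiguous. One assumption not stated on the page: the nine-digit IPS sequence number is decoded as YYMMDD plus a three-digit revision, which is consistent with the thread's 120929001 corresponding to 29/09/2012 r1.

```python
import re
from datetime import date

# Definition strings in the formats the thread shows: the notification e-mail
# and the client use dd/mm/yyyy (or dd.mm.yyyy); the SEPM Clients list uses
# mm/dd/yyyy. The locale of each source is therefore an input, not a guess.
DEF_RE = re.compile(r"^(\d{1,2})[./](\d{1,2})[./](\d{4})\s+r(\d+)$")
SEQ_RE = re.compile(r"sequence number is (\d{9})")

# Constructed sample data built from the values quoted in the thread.
NEWCASTLE_LOG = [
    "3/10/2012 2:37:09 AM Information An update for Intrusion Prevention "
    "Signatures was successfully installed.  The new sequence number is 120929001.",
    "30/09/2012 2:14:55 AM Information An update for Intrusion Prevention "
    "Signatures was successfully installed.  The new sequence number is 120928001.",
]


def parse_def(text, order="dmy"):
    """Return (date, revision) for a string such as '21/09/2012 r1'.
    order is 'dmy' for the Australian report/client format, 'mdy' for the
    SEPM Clients list. A month > 12 raises ValueError, which is the signal
    that the wrong locale was assumed for this source."""
    m = DEF_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised definition string: {text!r}")
    a, b, year, rev = (int(g) for g in m.groups())
    day, month = (a, b) if order == "dmy" else (b, a)
    return date(year, month, day), rev


def is_ambiguous(text):
    """True when the string is a valid date under both locales, i.e. a
    day/month swap would silently yield a different date (e.g. 02/10/2012)."""
    valid = 0
    for order in ("dmy", "mdy"):
        try:
            parse_def(text, order)
            valid += 1
        except ValueError:
            pass
    return valid == 2


def parse_sequence(seq):
    """Decode a client-log sequence number such as 120929001.
    Assumption (not stated in the thread): the nine digits are YYMMDD plus a
    three-digit revision; this matches the thread's 120929001 <-> 29/09/2012 r1."""
    s = str(seq)
    if len(s) != 9 or not s.isdigit():
        raise ValueError(f"unexpected sequence number: {seq!r}")
    year, month, day, rev = 2000 + int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:9])
    return date(year, month, day), rev


def latest_from_log(lines):
    """Newest IPS definition installed according to client log lines, or None."""
    best = None
    for line in lines:
        m = SEQ_RE.search(line)
        if m:
            cand = parse_sequence(m.group(1))
            if best is None or cand > best:
                best = cand
    return best


def check_host(host, notified, observed, observed_order="dmy", log_lines=()):
    """Compare the definition the notification reported for a host with what
    the client or console shows (observed) and, when log lines are given,
    with the client's own update log. Returns the comparison as a dict."""
    n = parse_def(notified, "dmy")            # the report uses dd/mm/yyyy
    o = parse_def(observed, observed_order)
    latest = latest_from_log(log_lines)
    return {
        "host": host,
        "notified": n,
        "observed": o,
        "client_log": latest,
        "notification_stale": n < o,          # report lags what the client has
        "lag_days": (o[0] - n[0]).days,
        "log_agrees": latest is None or latest == o,
    }


if __name__ == "__main__":
    for r in (
        check_host("Newcastle", "21/09/2012 r1", "29.09.2012 r1", "dmy", NEWCASTLE_LOG),
        check_host("KEVINC", "14/09/2012 r1", "09/22/2012 r1", "mdy"),
    ):
        print(r)
    print("02/10/2012 r1 ambiguous:", is_ambiguous("02/10/2012 r1"))
```

Run against the thread's figures, both hosts come out as stale notifications lagging the client by 8 days, and the Newcastle log's newest sequence number agrees with what the client displays; the only string that is ambiguous between the two locales is the "Last time status changed" value 02/10/2012, which is exactly the kind of field to double-check before trusting a report.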

Chetan Savade:

Hi,

There are two weekly scheduled reports and seven pre-defined notifications configured by Symantec.

Delete the notification and recreate it, and check whether it makes any difference or not.

Is this the only notification showing incorrect information?

Scheduled Reports location: SEPM --> Reports --> Scheduled Reports

Predefined Notifications location:

SEPM --> Monitors --> Notifications --> View Notifications --> Notification Conditions

Have you enabled the database maintenance features? i.e. truncate the transaction logs and rebuild the indexes?

Chetan Savade

mhouston100:

I was off yesterday, but this morning I have removed all notifications and recreated them with the same settings. I'll have to wait and see whether it makes a difference or not.

I have seen this article:

http://www.symantec.com/business/support/index?page=content&id=TECH144817

Could it be related to this problem? I notice that a LOT of the computers that are being notified about have the last download date as either months and months out of date (as in the example in the previous post, where it is only 8 days after the original install) or never. Could the information being notified about possibly be OLD data, related to the bug mentioned above?

Is it possible to remove this notification data from the database and start fresh?

Over the coming months we will be looking to roll out 12.1 RU1 MP1 but I'm hoping to get this solved before then.

I'll report back the results of recreating the notification.

Thanks for your time!

Chetan Savade:

One quick note, make sure all the existing notifications are acknowledged as well.

Chetan Savade