SEPM reports incorrect virusdef

  • 1.  SEPM reports incorrect virusdef

    Posted Nov 15, 2010 09:36 AM

    We have a number of SEP11 clients (various versions including 11.0.4014) that have up-to-date virus definitions (as reported by the client when you bring up the GUI).  However, on the management console, the version of the definitions for that client is listed as being from an earlier date. For example, we have several that report a definition date of April 23, 2010.   The last report time for the client is correct, which tells me the client is communicating with the server.

    I've tried cleaning out All Users, Symantec Shared, and Program folders and the registry to no avail.  Short of a complete uninstall/registry and file system cleanup/reinstall, is there any way to get the client to report correctly?



  • 2.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 09:38 AM

    Try upgrading it to Ru6Mp1 11.0.6100.xx



  • 3.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 09:40 AM

    Your version is a little old.

    This version had a bug; upgrade to RU6.

    http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

     

      Client status is displayed incorrectly in the Symantec Endpoint Protection Manager console
      Fix ID: 1677244
      Symptom: Client status is displayed incorrectly on the Home page Status Summary, but correctly on the Clients tab.
      Solution: Corrected the query to retrieve client status from the database.

    http://www.symantec.com/business/support/index?page=content&id=TECH131653&locale=en_US



  • 4.  RE: SEPM reports incorrect virusdef

    Broadcom Employee
    Posted Nov 15, 2010 09:46 AM

    Do you see too many dat files under "Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo"?

    Upgrading the SEPM would be an option as well.



  • 5.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 10:17 AM

    I have already tried updating some of the clients that exhibit this behavior to MR6.

     

    The problem remains the same once the client is updated.  The defs are up to date on the PC but do not report correctly to SEPM.



  • 6.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 10:22 AM

    Have you installed or are you running a Firewall on your system?

    One thing you might want to look at, is that the machine's port that is communicating to the "reporting component" of SEPM is not being blocked.

    I believe it is port 2638.

    Custom application on the machine(s) using port 2638?



  • 7.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 10:26 AM

    Put the client in a new group and check the behaviour.



  • 8.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 10:39 AM

    I failed to note that SEPM is currently at version 11.0.6005,562



  • 9.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 10:44 AM

    We have the SEP11 firewall running on laptops, but no SEP (or other) firewall running on servers or desktops.  The issue is present in all three types of system.



  • 10.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 11:29 AM

    Can you try from any client/server to:

    telnet [symantec server name] 2638

    See if you can communicate with the reporting component on the server.



  • 11.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 12:04 PM

    I just tried from two computers that DO NOT have the reporting problem, and I cannot telnet to that port.

    I tried from computers that DO HAVE the problem and I cannot telnet to that port.



  • 12.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 12:09 PM

    It's telnet servername 8014 (the port used by your Symantec manager).



  • 13.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 01:50 PM

    It connects perfectly.



  • 14.  RE: SEPM reports incorrect virusdef

    Posted Nov 15, 2010 02:05 PM

    Do you see too many dat files under "Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo"?



  • 15.  RE: SEPM reports incorrect virusdef

    Posted Nov 16, 2010 03:12 PM

    Interesting about port 2638 not working.  It is working here.  Oh well.

    * * * * * * *

    Have a look at this, and try the monitor and post the logs please.

    http://www.symantec.com/business/support/index?page=content&id=TECH103369&locale=en_US 



  • 16.  RE: SEPM reports incorrect virusdef

    Posted Nov 16, 2010 04:34 PM

    If you have older clients reporting into a newer SEPM, it's possible that changes in the database schema are causing this reporting weirdness.  I definitely recommend getting all clients up to at least where your SEPM is, 11.0.6005 (RU6a), preferably get everyone up to 11.0.6100 (RU6 MP1).  [Oh, I see you have updated.]

    Perhaps use the dbvalidator to ensure the database doesn't have broken links.  What type of server is the SEPM on, and do you access it through RDP (and if so, is it a console session)?

    "How to use the Validation Tool for the Symantec Endpoint Protection Manager Database."
    http://www.symantec.com/docs/TECH104892

    Some admins disable telnet, so the fact that you can't telnet may be a red herring.  Do a netstat -anbo | more (in a command window on the SEPM) and look to see if dbsrv9.exe is listening on this TCP port (provided the DB is the embedded DB).

    sandra
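
The two checks discussed in replies 10 to 16, as an added example that is not from any poster or from Symantec: `probe` does the TCP connect test without needing the telnet client, and `listeners` parses `netstat -anbo` output to show which process owns ports 8014 and 2638 and on which address. The function names and the sample netstat text are constructed for illustration.

```python
import re
import socket

PORTS = (8014, 2638)  # ports named in the thread
LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
EXE = re.compile(r"^\s*\[(.+?)\]\s*$")

def probe(host, port, timeout=3.0):
    """TCP connect test that does not need the telnet client installed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "name-not-resolved"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing listening there
    except OSError:
        return "no-answer"    # timeout or unreachable, e.g. filtered

def listeners(netstat_text, ports=PORTS):
    """Parse `netstat -anbo` output into {port: [(bind_addr, pid, exe)]}."""
    found, current = {}, None
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m:
            port = int(m.group(2))
            current = [m.group(1), int(m.group(3)), None] if port in ports else None
            if current:
                found.setdefault(port, []).append(current)
        elif line.lstrip().startswith(("TCP", "UDP")):
            current = None    # non-listening row: its [exe] line is not ours
        elif current and EXE.match(line):
            current[2] = EXE.match(line).group(1)
            current = None
    return {p: [tuple(e) for e in v] for p, v in found.items()}

def remotely_bound(entries):
    """True if at least one listener is bound to a non-loopback address."""
    return any(addr not in ("127.0.0.1", "[::1]") for addr, _, _ in entries)

# Constructed sample: addresses, PIDs and the loopback binding are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8014           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:2638         0.0.0.0:0              LISTENING       2200
 [dbsrv9.exe]
  TCP    10.0.0.5:8014          10.0.0.77:51514        ESTABLISHED     4
 [placeholder.exe]
"""
```

A listener that `remotely_bound` reports as loopback-only will show as "refused" from every other machine even though the process is running, which is one way a failed remote telnet can be a red herring.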



  • 17.  RE: SEPM reports incorrect virusdef

    Posted Nov 16, 2010 08:39 PM

    Is the System and OS date set to the correct time and zone?

    We had problems like that in generating reports, all because of a misconfigured date. I don't know who did it or how it got changed.