Endpoint Protection

I've posted all the info here and got no help. So I started a case using the online facilities. I received an email and a call, asking for more details, which I sent. Then they called saying they'd review the information and call me back later. It was the end of the day for me, so they said if they didn't call back in the next hour, they'd call the following Monday. Fine - except Monday, then Tuesday, then Wednesday and so on went by, no call. I sent more information agian via email - got a response back - THE CASE HAD BEEN CLOSED!!!!!!!!!!! When I get the "how did we do" emails, I responded back - not well at all, no resolution but the case was closed.

Case # 03797330 –Case Closed

I have responded in that way a couple of times, I've tried to forward all sorts of detail about this - nothing.

What gives? No responses here, nothing helpful, and then I get indications that even the support case had people confused, and it was just closed.

My take - this level of support was outsourced and I know how that works - paid per case, like a car salesman - sell more, earn more. Cases - close more, earn more. In this case, I'm posting here and contacting our rep. because so much time has passed - it needs fixing, and I need more than beginning assistance. This is a critical server error and has been going on for weeks now. And as it typical with me - by the time I realize it's beyond me - it's pretty big. I don't call first level, when I need help I'm nearly to the engineering mode by that time.

Because I am SO busy and do so many different things here, email works best. I try to stress that - and there used to be a place for "preferred contact" since I can't always take a phone call. It's hard to drop things and get into a 30 minute call unless it's scheduled, but email works best for me.
I can supply anyone with more information than they can handle. If there's an idea on how to solve, then they can remote in and check - or better yet - send me instructions on what to look at, check for, or what to try as a solution.  I'll apply it first few free minutes I get.

I'd also like to know why I'm referred to with a 1 after my name - this is also a first - it's always just been my name as Ive been registered for years, with no 1 after my name - have I been mixed up with another customer perhaps?

Dear Bill Dickerson1,

Case # 03797330 has been closed by your support representative If you would like to open a new support case, please call us using your local Symantec Enterprise Support Services number. Additional contact information can be located with the link provided below.

**The servers are running SEPM RU2, and SEP RU2 - in other words, clients, servers and management is all current.**

Here is but one sample of the error - and it says HI, but it pops this error with most policy changes I make.

Hopefully a Symantec employee who checks in here can look at this but do you have an SE or sales contact that get this moved up the chain?

Hello,

I am looking into this case. 

The Case was closed on 30 th March 2013.

I would request you to please Re-open this Case by calling the Symantec Support. The Case can be re-opened within 10 calendar days.

Make sure you have set the correct severity of this case.

I have escalated this issue appropriately.

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

• United States: https://support.broadcom.com (407-357-7600 from outside the United States)
• Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
• United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Hello,

Symantec Support Engineers are trying to contact you and they are reaching voicemail.

I would request you to please email the Symantec Support Engineers on your availability.

And I've done just that. Actually, we had agreed to a call-back time in the first round a couple of weeks ago.

I left word to try between 8 and 11 am today. Problem is, these are best dealt with via email - it's very hard for me to ever say when I'll be near a phone, or have time for a conversation. Going so many different directions, most of us here have to work things in 5 minutes here, 10 minutes there, 2 minutes next time and so on..... so email is a much much preferred method. I can thus gather and relay any and all information, logs, documents, screen shots, etc. - as I get time.

Chances are slim I can spend more than 3 or 4 minutes at a time on a phone call, where if someone asks me to supply xyz documents or log files, I can surely do that within 24 hours  - or less, because I can start the servers or computers on the process and turn to something else. With people popping in constantly all day, meetings, alerts, things going on, my time is broken into hundreds of small chunks during a day. So, phone calls are VERY difficult, email is ideal. So what happened to the "preferred method of contact" that was the choice on almost every support site I've seen? Doesn't seem to be available with Symantec........

Unless some or most of this can be done via electronic means - it's going to take a very long time. I know - goes against the "get 'em in and get 'em out, mark it done, collect" method, but the last several support cases I've worked on, the tech handled virtually 100% via email - convenient, EASIER for the customer, and things still got resolved (well, almost, but pretty darned good, actually)

My problem now is I have a critical issue with SEP not handling a custom IPS change, so I'll be tied up with that - and will find it hard to deal with the phone and all - here's a prime example. I MUST deal with this before I turn my attention back to the case, and if a call comes while I'm in the middle of some reconfiguration...... it's a problem.

I have to ask - why in the world can't someone just email me, ask for "more details" or "can you send this log" or "please run this test" and let me work that in during the day?

All of the last cases were handled via email - for us, it's almost impossible to just sit here and wait for a call - we are not getting anything else done. And if I arrange for a call between certain hours, and we have a network outage or an office go down, I have to run and ignore the phone. I have NO CELL PHONE for work - so because for some oddball reason this particular case in insisting on a phone call and not simple asking me to work on the case through email - it's a really huge inconvenience.

It would be resolved by now if someone would do like all other techs have done over the years - simply ask for the tests or information that is needed, and I supply it...

I want to know - if all others, HP, Cisco, VMWare, Raxco and others will deal with cases through email - and Symantec has handled the last 5 cases with us using email (4 last year, 1 this year) - what's up with making me sit and wait by a phone, and not work this in as I have time, at my convenience, between my other chores and duties? I have to sit in an office, door closed, and not take on anything else because now I'm waiting for a call - between 8 and 11, and as things go, I suspect it will be at 11 so I'll not be able to leave this office and do any other work this morning.
Guys (and ladies) - our preferred method is email. We're working cases with other companies via email - and 4 with Symantec last year, 1 this year, all handled via email.
Why inconvenience the customer - waiting by the phone?

Honestly, we have a continuiing problem in another area that Symantec said "should be resolved with RU2, it's not - and I'm literally afraid to get that one opened again, as I'll have to sit and wait by the phone for that, too - while last year when working on the same issue pre-RU2, it was all done through email. I'll just have to live with the problem as I can't sit glued to a phone.

Still technically in "wait and see" mode, but right after the call, it kicked the same error again. I am beginning to suspect it's not java that is the cause (especially after something the tech said - which really didn't make sense as I was not running a java console with the errors occurred)........ I am getting an error that says that certain specific clients that have been offline a while could not apply an IPS library - and gave a serial number, and that policy serial number doesn't even exist!!

In some identical errors, the serial number is never given, in others it is, but the serial number does not match the name, time or date of any policies that show in the groups.
On the other hand - do the IPS and other things have DIFFERENT serial numbers?

Confusion abound here: I asked the tech "so what is java used for on the server - the log errors keep saying "java", is that what compiles the policies before they go out after a change?"  He said no - that's not Java at all, Java is for the console.
Quite interesting as the console doesn't normally run on either server - in fact, we seldom even log in to a SEPM server at all, so if Java is ONLY for the console, not for compiling the policies, then why is Java mentioned in all these errors? (see above posts) ?
If Java was only for the console, if there was a Java problem, I'd expect a console problem - the console is working great, and I don't run the console on a server, I run it from a workstation. If I don't run Java on a server since I don't run the console on the servers to access SEP stuff, then technically JAva is sitting doing nothing at all, right? If that's true - why java errors on almost every line in the logs?
If Java doesn't compile the policies and apply them, or Java doesn't build the packages, then what DOES java do on the SEPM server, and why is it a java error on every one of these errors in the logs??

* I'm told Java is on the servers for the console only, no other role, and it must be the correct version.
( I can buy the must be correct version part - but I installed exactly what the document said to install since the document I have says SEP came with a bad Java build included.)

* If the above is 100% true and correct as I was told today, then if I don't launch the SEPM console ON the SEPM server, Java isn't running or at least not active. IS that correct - if it's only for the console, not launching hte console in return doesn't launch the Java.

* If the first two are correct, then because the console is not running locally, so Java isn't running locally, then there should be no mention of Java in any error logs since it's not doing anything, and is for hte console.

Number 3 causes me a problem........ because Java IS mentioned in the logs - every single error is in fact a Java error, and related to policies, and packages.

 2013-04-03 13:01:42 Lpr Critical vrdsmsepm1 Apr 3 13:01:15 SymantecServer vrdsmsepm1: PC1234P655,Category: 0,Smc,FATAL: failed to apply a new IPS library . The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.
 

2013-04-03 13:01:42 Lpr Critical vrdsmsepm1 Apr 3 13:01:15 SymantecServer vrdsmsepm1: PC9876KP656,Category: 0,Smc,FATAL: failed to apply a new IPS library 6AD8-04/01/2013 19:32:59 820. The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.
2013-04-03 13:01:42 Lpr Critical 

Problem - we don't have such a policy serial number, no policies start with 6AD8 unless I do not know where to look.

These started due to an error in a  custom IPS signature - I didn't get a comma put in the IP address list. I have since fixed that. This other Java and package and HI stuff started weeks ago, many weeks ago, so this isn't the cause, but could be related?

We're barking up the wrong tree....... it's not Java causing it as the support tech said.
In fact I had the Java installed that the product said should be installed. There was a problem with the Java supplied in the product distrubution, so the document said get Java version xxx.xxxx whatever and uninstall other versions, install this, then install the console. That's what I did.

I was also correct in this -  the tech said directly "Java doesn't compile these, Java is just for the console. Java doesn't run and do this part, that's other files."
I believe that to be incorrect for several reasons - these errors refer specifically to Java - and further, I don't normally run the console on the servers. How can there be a Java error if the console isn't running, and there's no connections using Java back to the servers.

So please let's start all over  this time please READ - REALLY READ the errors I posted above and in another thread in the connect forums here. Look at the error - look and see what it's trying to do and can't do. I can read log messages and get more out of them myself.
Start fresh, out with the old - and really look at that log entry PLEASE.

Information that supports MY theory that it's an issue with Java trying to compile policies - >
1. Go to www.google.com
2. Type or paste in this search string - sygate.scm.server.publisher.compiler.logicaobject  and hit enter.
3. Skip the first result or two as those are simply referring back to this very thread here!! Look at the others....these, for example:
http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH142271

https://www-secure.symantec.com/connect/forums/sep-unexpected-error

4. tell me what you think you see........

Familiar looking? The details differ, but the gist is the same. JAVA is running on the SEPM and it's trying to do something - with policies apparently.
Since these errors just started a couple months or so ago (I've been 3 months trying to get help with this) and the product was installed before that and working fine with NO errors, then we must assume that the version of JAVA was correct. If it wasn't, then we'd see errors from day or week one. Further, these are triggered by changes in almost any of our policies - especially the HI and custom IPS signatures and such. If all Java did was run the console on the server, these errors would either never occur, or would not mention JAVA on multiple lines because I don't typically run the console on a server.
Security folks know it's against best practices to log in to a server directly and do anything. You should always perform tasks remotely. Logging into a server, running a console that's Java-based is also risky because if it crashes, or anytthing else crashes on that server, you could take the server down. I'd rather crash my notebook or desktop than a server. While logged in to a server and working directly at a server console, any malware the gets in has the same rights as me - on a server, no less. I'd rather mess up my computer with malware than our SEPM servers.
 

Anyway, this is well beyond the levels I've gotten so far - please let's start all over, check the log entry details I've posted, refer to your own documents and posts, and then try to get our SEPM servers working right agian.   The info I refer to is Symantec's own - I feel like I'm doing the job of support and actually should be on payroll LOL (almost was on the payroll, but didn't want to move to CA, Hollywood area. could never live there)