Endpoint Protection Small Business Edition

We have just rolled out SEP SBE v12.0.122.192 and have a single workstation that has problems. The green circle on the "shield" in the taskbar is on initially when the workstation is booted up and then turns off. If I run "smc -stop" and "smc-start" it also goes on and then off. Under "Help -> Troubleshooting" on the workstation is says that the server is offline. The management console shows the workstations "help state" as OK (ie. not offline). However according to the management console the client hasn't got any definitions or been scanned yet. The "Symantec Endpoint Protection Support Tool" shows that there are no communication problems between the workstation and the server. The policy on the workstation is correct according to the policy serial number. I have replaced the sylink.xml (to eliminiate a corrupt profile) but this results in the same symptoms. Any ideas?

I have run "Sylink Monitor" and compared the results to a workstation that is connecting correctly.


The first sign of differences is the line:

SignIf::VerifySignature => Error in CryptAcquireContext.. Error Code: 0x8009000F

followed by:

<mfn_DoGetIndexFile200>Signature verification FAILED for Index File Content..

Delete the client in your Protection center
go to the client
smc -stop
smc -start
check if the green dot is stable.

if that fails
smc -stop
navigate to c:\program files\symantec endpoint
delete the sylink.bak and sylink.xml file
replace a new sylink as per this document  ( might be little change for 12, just check it out)

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/52d862c54842f5b68825733d005ce48e?OpenDocument

Solution1:
This results in the same symptoms.
Green dot just flashes on then goes off (and the client is recreated in the management console).

Will report back on the second solution shortly.

Solution2:
Ok - this also didn't work.
This was the procedure that I used to update the policy when I was trying to eliminate any possiblity of a corrupt profile.
I just didn't delete sylink.bak orginally.

When I deleted sylink.bak it looks like it triggered a repair/reinstall of the SEP client so some or other reason.

The problem still remains but when I look in the SEP console on the server it looks like the client is also not reporting it's IP correctly.
All the other clients show only a single IP - but this client is different (also showing 0.0.0.0)... see attachment.

Your manager is not processing the client propertly
It holds the client entry in DB and thats why the green dot appears and then disappers
not sure if this is in 12
open sepm
click on policy
under communication settings - security tab-Do u see any option to ignore certificate?
delete the client again if its reporting, try replacing sylink? i'm sure you might have tried that.

Unfortunately that option doesn't appear to exist in the SBS version (only the standard version).
I only have options to modify the usual policies (Firewall, Virus, Liveupdate etc).

Remove the SEP installed
Install the client as unmanged
create a  new group in SPC
use this sylink to make it managed.

Will do that later today and report back.

Do you have any proxy setting in the client .if yes try bu bypassing it...

Remove the SEP installed
Install the client as unmanged
create a  new group in SPC
use this sylink to make it managed.
-> This resulted in exactly the same symptoms.

Do you have any proxy setting in the client .if yes try bu bypassing it...
-> No proxy setup.

its quite possible someone is stopping the smc.exe from running
can you look in your taskmanger if smc.exe is running?
most of the times virus will disable symantec services.
do you have anyother software installed on this box?
whats diff b/w this box and others which are communicating well..

Just basic workstation software loaded (Adobe Reader, Office etc) - nothing out of the ordinary.
There are no differences between this workstation and any other ones on the network.

All the workstations did have "Vipre" av loaded before SEP was rolled out (but this was removed).
I will spend some time over the weekend checking if smc.exe is running and scanning it for viruses.

Ok - here is what is running on the workstation.
SMC.exe is running.


Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0         28 K
System                           4                            0        256 K
smss.exe                       644                            0        416 K
csrss.exe                      692                            0      4 948 K
winlogon.exe                   716                            0      5 148 K
services.exe                   760                            0      3 488 K
lsass.exe                      772                            0      2 996 K
svchost.exe                    956                            0      5 756 K
svchost.exe                   1020                            0      4 884 K
svchost.exe                   1116                            0     35 380 K
Smc.exe                       1152                            0      8 380 K
svchost.exe                   1252                            0      3 608 K
svchost.exe                   1356                            0      4 072 K
ccSvcHst.exe                  1468                            0      2 928 K
spoolsv.exe                   1692                            0      7 284 K
svchost.exe                    384                            0      3 800 K
svchost.exe                    448                            0      4 280 K
Rtvscan.exe                    140                            0      2 572 K
explorer.exe                  2692                            0     27 172 K
SmcGui.exe                    2844                            0      5 844 K
igfxtray.exe                  3024                            0      3 712 K
hkcmd.exe                     3036                            0      3 656 K
igfxpers.exe                  3044                            0      3 012 K
igfxsrvc.exe                  3064                            0      3 160 K
RTHDCPL.EXE                   3072                            0     22 908 K
OrderReminder.exe             3184                            0      2 100 K
ccApp.exe                     3212                            0        668 K
ctfmon.exe                    3248                            0      3 960 K
wscntfy.exe                   2584                            0      2 416 K
OUTLOOK.EXE                   3364                            0     43 204 K
EXCEL.EXE                     3768                            0     22 448 K
ZSHP1020.EXE                  1568                            0      1 408 K
wmiprvse.exe                  2700                            0      6 352 K

Are there any logs files (or debug modes) that might be of use in troubleshooting this?

The fact that the workstation shows that it is online in the management console means that some basic form of communication is happening.

How I understand it is that the workstation is connecting to the server but then has a problem communicating (as per errors in 2nd post).
So then the workstation is unable to communicate further with the server (report status, download updates etc).

you are correct; initially it thinks that it belongs to some group based on some certs
because of that mismatch sepm is stopping the communication with the client
in the sepm
admin
servers
local site
make to delete clients not connected to 1 days
wait for a day and then replace sylink.

There is no option to do this - the small business edition appears to be quire limited in terms on what can be changed or managed.
I will be formatting the PC to resolve.

Thanks for the help anyway.

Stop smc service (Start--->Run type smc -stop and clock ok)
From the server delete the client
Remove sylink.xml and it's backups from C:\Program Files\Symantec\Symantec Endpoint Protection folder.Paste new sylink there.Start smc service.........