Endpoint Protection

Hello,

We have recently upgraded from SEPM 12.1 RU4 to 12.1 RU5. We have pushed out the 12.1.5 client update to almost all our clients. We have having an issue with SEPM complaining it cannot see the versions of client Intrusion Prevention Signatures and SONAR Content, it lists as "Not available". The clients seem to be pulling down updates fine from the SEPM server, so they are communicating. I'm at a loss as to why it is reporting not available. Restarting the server seems to temporatily correct it for the most part, but a day or so later it pops up again. I did try a repair install and that did not seem to solve the issue either.

Has anyone run into this in 12.1 RU5?

Have you tried running the symhelp tool on both SEPM and one affected client to see what it shows?

do you see an .Err files as per this document?

Clients cannot send data back to Symantec Endpoint Protection Manager

http://www.symantec.com/business/support/index?page=content&id=TECH105348

This could be due to: Date Format under Home > Preferences > Logs and Report is set to DDMMYY.

Solution: Change the Date Format to MM/DD/YY and after that all the SEP clients will show up-to-date.

Change the date separator from "/" to "-" and the clients will show the latest date of definitions on the SEPM console.

Secondly, Is the SEPM updated with the Latest Virus and Spyware Protection and SONAR Definitions??

This issue also occurs when definitions provided by the Symantec Endpoint Protection Manager are older than the amount of days configured in the Antivirus and Antispyware policy before an outdated definitions notification will appear.

If the definitions on the SEP client and SEPM server are less than 24 hours old, the Antivirus and Antispyware policy is likely configured to warn after definitions are 1 day out of date. This is against best practices as definitions new definitions are not made available immediately at midnight.

Check this Article: http://www.symantec.com/business/support/index?page=content&id=TECH150078

Hope that helps!!

once you try steps above refresh sepm either by logging out and back in or refreshing the services.

Please check this too

https://www-secure.symantec.com/connect/forums/sepm-1215-and-internet-explorer-causing-system-lockups-2014-10-24

@Brian

I have run the SymHelp.exe on both a managed client and the SEPM server. I have posted some screen caps below. Only thing that could maybe cause an issue is the SEPM sever compains that Java and SQL are using the same ports, but it uses those 2 programs to run, so not sure on that one.

@Rafeeq

I dont see any errors complaining of full disk space on the log. The partition SEPM runs on has ~60GB free at this time. I also verfied NTFS permissions are correct but no change.

@Swapnil

I tried the date format change, did not seem to have any affect. SEPM is getting definition updates for everything, and is also pushing them out. I can see all the definitions update from day to day on the clients, so SEPM and the clients are staying current, its just SEPM is erroring because it sees the signatures as "Not Available".

I did some searching and it looks like 12.1 RU1 had an issue with the SQL database that was causing an issue just like this. I know at sometime before we updated to 12.1 RU5 we ran SrinkEmbeddedDB to cleanup the embedded database. Could that have caused an issue?

SymHelp grabs:

Client

SEPM

@Brian

I ran SymHelp on a managed client and the SEPM server. Only issue that I see that could effect it is SEPM complains that Java and SQL are using its ports, but it uses those to run, so not sure on that one.

@Rafeeq

I looked at the logs and do not see any mention of disk space being full. The partition SEPM is on has ~60GB free at this time. I did verify the NTFS permissions were correct as well, but no change.

@Swapnil

I tried the date format changes, they seem to have had no effect. SEPM and the Clients are recieveing updates (clients only update via server, direct liveupdate is disabled). I can see them change day to day on the clients and I have tried pushing out older SONAR and IPS content like that last link you posted, and can see the up to date definitions listed there in SEPM.

Looking on my own I did see that older versions of 12.1 had an issue with the SQL database that caused this. I know at some point before we updated to 12.1 RU5 we ran ShrinkEmbeddedDB on the database. Could that have caused an issue?

Mine was not about disk space but .err files under agent\inbox folder on SEPM, if you have checked that then its fine. wondering why its saying " communication between client and sepm may not be working "

do they go through any firewall or proxy?

I was out yesterday, sorry for the late reply.

The reason it says it possibly cannot communicate is one of the servers listed is a wierd 169 auto assign IP address. Not sure why that is in there, I did not do the initial install. But when I break it down it does have green checks by the actual SEPM IPs.

Someone recommended reinstalling java which I have done. Looks like we went form 7 update 71 to 8 update 25. The wierd thing is whenever I restart the service it starts to see the signatures fine. After I updated java I restarted the Manager service and the embedded database service. Now in client details I can see the current versions they are running, but when I come in the next day it all reverts to "Not Available".

@AFBIS

Have you found a solution for this problem? we are experincing the exactly the same problem.

I have not. I think I have boiled it down to some type of replication issue.
We have 3 sites that replicate. Each site can now see the signatures of their own clients, but all the clients connected to the remote sites show as "Not available".

@AFBIS

Have you found a solution for this problem? I´m with the same problem with 12.1.5.