Endpoint Protection

  • 1.  Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 02:54 PM

    Hey guys,

    I am seeking a bit of advice as it specifically relates to SEP NTP and production Windows servers (mostly virtual).  The main reason for this post results from an issue experienced early this week when we had 3 domain controllers that all became unresponsive to anything AD-related.

    For about the past year we have had 12.1.2015.2015 installed on our domain controllers, all running full server protection, AV, PTP and NTP.  From what we can tell, everything has been fine as we have not noticed any trouble related to functionality.  While the specific date of installation is unclear, I know it was not this past weekend, 12.1.4013.4013 was installed on all 3 affected servers. 

    Things were functional and still nothing seemed out of the ordinary until Monday morning when a majority of domain services went offline.  Locally, ping times were high and even dropping, AD logons were excessively long and for about 6 hours, AD was essentially not working and applications were failing as a result of this.

    In the end, we had to remove the NTP feature of SEP to get our AD services back online.  While I can understand best practices and the recommendation for high availability machines to not run NTP and to use basic protection (AV only), that doesn't explain why things have been running without issue for over a year.

    Essentially, my thoughts are that maybe the FW is messed up in 12.1.4 and is part of what is fixed in the teefer driver re-writes in 12.1.4.1, even if it is not directly documented.  If it is something that was not so random, I would understand that the best practice should be followed, but the fact that the behavior was random and that all three servers were running 12.1.4013.4013 indicates to me that potentially something else broke or failed to create the event.

    In fact I have witnessed similar randomness on other non-DC systems that are running 12.1.4013.4013, where performance is just horrible until the FW is stopped.  However, unlike the case with the DCs, the issue will typically just go away and resolve itself.  This further makes me think there is an inherent issue with the firewall in this version of SEP.  However, before making any real accusations, I wanted to ask if anyone else has seen similar behavior resulting from NTP in 12.1.4.  Not all systems are affected and the systems that are seem to be completely random.  I might have 8 application servers all doing the same thing and only one will go crazy, before randomly fixing itself.

    I am probably searching for something that cannot be explained, but I still wanted to bring it to the community to see if in fact I am the only person seeing this issue.



  • 2.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 03:01 PM

    I have seen more than a few posts on here over the past month or so related to 12.1.4 and bad fw performance. My suggestion would be to run only AV on those affected machines for now and get a call into support. Also, 12.1.4.1 just came out last week so you can always try the latest version to see if it has been corrected.



  • 3.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 03:17 PM

    I have downloaded and have 12.1.4.1 in hand for deployment but the fact that Symantec will not acknowledge any potential issues makes it difficult to convince someone whose server I just broke that they need to deploy NTP to their system again.

    "Hey, I know I just randomly crippled the enterprise with SEP with no good explanation, want to try this version, even though I don't know if it will actually fix anything...?"

    As you can see, support provides me with an impossible uphill battle.  It will take some real convincing in order to get someone the warm and fuzzy again, unless someone comes out to say 12.1.4 is flawed.

    Till then, I might be forced to either test the upgrade where I can and when I can or else, run without NTP and do AV only.  But then that scares me when IPS is what is doing 90% of the detections on the network.  So the options are vulnerable or safe with the potential to randomly be broken...



  • 4.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 03:21 PM

    Sounds like this may be the bug. I found this in the fix notes for 12.1.4.1:

    File transfer speeds between servers were reduced when SEP NTP is installed
    Fix ID: 3198871
    Symptom: With the Symantec Endpoint Protection firewall enabled, file transfer performance slows.
    Solution: Implemented a kernel traffic cache in the Teefer driver to improve performance.

    reference: http://www.symantec.com/docs/TECH216262

    But yeah, I hear ya...I never saw an official alert or anything.



  • 5.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 04:33 PM

    Yeah, I mean if they are gonna lump it in there as opposed to officially reporting that 12.1.4 Teefer is crap, then the only choice I guess I have is 12.1.4.1 and then just cross my fingers to hope things are really fixed.



  • 6.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 11, 2014 04:36 PM

    Would be nice to see some sort of Wiki where paying customers can log in and see newly reported bugs.



  • 7.  RE: Symantec SEP 12.1.x and Servers (domain controllers)

    Posted Apr 28, 2014 08:55 AM

    Well, even 12.1.4.1 appears to have its issues.  Got it installed on a few systems and still seeing slowness and issues.

    I assume at some point Symantec will come clean...