
unable to push new virusdefs to clients after new server install

Created: 07 Jan 2008 • Updated: 21 May 2010 | 20 comments
I did the following:

1. originally installed on one server (windows 2003 R2)
2. virusdefs used too much disk
3. The correct update wouldn't download to the server for client push
4. Able to push to client but wrong and old defs
5. Installed on another server, attempted replication but wouldn't work - disk space.
6. Did a new first time install on another server (after removal from second server).
7. Backup and restore the database (embedded) from the original server.
8. Delete original server.
9. New microdefs finally download to new server install.
10. Can see clients but unable to manage (new install) or push new defs. Not communicating with clients.
 
Have seen this error in the event log at install time:
 
The Java Virtual Machine has exited with a code of -1, the service is being stopped.
 
Thanks


SKlassen's picture
I seem to recall something about the server name being encoded in the database, making moving a db to a new machine difficult.
 
I agree that it looks like you're having communication issues between the server and the clients, possibly due to mismatched DomainID or keystorepass.
 
The suggestion that I have would be to pick one client as a testbed. Take a sylink.xml file from the new server and install it onto that client using the sylinkdrop tool (the tool itself can be run from a remote file share, but can only import a sylink.xml from a local path; during my SEP disaster, I found PSExec to be really helpful in semi-automating this whole process). Hopefully that will restore communications with the new server and you can go about doing the same for the other clients.
 



Message Edited by Scott Klassen on 01-07-2008 08:45 PM

buddy 2's picture
I have tried the sylink file without any luck. When I go to the new server that I installed Endpoint console on, the defs look updated, the clients are there but they are not communicating. It must be certificate related because I installed the new Endpoint console on the new server, deleted all from the old server and it seems to be continuing to look for the old server (the clients are). I have used my old PC as a test bed and removed Endpoint and the new server still doesn't recognize it as needing some protection. All I want is for the clients to know there is a new server in town and to get their updates from him.
 
How do I do this? How do I get my existing clients to recognize a new server? How can I delete the Local host?
 
Thanks for letting me vent. This has been driving me batty.
buddy 2's picture
I forgot to mention that I am getting
 
com.sygate.scm.server.metadata.MetadataException
 at com.sygate.scm.server.metadata.MetadataManager.getFile(MetadataManager.java:348)
 at com.sygate.scm.server.configmanager.ConfigManager.getFile(ConfigManager.java:874)
 at com.sygate.scm.server.task.PackageTask.checkLiveUpdateDirectory(PackageTask.java:1259)
 at com.sygate.scm.server.task.PackageTask.run(PackageTask.java:148)
 at java.util.TimerThread.mainLoop(Timer.java:512)
 at java.util.TimerThread.run(Timer.java:462)
 
error and updated to MR1. Rebooted a couple of times and still issues. The Endpoint client of my server is updating properly and I have one client (that for some reason seems to be receiving updates) but no one else is.
austria's picture
There is a KB article about it. (look at my post)
MR 1 or lubfix should repair it but lubfix did not work for me and MR1 is not available in german language.
 
buddy 2's picture
When I look on my good server under Admin>View Servers>Local Site it is showing "Newserver on Site OldServer". The OldServer has been deleted and should not be there. This is under the Downloading Server column.
 
Could this be causing my clients to be unable to download updates and actually be functioning!!
 
Also, seeing the errors below in scm-server0.log
 
2008-01-08 16:51:46.807 SEVERE: ================== Server Environment ===================
2008-01-08 16:51:46.807 SEVERE: os.name = Windows 2003
2008-01-08 16:51:46.807 SEVERE: os.version = 5.2
2008-01-08 16:51:46.807 SEVERE: os.arch = x86
2008-01-08 16:51:46.807 SEVERE: java.version = 1.5.0_14
2008-01-08 16:51:46.807 SEVERE: java.vendor = Sun Microsystems Inc.
2008-01-08 16:51:46.807 SEVERE: java.vm.name = Java HotSpot(TM) Server VM
2008-01-08 16:51:46.807 SEVERE: java.vm.version = 1.5.0_14-b03
2008-01-08 16:51:46.807 SEVERE: java.home = D:\Symantec Endpoint\Symantec Endpoint Protection Manager\jdk\jre
2008-01-08 16:51:46.807 SEVERE: catalina.home = D:\Symantec Endpoint\Symantec Endpoint Protection Manager\tomcat
2008-01-08 16:51:46.807 SEVERE: java.user = null
2008-01-08 16:51:46.807 SEVERE: user.language = en
2008-01-08 16:51:46.807 SEVERE: user.country = US
2008-01-08 16:51:46.807 SEVERE: scm.server.version = 11.0.1000.1375
2008-01-08 16:51:48.510 SEVERE: ================== StartClientTransport ===================
2008-01-08 16:51:49.197 SEVERE: Schedule is started!
2008-01-08 16:51:50.197 SEVERE: StateCheckpointTask connect to secars failed: SERVICE NOT AVAILABLE
2008-01-08 16:51:50.228 SEVERE: IISCacheTask connect to secars failed: SERVICE NOT AVAILABLE
2008-01-08 21:02:21.303 SEVERE: Unexpected server error. in: com.sygate.scm.server.task.ThreatCatTask
java.io.IOException: Error during ThreatCat -- definitions processing error: cannot load eraser
 at com.sygate.scm.server.task.ThreatCatTask.readDefs(ThreatCatTask.java:322)
 at com.sygate.scm.server.task.ThreatCatTask.run(ThreatCatTask.java:221)
 at java.util.TimerThread.mainLoop(Timer.java:512)
 at java.util.TimerThread.run(Timer.java:462)
com.sygate.scm.server.util.ServerException: Unexpected server error.
 at com.sygate.scm.server.task.ThreatCatTask.readDefs(ThreatCatTask.java:342)
 at com.sygate.scm.server.task.ThreatCatTask.run(ThreatCatTask.java:221)
 at java.util.TimerThread.mainLoop(Timer.java:512)
 at java.util.TimerThread.run(Timer.java:462)
2008-01-08 21:02:48.398 SEVERE: DeltaContentTask.generateDeltaContent FAILED {C60DC234-65F9-4674-94AE-62158EFCA433}:80108002:80108022:D:\Symantec Endpoint\Symantec Endpoint Protection Manager\tomcat\..\Inetpub\DeltaParam\{C60DC234-65F9-4674-94AE-62158EFCA433}.param:D:\Symantec Endpoint\Symantec Endpoint Protection Manager\tomcat\..\Inetpub\DeltaParam\{C60DC234-65F9-4674-94AE-62158EFCA433}.opt
2008-01-08 21:02:48.398 SEVERE: CODE -1:status: building first pass patch files
error: cannot FindFirstFile on D:\Symantec Endpoint\Symantec Endpoint Protection Manager\tomcat\..\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}\80108022\Full.
 
Thanks
buddy 2's picture
Did some research and have the client that the PC that I used as a test bed  (removed endpoint) and then was able to finally find and make it a managed client. Still having issues with my other existing clients being unable to have their content or packages updated. I have:
 
1.
buddy 2's picture
Pardon my last post, I advertently submitted it.
 
I did some research and saw:
 
 1) in the catalina.out file that I am getting Error getting client certs JAVAX.net.ssl.sslPeerUnverifiedException: Peer not Authenticated
 
After using Filemon to review, my original server (first install, then installed on second and then removed from first) still has a directory C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\outbox\agent folder that appears to have client information.
 
Should I move this to the new server?
 
Should I delete from the old server?
 
Thanks...I really need to get these virus sigs updated.
buddy 2's picture
I had SEPM installed on a new server but started running out of disk space on my C drive where it was installed. Then after no decent resolution was found, I attempted to replicate to a new server and again ran into a space issue.
 
I then installed on the new server and did a backup from the old and restore to the new. I then deleted the SEPM from the old server. For several weeks I have been fighting with the new server not seeing the clients and the clients not having new updates.
 
Today I decided to create a new client package and made a single EXE to install. Saved in a shared folder and tested on a couple of clients. This seems to have updated to the correct package and some of the DEFS have been updated.
 
My dilemma is probably the same as some of you, I have many clients to update and I DO NOT want to have to visit each and do the following:
 
Remove the old SEP
Reinstall new SEP from package, requires reboot.
Reload autostarts a scan ( okay )
 
I would like some way to centrally manage and control this aspect of the SEPM.
 
Does anybody have any ideas how I can accomplish?
 
Thanks
 
Jim
buddy 2's picture
Seems like I'm chatting with myself...Anyway, I seem to have SEPM downloading the new virus defs but I cannot download them to my clients. They just do not seem to want to update. There seems to be something terribly wrong since I visit some close clients and they look okay but SEPM isn't reporting properly.
 
Must I visit all clients, install new package, update policy and reboot????????
 
Thanks
SKlassen's picture
Yes and no.  Looks like the only way you'll get the clients to recognize the new server is to install a client package created from that machine.  There is absolutely no reason why you should have to physically go to all the machines.  Deploy remotely.  SEPM has the pushdeploymentwizard or you can use something like PSExec to push the installs.  When you create the install package, before you export it for push installs, certain parameters can be set such as whether to reboot after install or not.
buddy 2's picture
Thanks for the response. I have been trying to migrate and deploy but decided to take your recommendation and try it differently. I went through the create procedure without issue and gave it a new group name and directory to place the package in. When it went to create it started up and then displayed:
 
Failed to create a 32 bit package for desktops 123
Error code 7
 
I have plenty of disk space and the directory gets created with 3 files placed there.
 
packlist.xml, ssci.dat and serdef.dat
 
Any idea why it croaks?
SKlassen's picture
Now that's odd.  Those are some files used to create the package (final product will be a single .exe), but not all of them.  Anything in your windows event logs generated by the process? 
 
Error Code 7 is kind of a generic windows error for problems doing something with data, usually caused by disk or memory errors.  First thing I would do would be to try creating the package again in a really easy place, like the "desktop".  Even if that works, you might want to also do a chkdsk to check for bad sectors.
buddy 2's picture
Okay, it showed as being fragged, even though it's a new system with about 116GB free (93% free). I defragged and tried to desktop and same message and same 3 files in the new directory. Tried a couple of times.
 
This just doesn't make sense...
 
buddy 2's picture
I am so completely disappointed with Symantec, that I would like info on downgrading to the last workable version 10.x some that I can actually use to manage and protect my clients.
 
I really hate to do these type of non productive tasks but unless someone can enlighten me with some informational responses or fixes. I am open to ideas.
 
Thanks
rauneh's picture

If I've understood this right (I didn't read the thread too carefully), some of you reinstalled the manager console or installed it on another server...

When you do this, the clients don't recognize the server any more. That is because they've got the wrong sylink.xml file. Inside the sylink.xml file we've got the servername, IP address and a certificate. If you reinstall on the same server, the name and IP will be right, but the certificate has changed.

What you have to do is; Create a new .msi package from the new server. Put it on a share. Copy the sylinkdrop.exe file (which can be found on CD2 I think) to this package. Use the sylinkdrop.exe tool, and replace the sylink.xml from the share with the local sylink.xml on the clients.

If you're good at scripting, you can create a logon script which executes for example a .bat script that again executes the sylinkdrop.exe on the share. I've done this, and all clients replaced their sylink.xml file and reconnected to the reinstalled server.
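The check implied by the posts above (server name, IP address, certificate and DomainID must agree between the new manager's sylink.xml and the copy on a client), as an added example that is not part of the original thread. The element and attribute names (`DomainId`, `Server`/`Address`, `Certificate`) are an assumed layout and both files are constructed samples, not taken from a real installation.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples. The layout below is an assumption for illustration.
SERVER_SYLINK = """<ServerSettings DomainId="AAAA1111BBBB2222CCCC3333DDDD4444">
  <CommConf>
    <ServerList Name="Default">
      <Server Address="NEWSERVER" HttpPort="8014"/>
      <Server Address="192.0.2.20" HttpPort="8014"/>
    </ServerList>
    <ServerCertList>
      <Certificate Name="NEWSERVER">TkVXLVNFUlZFUi1DRVJU</Certificate>
    </ServerCertList>
  </CommConf>
</ServerSettings>"""

CLIENT_SYLINK = """<ServerSettings DomainId="AAAA1111BBBB2222CCCC3333DDDD4444">
  <CommConf>
    <ServerList Name="Default">
      <Server Address="OLDSERVER" HttpPort="8014"/>
      <Server Address="192.0.2.10" HttpPort="8014"/>
    </ServerList>
    <ServerCertList>
      <Certificate Name="OLDSERVER">T0xELVNFUlZFUi1DRVJU</Certificate>
    </ServerCertList>
  </CommConf>
</ServerSettings>"""


def summarize(xml_text):
    """Pull out the fields the thread says must match."""
    root = ET.fromstring(xml_text)
    domain = next((e.get("DomainId") for e in root.iter() if e.get("DomainId")), None)
    servers = sorted({s.get("Address", "").lower() for s in root.iter("Server")})
    # Hash the encoded certificate text so files can be compared without
    # printing the blob; whitespace is ignored because it may be line-wrapped.
    certs = sorted(
        hashlib.sha256("".join((c.text or "").split()).encode()).hexdigest()
        for c in root.iter("Certificate")
    )
    return {"domain_id": domain, "servers": servers, "certs": certs}


def compare(server_xml, client_xml):
    """Return a list of reasons the client would not trust or find the server."""
    want, have = summarize(server_xml), summarize(client_xml)
    findings = []
    if want["domain_id"] != have["domain_id"]:
        findings.append("DomainId differs")
    missing = [a for a in want["servers"] if a not in have["servers"]]
    if missing:
        findings.append("client does not list: " + ", ".join(missing))
    stale = [a for a in have["servers"] if a not in want["servers"]]
    if stale:
        findings.append("client still lists: " + ", ".join(stale))
    if not set(want["certs"]) & set(have["certs"]):
        findings.append("no server certificate in common")
    return findings


if __name__ == "__main__":
    for line in compare(SERVER_SYLINK, CLIENT_SYLINK) or ["sylink.xml matches"]:
        print(line)
```

An empty result means the client file already points at, and trusts, the new manager; any finding means the file needs replacing on that client.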

buddy 2's picture
So to clarify... I need to create an MSI (which I don't know how to do?), dump it on a share, run sylinkdrop and copy the new sylink.xml to the client. What does the MSI do? Is that the new client package?
 
Thanks
rauneh's picture

If you go to admin on the main menu on the manager console, then install package --> export new install package (or something like that). Then you unmark the choice of creating an exe file. Then you get the .msi package. In there you'll find the sylink.xml file. On the local client you find the sylink file under the install structure, program files -> symantec -> symantec endpoint protection. And that's the file that has to be changed.

The .msi package can also be used to install new clients. For example if you're deploying the package with Active Directory. Or the client can go to the share and just click the .msi file.

buddy 2's picture
I have been getting this for awhile and most of my clients aren't communicating with the server.
Has anyone seen this before and do you know how to handle?
 
I think that it started when I deleted and moved the SEPM from one server to another and did a backup and restore of the database to the new server. The updates are downloading to the new server but not getting to my clients and they are not being seen.
 
Feb 5, 2008 8:53:41 PM org.apache.tomcat.util.net.jsse.JSSE14Support getX509Certificates
FINE: Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:113)
 at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:123)
 at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:969)
 at org.apache.coyote.Response.action(Response.java:182)
 at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:267)
 at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:150)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
 at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
 at java.lang.Thread.run(Thread.java:595)
Feb 5, 2008 8:53:41 PM org.apache.tomcat.util.net.jsse.JSSE14Support getX509Certificates
FINE: Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:113)
 at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:123)
 at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:969)
 at org.apache.coyote.Response.action(Response.java:182)
 at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:267)
 at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:150)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
 at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
 at java.lang.Thread.run(Thread.java:595)
Feb 5, 2008 8:53:46 PM org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler processConnection
FINE: IOException reading request
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1232)
 at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
 at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:719)
 at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
 at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1547)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1511)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1456)
 at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
 at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:737)
 at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:398)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:761)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
 ... 3 more
Caused by: java.net.SocketException: Connection reset
 at java.net.SocketInputStream.read(SocketInputStream.java:168)
 at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
 at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:782)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:739)
 at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
 ... 7 more
Feb 6, 2008 9:13:32 AM org.apache.tomcat.util.threads.ThreadPool$ControlRunnable run
FINE: Getting new thread data
 
Thanks
buddy 2's picture
God..I hate replying to myself. Now my SEPM won't let me even log in. I have no idea what happened but I think I need to: Either do a complete new install or go to a prior version.
 
Can someone offer some of their advice and some SOLID plans on how to execute either option???
 
Some history of my install: I installed on one server, it seemed to be working okay. It was sucking up all of my disk space and causing system halts so I moved to another server, backed up and restored to the new server and deleted the SEPM of the old server. It was seeing only 7 out of 25 clients and not updating. Then this happened and it is now crunch time.....
 
Thanks ahead of time.
 
Jim