Endpoint Protection

Guys, Can you help? My company has recently installed Symantec Endpoint Protection Manager v11. We have deployed the pc client to most of our 150 machines and I regularly search for unmanaged computers from the management console. The results contain 'Unknown Computers' and when we try to deploy to these, they fail. The help file's definition of Unknown does not shed any light on the possible solution or suggest a method of converting them to Unmanaged. As we recently spent 2 and a half hours on hold to their helpdesk we are naturally seeking an alternative source for the solution. Regards, AlanF.

I've always been currious about the exact definitions about Unknown and Unmanaged.  I've had Trend clients identified as Unmanaged, and older Symantec Coporate clients ID'ed under Unknown.  As for failed delivery here are a few things to check.

1) Can your server establish network connectivity to the endpoint?
2) Are there ACLs or port restrictions between the server and the endpoint? Ports 137, 138 (UDP) and 139 (TCP) 445 (TCP)
3) Does the account your specifiying have Administrative privledge on the endpoint?
4) Is the Remote Registry service running on the endpoint?
5) Is any local agent preventing the istallation of the client

You can check the event viewer on the endpoint to see if there are any error logs that might help track down the issue.

'Unknown' clients is like saying that it does not know what is present on that PC. The installed software is either corrupted or there is something that prevents the server from gathering data from the clients.

I just ran this on one of my remote sites and two computers showed up as Unknown and I know they have the SEP MR4MP1a client installed (also on the clients tab, they show up with a green dot and the SEP client is not reporting any errors).  Does anyone know exactly what this tool checks for (assuming services and registry).  I used a domain admin account, and all other computers were not detected as Unknown or Unmanaged at that site.

They're checking the Symantec logs. Then there is the heartbeat signal to make sure they're up. But they should be known if they are remotely installed or if the package is created from the server and set to be managed.

Thanks Mon, but my two clients in question were installed from managed packages created in the SEPM console.  Again, they show the green dot locally and on the SEPM.

@RickJDS: You have managed packages and onlye these 2 PCs are giving you headaches. I'd like to blame the connection between the client and the server but I guess that isn't the case. I can't pinpoint which file or service affects the way the client connects. It could most likely be a corrupted application somewhere.

My thinking is that SEP searches for specific keys on the registry or specific files when doing discoveries. It doesn't probably reside in the actual AV application/service or the LU.

it means not communicating with the management server , so , u installed the client in the machine. therafter u copy the server sylink.xml file and paste.

These documents should be helpful in grabbing how it works


http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008123108513948?Open&seg=ent


https://www-secure.symantec.com/connect/forums/finding-unmnaged-clients


https://www-secure.symantec.com/connect/forums/nst-stops-early-error-when-searching-unmanaged-computers

Thanks for the links, checking the auditparams.txt file in the tomcat\bin folder, I know now exactly what to look for in the registry to figure out why my two managed computers show up as unmanaged.

Very useful documents etc. which I am still ploughing through. I didn't mention in my original post that I am attempting to delivery SEP to PC's which have been wiped and re-imaged and would not have Symantec references in the registry. After all, that's what I am trying to deliver!

I understand that there is a method of installing SEP from a local setup file but this makes the PC unmanagable from the management console. Any comments?

Cheers, AlanF.

I posted a blog bit a while back that shows how to use the login script to detect is SEP is present.

I've seen unknown computers in the results here, too. And those computers are usually running SEP just fine and managed.
I've also seen it list our switches, wireless access points, etc. - as computers running Windows. I bet Cisco would like to know that!

Shadowpapa: You should have added link of that blog for ease of search and navigation.

I could not find at the first try, and later it was bit tedious to come back here either.

Tejas

<< Deleted by moderator We don't allow advertising on these forums >>