Endpoint Protection

  • 1.  Verify if SEP on computer image has been prepped for cloning

    Posted Apr 20, 2015 12:35 PM

    We are aware of SEP duplicate hardware IDs when the computer image is not prepped.

    How can we identify SEP clients that have been prepared for cloning BEFORE it becomes a problem?

     

    Scenario: Vendor creates base image but doesn't follow instructions to prepare a SEP client for cloning. The vendor ships us the image to check BEFORE placing the image in production.

    Can we determine if the image was prepped properly?



  • 2.  RE: Verify if SEP on computer image has been prepped for cloning
    Best Answer

    Broadcom Employee
    Posted Apr 20, 2015 12:37 PM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    1. Delete all instances of sephwid.xml and communicator.dat on file system. Possible locations:
      • C:\
      • C:\Program Files\Common Files\Symantec Shared\HWID\
      • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
      • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData\
      • C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\
      • C:\Users\All Users\Symantec\Symantec Endpoint Protection\PersistedData
      • C:\Windows\Temp\
      • C:\Documents and Settings\*\Local Settings\Temp\
      • C:\Users\*\AppData\Local\Temp\
         
    2. Delete the following registry values:
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\ForceHardwareKey
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostGUID
      NOTE that these values on 64-bit systems have been moved in SEP 12.1 RU5 to HKLM\SOFTWARE\Wow6432Node

    Check this article for more details.

    How to prepare a Symantec Endpoint Protection 12.1.x client for cloning

    https://support.symantec.com/en_US/article.HOWTO54706.html



  • 3.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 20, 2015 12:37 PM

    Look for the deletes referenced here:

    How to prepare a Symantec Endpoint Protection 12.1.x client for cloning

    1. Delete all instances of sephwid.xml and communicator.dat on file system. Possible locations:
      • C:\
      • C:\Program Files\Common Files\Symantec Shared\HWID\
      • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
      • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData\
      • C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\
      • C:\Users\All Users\Symantec\Symantec Endpoint Protection\PersistedData
      • C:\Windows\Temp\
      • C:\Documents and Settings\*\Local Settings\Temp\
      • C:\Users\*\AppData\Local\Temp\
         
    2. Delete the following registry values:
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\ForceHardwareKey
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostGUID
      NOTE that these values on 64-bit systems have been moved in SEP 12.1 RU5 to HKLM\SOFTWARE\Wow6432Node


  • 4.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 20, 2015 09:42 PM

    Chetan, I don't think he wants to know how to prepare a clone.

    What he is asking is how to detect clones that are wrongly built without following these guides.

    I have faced the same problem. Vendor clones a system and forgets to delete these entries and the system gets deployed. We usually only find out by accident.



  • 5.  RE: Verify if SEP on computer image has been prepped for cloning

    Broadcom Employee
    Posted Apr 21, 2015 10:36 AM

    If best practice isn't followed, you need to delete the keys suggested above to avoid duplication of the hardware ID.

    However, in case vendors did not follow the best practice, the SEP clone repair image tool can help to recover from such scenarios. Refer to this article: http://www.symantec.com/docs/TECH163349


     



  • 6.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 21, 2015 11:15 AM

    Dear Sonihal,

    I got your concern. The hardware key is generated as soon as SEP services start at OS booting.

    At the moment I don't have the possibility to test what I am going to suggest to you, but my idea would be to boot the image in safe mode and, if SEP services were not started as I would expect, then access the registry and verify if the keys mentioned in the above posts have been emptied or not.
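
The check discussed in this thread, as an added example that is not part of any post and is not Symantec's own tooling: it looks for the files and registry values listed in the posts above and reports any that remain. Because the hardware key is said above to be generated when the SEP services start, it is meant to run against a mounted image or before SEP has started; `$Root`, `$HiveKey`, the `OfflineSW` key name and the `D:\` mount path are assumptions.

```powershell
# Added example (not from the thread). Run elevated.
# $Root and $HiveKey are assumed parameter names. For a mounted image, load its
# SOFTWARE hive first (mount path D:\ and key name OfflineSW are placeholders):
#   reg load HKLM\OfflineSW D:\Windows\System32\config\SOFTWARE
param(
    [string]$Root    = 'C:\',
    [string]$HiveKey = 'SOFTWARE'
)

$files  = 'sephwid.xml', 'communicator.dat'
$dirs   = @(
    '',
    'Program Files\Common Files\Symantec Shared\HWID',
    'Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config',
    'Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData',
    'ProgramData\Symantec\Symantec Endpoint Protection\PersistedData',
    'Users\All Users\Symantec\Symantec Endpoint Protection\PersistedData',
    'Windows\Temp',
    'Documents and Settings\*\Local Settings\Temp',
    'Users\*\AppData\Local\Temp'
)
$values = 'ForceHardwareKey', 'HardwareID', 'HostGUID'
$sylink = 'Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$base   = $Root.TrimEnd('\')
$findings = @()

# 1. Identity files that should have been deleted before the image was captured.
foreach ($d in $dirs) {
    foreach ($f in $files) {
        $pattern = (@($base, $d, $f) | Where-Object { $_ }) -join '\'
        Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "FILE  $($_.FullName)" }
    }
}

# 2. Registry values, in both the native and the Wow6432Node location.
foreach ($node in '', 'Wow6432Node\') {
    $key   = "HKLM:\$HiveKey\$node$sylink"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $values) {
        if ($props.PSObject.Properties[$v]) { $findings += "VALUE $key\$v = $($props.$v)" }
    }
}

if ($findings.Count -eq 0) { 'No leftover SEP identity artifacts found.'; exit 0 }
$findings
exit 1
```

After checking a mounted image, release the hive with `reg unload HKLM\OfflineSW` before dismounting it.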



  • 7.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 22, 2015 10:49 AM

    Dear Sonihal,

    If there are no further questions, please remember to close the thread and mark a post as solution.



  • 8.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 28, 2015 01:44 PM

    @Beppe,

    None of the answers were a solution to my problem, but thanks anyway :-)



  • 9.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted Apr 30, 2015 05:32 AM

    I'm afraid the comfortable solution you were expecting does not exist; that's why you did not get it. Yet, you may recognize the best effort here in explaining to you why it is as it is and what you may alternatively do :)



  • 10.  RE: Verify if SEP on computer image has been prepped for cloning

    Posted May 05, 2015 03:33 PM

    Well, because you requested, I marked Chetan's answer as the solution because he replied first on how to clone.