Virus definitions deployment

Created: 24 Sep 2012 • Updated: 24 Sep 2012 | 28 comments
This issue has been solved. See solution.

Hi,

I have a problem with the deployment of the virus definitions with Symantec Endpoint Manager console rev 11.0.7000.975.
All the clients have a good virus definition revision (deployment is OK), except for one client.
I cannot find any log that lets me understand what is not working.
Can you help me?

Ashish-Sharma's picture

HI,

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

http://www.symantec.com/business/support/index?page=content&id=TECH105894

Thanks In Advance

Ashish Sharma

novasep's picture

I have verified all these points.
On the client in HELP AND SUPPORT ... TROUBLESHOOTING ... MANAGEMENT, the server is offline.
I don't understand.
And on the client, the Symantec icon doesn't have the green status.

I have requested a policy profile update.

Ashish-Sharma's picture

Hi,

Are you able to telnet to port no. 8014, 80?

And check these settings:

First, check whether any proxy settings are present in Internet Explorer. If present, remove them and try.

If that does not help:

1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, delete the GlobalUserOffline key.

2. Check HKU\.Default\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, delete the GlobalUserOffline key.

3. Reboot the machine.

Thanks In Advance

Ashish Sharma

novasep's picture

telnet 192.168.200.5 8014 is ok (from the client to the server)

Ashish-Sharma's picture

First, check whether any proxy settings are present in Internet Explorer. If present, remove them and try.

If that does not help:

1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, delete the GlobalUserOffline key.

2. Check HKU\.Default\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings: click on the Internet settings key and check for the key called "ProxyEnable". If it is set to 1, change it to 0. Also check if there is a registry value called "GlobalUserOffline"; if it is present, delete the GlobalUserOffline key.

3. Reboot the machine.

Thanks In Advance

Ashish Sharma

Mick2009's picture

Hi Novasep,

There are several reasons why one single client does not update its definitions.  Failure to connect to the SEPM, GUP, or LiveUpdate server is one cause.  Having no free space on the client is another.  The article that Ashish recommended is a good starting point.  I also recommend RDP'ing into that client and viewing its SEP and Windows Event Viewer logs.  The reason why that client is not updating should be available there.

By the way: I strongly recommend upgrading to SEP 11 RU7 MP2, or to the forthcoming RU7 MP3.  There are known security vulnerabilities and issues with your current release.

Hope this helps - please do keep this forum thread up-to-date with your progress!

With thanks and best regards,

Mick

novasep's picture

OK, thank you, but is there a log file I can see that explains what the problem is?

Mick2009's picture

Look in the Windows Application Event logs and System Event Logs.

In the SEP client, look in the system logs. 

There should be some error messages in either or both places which provide some insight. 

With thanks and best regards,

Mick

Chetan Savade's picture

Hi,

If only 1 client is affected, have you tried replacing Sylink.xml?

Restoring communication to clients with a new Sylink.xml file

http://www.symantec.com/business/support/index?page=content&id=TECH106288

The only way to know what is really going on during the communication process is to enable Sylink debugging on a client that is not updating, allow debug logging to run for 10-15 minutes, then disable again. If you like you can attach the log to the thread for review.

How to enable Sylink Debugging for Symantec Endpoint Protection in the registry
http://www.symantec.com/docs/TECH104758

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

novasep's picture

Hi,

I have executed this operation:

First export the Sylink.xml from the group you want your clients to report to initially.

  1. Click the Clients tab in the SEPM and select the group you want. Right click on it and select Export Communication Settings.
  2. Click browse, select a convenient location and name the file "Sylink.xml".
  3. Click Export.

Replacing Sylink file manually on the Client:

1) Click on Start, Run and on the Run command window type smc -stop.

2) Copy the exported Sylink.xml and paste it to the root of the Symantec client install folder.

By default the location is: c:\program files\symantec\symantec endpoint protection

After you've copied the sylink.xml file, click Start, Run and in the Run command window type smc -start.

And on the client, I now see the client shield appearing in the bottom right corner in the system tray with a green dot on it.

But deployment is not good, even if on the client in HELP AND SUPPORT ... TROUBLESHOOTING ... MANAGEMENT, the server is now present.

Ashish-Sharma's picture

It will take some time; after that the SEP client will update automatically.

Thanks In Advance

Ashish Sharma

novasep's picture

If it's a problem of free space on the disk, is there a log file which describes this problem?

Chetan Savade's picture

Hi,

Do you see the green dot on the yellow shield of SEP? Make sure the policy serial number is correct at both ends, i.e. on the SEPM and the SEP client.

If yes, that particular SEP client's definitions are probably corrupted.

How to determine if virus definitions of Symantec Endpoint Protection client (SEP) 11 or 12 Small Business Edition, are corrupted

http://www.symantec.com/docs/TECH97677

If definitions are corrupted follow this article:

How to clear out corrupted definitions for a Symantec Endpoint Protection client manually

http://www.symantec.com/docs/TECH103176

Also, how much free space is available on the SEP installed drive?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

novasep's picture

Hi,
Yes, the green dot has been present since I manually updated sylink.xml on the client.
Free space on C: is 802MB.
I have read the first article, and there is a problem on the client:
There is no folder with the date of today (virus definition was updated on the server today and all was OK for the other clients).
And there is no "incoming" folder.

Chetan Savade's picture

Hi,

Thanks for the update.

Go ahead & follow the first article http://www.symantec.com/docs/TECH97677, then repair the SEP client & monitor the status.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Ashish-Sharma's picture

HI,

Try to remove the old virus definitions and check.

Thanks In Advance

Ashish Sharma

novasep's picture

I have done this procedure but it's impossible to delete the folders (access denied):

    1. Stop the Symantec Endpoint Protection Services:
    2. Click Start, Run, typing in smc -stop, and pushing Enter.
      1. Click the Start button and then click Run
      2. Type services.msc and click OK
      3. Right-click Symantec Endpoint Protection and click Stop.

_Brian's picture

Do any of the folders delete, or is the latest one the one that won't?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

novasep's picture

You are right.
It's only the last folder that is impossible to delete.
So I have deleted the two first folders.
And now a new folder was automatically created ... and virus definition is now ok !!!
Now, the free space is up to 1Gb.

Ashish-Sharma's picture

Ok ...

Your issue is low disk space, so keep disk space free and reduce this type of problem.

Thanks In Advance

Ashish Sharma

_Brian's picture

Because it is in use. So that should be normal behaviour.

Mick2009's picture

Free space on C: is 802MB.

The solution is definitely to free up some room, then.  I doubt that SEP 11 (or any other modern software) will be able to function with less than 1 GB free.

SEP 12.1 maintains only 1 set of AV defs, and so is more forgiving of machines with little space.  You may wish to upgrade to SEP 12.1.

With thanks and best regards,

Mick
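
A read-only PowerShell triage of the client-side causes discussed in this thread: management-server reachability on port 8014, the ProxyEnable and GlobalUserOffline values, and free disk space. This is an added example, not posted by any participant; the parameter names, the 3-second timeout and the output format are assumptions, while the address, port and 1 GB floor are taken from the posts above.

```powershell
# Added example: read-only triage of the client-side causes raised in this thread.
param(
    [string]$SepmHost     = '192.168.200.5',  # server address quoted in the thread
    [int]   $SepmPort     = 8014,             # port tested with telnet in the thread
    [string]$Drive        = 'C',              # drive holding the SEP install folder
    [long]  $MinFreeBytes = 1GB               # free-space floor suggested in the thread
)

# TCP connect with a timeout; uses .NET directly so it also runs on old PowerShell.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Read (never write) the two Internet Settings values named in the thread.
function Get-ProxyState([string]$KeyPath) {
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Key               = $KeyPath
        ProxyEnable       = $p.ProxyEnable
        GlobalUserOffline = $p.GlobalUserOffline
    }
}

$suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# HKCU is the hive of the account running this script; HKU\.DEFAULT is shared.
$proxy = @("HKCU:\$suffix", "Registry::HKEY_USERS\.DEFAULT\$suffix") |
    ForEach-Object { Get-ProxyState $_ }
$free = (New-Object System.IO.DriveInfo $Drive).AvailableFreeSpace

"SEPM {0}:{1} reachable : {2}" -f $SepmHost, $SepmPort, (Test-TcpPort $SepmHost $SepmPort)
"Free space on {0}:       : {1:N0} MB (minimum {2:N0} MB) -> {3}" -f $Drive,
    ($free / 1MB), ($MinFreeBytes / 1MB), $(if ($free -lt $MinFreeBytes) { 'LOW' } else { 'ok' })
foreach ($s in $proxy) {
    $flag = ($s.ProxyEnable -eq 1) -or ($null -ne $s.GlobalUserOffline)
    "{0}`n  ProxyEnable={1} GlobalUserOffline={2} -> {3}" -f $s.Key, $s.ProxyEnable,
        $s.GlobalUserOffline, $(if ($flag) { 'review' } else { 'ok' })
}
```

Run it in the session of the user who normally logs on to the affected client, since the HKCU values belong to that account.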

SOLUTION
novasep's picture

You are right.
And now a new folder was automatically created ... and virus definition is now ok !!!
Now, the free space is up to 1Gb

novasep's picture

Thank you for your help, I'm trying to free up some room.
But I don't understand why there is no log that explains that the problem is the memory ...

Mick2009's picture

I recommend finding all the clients with little disk space in the organization and taking steps to ensure they stay healthy.  Here's a couple links that may help you:

Issue Related to Low disk space.
https://www-secure.symantec.com/connect/articles/issue-related-low-disk-space

find the low disk systems count
https://www-secure.symantec.com/connect/forums/find-low-disk-systems-count

The SEPM can run reports full of information about all the SEP clients in the organization.  One of the items returned is disk space.  You can run and export such a report, then open its output in Excel and filter for machines with low disk space.

With thanks and best regards,

Mick

Mithun Sanghavi's picture

Hello,

I agree with comments of Mick and Chetan.

Secondly, I would suggest that you try installing the Intelligent Updater on the client machine, which would apparently install the latest definitions on this particular client.

I have seen situations where these definitions, if corrupt on the client machine, get repaired after running the Intelligent Updater.

How to update definitions for Symantec Endpoint Protection using the Intelligent Updater

http://www.symantec.com/docs/TECH102606

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.