Endpoint Protection

Starting yesterday, I started getting email notifications saying virus definitions were not up to date. These email notifications came from the secondary server which is a replication partner to the primary server. The replication partner which is basically our DR node says we have 50 clients whose definitions are outdated by 7 days but that is inaccurate. The primary node says all clients are up to date.

Also, the notification settings are set to once every 7 days but for some reason I am getting these email notifications every hour now.

Can someone please help in clearing these up?

can you check the condition for the notification, if it is correct, can you delete and create a new one and let know if it helps.

I deleted the old notification condition, recreated a new one on the primary node and let it replicate. The threshold is set for 50 computers. As soon it replicated, I got another email notification saying 58 client virus definitions were out of date. This is not accurate becuase according to the primary node, we dont have that many clients with outdated definitions.

are there client on secondary? did you check if those are outdated?

how many days have you selected the clients npt to be delted from console if they are inactive ( not communicated to SEPM)?

Hello,

What version of SEPM are running on these machines? How many SEPM's are getting replicated?

Could you work on the following steps:

1) Disable the replication

2) Run a Repair of all the SEPM

3) Deleted the notification for Virus Definitions Out of Date

4) Add a new notification for Virus Definitions Out of Date

5) Enable the replication again.

Hope that helps!!

There aren't any clients on the secondary right now. They are all being managed by the primary. Yet it is the secondary that is sending out these notifications. Also, yesterday was the first time it started happening.

I have set the clients to be deleted from the console after 30 days of not reporting. I think this is the default settings.

I am running SEP 11.0.5 on all the machines and I have the same version of SEPM on them. 

I will try the steps you listed but I just want clarification on something: What does "Run a repair of all the SEPM" mean? Are there steps documented somewhere?

Hello,

Apologize.

"Run a Repair of all the SEPM's" means Run the Repair of SEPM from Add/Remove Programs on all the SEPM's (Primary as well as Secondary)

Hope that helps!!

I am getting notifications for other reports that I had setup from the DR server now. The DR replication partner never sent any notifications in the past but now it is. Any idea on what I should try looking into?

basically its the notification condition,also can you check the DB query to know how many clients does it report?

same time open support ticket.

What is the support phone number? I cannot find it anywhere.

Please visit this link for support contact info.

http://www.symantec.com/support/contact_techsupp_static.jsp

Just an update but so far support has no idea. They asked me to enable debug and are looking at the logs.

Hi Mithun,

After spending two unsuccesful days waiting for Symantec support to provide a solution, I decided to follow your request. I repaired the SEPM install on the replication server and now the SEPM service doesn't start. I get the following:

"The Symantec Endpoint Protection manager service on hostname started and then stopped. Some services stop automatically if they are not in use by oher services or programs. I looked at event logs and see the following: "The LoadLibrary function failed for the following reason: The specified module could not be found." EventID 4097 and "Could not load the Java Virtual Machine." EventID 4096

Any suggestions how I could fix this?

Windows 2008 x64

SEP 11.0.5

can you post the scm-server-0.log after you attempt to start the service and login?

the file doesn't seem to change when I unsuccesfully try to restart the service. The last entries in that file are from two hours ago:

may be logging needs to be enable to finest. the log above does not show error why it is stopping.

did you check with tech support engg. whats the cause?

tech support wasn't able to provide me a solution to the original issue so I went ahead and did a repair on the install. When SEPM wouldn't start, I decided to post a question on the forum because responses are quicker here than getting in touch with them. If I should contact them then thats what I will do.

enable logging to finest.try restart the sepm service and wait it stops, then pass on the logs.

Will do. Can you please let me know how I can enable loggin to finest? Thanks.

I am going to uninstall SEPM, remove the DB during the uninstall and then reinstall and recreate the secondary site. Pete, is there a Symantec best practices guide/KB to do this? I just want to confirm that when I recreate the site give it primary servers info for replication, it doesn't wipe out the primary servers DB.config.

was this primary site or secondary site? if this was added as replication site?

i suggest to follow dr steps to restore the backup

check this link

http://www.symantec.com/business/support/index?page=content&id=TECH102333

I ended up uninstalling and reinstalling SEPM on the secondary server and adding it as a replication site and it resolved all issues.