
Why is Virus Definition Report incorrect?

Created: 31 Aug 2012 • Updated: 03 Dec 2013 | 74 comments
This issue has been solved. See solution.

Every day I receive an emailed Administrator Daily Summary Report from Symantec Endpoint Protection Manager.  And every day the section on Virus Definition Distribution says there are more PCs out of date than there really are.  It will say there are 4 PCs out of date by 7 days, but will only list 1 PC.  (see attachment)  The same report is also in the program when I open it.  Why is this?  Thanks in advance!


Ashish-Sharma's picture

What is the SEPM version?

Have you manually checked the out-of-date systems?

 

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

SEPM version is 12.1.1000.157

I'm not sure what you mean by the second question though.

Thanks!

Ashish-Sharma's picture

Do you have any unmanaged clients?

Are you using an OS image?

 

 

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

No, we don't use imaged OSs, and to my knowledge there should not be any unmanaged clients.

Fabiano.Pessoa's picture

Hi,

Have you looked at upgrading the OS?
Update your OS and also take a look at the system clock maa look at the clock in bios
After upgrading the system to update your solution and run a scan in safe mode
Then check reports

hugs

 
 
 
 
 

 

Fabiano Pessoa

Systems Analyst - Forensic Expert

ahazelwood's picture

Unfortunately upgrading the OS is not something we can do right now.  

What is "system clock maa?"

Fabiano.Pessoa's picture

Hi,

Sometimes the system clock also changes its forms.

Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa's picture

If your operating system is windows?
If you let me know and I will continue to help you

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Ashish-Sharma's picture

Do you have any SEP 11 clients?

Please check manually in the SEPM console how many systems are out of date by 7 days.

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

I am new to the position and to SEPM and I don't know how to find out if there are any SEP 11 Clients or how to manually check which systems are out of date.  Sorry.

Ashish-Sharma's picture

How many systems' difference do the daily reports show?

Currently the report is showing a difference of 3 systems.

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

Correct, there is a "4" noted there but only 1 is listed.  It seems like there is a discrepancy every day.

Ashish-Sharma's picture

Yes, the remaining three systems are not yet reporting to your SEPM console.

So it's the SEPM server showing them as out of date.

Please check manually in the SEP console how many systems have not updated in 7 days.

Do you have access to the SEPM console?

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

OK, I figured out how to check manually the Virus Definitions Distribution in the SEPM console.  It appears that only 1 is out of date for the past 7 days.  So should I not worry about the discrepancy in the numbers that are being reported in the daily emailed report? 

Ashish-Sharma's picture

Yes, you can export all SEP clients and sort by definition date.

How to export SEP clients

https://www-secure.symantec.com/connect/forums/how-print-out-all-sep-client

Thanks In Advance

Ashish Sharma

 

 

ahazelwood's picture

I did not get a "Search Clients pop-up" as stated in the instructions.

Ashish-Sharma's picture

Hi,

Are you logged in to the SEPM console with an admin account?

There is an easy way to copy SEP clients.

You can open the required group to export its clients, select all clients with "Ctrl+A", copy with "Ctrl+C", and then paste into Notepad or Excel.

Thanks In Advance

Ashish Sharma
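
Added example (not part of the original thread, and not Symantec code): one way to cross-check the report's summary count against a client list pasted from the console, as suggested above. The column names, the `YYYY-MM-DD rev. NNN` definitions format and all sample rows are assumptions constructed for this illustration.

```python
import csv
import io
import re
from collections import Counter
from datetime import date

# Constructed sample of a client list pasted from the console (tab-separated).
# Column names and the "YYYY-MM-DD rev. NNN" format are assumptions for this
# example, not a documented SEPM export schema.
SAMPLE_EXPORT = (
    "Name\tIP Address\tDefinitions\n"
    "PC-ACCT-01\t10.0.0.11\t2012-08-30 rev. 018\n"
    "PC-FRONT-02\t10.0.0.12\t2012-08-22 rev. 004\n"
    "PC-LAB-03\t10.0.0.13\t\n"
    "PC-FRONT-02\t10.0.0.12\t2012-08-31 rev. 002\n"
    "PC-HR-04\t10.0.0.14\t2012-08-29 rev. 021\n"
)

DEF_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def parse_clients(text):
    """Return a list of (name, definitions_date_or_None) from pasted text."""
    clients = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        name = (row.get("Name") or "").strip()
        if not name:
            continue
        match = DEF_DATE.search(row.get("Definitions") or "")
        try:
            defs = date(*map(int, match.groups())) if match else None
        except ValueError:  # digits present but not a real calendar date
            defs = None
        clients.append((name, defs))
    return clients


def reconcile(text, as_of, min_days, reported_count):
    """Compare the report's summary count with what the client list shows."""
    clients = parse_clients(text)
    # Clients whose definitions are at least min_days old on the report date.
    stale = sorted(
        (name, (as_of - defs).days)
        for name, defs in clients
        if defs is not None and (as_of - defs).days >= min_days
    )
    # Clients with no readable definitions date cannot be placed in a bucket.
    unknown = sorted(name for name, defs in clients if defs is None)
    # The same host name listed more than once can inflate a summary count.
    counts = Counter(name.lower() for name, _ in clients)
    duplicates = sorted({n for n, _ in clients if counts[n.lower()] > 1})
    return {
        "stale": stale,
        "unknown": unknown,
        "duplicates": duplicates,
        "unaccounted": reported_count - len(stale),
    }


if __name__ == "__main__":
    # The report says 4 clients are 7+ days out of date; see what the list shows.
    result = reconcile(SAMPLE_EXPORT, date(2012, 8, 31), 7, 4)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-zero `unaccounted` value together with entries under `unknown` or `duplicates` gives a short list of records to look at in the console first.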

 

 

Chetan Savade's picture

Hi,

Was it an upgrade or a fresh install?

I would suggest checking with the latest version, i.e. SEP 12.1 RU1 MP1 (12.1.1101.401)

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

ahazelwood's picture

This was installed a while back before I worked here.  SEPM version is 12.1.1000.157

rs_cert's picture

Hi,

As per your conversation, I would suggest that you create a daily notification for the same.

It helps you find the systems with old definitions by hostname/IP address.

Steps are below

Open and login to the SEPM

Click Monitors

Click Notifications

Click Notification Conditions

Click Add

Select "Virus definitions out-of-date"

Enter the notification name (e.g. old definition)

Select condition (eg- 3 computers with virus definitions older than 2 and so on days)

Add your email id here.

Then Ok.

ahazelwood's picture

Sorry, I can't quite understand your instructions.  Particularly this part:  "Select condition (eg- 3 computers with virus definitions older than 2 and so on days)"

Chetan Savade's picture

Hi,

Try the following steps:

Delete daily summary report, before deleting check the settings.

Repair SEPM through add/remove programs.

Again create same daily summary reports & check.

Is the weekly summary report showing correct information?

What's the size of sem5.db? It will be under C: or installed drive \Program Files or (x86)\Symantec\Symantec Endpoint Protection Manager\db

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Hi Chetan, 

Thanks for the info.  I deleted the report and re-created it, repaired SEPM, and the new report shows the same thing.  I couldn't find sem5.db.

Chetan Savade's picture

Hi,

Try following steps:

1) SEPM --> Admin --> Servers --> Local Site --> Edit Site properties --> Change the management server log settings to expire after 1 day.

Note: It will wipe out entire database entries, you have a limited number of clients so I think you can go ahead with this setting.

Wait for one day

2) On day 2, Stop the Symantec Endpoint Protection Manager Service

Go to C: or Installed drive \Program Files or (x86)\Symantec\Symantec Endpoint Protection Manager\Tools

Run updatedbtime.bat

3) Go to Admin --> Servers --> localhost --> Select Rebuild indexes now & Truncate transactions log now

4) Monitor new report.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

I don't get the option for log settings.  Attached is what I get:

symantec.JPG
Chetan Savade's picture

Hi,

My apologies, the screenshots were taken from SEP version 11.

In SEP version 12.1 it's under localhost properties.

SEPM --> Servers --> Local host ---> Edit database properties.

The screenshot is attached to the reference.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

I did this:

 

2) On day 2, Stop the Symantec Endpoint Protection Manager Service

Go to C: or Installed drive \Program Files or (x86)\Symantec\Symantec Endpoint Protection Manager\Tools

Run updatedbtime.bat

 

And got this error:  (see attachment)

Symantec2.JPG
Ashish-Sharma's picture

Hi,

Check whether the Symantec database services are running or not.

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade's picture

Hi,

Go to services.msc and check whether the Symantec Endpoint Protection Manager and Symantec Embedded Database services are running or not.

 

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

They are both running (but I had stopped SEPM earlier as directed in the instructions).

Chetan Savade's picture

Hi,

If possible reboot the server & try to run updatedbtime.bat

If the above steps didn't help, you have the following choices left.

1) Upgrade to the latest SEP version i.e SEP 12.1 RU1 MP1

2)  Log a web case with Support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

How to Create and Validate a SymAccount for using Symantec's MySupport

http://www.symantec.com/docs/HOWTO31127

3)  The next SEP release, SEP 12.1 RU2, is on the road map; you can test with the beta version

https://symbeta.symantec.com/login.html

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Rebooting didn't help.  :(

How do I know what version I have and how do I upgrade?

(BTW, the link above for creating a new case provides outdated information.  I can figure it out, just FYI)

 

Thanks again!

Chetan Savade's picture

Hi,

To check current version, login to the SEPM console. On the right hand top corner you will see Help option, Select that  & click on about.

It will tell you the SEPM version details.

Check the SEP releases to date: http://bit.ly/m0vOJp

Let me know the SEPM version and I will tell you the possible upgrade path.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Hi Chetan,

Thanks for the info.  I have version 12.1.1000.157

BTW, I tried several times to create a case via Symantec's website.  I keep getting this error (attached).  This has happened to me before which is why I never use the website.

 

symantec fail.JPG
Chetan Savade's picture

Hi,

SEPM version 12.1.1000.157 i.e SEP 12.1 RU1.

The latest version is 12.1.1101.401 i.e. SEP 12.1 RU1 MP1

You can directly upgrade from SEP 12.1 RU1 to SEP 12.1 RU1 MP1.

You need to download setup files from https://fileconnect.symantec.com, you would require a serial number which starts with 'M'. Eg. M1122334455

If you face a problem logging a web case, please contact Symantec Technical Support via the support phone numbers listed below

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
India: Toll-Free 000 800 4401 456

IDD call: +61 2 8220 7111

Contact Symantec Customer Care on 

http://www.symantec.com/support/assistance_care.jsp

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Chetan Savade's picture

Hi,

Download Symantec_Endpoint _Proection_12.1.1_MP1_SEPM_EN.exe.

After download extract it & run setup.exe, it will start the SEPM upgrade.

Prior to upgrade always take a database backup.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Mithun Sanghavi's picture

Hello,

Check this Article:

Understanding the Downloads of Symantec Endpoint Protection (SEP) 12.1 available on Symantec FileConnect website.

In your case, you would have to download the Symantec_Endpoint_Protection_12.1.1_MP1_Part1_Installation_EN

which includes all the Installation of

SEPM 12.1RU1 MP1 , SEP 12.1 RU1 MP1 (32 bit) , SEP 12.1 RU1 MP1 (64 bit), SEP MAC 12.1 RU1 MP1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ahazelwood's picture

I am not able to extract any SEPM files that I download.

This is as far as I get and it hangs up (see below).  Do you know what I am doing wrong?

 

extract.JPG
Fabiano.Pessoa's picture

Hi, good afternoon, how are you?

 Make an easier way to remove the PCs on the network each you upgrade the operating system and version of your security solution separately in each
 Do it one by one and then put in the network again

 will work

 hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

ahazelwood's picture

OK sorry, not quite sure I understand, could you rephrase?  Or write it in Portuguese or Spanish - Entendo  :)

Fabiano.Pessoa's picture

Hi,

Great that you understand Portuguese!! (laughs)

So, what I meant is that you could do the following:

Take the machines off the network and update them one by one off the network, updating the operating system and the security solution you use.
The problem may be in compliance, and one would imagine that, since our solutions look for compliance, if one of them does not get in, the other refuses.
So we could try to recover from this by separating the machines, updating the operating system and the security solution, returning them to the network, and then updating them all together.
Have you tried that?

Big hug

 

Fabiano Pessoa

Systems Analyst - Forensic Expert

Chetan Savade's picture

Hi,

If you downloaded only the SEPM installation files from FileConnect as I had directed, then it will probably not be a zip file.

In that case, there is no need to extract it; go directly to the download folder.

Run setup.exe and the upgrade will start.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Thank you very much, Chetan and Fabiano!  :)

Everything is working now!!

ahazelwood's picture

Well, the upgrade seemed to keep the Virus Definition Distribution report straight for a couple of days, but now my problem is back again.  There is a 2 listed but only one computer reported.

Chetan Savade's picture

Hi,

I would suggest you test with the SEP 12.1 RU2 beta version.

Let me know if you face the same issue.

https://symbeta.symantec.com/login.html

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

I logged in to get the Beta version but this is all I see.  Where do I go?  Thanks!

beta.JPG
Ashish-Sharma's picture

Hi,

I think this is some kind of bug.

You can try testing with the beta version

or you can wait for the release date.

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade's picture

Hi,

Go to beta agreement, accept the agreement.

You have to download SEPM beta setup.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

There is no way to accept the beta agreement.  It just lists the agreement, that's all.  :(

beta1.JPG beta2.JPG
_Brian's picture

Wondering if BETA testing is closed...

Chetan Savade's picture

Hi,

Go to the Home tab, select download beta build

Screenshot is attached to the reference.

Now select Download SEP 12.1.2 SEPM beta build.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Yes, maybe it is closed.  I don't have those options (see below):

beta5.JPG
Chetan Savade's picture

Hi,

It's not closed.

Beta2 is now open for testing.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


_Brian's picture

Just got the email about Beta2 being available.

ahazelwood's picture

Oh well, I can't access it.  Guess I'm forever doomed.....at least during Beta.....

ahazelwood's picture

Okey dokey, Beta is installed and everything seems to be fine so far - Virus Distribution Definitions have been correct for the past couple of days.  Thanks for everyone's help!  :)

ahazelwood's picture

I am still receiving a Virus Definition Distribution report that has (2) listed but only shows one PC.  Any more ideas?

Chetan Savade's picture

Hi,

Are you using an OS image while deploying SEP?

Check this article

http://www.symantec.com/business/support/index?pag...

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

Actually no, we don't do imaging here, it's a small agency.

Chetan Savade's picture

Hi,

It's not working after an upgrade to SEP 12.1 RU1 MP1 nor with SEP 12.1 RU2 beta version.

I hope SEPM and the SEP clients are both on the same version.

With reference to this thread, it seems that you have a small number of clients in the network.

Is it possible to recreate the new database? Replace Sylink.xml to restore clients communication?

If not possible we will try to follow some other troubleshooting steps.

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


ahazelwood's picture

I have never recreated the database so I'm not sure if I can do it or not.  Any links to directions for this?  Thanks!

How do I tell what SEP version the client is using?

Chetan Savade's picture

Hi,

After logon to the SEPM console, click on help tab & select about option.

Screenshot is attached to the reference.

For SEP clients, go to the Computers tab & select the client status view.

Database reinstall is nothing but SEPM reinstall.

You will have to uninstall SEPM through add/remove programs and do a fresh install :)

SEPM 12.1 Fresh install with Embedded database - graphical overview

http://bit.ly/KUWxaS

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Chetan Savade's picture

Is there any update on this?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Chetan Savade's picture

Hi,

You should now call support to find out the root cause of the issue.

Please contact Symantec Technical Support via the support phone numbers listed below

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp                                                                                                         

Contact Symantec Customer Care on 

http://www.symantec.com/support/assistance_care.jsp

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Chetan Savade's picture

Hi,

I haven't given up :)

According to the fix notes of latest SEP version i.e. SEP 12.1 RU2, issue is resolved in this release.

Out-of-date virus definition notifications are incorrect
Fix ID: 2863845
Symptom: Out-of-date virus definition notifications are incorrect.
Solution: Notifications now show the correct information.
 
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


SOLUTION
Ashish-Sharma's picture

Hmm... I think this is a SEPM bug....

 

Thanks In Advance

Ashish Sharma

 

 

DougDem's picture

Well I am running SEP 12.1 RU2 and the administrator daily summary report still has frequent errors in the virus definitions section. It seems to have more errors on "< 24 hours" and " > 1 day". For instance the report I generated from the management console a few moments ago says there are 222 that are > 1 day old, but when I expand the list there are 763. This is only one example. Is anyone else having issues with the Administrator Daily Summary report on 12.1 RU2?