Duplications of computers in the SEPM UI's Client corups
I was told that SEP communicates with Clients differently than SCS. And that the problem with duplicate computer entries was resolved.
This problem is usually the result of a machine getting a different IP address and the antivirus server listing the machine as a new entry. So you end up with computer JohnDoe1 (10.10.10.1) and the same computer JohnDoe1 (172.0.0.1).
The client computer can get different IPs for many reasons, like a laptop switching from wired to wireless, the client machine being wired to a different part of the building (different VLAN), or the user VPNing into the company.
I did an export of my clients today and was shocked to see that this problem was not fixed.
I currently have a total count of 1448 machines listed. However, 45 of the machines have 379 duplicate entries (some machines are listed many times). So the end result is I really only should have 1069 machines listed.
Comments
Info
Greetings timaa,
Are you importing your clients via AD? Moving clients at all? What exactly is changing in your environment when these entries appear? Are you using any kind of imaging with SEP on it? What is the version number of SEP that you are using? (i.e. 11.0.x.x?)
SEPM does not list clients via IP address; it's by an ID that is assigned to the machine and stored in the registry the first time it checks into the SEPM. This will prevent any duplicate entries based just on IP address.
Remote Product Specialist, Business Critical Services, Symantec
Specs
We are using 11.0.4202.75.
We use SCCM to image. The image does not have SEP installed. I already stated that the duplicate entries happen when the client checks into the SEPM while having a different IP than what the SEPM knew about.
AD is not set up to get/give any info to the SEPM.
The type of information I get is from an export of a report:
I don't really understand your comment about "SEPM does not list clients via IP address". Unless you are thinking that when I listed the example with the IP in parentheses that I was referring to a UI looking that way.
If you fire up the SEPM UI, click the Clients tab, and click on a client group, the column headers are:
Name, Logon Client, IP Address, Last Scan, Antivirus Status, Firewall Status, Virus Definition.
The report I was talking about exporting was actually:
Monitors\Logs\Computer Status\View Log\Export
Info
Greetings timaa,
Thanks for the clarification. What I meant by the IP address comment is that the SEPM will not create another client entry in the database if the client checks in with multiple IP addresses. When the client checks in, the SEPM will get the GUID, which is a unique ID assigned to every client. If the unique ID is already in the database, then it will link up with the existing client entry and normal communication occurs.
In your case, it appears that when the client connects in it is not getting the existing unique ID that should tie it to the existing database entry so it creates a new client entry resulting in a duplicate.
The registry entry that stores this ID is: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
The most likely culprit here is that this ID is getting changed/modified in some way/shape/form to create a new entry in the database. The computer name/IP address/etc. do not matter on a client machine; if this ID is different than what the SEPM database has, it will create a new instance in the database.
If you know of nothing going on in your environment that would cause this it may be a good idea to log a case with Symantec so we can do more thorough investigating.
Remote Product Specialist, Business Critical Services, Symantec
clarification
So, from the export, I looked up a machine that had many dupes (in the XLS): "102571-X60S". This machine had 9 entries in the export. I decided to do a client search in the SEPM UI and it only returned 1 entry.
So it seems to me that the problem is only when you do the exports. The SEPM UI seems to be correct.
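The following is an added example, not part of the original thread and not Symantec code: a way to triage a Computer Status export and separate repeated rows that share one client ID (a reporting artifact, as the last post concludes) from rows where the ID changed (the re-registration case described in the Symantec reply). The CSV layout, the column names and the sample rows are assumptions constructed for illustration; map them to the headers in your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions, not the
# real SEPM export headers; adjust them to match your own file.
SAMPLE_EXPORT = """Computer Name,IP Address,Hardware ID
JohnDoe1,10.10.10.1,AAAA1111
JohnDoe1,172.0.0.1,AAAA1111
JaneDoe2,10.10.10.7,BBBB2222
JaneDoe2,10.10.10.7,CCCC3333
Kiosk3,10.10.10.9,DDDD4444
"""

def triage_export(csv_text, name_col="Computer Name",
                  ip_col="IP Address", id_col="Hardware ID"):
    """Group export rows by computer name and classify each name."""
    rows_by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Windows computer names are case-insensitive, so normalise.
        rows_by_name[row[name_col].strip().lower()].append(row)

    report = {}
    for name, rows in rows_by_name.items():
        ids = {r[id_col].strip() for r in rows}
        ips = {r[ip_col].strip() for r in rows}
        if len(rows) == 1:
            verdict = "unique"
        elif len(ids) == 1:
            # Same client ID on every row: one client, listed repeatedly.
            verdict = "same-id-repeat"
        else:
            # The ID differs between rows: the client registered again.
            verdict = "id-changed"
        report[name] = {"rows": len(rows), "ids": len(ids),
                        "ips": len(ips), "verdict": verdict}
    return report

def summarize(report):
    """Total rows, distinct names, and rows beyond one per name."""
    total = sum(entry["rows"] for entry in report.values())
    return {"total_rows": total, "unique_names": len(report),
            "extra_rows": total - len(report)}

if __name__ == "__main__":
    rep = triage_export(SAMPLE_EXPORT)
    for name, entry in sorted(rep.items()):
        print(name, entry)
    print(summarize(rep))
```

Names reported as `id-changed` are the ones worth checking against the `HardwareID` registry value mentioned above; `same-id-repeat` names point at the export rather than the client.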