Endpoint Protection


Couple of Issues with SEP regarding Disabled and Out of Date Clients

Sulman Mushtaq Mushtaq Hussain

  • 1.  Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 11, 2016 03:58 AM

    Hi guys, I am facing a couple of issues with SEP endpoints regarding them appearing as Disabled and Out of Date on SEPM servers. The version of SEPM is 12.1.5 and clients are running a mix of 12.1.5, 12.1.4 and 12.1.3.

     

    Out of Date Clients.

    Mostly the following components are shown as out of date in the SEPM report. Screenshot attached.

    AV, IPS, Sonar, Download Protection

    OS of machines varies from Windows7, Server 2008 R2, 

     

    Disabled Clients.

    Mostly the following components are showing as malfunctioning in the SEPM report.

    AP, Sonar, Download Insight, Tamper Protection.

    OS of machines are Windows 7 (all protection components are installed) and Server 2008 R2 and Server 2012 (only the AV component installed and Download Insight). Screenshot attached.

     

    I would really appreciate your support in getting to the root cause of the above behaviors and how we can fix them without reinstalling the agent.

     

    Thanks and Regards



  • 2.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 11, 2016 04:12 AM

    Your suggestions and opinions are greatly welcomed.

     

    Thanks & Regards,



  • 3.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 11, 2016 07:40 AM

    There could be a myriad of reasons as to why. First off, run the SymDiag tool:

    About SymDiag - formerly SymHelp

     

    So you don't spend too many resources, try a repair, if that doesn't work you may as well re-install.



  • 4.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Trusted Advisor
    Posted Apr 11, 2016 08:11 AM

    On these affected machines, bring up the SEP client and go to Help -> Troubleshooting and verify that it's connected to the server & date/time of last connection.

    Also check the logs as well to see if there's any error messages and go from there.

    SymDiag tool can help as well - run it and it will tell you what's up.

    Now and then, they do get corrupted, i.e. bad def updates. But use the tools above to get started to find out what's wrong with them.



  • 5.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 11, 2016 09:45 AM

    I will run the SymHelp tool on the affected endpoints, but running a repair or reinstall on 80 production servers without a valid reason is a difficult thing to make the customer do, as there is no proper justification and a reinstall requires a reboot.

    I wish we could have a script from Symantec that could wipe out the corrupted definitions automatically. Anyone aware of such a script?

     

     



  • 6.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 11, 2016 09:47 AM

    The problem is the issue already occurred and if you didn't have advanced logging already enabled, you're not going to see much. If it's a one off then I wouldn't waste the time. I'd run a repair first, re-install second and be done.

    If it's a repeat offender, then enable logging, let it run until the issue occurs again and comb through the logs (which are cryptic and usually support needs to be brought in).

    ...but that's just my two cents.



  • 7.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Trusted Advisor
    Posted Apr 11, 2016 10:02 AM

    In addition to what ℬrίαη has said regarding your 1st paragraph, I'll quickly answer your 2nd paragraph...

    This is what I did the last time when the clients had corrupted definitions - you do this from SEPM and all clients will have a fresh set of definitions once you have done this step.

    https://support.symantec.com/en_US/article.TECH166923.html

    Have a try with SymDiag first and if it gets you nowhere, try the step above.



  • 8.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 12, 2016 12:24 AM

    Hi guys, I just wanted to confirm one thing. If I upgrade these clients from 12.1.5 to 12.1.6 MP4, is it going to fix this Out of Date and component malfunction issue? Or is the only well-known fix for this problem either the repair or the reinstall?

    Have you seen any instances where the upgrade to a newer release has fixed this issue?

     

    Thanks and Regards 



  • 9.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Trusted Advisor
    Posted Apr 12, 2016 01:53 AM

    Since you do not know what is causing the issue, it's hard to tell if upgrading will resolve this issue or not. What about doing a test upgrade on one of these machines and seeing if it resolves the issue?



  • 10.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 12, 2016 02:58 AM

    Yeah, I am thinking of doing the same to see if the upgrade would resolve the issue instead of doing the troubleshooting, which will consume a lot of time.

    I will run SymDiag shortly on a few sample machines to see if it reports any cause for this behavior.

     

    Thanks



  • 11.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 12, 2016 07:25 AM

    Upgrade may or may not fix it, depends on what the exact issue is.



  • 12.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 12, 2016 05:47 PM

    Hi guys, just to update you on this. I ran SymDiag on a few sample endpoints rendering the above behavior, on which all protection features are installed, and the report showed that the definitions are corrupted and some services are not running (it makes sense).

    However, I also ran the same tool on a few servers rendering the same Disabled and Out of Date problem. Now on these servers only the AV and IPS components are installed (AV and IPS are both updated with the latest protection definitions). However, when we click the disabled list on the SEPM console, these same servers are part of the disabled list, because for the SONAR feature it shows as "Not Available in the report", whereas in reality SONAR isn't installed on the server. The same is true for the other two servers as well.

    Another thing in the report was that Download Protection content was showing as out of date for all three servers (the last download date for Download Protection content was different for all three servers). However, these three servers are downloading the definitions from the same SEPM server from which the other 1,000 endpoints are downloading as well, and they don't have this behavior for Download Protection content.

    What is wrong here?

     

    Thanks



  • 13.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 12, 2016 05:53 PM

    This was an issue on older versions of SEP, incorrect reporting that is.



  • 14.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 13, 2016 02:25 AM

    Well, the version of SEPM is 12.1.5 and the client version is a mix of 12.1.2, 12.1.4 and 12.1.5.

     

    You mean this is a reporting error? Just one more thing which I observed: when I ran the Diag on one of the servers on which only the AV and IPS components were installed, it complained about some Sonar driver, however the Sonar component itself is not installed.

     



  • 15.  RE: Couple of Issues with SEP regarding Disabled and Out of Date Clients

    Posted Apr 13, 2016 07:39 AM

    Yea, seen this happen with those older versions and incorrect reporting in SEPM