Data Loss Prevention

  • 1.  DLP agent manual restart.

    Posted Sep 23, 2015 09:51 AM

    Hi Everyone,

    I just need help on how I can restart the agent manually without rebooting the endpoint or host where it is installed. The reason is that some of the agents appear as not reporting; both the EDPA and WDP services are running on the host, and it can also communicate with the Endpoint server. Telnet is successful as well. So my last option is to restart the EDPA and WDP services.

    BTW: Already issued the SC STOP EDPA command but it fails. Ran as admin.

    Any other option?

    Thank you.

    Cris



  • 2.  RE: DLP agent manual restart.
    Best Answer

    Posted Sep 23, 2015 10:35 AM

    Hi spiky,

    As far as I know, you have 3 options for that (and 2 of them you've already said):

    - restart services (EDPA and WDP);

    - restart machine;

    - restart agent on DLP console

       - System -> Agents -> select machine you want -> Restart

     

    Regards,



  • 3.  RE: DLP agent manual restart.

    Posted Sep 23, 2015 02:40 PM

    I've been through this situation many times and I know it's more difficult when the agent is showing the "not reporting" status in the console. You can't even run the reboot task in such cases from the Enforce Console - Agent overview.

    SC STOP EDPA doesn't help, I know, I have tried that myself.

    What I would normally do in such cases is use the service shutdown tool (service_shutdown.exe), which comes with the DLP installation binaries from fileconnect. Simply copy this tool to "C:\Program Files\Manufacturer\Endpoint Agent" and run it through the command line. It would prompt you for the tools password and your services would be stopped.

    You then net start edpa and net start wdp later. This completes the stopping and restarting of services.

    When the number is more, I would even store this tool on the shared drive and run these commands using psexec. Let me know if you need to know the syntax & I can share the same with you. This normally helps me restart DLP services on a large number of broken DLP agents without having to restart them.

    example: psexec.exe @hostlist \\share\service_shutdown.exe -p___



  • 4.  RE: DLP agent manual restart.

    Posted Sep 28, 2015 06:52 AM

    Thanks Paulo and Leadvue for the response.

    @Leadvue, can you share with me the PSEXEC syntax that you mentioned? Because I'm facing a large number of agents not reporting and this will save me from going through all of them.

    Regards,

    Cris



  • 5.  RE: DLP agent manual restart.

    Posted Sep 28, 2015 09:14 AM

    Considering the Default Admin$ is enabled in your environment (port 445 accessible) -

    PsExec.exe -u "domain\user" @hostlist.txt \\sharename\psshutdown.exe -p "_____"

    • Download and store the PsExec file on the C: Drive (on C:\PsExec)
    • Create a txt file named "hostlist.txt" and store IP/Hostname of all systems where you need to perform this action (each new IP on a new line)
    • On a shared location, which is accessible to all affected clients, store the psshutdown.exe tool
    • Remember to enter the tool password along with the -p switch in the original psexec command stated above.

    All the best & let me know how it goes.

    Best Regards,

    Leadvue



  • 6.  RE: DLP agent manual restart.

    Posted Sep 29, 2015 12:49 AM

    Leadvue,

    Is it psshutdown.exe or service_shutdown.exe? What does this psshutdown.exe do?

    Thanks.

    Regards,

    Cris



  • 7.  RE: DLP agent manual restart.

    Posted Sep 29, 2015 09:16 AM

    PsShutdown is a subset of the PsTools from SysInternals. You don't need that - that's for restarting systems remotely.

    You need two things here: 1.) the normal "PsExec" tool from the PsTools family & 2.) service_shutdown.exe, which is in the Tools directory on the DLP agent binaries you download from fileconnect.

    So to summarize:

    PsExec - Microsoft Sysinternals Tool for remote command execution

    service_shutdown.exe - Symantec Vontu DLP Tool for actually entering the Tools password and shutting down edpa & wdp gracefully.

    Do not hesitate to reach out to me if you have any further questions.
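
The stop, start and verify steps from posts 3, 5 and 7 combined into one PowerShell script, as an added example that is not part of any post in this thread. The paths, share, account and output file names are placeholders; the `-p` switch form for service_shutdown.exe is the one quoted in the posts; using `sc.exe` against the remote hosts instead of a local `net start`, and PsExec's `-accepteula` switch, are choices made for this example.

```powershell
# Added example, not from the thread. Paths, share and account names are placeholders.
$PsExec   = 'C:\PsExec\PsExec.exe'                 # location suggested in post 5
$HostList = (Resolve-Path '.\hostlist.txt').Path   # one IP/hostname per line
$Tool     = '\\sharename\service_shutdown.exe'     # tool name as corrected in post 7
$User     = 'domain\user'                          # account with admin rights on the hosts
$Services = 'EDPA', 'WDP'

# Prompt for the tools password so it is not saved in the script file.
# It is still passed on the remote command line, so it can appear in
# process-creation logs on the endpoints if command-line auditing is enabled.
$secure = Read-Host 'DLP tools password' -AsSecureString
$toolPw = [System.Net.NetworkCredential]::new('', $secure).Password

# Step 1: stop the agent services on every listed host with the vendor tool.
# PsExec asks for the account password itself because -u is given without -p.
& $PsExec "@$HostList" -accepteula -u $User $Tool -p $toolPw

# Returns the state word sc.exe reports (RUNNING, STOPPED, ...) or UNKNOWN.
function Get-RemoteState($Computer, $Service) {
    $out = & sc.exe "\\$Computer" query $Service | Out-String
    if ($out -match 'STATE\s+:\s+\d+\s+(\w+)') { $Matches[1] } else { 'UNKNOWN' }
}

# Step 2: per host, record the state left by step 1, start the services
# (remote equivalent of "net start edpa" / "net start wdp"), then re-check.
$targets = Get-Content $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($t in $targets) {
    $row = [ordered]@{ Host = $t }
    foreach ($svc in $Services) {
        $row["${svc}_Before"] = Get-RemoteState $t $svc   # expected: STOPPED
        & sc.exe "\\$t" start $svc | Out-Null
    }
    Start-Sleep -Seconds 5                                # give the services time to start
    foreach ($svc in $Services) {
        $row["${svc}_After"] = Get-RemoteState $t $svc    # expected: RUNNING
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# Hosts that need a manual look: a service that was never stopped was not
# restarted, and a service that is not RUNNING afterwards did not come back.
$results | Where-Object {
    $_.EDPA_Before -eq 'RUNNING' -or $_.WDP_Before -eq 'RUNNING' -or
    $_.EDPA_After  -ne 'RUNNING' -or $_.WDP_After  -ne 'RUNNING'
} | Export-Csv '.\dlp_restart_failures.csv' -NoTypeInformation
```

Run it from an elevated prompt under an account that can query and start services on the listed hosts; hosts written to the CSV are the ones to follow up on.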