Endpoint Protection

  • 1.  Endpoint does not appear in SEPM

    Posted Sep 08, 2018 06:39 AM

    Hi,

    the customer has SEPM 14.0.1904.0000 running on a Win 2008R2 server (also a DC). The clients are SEP 14.0.1904.0000 or 14.0.3752. 6 months ago a junior computer guy used an image to set up two new machines, without preparing the image properly. So I am pretty sure the two new machines ended up with identical SEP hardware IDs. They only appeared in SEPM one at a time. This problem was never solved, for lack of interest at the customer. Let's call the two machines E and U.

    Yesterday I was at the customer and now neither of the two machines was visible in SEPM. I removed SEP from U, downloaded the newest SEP (version 14.2.770.0000) and installed it, and read the communication file into it so that it should know how to find SEPM. Hoping that this would change the hardware ID. The machine is Win10 April 2018. Now E (the other Win10 machine) appeared correctly in SNMP. However still no sign of U. The SEP should be compatible with the Win10, according to https://support.symantec.com/en_US/article.TECH235706.html

    I ran cmd as admin and ran RepairClonedImage.exe -v. It said it finished successfully. However, the client still does not appear in SEPM. https://support.symantec.com/en_US/article.TECH163349.html

    Ping works, and I do not think it is a network issue. I activated the apache access log, https://support.symantec.com/en_US/article.HOWTO80741.html. This is what it typically looks like:

    192.168.10.50 - - [07/Sep/2018:18:01:54 +0200] "POST /secars/secars.dll?h=082962A18F61CD85B5D1...A4AECFB4BE2C20FD HTTP/1.1" 200 - "-" "-"
    192.168.10.154 - - [07/Sep/2018:17:40:07 +0200] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 531 "-" "Sylink"

    .50 is one of the good machines, that is visible in SEPM. .154 is the machine that is not visible. For the good machine there is secars, and a really long number (my abbreviation with ... dots). For the bad machine there is secreg and no long number.

    Is there a way to display the hardware ID on a SEP? So that I can check if the two machines U and E have identical hardware ID.

    Does a reinstall of the SEP change the hardware ID?

    Could it be a problem that a machine has the newest SEP, while the SEPM server is an older version? Could it be a problem with the latest SEP?

    How to interpret the Apache log?

    Any other insights as to how to fix this?

    Grateful for all insights.
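
    An added example, not part of the original post: a small parser that groups access-log lines like the two quoted above by client IP and flags clients that only show failing secreg requests and no successful secars request. The labels `checking_in` and `secreg_failing` are names chosen here for the two patterns the post describes, not Symantec terms.

```python
import re
from collections import defaultdict

# Apache access-log line in the layout shown in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^ ?"]+)(?:\?(?P<query>\S*))? [^"]*" '
    r'(?P<status>\d{3}) '
)

# The two lines quoted in the post; the h= value keeps the poster's "..." elision.
SAMPLE_LOG = '''\
192.168.10.50 - - [07/Sep/2018:18:01:54 +0200] "POST /secars/secars.dll?h=082962A18F61CD85B5D1...A4AECFB4BE2C20FD HTTP/1.1" 200 - "-" "-"
192.168.10.154 - - [07/Sep/2018:17:40:07 +0200] "POST /secreg/secreg.dll?l=2 HTTP/1.1" 500 531 "-" "Sylink"
'''

def summarize(log_text):
    """Count requests per client IP, keyed by (endpoint, status code)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        # "/secars/secars.dll" -> "secars"
        endpoint = m["path"].strip("/").split("/")[0].lower()
        hits[m["ip"]][(endpoint, int(m["status"]))] += 1
    return hits

def classify(log_text):
    """Label each client IP by the request pattern seen in the log."""
    result = {}
    for ip, counts in summarize(log_text).items():
        secars_ok = any(ep == "secars" and 200 <= st < 300 for ep, st in counts)
        secreg_5xx = any(ep == "secreg" and st >= 500 for ep, st in counts)
        if secars_ok:
            result[ip] = "checking_in"      # like .50 in the post
        elif secreg_5xx:
            result[ip] = "secreg_failing"   # like .154 in the post
        else:
            result[ip] = "other"
    return result

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(ip, label)
```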



  • 2.  RE: Endpoint does not appear in SEPM

    Posted Sep 08, 2018 06:42 AM

    Does the client show as connected on its end? What does SymDiag show or sylink debugging?

    Even an older 14 SEPM can manage newer 14 SEP clients, although not recommended.

    https://www.symantec.com/connect/forums/sepm-never-shows-both-win10-sep-clients-same-time#comment-11938371



  • 3.  RE: Endpoint does not appear in SEPM

    Posted Sep 08, 2018 02:16 PM

    The client does not show as connected on its end: On the bad machine I go to the SEP, press Help-Troubleshooting, go to Server Connection Status, press Connect Now. It is requesting updated policy from the SEPM. However, Status remains Not Connected. And there is HTTP error 500. It tries to connect to the correct IP (the ip of the SEPM server), on port 444. The firewall on the machine is controlled by SEP. Last Successful Connection is Never. Under Help-Troubleshooting-Management, the Server is Offline.

    I have not tried SymDiag or sylink debugging. Will try this next time I get the chance with the customer. I will come back with more info then.

    Is there a way to display the hardware ID of a SEP?

    Where can I download earlier SEP versions? Like the one corresponding to our SEPM.

    Thanks for helping out.



  • 4.  RE: Endpoint does not appear in SEPM

    Posted Sep 08, 2018 02:27 PM

    Should be in C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml

    Only the current version is available for download. If you need older versions then contact support.



  • 5.  RE: Endpoint does not appear in SEPM

    Trusted Advisor
    Posted Sep 27, 2018 04:13 AM

    After uninstalling the SEP client, verify that the files & registry entries have been deleted as well.

    See https://support.symantec.com/en_US/article.HOWTO54706.html for the details of the paths & registry (bottom of article)



  • 6.  RE: Endpoint does not appear in SEPM

    Posted Jan 23, 2019 09:27 AM

    Hi, I was at the client site on Monday. I kept working on the problem discussed in this thread. Earlier I had contact with Symantec support and got download links for SEP 14.0.1904 and 14.0.3752.

    1) I checked the sephwid.xml file on the two machines U and E. If I interpret the file correctly, the two did not have the same SEP hardware ID.

    In the sephwid.xml file the U machine has: <HardwareID ID="CDD37A43E961FC1A41B9C8B406A64369" CreationTime="1536347208" LastUsedTime="1548068002"/>

    The E machine has: <HardwareID ID="79DE26E32C2E0B77B1EEDA03BFE124C9" CreationTime="1507822884" LastUsedTime="1547630806"/>

    Is this ID the correct entry to compare? In the file there are also System ID, 1-7. Is Hardware ID a Symantec number and the System IDs machine numbers? (like Mac, fqdn etc).

    2) I ran SymDiag on U. I have not yet sent it in to Symantec for interpretation.

    3) I removed the SEP from the U machine. I was then careful to remove the files & registry entries (see post from Tony Sutton above). Both machines had enrollmentinfo and sephwid file in C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData. The E machine also had other Symantec files to be deleted. Both machines are Win10 Pro. Then I tried to install SEP 14.0.1904. Could not install it - guess it is not for Win10. Then I tried to install SEP 14.0.3752. Did work. I read the communication file into the SEP and the client was now communicating correctly with the server. On both the machines E and U. The customer also had a new client machine that I installed SEP 14.0.3752 on.

    Now the communication with SEPM is correct. However, there is a new error in SEPM: Intrusion Prevention Signature Failures. All the 3 Win10 (E, U and the new one) machines have this error. And none of the Win7 machines. What does it mean and how do I fix it?
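
    An added example, not part of the original post: the manual comparison of sephwid.xml files from step 1, done in code for any number of machines. It reads the `HardwareID` element quoted above, groups hosts that share an ID, and decodes the timestamps on the assumption that they are Unix epoch seconds; the function names are chosen here for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# HardwareID elements exactly as quoted in the post, keyed by the poster's machine names.
SEPHWID = {
    "U": '<HardwareID ID="CDD37A43E961FC1A41B9C8B406A64369" '
         'CreationTime="1536347208" LastUsedTime="1548068002"/>',
    "E": '<HardwareID ID="79DE26E32C2E0B77B1EEDA03BFE124C9" '
         'CreationTime="1507822884" LastUsedTime="1547630806"/>',
}

def _utc(epoch):
    # Assumption: the attribute holds Unix epoch seconds.
    if epoch is None:
        return None
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()

def read_hwid(xml_text):
    """Return the ID and decoded timestamps of the first HardwareID element."""
    root = ET.fromstring(xml_text)
    # iter() also yields the root itself, so this works whether the element
    # is the whole document or nested inside a larger file.
    node = next(root.iter("HardwareID"), None)
    if node is None or not node.get("ID"):
        raise ValueError("no HardwareID element with an ID attribute")
    return {
        "id": node.get("ID").upper(),
        "created": _utc(node.get("CreationTime")),
        "last_used": _utc(node.get("LastUsedTime")),
    }

def find_duplicates(files):
    """Map each hardware ID used by more than one host to those hosts."""
    by_id = defaultdict(list)
    for host, xml_text in files.items():
        by_id[read_hwid(xml_text)["id"]].append(host)
    return {hwid: sorted(hosts) for hwid, hosts in by_id.items() if len(hosts) > 1}

if __name__ == "__main__":
    for host, xml_text in SEPHWID.items():
        print(host, read_hwid(xml_text))
    print("duplicates:", find_duplicates(SEPHWID))
```

    Under the epoch-seconds assumption, U's CreationTime decodes to 2018-09-07, the same date as the log lines in the first post.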