Endpoint Protection


Old SAV Clients not purged from SEP 11 MR4


  • 1.  Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 14, 2010 12:59 PM
    I'm having a nuisance problem where several old SAV clients still appear in logs, and the Security Status reports, even though all clients were long since upgraded to SEP. Because these SAV clients no longer exist, their last scan and AV definitions cause the Security Status to show a problem. When I go into logs, I can see the same client machine listed with both SEP and SAV data, with the SAV log entry showing they have not checked in in over 6 months (also identifies the old SAV version, and server group as the "domain").

    I have tried setting the system to delete old clients, and scan logs (both to 1 day), then forcing the server to sweep the logs. However, the reports still show the out-of-date clients.

    Is there some way to manually remove old client entries from the log?

    SEP 11.0.4000.2295 using embedded DB.

    Thanks,
    DK


  • 2.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 14, 2010 08:34 PM
    Open SEPM.
    On the Home tab, click on Preferences.
    In the Logs tab, uncheck upload logs from 10.x.
    Run the Management Server Configuration Wizard of SEPM, from Start, All Programs, Symantec Endpoint Protection.
    Run a repair of SEPM from Add/Remove Programs.
    Check if that helps.
    http://img121.imageshack.us/img121/9283/logst.png


  • 3.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 02:52 AM


    Upload SAV logs.JPG


  • 4.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 04:48 AM
    Yes, it is possible to delete stale entries from the database manually. Each client has a flag called deleted, and it will be set for a client which is no longer communicating with SEPM.

    You can run the following query to check if it shows your SAV clients:
    Select computer_name from SEM_CLIENT where deleted ='1'

    If the results are positive, you can go ahead and delete them.

    Note: before doing any manipulations, please take a backup of DB.

    Cheers,
    Visu.


  • 5.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 03:30 PM
    Thanks to both of you, but the problem is not yet solved.

    1) I have already unchecked the upload legacy 10.x logs option and forced the database maintenance and sweep operations... no luck.

    2) I was able to access the database using the dbisqlc.exe utility, but the clients in question are not listed in the SEM_CLIENT table.

    Now that I have database access, I just need to identify where those old entries are located and delete them. Any ideas what table names are used for the Scan Failure and Definition Failure reports?

    DK


  • 6.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 03:40 PM


  • 7.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 04:08 PM
    Thanks, Rafeeq, I have been looking at that. Unfortunately, the reference guide does everything but specify table names. It also doesn't help identify what tables are used in the queries behind the Scan Failures and Definition Failures reports on the SEPM homepage.

    I was able to find the entries in the SEM_COMPUTER table. However, the Definition Failures report still shows 16 clients failing, even though only one computer is listed (that computer is legitimate).

    DK



  • 8.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 04:27 PM


  • 9.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 15, 2010 04:30 PM
    I'm fine editing and deleting with the dbisqlc utility, I just need to know what I'm looking for.

    I've fixed the ScanFailures report by deleting the old entries in SEM_Computer.

    The problem that remains is the Virus Definition Failures report. It only lists one computer, but the summary says there are 16 with failures. I just need to know what table that report is getting its data from.

    DK


  • 10.  RE: Old SAV Clients not purged from SEP 11 MR4
    Best Answer

    Posted Jan 15, 2010 04:44 PM
    You are running on 11.4. I think this was the bug, and it was corrected in MU5. Can you do an upgrade?

      Client status is displayed incorrectly in the Symantec Endpoint Protection Manager console
      Fix ID: 1677244
      Symptom: Client status is displayed incorrectly on the Home page Status Summary, but correctly on the Clients tab.
      Solution: Corrected the query to retrieve client status from the database.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648 


  • 11.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 16, 2010 01:18 AM
    I'm not sure which table it is... try SEM_AGENT and .. umm.. IDENTITY_MAP ... And hey, even if you delete the SEP entry which is online, the client will again register with the DB... so I guess, that shouldn't be a probs :) ..

    Cheers,
    Visu.


  • 12.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 16, 2010 01:39 AM
    Go to Admin > Servers > local site > edit site properties. In both the database and log settings tabs, reduce the values and try...


  • 13.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 18, 2010 01:42 PM
    Thanks. I'll try upgrading to MR5 this weekend as I already have some maintenance planned.

    DK


  • 14.  RE: Old SAV Clients not purged from SEP 11 MR4

    Posted Jan 25, 2010 09:43 AM
    The RU5 update seems to have taken care of the rest of the problem. All of the status reports now show the correct number of clients and failures.

    I appreciate all the help and input.

    Thanks,
    DK