Endpoint Protection

We have a problem since upgrading to MR5 (11.0.5002.333) involving upgraded and new SEP clients with not reporting any virus scans that are actually occurring and completing.  This problem is isolated to Vista and Windows XP SP3 computers with SEP version 11.0.5002.333 and doesn’t affect any of our servers with the same version of SEP.  I know that the virus scans (full occurring daily and active scan with new definitions) are occurring because they appear in the Windows Application log, but not within the Symantec Endpoint Protection counsel (View logs>Antivirus and Antispyware Protection>View Logs) or in the logs on the management servers.  The Scan of threats section of the SEP counsel does correctly show the last full scan.  This is not problem for clients running MR4 MP2.

Has anybody else seen this problem?  Is there a fix?

This is becoming a major problem because with have a daily report showing clients that have not had virus scans within the past week (e.g. users canceling the scans) and then we create help desk tickets to have the computers manually scanned and troubleshoot any potential SEP problems.  Now this is report is useless for SEP with MR5.

Just to make sure, have you double-checked you policy settings in SEPM to make sure the logs are retained on workstations? (Assuming you have your servers and desktops in different groups with different policies).

Yes we do have three different policy setting (desktop, laptop, and servers), but all desktop and laptops that have MR5 (whither they are in desktop or laptop policy group doesn’t matter) aren’t reporting scans, but all prior versions are.  About 90% of our desktops and laptops are still running MR4 MP2 and they have the same policy as our MR5 clients and they don’t have this problem.

Yes, I always force myself to ask questions like that because I do have admins here who manage their own SEPM domain that split computers into different groups by OS and then version of SEP, and then sometimes by department as well.  Many times they've reported problems with the "vista 64" machines or some other type of machine, but it would turn out to be their policy settings for that group.

I noticed you didn't say specifically if the SEPM server was running RU5 or if just the clients with problems were (or both).

The SEPMs are running MR5 and the problem is only occurring with MR5 clients and not with MR4 MP2 clients within the same policy applied to all desktops.  This is not a SEP policy configuration issue because the same policy is applied to both MR5 and MR4 MP2 clients and only MR5 clients are affect.

However noticed this behavior occurs only on groups that are AD OU synch. groups, copying the client to any Symantec group make the reporting working again.

All AD OU synched in our organization are experiencing the same, creating manually a group with same policies, same communication settings etc... and copying the AD object to this group or any existing group make the client reporting flowing again.

It seems to be highly related to AD OU synched groups in my case, I logged a case with Symantec support, If i get it fixed will let you know but so far the above workaround was this only temp solution I found (without any help from symantec support yet)

As well all clients in prev. versions are still functionals. Note then when you go to computer status logs, you see that last scan date appears there up to date while scan logs shows not entries for this same date and computer.

I am having the same issues.

SEPM servers running MR5, Clients running MR5, AD Sync in place.

Scans occur, the client system logs it, the SEP client never logs anything.

SEPM does understand that the scan has occured, you just have to specify the search criteria to give you info on scans that occured with files scanned over 50K (the little scans, or active scans, I dont really care about)

So it works, theirs just no logs on the local SEP client to reflect that its working.