Endpoint Protection


Monitor Tab - everything reports 'No Information'

  • 1.  Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 08:39 AM

    SEP 11

     

    I am trying to figure out why most of the items in the Monitor tab of the Manager Console show 'No Information.' The 'Compliance Status Distribution' is the only one that seems to have any data.

    We have been running SEP 11 for several months now, so there should be some data. Also, we had a few infections that we were not alerted to because it does not appear to be monitoring anything. If I run a report, most come back with no data.

    I have read in the forums of other people having a problem where the Monitor Tab is completely blank, so I checked my SQL connection, which was a success, and looked at IIS settings to see if anything stood out.

     

    Has anyone seen this before or have any ideas of what I can check to see why SEP manager is not monitoring everything it should be?

     

    Thanks



  • 2.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 08:42 AM

    These are data for the past 12 hours only; if nothing happened in your network then they will always be blank. It's been blank for me for the past 4 months.



  • 3.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 08:56 AM

    Now that might have passed 12 hours.

    Use the EICAR test string on a few servers, then create a log here; it will show you the details.



  • 4.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 09:01 AM

    That would make sense, but when I run reports for the last year, it says there were no infections, and I know there are because when I look at the local machine's risk log, the infections are there, but they don't seem to be reported to the server.



  • 5.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 09:02 AM

    Those reports are only good for 12 hours before all the data is lost?

     

    Basically, I want to figure out how to get email alerts when there are infections detected. And I don't seem to be able to set that up in the Management console because it is not reported.



  • 6.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 09:22 AM


  • 7.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 04:53 PM

    Sorry I took so long to respond. It was a busy day.

    I have notifications set up now for client security, new risk detected and single risk detected, but I did not get an email alert when I opened the EICAR test file. I did get an alert on the local machine saying it was removed. I waited about an hour to see if it would come in.

    I tried this http://www.symantec.com/business/support/index?page=content&id=TECH95887&locale=en_US

    And the notifications seem to work fine, but I am not notified when a virus is found.

     

    I also followed this http://www.symantec.com/business/support/index?page=content&id=TECH104580&locale=en_US

    to make sure I am notified about EICAR, and looking in Monitor > Logs > Risk, the log is empty. It doesn't even show the virus infection we had a few days ago.



  • 8.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 06:19 PM

    If I go to Logs-Risk or Scans and choose a time range of 1 year, it is empty.

    Audit and Computer status do work. There are log entries

     

    Where can I check to see if there is external logging? We do use SQL, not the builtin server

    Thanks

     

    EDIT

    Neither link seems to work, I get

    The URL you've tried isn't returning content. There are two possibilities:

    1. There is no article associated with this URL. Try searching our Knowledge Base.

    2. The article is protected and requires you to be signed into an authorized account to read it. Sign In with your SymAccount



  • 9.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 06:21 PM

    The Monitors Summary tab does in fact only show the last 12 hours.  If you try to run reports in Monitors > Logs, do you get anything back?  Do you use External Logging?

    New Risk will probably not now trigger an alert for Eicar because it's been reported before.  The following document may explain why you're not getting Single Risk alerts.

    "Single Risk event notifications are not being sent."
    http://www.symantec.com/docs/TECH140732

    This may be of help to you:

    [deleted, will put info into reply]

    sandra



  • 10.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 26, 2010 06:28 PM

    My apologies, the new KB system we have doesn't make it blindingly obvious when it's an internal doc.  Here's the pertinent info, which would pertain to mail delivery failure.  But it sounds like you're able to get other emails just fine, so this probably isn't going to help.

    ---

    Advanced logging for the SEPM console can be enabled by:

    1. Stop the Symantec Endpoint Protection Manager service
    2. Add the lines scm.log.loglevel=FINEST and scm.mail.troubleshoot=1 to the bottom of the file:

      C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
    3. Restart the Symantec Endpoint Protection Manager service

    Once logging is enabled, search this log for the email address the notification should have gone to:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\SecurityNotifyTask.log

    -or-

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\catalina.out

    ---

    The one about Single Risk involved replication, and should be visible.  Do you know if replication is in use?

    External logging is noted under Admin > Servers > Local Site.  This would be forwarding logging to Syslog server, for example.

    What version of SQL, and is it on the same box as the SEPM, or remote?

    sandra
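
    The three steps above, scripted, as an added example that is not part of the thread or of Symantec's documentation. Assumptions not in the original: the install root and the recipient address are parameters (the address is a placeholder); the service is located by the display name quoted in the steps; "MessagingException" is a guess at what a mail delivery failure looks like in catalina.out, and the backup of conf.properties is there so FINEST logging can be reverted once the problem is found.

```powershell
# Added example (not from the thread): automate the conf.properties / service steps above.
# Assumptions: install root and recipient address are parameters; the recipient is a placeholder.
param(
    [string]$SepmRoot      = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [string]$NotifyAddress = 'sep-alerts@example.com'   # placeholder; replace with the real recipient
)

$conf   = Join-Path $SepmRoot 'tomcat\etc\conf.properties'
$logDir = Join-Path $SepmRoot 'tomcat\logs'
$svc    = Get-Service -DisplayName 'Symantec Endpoint Protection Manager'

# 1. Stop the Symantec Endpoint Protection Manager service and wait until it is really down
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Keep a dated backup of conf.properties (FINEST logging is noisy; restore this file when done),
#    then append the two settings, skipping any key that is already present
Copy-Item -LiteralPath $conf -Destination "$conf.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
$existing = Get-Content -LiteralPath $conf
foreach ($setting in 'scm.log.loglevel=FINEST', 'scm.mail.troubleshoot=1') {
    $key = $setting.Split('=')[0]
    if ($existing -match ('^\s*' + [regex]::Escape($key) + '\s*=')) {
        Write-Warning "$key is already set in conf.properties; leaving it alone"
    } else {
        Add-Content -LiteralPath $conf -Value $setting -Encoding Ascii
    }
}

# 3. Restart the service
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Now reproduce the condition (open an EICAR file on a client, wait a heartbeat or two) and
# search the two logs named above. No hit on the address at all means the event never reached
# the notification task; hits followed by SMTP errors mean mail delivery is the problem.
$logs = 'SecurityNotifyTask.log', 'catalina.out' |
    ForEach-Object { Join-Path $logDir $_ } |
    Where-Object { Test-Path -LiteralPath $_ }

$patterns = @(
    [regex]::Escape($NotifyAddress),
    'SMTP',
    'MessagingException',   # assumption: javax.mail's exception class, the likely shape of a delivery error
    'SEVERE'
)
Select-String -LiteralPath $logs -Pattern $patterns |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize -Wrap
```

    Run it from an elevated prompt on the SEPM host. The distinction the search makes is the one that matters for this thread: if the recipient address never appears in SecurityNotifyTask.log after a detection, the risk event is not reaching the manager, which is a log-processing or database problem rather than a mail problem.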



  • 11.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 12:18 AM

    The log entries are stored for 30 days; you can see those settings under Admin > Servers > Local Site.

    I think single risk is detected only once; the first thing we need to verify is whether we are getting any kind of reports at all.

    Can you create a notification for virus definitions out of date? This would help us to narrow down the issue.

    Hope your email address is not filtered by your Exchange server.



  • 12.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 08:09 AM

    I set up all those notifications that sounded like they could affect the EICAR notification, so no, there is not any replication.

     

    External logging is disabled.

     

    Running sql 2005 on another server, not on SEPM.



  • 13.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 08:30 AM

    I checked the log settings and they are set for 60 days.

     

    I created a notification for virus definitions out of date, for 1 computer being out of date by 1 day.

     

    EDIT: I just got the email notification with attached report about virus definitions being out of date.



  • 14.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 08:34 AM

    Hurray! It's working now :)

    No issues with Exchange now :)



  • 15.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 08:36 AM

    Yes, now I just need a way to test the notification when a virus is detected.



  • 16.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:06 AM

    The secars test should work; it depends on the heartbeat interval at which your clients send logs to the manager. What heartbeat interval have you set?



  • 17.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:15 AM

    I am using push mode, but the heartbeat is set to 5 minutes.

     

    I opened the eicar file about 5 times yesterday within about an hour and have not gotten any alerts from the server about it. The local machine has all incidents logged.



  • 18.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:21 AM


  • 19.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:32 AM

    The risk logs for the past year are empty

    Damper is set to auto

    And 'delete eicar event' is unchecked



  • 20.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:44 AM

    We will wait for some time; let's see what happens.



  • 21.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 09:45 AM

    This is how it was set overnight, after I opened eicar test several times yesterday.

     

    It shouldn't take days to receive notifications about detected viruses.



  • 22.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 11:22 AM

    The damper would probably mean that you would get one report instead of several, but no, it should not take days to receive notifications.  With your heartbeat as frequent as it is, the clients should be uploading their logs (including threat detections and other information that would trigger emailed alerts) with regular frequency.

    This delay suggests to me that the clients are either having trouble uploading the logs, or the SEPM is having trouble processing them.  It also sounds like the risk data is not making it to the SQL server, either.

    Is the version of the SQL Client Tools installed on the SEPM the same as the version of SQL that the database is using?  I.e. Client Tools should be SQL 2005 as well.

    Do you see a buildup of files in the SEPM folder \data\inbox\log subdirectories?

    sandra



  • 23.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 12:41 PM

    Yes, it is the same version of client tools

    It does seem like there is a buildup of files in some of the log subdirectories, but I am not sure what is considered normal for a business our size. About 150 SEP clients.

     

    behavior - 7 files

    client - 220 000 files

    lansensor - 0

    packets - 0

    security - 1200

    system - 37 000

    tex - 76 000

    traffic - 222 000



  • 24.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 01:50 PM

    That does seem excessive for 150 clients, at least to me.  What's the date of the oldest file in, say, client?  Are any of them .err files?

    sandra



  • 25.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 02:11 PM

    No .err files, just .dat.

    The earliest file is 5-14-10, which I believe is about the time we would have started rolling it out, and the latest is a few minutes ago today.
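
    The check the last few replies walk through (files per inbox subfolder, .err files, age of the oldest file), as an added example that is not part of the thread. Assumptions not in the original: the install root and the two thresholds are parameters, and the thresholds are arbitrary starting points; the non-zero exit code is there so the script can run as a scheduled task and raise the alert SEPM itself does not.

```powershell
# Added example (not from the thread): measure the backlog under <SEPM>\data\inbox\log.
# Assumptions: install root and thresholds are parameters; the thresholds are arbitrary.
param(
    [string]$SepmRoot  = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [int]$WarnCount    = 5000,   # assumed "buildup" threshold for 150 clients at a 5-minute heartbeat
    [int]$WarnAgeHours = 24      # a .dat older than this has clearly not been processed
)

$inbox = Join-Path $SepmRoot 'data\inbox\log'
if (-not (Test-Path -LiteralPath $inbox)) { throw "Inbox folder not found: $inbox" }

$now = Get-Date
$report = foreach ($dir in Get-ChildItem -LiteralPath $inbox -Directory) {
    $files  = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -ErrorAction SilentlyContinue)
    $dat    = @($files | Where-Object Extension -eq '.dat')
    $err    = @($files | Where-Object Extension -eq '.err')
    $tmp    = @($files | Where-Object Extension -eq '.tmp')
    $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1

    $tooOld = $oldest -and (($now - $oldest.LastWriteTime).TotalHours -gt $WarnAgeHours)

    [pscustomobject]@{
        Folder   = $dir.Name
        DatFiles = $dat.Count
        ErrFiles = $err.Count          # .err files are the ones SEPM refused; none here is itself a clue
        TmpFiles = $tmp.Count          # .tmp files appearing and disappearing means processing is alive
        Oldest   = if ($oldest) { $oldest.LastWriteTime } else { $null }
        Stuck    = [bool]($tooOld -or ($dat.Count -gt $WarnCount))
    }
}

$report | Sort-Object DatFiles -Descending | Format-Table -AutoSize

# Exit non-zero when any folder looks stuck, so a scheduled task can alert on it.
# With a 5-minute heartbeat, a .dat that is a day old is a log that was never ingested,
# and every risk event in it is invisible to Monitors, reports and notifications.
if ($report | Where-Object Stuck) { exit 2 }
```

    The reading for the numbers posted above is the one the script encodes: 220,000 .dat files in client\ with the oldest dated to the rollout is not a queue, it is five months of logs that were never processed, so an empty Risk log does not mean no detections.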



  • 26.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 27, 2010 05:20 PM

    Have a look at this document and see if it helps:

    .dat files accumulating in the Inbox folder on SEPM
    http://www.symantec.com/docs/TECH95166

    sandra



  • 27.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 28, 2010 10:37 AM

    I uninstalled and reinstalled SQL with no change

    Then I repaired the SEPM install and reentered the SQL login credentials and they were accepted, but no change, all the files are still in the inbox

    Then I rebooted the server with no change



  • 28.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 28, 2010 11:52 AM

    SQL, or SQL Client Tools?

    Is your SEPM a 64-bit system? One of the possible causes is installing the 32-bit version of the Client Tools to a 64-bit system.

    You may want to consider opening a case.

    sandra



  • 29.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 28, 2010 04:25 PM

    Everything is 32 bit.

     

    I have SEPM set up to look for bcp.exe in E:\Program Files\Microsoft SQL Server\90\Tools\binn, but that shouldn't make a difference, should it? That is the same drive SEPM is installed on.

     

    I believe it is working because I see bcp.exe running and when I kill it then restart SEPM services, it restarts.



  • 30.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 28, 2010 04:53 PM

    As long as bcp.exe is installed on the local machine (and not pointed to a copy located on the network), it should be fine.

    sandra



  • 31.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 29, 2010 08:43 AM

    The vast bulk of our risk logs stopped flowing through about a month ago (but the other logs seem fine).  The odd thing is that a very limited handful are still making it through.  But I've created multiple risks on my own client and they are not showing up in our database.  And we can see from the "last virus time" field on the computer status logs that we have had risks.  They just aren't being reported through the management console.

    We haven't been able to discern a pattern amongst the clients whose risk logs are still making their way to the database.

    We opened a case with support on Wednesday. Nothing useful has come from that yet.



  • 32.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 29, 2010 09:15 AM

    I would be interested in what comes from that case as I am planning on opening one too

     

    I was looking through the scm-server logs and noticed that log 0 looks fine, but log 1 has some errors; I don't know if they are related to this.

    Attachments: scm-server-0_21.txt (1 KB), scm-server-1_1.txt (8 KB)


  • 33.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 29, 2010 11:17 AM

    Upgrade to 11.0.6; it was a bug in the earlier version (11.0.500X).

    Replication failure due to Primary Key Violation
    Fix ID: 1958237
    Symptom: The Symantec Endpoint Protection Manager logs display an error "java.sql.BatchUpdateException: Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'. Cannot insert duplicate key in object 'dbo.SEM_COMPUTER'".
    Solution: If the insert statement batch fails, Symantec Endpoint Protection Manager now catches the primary key violation exception and executes the statements one by one to make sure all data is inserted or updated to the database.

     

    https://www-secure.symantec.com/connect/blogs/release-update-6-maintenance-patch-1-ru6-mp1



  • 34.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 29, 2010 11:27 AM
    2010-10-28 15:51:24.054 SEVERE: scm.server.version = 11.0.5002.333
    2010-10-28 15:51:27.211 SEVERE: ================== StartClientTransport ===================
    2010-10-28 15:51:27.726 SEVERE: Schedule is started!
    2010-10-28 18:14:32.310 SEVERE: Unknown Exception
    java.sql.SQLException: Violation of PRIMARY KEY constraint 'PK_PATTERN'. Cannot insert duplicate key in object 'dbo.PATTERN'.
    	at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:364)
    

    I'd migrate up to RU6a then to RU6 MP1.  If you're going to open a case I can almost guarantee the first thing you're going to be asked to do is migrate up.

    You weren't specific about whether or not you used replication in your environment with another SEPM.  I found this in the KB noted as a fix included in RU6 MP1.

     

    Replication failure due to Primary Key Violation
    Fix ID: 1958237
    Symptom: The Symantec Endpoint Protection Manager logs display an error "java.sql.BatchUpdateException: Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'. Cannot insert duplicate key in object 'dbo.SEM_COMPUTER'".
    Solution: If the insert statement batch fails, Symantec Endpoint Protection Manager now catches the primary key violation exception and executes the statements one by one to make sure all data is inserted or updated to the database.
     

    Then it appears to have connection problems with the database.

    2010-10-29 07:21:54.660 SEVERE: Unexpected server error.
    com.sygate.scm.server.metadata.MetadataException: I/O Error: Connection reset
    

    sandra

    edit: Ha ha, great minds think alike Rafeeq...



  • 35.  RE: Monitor Tab - everything reports 'No Information'

    Posted Oct 29, 2010 11:36 AM

    I actually just did that this morning, which is why I was looking through the log files so hopefully it will fix that error.

     

    I am still stuck with a bunch of files not being processed though.



  • 36.  RE: Monitor Tab - everything reports 'No Information'
    Best Answer

    Posted Nov 01, 2010 10:06 AM

    It is working now. What I ended up doing was moving all of the DAT files out of the log folders and restarting the server. Now I can watch the TMP files create then they are removed and I am getting email alerts when I try to open the EICAR test file.

     

    One of the things I did before must have fixed it, but the logs did not start processing until I deleted all the old ones.

     

    I wish SEP would alert us when the logs stop processing because the only reason we found that they had stopped is our firewall had detected a virus, so I was looking through SEP and found no logs. I had to look at the local machine to figure out that a virus was detected.
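
    The step the accepted answer describes (move the .dat files out of the inbox log folders and restart), done so that the moved logs are archived rather than deleted, followed by a short watch for the .tmp files the poster uses as a sign that processing has resumed. This is an added example, not the poster's procedure or Symantec's; the install root and the archive location are assumptions, and the service is located by the display name used earlier in the thread.

```powershell
# Added example (not from the thread): drain the SEPM inbox, keeping the moved files.
# Assumptions: install root and archive path are parameters; the archive path is a placeholder.
param(
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [string]$Archive  = 'E:\sepm-inbox-archive'   # placeholder; ideally not on the SEPM data volume
)

$inbox = Join-Path $SepmRoot 'data\inbox\log'
$svc   = Get-Service -DisplayName 'Symantec Endpoint Protection Manager'
$dest  = Join-Path $Archive (Get-Date -Format 'yyyyMMdd-HHmmss')

# Stop SEPM first so no .dat is moved while the server is part-way through reading it
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

$moved = 0
Get-ChildItem -LiteralPath $inbox -Recurse -File -Filter '*.dat' | ForEach-Object {
    # keep the per-folder layout (client\, traffic\, ...) so files can be put back if needed
    $rel    = $_.FullName.Substring($inbox.Length).TrimStart('\')
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Move-Item -LiteralPath $_.FullName -Destination $target
    $moved++
}
Write-Host "Moved $moved .dat files to $dest"

Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Verify processing has resumed: fresh .dat files arrive with each client heartbeat and should
# drain again, with .tmp files showing up briefly while SEPM works on them. Sample for six minutes.
1..6 | ForEach-Object {
    Start-Sleep -Seconds 60
    $dat = (Get-ChildItem -LiteralPath $inbox -Recurse -File -Filter '*.dat' | Measure-Object).Count
    $tmp = (Get-ChildItem -LiteralPath $inbox -Recurse -File -Filter '*.tmp' | Measure-Object).Count
    '{0:HH:mm:ss}  dat={1,-6} tmp={2}' -f (Get-Date), $dat, $tmp
}
```

    The archived files are the only server-side record of the detections that happened while processing was stalled; they were never written to the database, so the window between the oldest file date and the fix is a visibility gap that has to be reconciled from the clients' local risk logs, which the thread confirms are intact. A sample count that keeps rising with no .tmp activity means the underlying cause is still there.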



  • 37.  RE: Monitor Tab - everything reports 'No Information'

    Posted Nov 01, 2010 11:32 AM

    Glad to hear you got it worked out in the end.

    sandra