Endpoint Protection

I have exactly the same issue with MR2 MP2. Do you have a solution available??

 

Thanks,

martin

Did you change your "delete clients that have not connected for x days" setting?

In SEPM, click on ADMIN.   Click on the Local Site and select Edit Site Properties.

 

My installation of SEP11 is too new to notice if computers are hanging around after the 30 days mine is set to.

 

 

Yes, this box is checked....

The strange thing is that these computers don't show up under "Clients" but only under "Security Status"->"More Details":

See screenshot: http://img378.imageshack.us/my.php?image=screenshotvk5.jpg

 

martin

I have a similar problem (see here): my client mirgration report seems static and lists already migrated and deleted SEP clients. The "delete clients ..." option is set, too.

Same exact problem running MR2 MP2.  Anyone find a solution?

Same problem in MR4, not just decomissioned computers though.  It seems like there is no purging of old data in the database.  I have an open case on this now.

with MR3 onwards, clients will be purged from the clients list based on the setting mentioned in this thread, HOWEVER, information in the other views will be purged based on settings in the database and log settings tabs of the server configuration.

Hi Paul,

 

Thanks for your reply.  I worked with tech support yesterday and we changed the database log settings to 1 day for everything and my Security Status - More Details page still shows problems with Scan failure, Antivirus Definition failure and IPS signature failure from July 2008.

What was the solution?

No solution yet as I'm still working with tech support.  Apparently, my database is not clearing out old information even though it's being "swept".

i have the same error. i have clients that are no longer in AD but still show up in the monitors tab. why is that????

For me, it's looking like a replication/database issue.  I had bi-directional replication enabled and have changed it so that the two replicated servers only send their logs to the main server (and disabled sending logs from the main server to the replicated servers).  I'll know in a couple of days if this fixes it.

We have only one Endpoint server and we still have our Endpoint status reports messed up by machines listed that have been deleted from Active Directory weeks ago still showing up in reports of machines with definitions failures.

Yes, still having this issue with several clients.  Each are running MR4 and are single SEPM deployments.  Computer objects are no longer in AD nor in the client list yet they still show as failed under security status for virus defs, scans, etc.  Haven't opened a case yet as it really hasn't warranted me spending the time with tech support.  I was hoping it was something simple I was missing, but looks like I might have to pick up the phone.

 

Thanks all for your responses.

Hello all, any solutions to post for this issue?

Hi BTIT,

I ended up having to uninstall / reinstall all SEPM's and creating a new database (restoring the server certificate and domain ID, rebuiliding my groups, management server lists and all policies).  It was a major pain to do all of this, but all looks good now (knocking on wood).

I kind of got the hint that if I used SQL server instead of the embedded database, things could have been cleared up by editing the tables but I'm not 100% sure on this.  I never want to go through this again so I'm keeping a close watch on everything.

You could try deleting clients from the SEPM that are giving you wrong data and see what happens when they get added back in automatically on the next heartbeat (this is for pull mode, don't know what happens if you're in push mode).  For me, when clients were added back in, some fell off the more details report and some stayed on (either IPS or Truescan defs were not being reported to the SEPM properly).  I don't think there was any other solution to my problem as we tried *many* different things.

Hi Paul,

I'm trying to get rid of old scan evens, some date back to near the beginning of last year and i've checked the database tab and "delete scan events" is set to 30 days i still have very old scan events in my log.

Is there now other way around this other than bacsically recreating the database (that's if i've read Rick's resolution right.

Cheers,
Rob

I'm bringing this back up as it is still an issue.  MR4 MP2 on all clients and SEPM's.  Clients that were deleted (via Local Site Properties / Delete clients that have not connected in 30 days) still show up in the Security Status / More Details screen with signature or definition failures.

Clients that were incorrectly reported in that screen that I knew for a fact had up to date definitions I simply deleted them from the clients tab.  They fell off the More Details screen but when they re-appeared on the next heartbeat, they still showed errors in the More Details screen. 

i also have the same issues...
hope we could have a simpler work around than the one suggested by symantec to RickJDS...
very time consuming and labor intensive...

same over here...

Hi Grant,

Here's my setup if you want to reproduce the problem:

Three servers (one main, two replicated - replicating logs from child to parent only, nothing else) SEP/SEPM started from MR2 to MR4 MP2 embedded database (all clients and servers were upgraded together) had the problem from MR2 through today.

Windows Server 2003 Standard SP2 4GB RAM (/PAE switch in boot.ini) dual Xeon processors plenty of hard drive space (OS installed on C, all apps installed on D, dedicated swap file on seperate partition).  Servers all get content from Symantec every 4hrs, computers that don't connect in 30 days are purged, log pruning is all 60 days. 

Clients are mostly XP Pro SP2/SP3, some Windows 2000 Pro (SP4), and a handful Windows 7 RC 64 bit.  Clients use a location based policy (check for SEPM connection only implemented since MR4 MP1A) and if they are on the WAN, get content updates from SEPM/GUP only, otherwise get from Symantec only (off WAN).  Clients configured in pull mode heartbeat of 1 hour.

What I have noticed: decomissioned clients but never removed from AD or SEPM get purged in 30 days but SEPM still shows them in the Security Status / More details screen witth failures.  Some of the computers showing up *may* have been turned off and purged after 30 days but turned on and the client shows updated definitions but SEPM shows failures.  Some, I can't explain as these should have been on at least once every other week at a minimum (user  goes on vacation).  These ones I cannot explain show up with Antivirus definition failures but the date of the definitions are blank in that More Details screen.

Let me know if you need more information.

Cool I will be running these tests all week. Now just so you know I won't be able to necessarily recreate the exact hardware specs you have but all of the settings and the variety of Operating Systems will be no problem. Also do you want me to run this test at the default 30 days (obviously that would take much longer)  or do you think setting the purge time to one day is sufficient. Personally I don't think the hardware nor the amount of purge time really matters, it is more which versions of SEP on the different OSs that I am interested in. But I am yours to command so you just let me know what you think. I am in the process of installing the various OS's right now so that will take a while anyway, so you have some time to get back to me. I am just trying to think of the quickest/most efficient way to re-create your setup so we can get some data on this issue.
Cheers
Grant

Grant thanks for testing!  I think changing the purge time to one day should be fine as long as you can monitor events closely (checking with detail about clients that fall off and if they come back or not, monitoring AV/IP signature failures, etc.).  Looking forward to your results.

Hey Grant,

I had a laptop that hasn't connected to our network since February (policy was dated 2/19/09, running MR4, all servers and clients are now at MR4 MP2).  We turned it on today and it showed up in "My Company" (it was previously pruned).  It did not show a green dot after two hours (pull mode, 60 minutes).  I replaced the sylink.xml file and the green dot showed up (SEPM was uninstalled / re-installed around that time and I had to replace all client's sylink.xml file).

This has been my experience with computers that were turned off past the pruning/purge setting and then turned on.  Why do my clients show up in SEPM whereas your tests, they did not?

So MR4_MP2 doesn't fix this issue either. It's a real pain having those old machines showing up still. I've reset my dleeting clients that have contacted in x days to 1 and will see if this removes them.

I'll keep watching this thread in the hope that there's something abit simpler than recreating the database comes up.
Rob

Still installing some of the OS's. Sorry Rick this will be done by hopefully the end of this week, it is somewhat slow going having to download each OS and install it. Am planning to do the next couple of tests tomorrow. Just keeping you updated on where I am at with the tests. Thanks for being patient and keeping me updated with your info.

Grant-

Yesterday i set

1) the Site Properties, "Delete Clients that have not connected for :" to 1 day
2) the Databse properties "Delete old scan events after " to 1 day
3) deleted and reimported my AD conatiners under the clients tab and also deleted any clients in the "Default Group"  once i did the reimport (i had to reapply my policies to each container as required)

And when i logged in to SEPM this morning my scan list has been cleaned of all old computers and all computers that are switched on are reporting in and the green dots show up too (some of them weren't yesterday).

Cheers,
Rob

Hey Rob,

I'm glad this worked for you.  I don't import AD containers so this doesn't work for me (I've played with the site properties and database properties settings and I still have failures being reported that are older that what I've set - scan, antivirus definition, intrusion prevention signature failures).

I enabled Rob's suggestions yesterday afternoon around 4pm and *thought* the database would "prune" clients that didn't connect at midnight (I remember someone from tech support telling me that's when it took place). Two hours ago when I checked the server, it showed clients that haven't checked in as old as three weeks. Now, I just checked again and all clients that haven't checked in older than one day are pruned. 

This appears to be a solution.  I need to keep an eye on what happens when clients that were pruned get turned on again.

How often is the database pruned or purged of old data? This appears to be different in MR4 MP2.

On a side note, I had another laptop that has not connected to our LAN/WAN in over three months appear in SEPM when it was connected today.  It shows a green dot, auto upgraded to the latest version and has the latest policy.

Where do you configure the Databse properties?

Click on Admin / Servers / Local Site / Edit Site Properties.

Still not working.  I enabled the option to delete clients that have not connected after 1 day and delete scan events after 1 day on all three of my SEPM servers (one main, two replicated).  Each server will delete client error information for clients reporting directly to the server (Security Status / More Details).  Replication does NOT update the main server properly from the remote servers. 

So, in essence, the main server (server A) does not report errors about clients reporting to itself, but it shows errors for clients reporting to the two remote replicated servers (server B and server C).  Logging into the remote servers, server B does not report errors for clients reporting to itself, but shows errors about clients reporting to server A and server C.  Same with server C not reporting errors for clients reporting to itself, but shows errors for clients reporting to server A and server B.

Replication is set to only update the main site logs from the child sites only (replicate logs from the partner site to the local main site).

Sorry this is taking so long. I actually dropped and broke a small hinge on the back of my work laptop, so that is out of commision for a while. I am still running your tests on my home computer to see what is wrong. Just finished installing all of the OS's and SEP + the SEPM. Doing the test now : )

Grant-