Endpoint Protection

  • 1.  SEP 12.1 Client downloading large amounts of data

    Posted Aug 08, 2012 09:21 AM

    We have an Endpoint Protection client downloading large amounts of data. 

    This has happened before and it appears to be corrupt virus definitions and the client keeps requesting full definition files over and over. 

    After uninstalling the client and reinstalling, this client still continues to download large amounts of data, saturating this offsite location's bandwidth.  The traffic appears to be going over ports 1248 and 1865 between the client and the management server.  Any idea what this is?

    Windows XP client

    SEP 12.1 RU1



  • 2.  RE: SEP 12.1 Client downloading large amounts of data

    Posted Aug 08, 2012 09:28 AM

    Enable debugging using the SyLink Monitor below and upload the logs. Alternatively, try the steps below on the SEPM.

    http://www.symantec.com/business/support/index?page=content&id=TECH103369

     

    Sometimes, it is noted that if there are corrupt virus definitions downloaded by SEPM, it is required to clean them up and download the virus definitions again.

    Following are the steps for the same:

    File system cleanup for 32-bit SESC Virus Definitions:

    1. Stop the SEPM server service.

    2. Go to the C:\program files\symantec\symantec endpoint protection manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433} folder and move all of the subfolders to another place, such as C:\Temp, if you want a backup; otherwise delete the sub-folders.

    Database cleanup for 32-bit SESC Virus Definitions:

    3. Go to C:\Program Files\Common Files\Symantec Shared\SymcData\ and delete the following folders:
    sesmipsdef32
    sesmipsdef64
    sesmvirdef32
    sesmvirdef64

    4. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete these keys:
    SymcData-sesmipsdef32
    SymcData-sesmipsdef64
    SymcData-sesmvirdef32
    SymcData-sesmvirdef64

    5. In the registry, navigate to and delete the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef32
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef64
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef32
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef64

    6. Start the SEPM service back up.

    7. Run LiveUpdate from within the Symantec Endpoint Protection Manager console.

    This will re-populate the database which in turn will update the moniker folders.

     

    You can try this on one client machine; however, I think the above might help!

    http://www.symantec.com/business/support/index?page=content&id=TECH103176&locale=en_US
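The seven cleanup steps above, collected into one script. This is an added example, not code from the thread or from Symantec: the folder and registry paths are the ones the post gives for a 32-bit SEPM install; the service name semsrv, the backup location under C:\Temp and the helper function name are assumptions. Because the post calls the InstalledApps and SharedDefs entries "keys" while they may be stored as values, the helper removes whichever form is present. Run it in an elevated PowerShell session on the SEPM server; step 7 (LiveUpdate) stays a manual console step.

```powershell
# Added example (not from the thread or from Symantec): the SEPM definition
# cleanup steps as one script. Paths are those given in the post (32-bit SEPM);
# the service name 'semsrv' and the backup location are assumptions.

$ServiceName = 'semsrv'   # assumed SEPM service name; confirm with: Get-Service *Symantec*
$ContentRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}'
$SymcData    = 'C:\Program Files\Common Files\Symantec Shared\SymcData'
$Backup      = 'C:\Temp\SEPM-defs-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$DefNames    = 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64'

# Removes a definition entry whether it is stored as a subkey or as a value
# under the given parent key (the post calls them "keys"; handle both forms).
function Remove-DefRegistryEntry {
    param([string]$ParentKey, [string]$Name)
    $subKey = Join-Path $ParentKey $Name
    if (Test-Path $subKey) {
        Remove-Item -Path $subKey -Recurse -Force
        return
    }
    $props = Get-ItemProperty -Path $ParentKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
        Remove-ItemProperty -Path $ParentKey -Name $Name -Force
    }
}

# Step 1: stop the SEPM service and wait until it is really down
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2: move the content subfolders to a backup location rather than deleting them
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Get-ChildItem -Path $ContentRoot | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Move-Item -Path $_.FullName -Destination $Backup -Force }

# Step 3: remove the SymcData definition folders
foreach ($name in $DefNames) {
    $dir = Join-Path $SymcData $name
    if (Test-Path $dir) { Remove-Item -Path $dir -Recurse -Force }
}

# Steps 4 and 5: remove the matching registry entries under InstalledApps and SharedDefs
foreach ($name in $DefNames) {
    Remove-DefRegistryEntry -ParentKey 'HKLM:\SOFTWARE\Symantec\InstalledApps' -Name "SymcData-$name"
    Remove-DefRegistryEntry -ParentKey 'HKLM:\SOFTWARE\Symantec\SharedDefs'    -Name "SymcData-$name"
}

# Step 6: start the service again and wait for it
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Step 7 (LiveUpdate) has to be run from the SEPM console by hand
Write-Host "Definition cleanup done. Content folders backed up to: $Backup"
Write-Host "Now run LiveUpdate from the SEPM console to re-populate the database."
```

Keep the backup folder until LiveUpdate has finished and clients are receiving definitions again; only then delete it.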



  • 3.  RE: SEP 12.1 Client downloading large amounts of data

    Posted Aug 08, 2012 12:25 PM

    Those ports (1248 and 1865) are not normal SEP ports (SEPM by default uses port 8014 for client communications).

    If you don't know what's using those ports, I'd suggest running a netstat on the SEPM to track down which process(es) is/are listening on those ports and investigate them.

    netstat -pano tcp

    The above switches will return Process ID numbers for each of the TCP-based network connections when run on the SEPM. You can then check within Task Manager for the corresponding process name(s) and hopefully figure out what the ports are being used for.
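The netstat check suggested above, wrapped so that the PID-to-process lookup happens in one step instead of by hand in Task Manager. This is an added example, not part of the post: the port numbers are the ones from the original question, and the function name is our own. Run it elevated on the SEPM (or on the client) so that the executable paths of service processes are readable; it lists both listening sockets and established connections on those ports.

```powershell
# Added example (not from the thread): parse 'netstat -ano -p tcp' and map every
# connection on the given ports to its owning process. Ports 1248 and 1865 are
# the ones reported in the question; the function name is an assumption.

function Get-TcpPortOwner {
    param([int[]]$Ports)

    # netstat columns: Proto, Local Address, Foreign Address, State, PID
    $connections = netstat -ano -p tcp |
        Where-Object { $_ -match '^\s*TCP\s' } |
        ForEach-Object {
            $fields = $_.Trim() -split '\s+'
            New-Object PSObject -Property @{
                Local   = $fields[1]
                Foreign = $fields[2]
                State   = $fields[3]
                OwnerId = [int]$fields[4]
            }
        }

    foreach ($c in $connections) {
        # The port is whatever follows the last ':' (IPv4 and bracketed IPv6 alike)
        $localPort   = [int]($c.Local   -replace '^.*:(\d+)$', '$1')
        $foreignPort = [int]($c.Foreign -replace '^.*:(\d+)$', '$1')
        if (($Ports -notcontains $localPort) -and ($Ports -notcontains $foreignPort)) { continue }

        # Resolve the PID; the process may already have exited by the time we look
        $proc     = Get-Process -Id $c.OwnerId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $procPath = if ($proc) { $proc.Path } else { $null }

        New-Object PSObject -Property @{
            Local   = $c.Local;   Foreign = $c.Foreign; State = $c.State
            OwnerId = $c.OwnerId; Process = $procName;  Path  = $procPath
        }
    }
}

# Ports reported in the original question
Get-TcpPortOwner -Ports 1248, 1865 |
    Format-Table Local, Foreign, State, OwnerId, Process, Path -AutoSize
```

Anything listed here that is not a Symantec binary (the SEPM itself talks to clients on 8014 by default, as noted above) is the process to investigate; an empty Path column usually means the session was not elevated rather than that the process has no image.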



  • 4.  RE: SEP 12.1 Client downloading large amounts of data

    Trusted Advisor
    Posted Aug 08, 2012 03:22 PM

    Hello,

    These ports are not used by Symantec.

    I would request you to follow the steps provided above by SMLatCST and then would request you to -

    1. Remove the machine from the network,
    2. Follow the steps provided in the Article: Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
    3. Run either the Power Eraser Tool OR the SERT Tool. 

    Power Eraser tool –

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    Hope that helps!!



  • 5.  RE: SEP 12.1 Client downloading large amounts of data

    Posted Aug 08, 2012 06:03 PM

    Rx4DefsSEP.exe

    This utility should automate the process of cleaning out the corrupt definitions. See http://www.symantec.com/business/support/index?page=content&id=TECH93036

     



  • 6.  RE: SEP 12.1 Client downloading large amounts of data

    Posted Aug 09, 2012 04:06 AM

    What about your client disk space? Does it have more than 1 GB free?

     

    Also, did you use a custom port? It should be port 80 normally... try the netstat suggested by SMLat.

    If not, you may also use fport.exe by Foundstone.



  • 7.  RE: SEP 12.1 Client downloading large amounts of data

    Posted Oct 03, 2012 02:31 PM

    Please check the number of contents using the following.

    1. In the Symantec Endpoint Protection Manager console, click Admin > Servers > Local Site.
    2. Right-click Local Site and select Edit Properties.
    3. Click LiveUpdate.
    4. Under "Disk Space Management for Downloads", select the number of content revisions to be retained.