After installing the most recent update of the Symanted Endpoint Protection server many (not all) of the clients are showing up on the deployment report with the status of "Cannot deploy. Client version is the same or later than the specified package."
What does it want and how do I fix it?
How can I calculate EPS on a win7 client running Endpoint Protection to estimate the space needed to send logs to ArcSight? Are there any symantec articles that discuss this?
In the Symantec Endpoint Protection Manager I've been attempting to remote push the Symantec Endpoint Protection Client to my company's Windows 7 PCs.The process appears to fail a few seconds after SEPM begins sending the installation files. The deployment status shows a red X and indicates that the process failed.
In the client's event log I noticed a logon failure was showing when I was attempting to send the SEP files. The log indicated the SEP server was trying to logon to the client using NT AUTHORITY\NETWORK SERVICE and that it failed due to an unknown user name or bad password. At the same time the SEP server's log indicated that the process trying to logon to the client was nst.I've attached screenshots of the client and server security event logs showing the logons that failed.
Client log
Server log
If I try to update the same PC using the Push Deployment wizard the SEP client is sent to and installed on the PCs without any issues.
In both the remote push and the push deployment wizard I've used the same credentials to tell Symantec how to connect to the PCs.
Is there way to tell the nst process to use different credentials?
Here is some background information:
SEPM version is: 12.1.6465.6200
SEP Client version is: 121.6318.6100
SEPM is running on Windows 7 Pro 64 Bit
Clients are a mix of Windows 7 Pro 32 and 64 Bit
Our network is a domain controlled by a Windows Server 2003 machine.
Please help, my Symantec Endpoint Protection Manger Service keeps stopping after I start it. Any ideas?
15-10-15 07:26:30.155 THREAD 1 SEVERE: ================== Server Environment ===================
2015-10-15 07:26:30.162 THREAD 1 SEVERE: os.name = Windows Server 2008 R2
2015-10-15 07:26:30.164 THREAD 1 SEVERE: os.version = 6.1
2015-10-15 07:26:30.165 THREAD 1 SEVERE: os.arch = x64
2015-10-15 07:26:30.166 THREAD 1 SEVERE: java.version = 1.7.0_09
2015-10-15 07:26:30.167 THREAD 1 SEVERE: java.vendor = Oracle Corporation
2015-10-15 07:26:30.168 THREAD 1 SEVERE: java.vm.name = Java HotSpot(TM) Client VM
2015-10-15 07:26:30.169 THREAD 1 SEVERE: java.vm.version = 23.5-b02
2015-10-15 07:26:30.170 THREAD 1 SEVERE: java.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre
2015-10-15 07:26:30.171 THREAD 1 SEVERE: catalina.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
2015-10-15 07:26:30.172 THREAD 1 SEVERE: java.user = null
2015-10-15 07:26:30.173 THREAD 1 SEVERE: user.language = en
2015-10-15 07:26:30.174 THREAD 1 SEVERE: user.country = US
2015-10-15 07:26:30.175 THREAD 1 SEVERE: scm.server.version = null
10-05 14:45:00.972 THREAD 1 SEVERE: ================== Server Environment ===================
2015-10-05 14:45:00.973 THREAD 1 SEVERE: os.name = Windows Server 2008 R2
2015-10-05 14:45:00.975 THREAD 1 SEVERE: os.version = 6.1
2015-10-05 14:45:00.976 THREAD 1 SEVERE: os.arch = x64
2015-10-05 14:45:00.977 THREAD 1 SEVERE: java.version = 1.7.0_09
2015-10-05 14:45:00.978 THREAD 1 SEVERE: java.vendor = Oracle Corporation
2015-10-05 14:45:00.979 THREAD 1 SEVERE: java.vm.name = Java HotSpot(TM) Client VM
2015-10-05 14:45:00.981 THREAD 1 SEVERE: java.vm.version = 23.5-b02
2015-10-05 14:45:00.982 THREAD 1 SEVERE: java.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre
2015-10-05 14:45:00.983 THREAD 1 SEVERE: catalina.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
2015-10-05 14:45:00.984 THREAD 1 SEVERE: java.user = null
2015-10-05 14:45:00.985 THREAD 1 SEVERE: user.language = en
2015-10-05 14:45:00.986 THREAD 1 SEVERE: user.country = US
2015-10-05 14:45:00.987 THREAD 1 SEVERE: scm.server.version = 12.1.2015.2015
Version: Mostly 12.1.2.1, but some 12.1.4.1.
Quite a number of both servers and Windows workstations exibit this problem in various incarnations. Stopping and restarting services (sem -stop/-start) has no effect. Applying LiveUpdate usually makes things worse with other messages shown. There is no "FIX" button on the server I am looking at right now.
Sometimes it says Network Threat Protection is malfunctioning, with a FIX button that has no effect.
Almost all of the servers in question with this issue are VMware virtual servers in version 5.5 u2. Workstations are all HP and are pretty basic "terminals".
The rest of the message (example): Proactive Threat Protection is not functioning correctly due to an internal configuration error.
The only solution that I have yet to find that actually works is a reboot, which is not usually a viable alternative for servers.
Is this a known issue and is it being addressed? Or maybe fixed by newer versions?
David
Hi,
We have found that in some of our endpoints SEP got installed as SelfManaged/Unmanaged agent. As a result their entries are not refecting at SEPM console end. Being an administrator we want to find out total no. of such unmanaged/SelfManaged clients are present in our domain network (hostname, ip address etc).
Grateful if you can mention mention the automated procedure to convert SelfManaged client to Managed one (i.e. updating sylink.xml file for all those umnanaged clients at one go).
Hi,
I've done and install of SEPM 12.1.6 MP1a on Windows 2012 R2 and restored the DB on my new server to begin the transfer of clients to the new server.
I imported the new packages and then created MSI exports with my required client installation settings.
Now when i deploy from the console home screen and select 'Deploy existing package' i get the message (and it's a 'message' not and 'error') "Not able to process the specified package. Make sure that a valid package is selected."
But the package seems to load and deploy correctly. Has anyone seen this and/or know why it shows/how toget rid of it?
Cheers,
Rob
Local admin users are capable of terminating the scan process using the Task Manager which results in unfinished scans .
I am looking for options inside SEPM or if it can be achieved by some other means.
Hi All,
Is it possible to see SEP AV defs. status of MAC machines from any other server except SEPM? i.e. Is there any other possibility with the help of which we can see whether the AV is installed at MAC machines or not like we can see from SCCM server in case of windows. Please correct me if I am wrong as you might be able to see that what antivirus is running with what version & defs, status from SCCM server console in case of windows. So, do we have such possibility from MAC machines as well? Please help.
Hi Team,
Could you please share SQL DB Query needed on 2hrs all computer status report to pull from SQL DB.
I have upgraded from Windows 7 to Windows 10.
SEP 12.1.2015 no longer works.
Tried to uninstall it.
Unfortunately, the uninstall process crashes and everything is rolled back.
Need CleanWipe but cannot access the license no.
Thank you for your help
ClaudeCH
Version 12.1.6 MP1 running remote console on Windows 10 (upgrade from 7) when I want to export a log from the monitors page I get the following "Unable to download ****.csv from ###.###.###.###
unable to open this internet site. the requested site is either unavailable or cannot be found. Please tran again later."
could this and MS edge browser issue?
Hey guys,
I cant figure out why we are having Allowed by user action in our risk logs. I thoroughly check the AV Policy for this option and I cant find it. I also check the exception policy and the detected file was not there. Am I missing something here?
Thank you,
HI, i am using sep (symantec endpoint protection ) when i open it i can only see status.
so my question is how can i login to the admin. i can't find the place to login. i want to make changes in it. as like if the virus found allow me to choose what to do with that. either to delet or ignore.
I can only see the lock symbol your administration has locked this service. how can i login to this administration console.
i feel like delet symantec files so that, i can stop this antivirus.
someone please help me with login console... i am getting irritated past several days i can't find it. :(
i dont know who install this antivirus....i search default login user name and password will be. admin admin....but the problem is where shalll i login.
Greetings Everyone!
I am trying to include in my organization's monitoring profile SEP components (SEPM, LUA, etc.) using URLs such as:
http://<hostname>:8014/secars/secars.dll?hello,secars
Essentially, as long as the servers are delivering these pages in a reasonable amount of time, we would consider the server GREEN. However, after monitoring for a while and then establishing a baseline average, we would create alerts when the server consistently begins to deliver responses after a longer interval.
The two URLs above, I know, are good for the SEPM. Can anyone provide good URLs for the other components?
Thanks in advance,
Edwin
Symantec Endpoint Protection (12.1.4013.4013) uninstall continues to roll back on most of my Windows 7 Professional x64 computers.
I have tried to command line using MSIEXEC and the Add/remove Programs GUI but it produces the same issue.
I am using the local administrator account. Attached the uninstall log produced.
Please let me know if you see anything suspicious, this is a widesprear problem at my location.
Hi,
We are having and issue with our notification setup where whenever we receive an event from SEPM, it shows a different value in "Company: " than we expect.
Where is this setting located within SEPM? Is it possible to remove the feature, so that "Company: " doesn't appear in the mail?
Hello:
We are running Endpoint Protection Manager 12.1.6 and recently looked at using the SVA appliances to integrate with VMware vShield. In looking at this closer, it looks like all that the SVA appliances do is allow the SEP agents on each VM to use the Shared Insight Cache. The benefit I can see is that it uses vShield rather than the network for this communication. However, I would like to verify that this is correct, is there any agentless option for Endpoint Protection 12.1.6+ with vShield? I see talk of it but there doesn't seem to be a clear answer.
The second question is, we have followed the instructions to deploy the SVA per ESXi host, installed the VMCI drivers in our VMs, and we are running NSX Manager 6.2. In the NSX Manager logs, I see errors that say "Failed to receive status from Guest Introspection solution Symantec Endpoint Protection". How do I verify that the SVA appliances are registered properly... and that the SEP agents on the VMs are using vShield and that they are using the Shared Insight Cache? The documentation on this is very minimal and I would like to see if things are working correctly.
Any information on this would be very helpful. Thank you for your help.
when i am trying to login to http://yourSEPMIP:9090
i get error login failed.
is there any expert who can solve my problem ?
End Point Protectionを導入しているサーバで、インターネットにつながっていないサーバについて
「ファイル評価ルックアップの警告」という件名のメールで警告が来ますが、この内容の意味(影響)について教えてください。
また、ネット接続をしない状態で、不都合を回避する方法がありましたら教えてください。
↓ 以下、メール本文を切り取り。XXX.XXX.XXX.XXXの部分はサーバのIPアドレス。
5 コンピュータからファイル評価ルックアップの問題が報告されました。
| ||||
| ||||
|
|