Symantec Endpoint Protection woes

Paperlantern

Platinum Member
Just curious if anyone has run into this issue before.

I have a few machines that are refusing to update the Proactive Threat Protection definitions. I install it fresh, and of course the definitions are from like late 2008, whatever definitions they threw into the install. This is the latest install version ending in 5002.333. So, after the install, it comes up, you can see the definitions for both AV and PTP are out of date, leave it sit for 10 or 15 minutes, go back, and the AV updates to current, but the PTP defs are still 2008 and will remain that way. Eventually the program realizes they are old, removes the green check by them, turns it red and says "Waiting for updates", but they NEVER come.

I've tried CleanWipe and then another clean install of the program. Nothing. I'm worried something is severely wrong. Other machines that are already deployed are updating; it's only these new ones I'm imaging from an image I've had since about January (we have updated Symantec since then; I've been uninstalling the old version and installing the new, which has been fine up until now. Other images taken around the same time for different hardware still work fine: uninstall old version, install new version, all defs update within a few minutes. Only this one image has the problem). I'm stumped and I'm looking for anyone with Symantec Endpoint experience that MAY have run into this to help. I know it's a doozy, and I know Symantec isn't the BEST, but it's what my boss committed to and it's what we have. Thanks in advance for any help.
 
What version of SEPM manager are you running? If you are currently running MR4, you need to update to MR5. As well, you may want to put a post in the Symantec support forums. They're pretty quick about giving responses.

As for here, are you pushing the new client out from the SEPM or installing the client? Or do you already have the client installed from the fresh workstation image? If anything I would try replacing the sylink.xml file using the sylink replacement tool (check the Symantec CD). The sylink file is located in Program Files > Symantec > Symantec Endpoint Manager > data > outbox > agent > (102470213974) <--- this is just a representation > sylink.xml

To verify you have the correct sylink file, open the file using WordPad, and ensure that you picked the file that contains the DEFAULT GROUP. Once you have the correct copy, copy and paste it to a share that you can browse to from the problem workstation. Take the replacement tool and place it in the share as well.

On the problem workstation, go to Start > Run > type smc -stop and wait for the Endpoint shield to disappear in the systray.

Open the share that contains the sylink tool and the sylink file, copy them to your desktop, then run the tool. Browse to where the sylink file is located (desktop) and click.

Once done, go back to the Run line and type smc -start

Good luck
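The sylink swap described in this reply, as an added PowerShell example that is not the poster's own procedure or Symantec's tool: it checks the candidate file for the group name the reply says to look for, stops the client with smc -stop, backs up the existing sylink.xml, copies the new one into the client folder the OP later identifies (Program Files\Symantec\Symantec Endpoint Protection), and restarts with smc -start. The parameter names, the SmcGui process name used to wait for the shield, and the backup naming are assumptions.

```powershell
# Added example (not from the thread): manual sylink.xml replacement on a SEP 11 client.
# Assumptions: $SyLinkSource is the sylink.xml exported from the SEPM (the "Default Group"
# copy the reply mentions); the client lives under the path the OP found; smc.exe sits in
# that folder; SmcGui.exe is the tray process whose exit means the shield is gone.
# Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $SyLinkSource,
    [string] $ExpectedGroup = 'Default Group',
    [string] $ClientDir = (Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection')
)

$ErrorActionPreference = 'Stop'
$target = Join-Path $ClientDir 'sylink.xml'
$smc    = Join-Path $ClientDir 'smc.exe'

# 1. Sanity-check the replacement file the way the reply says to (open it and look for the
#    group name) before touching the client at all.
if (-not (Select-String -Path $SyLinkSource -Pattern ([regex]::Escape($ExpectedGroup)) -Quiet)) {
    throw "$SyLinkSource does not mention '$ExpectedGroup'; wrong sylink.xml picked"
}

# 2. Stop the client (the reply's 'smc -stop' from the Run line) and wait for the tray
#    shield process to exit before swapping the file underneath it.
& $smc -stop
while (Get-Process -Name 'SmcGui' -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 2 }

# 3. Keep the old file so the change can be rolled back, then drop in the new one.
if (Test-Path $target) {
    Copy-Item -Path $target -Destination "$target.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
}
Copy-Item -Path $SyLinkSource -Destination $target -Force

# 4. Bring the client back up (the reply's 'smc -start').
& $smc -start
Write-Host "Replaced $target; previous copy kept alongside it as a .bak file."
```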
 
I assume the MR number is after the 11.0., which is 5002.333, so if that is true, this is MR5 on the server. I'm not pushing it out using the SEPM server, but I am executing manually the same file it uses when it's pushed.

I will try installing from the CD, if that fails I will try the sylink file deal. Thanks!

EDIT* Okay, the ONLY sylink.xml file I found was in Program Files\Symantec\Symantec Endpoint Protection. There is no Data folder in there at all. So I decided to replace that one anyway just to see what happens. I copied it directly off the CD. Restarted SEP with the command you gave, waited a little while, nothing, so I rebooted for giggles. Nothing. Proactive Threat Protection remains at Monday, September 29, 2008 r17. And it has a green check! Like everything is hunky dory! I don't get it!
 
You are using a sys-prepped image right? Unique SID on each machine?

If you enable liveupdate in your policy (we do when the PC is on an external/home IP range) does that work?
 
> You are using a sys-prepped image right? Unique SID on each machine?
>
> If you enable liveupdate in your policy (we do when the PC is on an external/home IP range) does that work?

Image is PIT (point in time), no sysprep; we only have like 2 different types of machines, no reason to sysprep. I haven't tried enabling update from external yet, it's still from SEPM. It is SUPPOSED to work this way; I shouldn't HAVE to make them go get their own from the Internet.

EDIT* If I enable LiveUpdate and kick it off, yes it works. I didn't try letting it sit to see if it would update on its own however.
 
September 29, 2008 sounds pretty old, what is the old client version? I only ever had the problem you describe with 11.0.3001.2224

Though it may be a SEPM issue I would use this as an excuse to build a new image with a clean RU5 install and no legacy bugs. (the issues in RU5 are enough to deal with)
 
> September 29, 2008 sounds pretty old, what is the old client version? I only ever had the problem you describe with 11.0.3001.2224
>
> Though it may be a SEPM issue I would use this as an excuse to build a new image with a clean RU5 install and no legacy bugs. (the issues in RU5 are enough to deal with)

Well the old one was MR4 of some flavor; I'd have to load the image with it still installed to find out the exact number, and I don't have one readily available without dumping the image down again, and that takes 1 and a half hours. Yes the defs are old, I was floored, seeing as we got this version of SEP from Symantec in February. So I don't know where it's getting those defs from. Especially after using CleanWipe on the existing install before upgrading. There should be NOTHING left; they have to be the defs included with the package.

The problem I'm running into is it will take me at least 20 hours of time to recreate this image. These are high end workstations with several database-connected financial programs and case management software suites, all with multiple revisions and patches that need to be applied. I'd rather wrestle with this one issue for those 20 hours than have to sit through that again, but trust me the thought had crossed my mind. I'm about 3 hours deep into it now.
 
Well at about the 4 hour mark of working on fixing the problem with the current image I said the hell with it. I went out on the floor to a machine just like the one I'm working with, hijacked that machine of a user that was out or at lunch, made sure the SEP was up to date, meaning it was functioning properly, yanked the hard drive and ghosted it disk to disk, threw their drive back in and they never knew it was ever missing. Then I cleaned up their install, removed all the profiles and temp files, uninstalled anything that user had installed and didn't actually need on the image and just made a new image out of it. I'd love to know what the problem was but I couldn't be bothered to sink any more time into it. Thanks for all the replies and suggestions.
 
Wait, you take an old image from a users desk and just keep slopping around with it to make it your "new" image? This would be why you have problems.

New image to me means fresh install from a current service pack CD, drivers slipstreamed, patches installed, latest fresh versions of your core apps installed and then sysprepped or whatever you do (I sure hope your method is creating unique SIDs).
 
Hi Paperlantern,

While searching for a solution to another problem I'm working on, I noticed this topic and thought I would respond, especially since I support SEP.

While CleanWipe does "occasionally" do a good job with removing a SEP install, it does not always work. Typically, we recommend uninstalling the software through Add/Remove Programs first. If that doesn't work, manually uninstall. If that doesn't work, try CleanWipe. Here's a link to our online KB article for manual uninstall instructions:

Title: 'How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions'
Document ID: 2007073018014248
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248?Open&seg=ent

With regard to the problem of PTP definitions not updating, you might try deleting this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymHeurProcessProtection

Be sure to make a backup first, of course! 🙂

That's about all I got for now 🙂
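The "back up first, then delete" step this reply recommends, as an added PowerShell example that is not the support poster's own script: it exports the named key with reg.exe before removing it, and refuses to delete if the export fails. The $BackupDir location is a hypothetical placeholder; stopping the client first (smc -stop, as in the earlier reply) is assumed as a precaution, not something this reply states.

```powershell
# Added example (not from the thread): back up, then remove, the PTP storage key the
# support reply names. Assumptions: elevated prompt; the SEP client has already been
# stopped with 'smc -stop'; $BackupDir is a placeholder for wherever you keep .reg backups.
param(
    [string] $BackupDir = 'C:\SEP-backup'
)
$ErrorActionPreference = 'Stop'

# Key path from the reply, in both the reg.exe form and the PowerShell provider form.
$subKey  = 'SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymHeurProcessProtection'
$regPath = "HKLM\$subKey"
$psPath  = "HKLM:\$subKey"

if (-not (Test-Path -Path $psPath)) {
    Write-Warning "Key not present: $regPath (nothing to delete)"
    return
}

# 1. Export the key and everything under it to a .reg file; 'reg import <file>' restores it
#    if removing the key makes things worse.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir "SymHeurProcessProtection-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
    throw "reg export failed (exit code $LASTEXITCODE); key left untouched"
}

# 2. Only once the backup exists, remove the key and its subkeys.
Remove-Item -Path $psPath -Recurse -Force
Write-Host "Removed $regPath; backup written to $backup"
```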
 