DLP Endpoint Agent Status Troubleshooting

Article ID: 156227

Products

  • Data Loss Prevention Endpoint Prevent

  • Data Loss Prevention Endpoint Discover

Issue/Introduction

Agent status in the agent overview can be Green (OK), Yellow (Warning), or Red (Critical). The tables below list the Warning and Critical agent alerts, their causes, and the fix for each.

Resolution

Refer to our Online Help for the most current list of agent alerts:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/about-discovering-and-preventing-data-loss-on-endp-v98548126-d294e27/about-symantec-dlp-agent-administration-v15602303-d294e14975/about-agent-events-v23016027-d294e3658/troubleshooting-agent-alerts-v96219328-d294e15658.html

Table: Troubleshooting agents with Warning agent alert (columns: Agent alert, Cause, Fix)

Agent alert: DLP Outlook plug-in tampered with

Cause: The Outlook plug-in was modified, disabled, or deleted.

Fix:

  • Restart Outlook.

  • Verify that the Outlook plug-in Outlook2k3 Add-in is enabled in Outlook.

  • Run Outlook for at least 15 seconds, then restart Outlook.

  • Confirm that the Outlook plug-in Outlook2k3 Add-in is enabled.

Agent alert: DLP Outlook plug-in installation failed

Cause: The Outlook plug-in installation failed.

Fix: Run the AgentInstaller.msi manually to repair the agent installation.

Agent alert: DLP Lotus Notes plug-in tampered with

Cause: The Lotus Notes plug-in was modified.

Fix:

  • Restart Lotus Notes.

  • Uninstall the agent.

  • Restart the endpoint and install the agent.

Agent alert: DLP Lotus Notes plug-in installation failed

Cause: The Lotus Notes plug-in installation failed.

Fix: Run the AgentInstaller.msi manually to repair the agent installation.

Agent alert: DLP AIM plug-in tampered with

Cause: The AIM plug-in was modified, or the plug-in installation failed.

Fix:

  • Restart AIM.

  • Uninstall the agent.

  • Restart the endpoint and install the agent.

Agent alert: DLP AIM plug-in installation failed

Cause: The AIM plug-in installation failed.

Fix: Run the AgentInstaller.msi manually to repair the agent installation.

Agent alert: Active Directory user group resolution failed

Cause: Active Directory permissions conflict with Symantec Data Loss Prevention (DLP) permissions, or the required attributes are missing from Active Directory.

Fix: Verify that the credentials that are passed to the agent have the necessary permissions to read logged-in user information from Active Directory.

Agent alert: Agent is disabled by Enforce user

Cause: The administrator who executed the Disable troubleshooting task on the Agent List screen disabled the agent.

Fix: Start the Windows agent using the Agent List screen. You can also start the agent by using the sc command. For Mac agents, you must use the agent_start tool to start the agent.

Agent alert: Agent requires restart

Cause: The administrator can either disable or enable data loss monitoring on endpoints by executing the Disable or Enable troubleshooting task on the Agent List screen. Monitoring is enabled by default after the agent installation. However, when the administrator executes the Enable or Disable task while the agent is busy, the agent remains in a Warning state.

Fix: Restart the agent on the Agent List screen.

Agent alert: Agent crash dump available on endpoint for analysis

Cause: If the agent crashes, the Enforce Server displays the Warning agent alert type. In this scenario, a log file is created that Symantec Support can use to troubleshoot why the agent crashed. Agent crashes can be caused by the following:

  • Temporary environment issues

  • Unknown agent issues

If the agent crashes often, contact Symantec Support and provide the crash dump files available at the path /AgentInstallDirectory/_MemDumpFiles/ on the endpoint.

Fix:

  • Shut down the agent on the Agent List screen.

  • Collect the crash dump files (*.dmp) from the path /AgentInstallDirectory/_MemDumpFiles/ on the respective endpoint.

  • Delete the crash dump files.

  • Restart the agent on the Agent List screen.
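The collect-then-delete steps above, as an added PowerShell script that is not part of the Symantec/Broadcom article: it archives every *.dmp file from _MemDumpFiles into a timestamped ZIP, records SHA-256 hashes for Support, and deletes the originals only after confirming each one is present in the archive. It assumes the agent install directory is passed in by the caller and that the agent has already been shut down from the Agent List screen.

```powershell
# Added example, not the product's own tooling. Collects DLP agent crash dumps
# for Symantec Support and removes the originals only after the archive is verified.
# Assumption: $AgentInstallDirectory is the agent install folder on this endpoint.
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentInstallDirectory,
    [string]$OutputDirectory = "$env:TEMP\dlp-crashdumps"   # where the ZIP is written
)

$dumpDir = Join-Path $AgentInstallDirectory '_MemDumpFiles'
if (-not (Test-Path -LiteralPath $dumpDir)) {
    throw "Crash dump directory not found: $dumpDir"
}

# Only the *.dmp files are collected; anything else in the folder is left alone.
$dumps = @(Get-ChildItem -LiteralPath $dumpDir -Filter '*.dmp' -File)
if ($dumps.Count -eq 0) {
    Write-Host "No *.dmp files in $dumpDir; nothing to collect."
    return
}

New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipPath = Join-Path $OutputDirectory "$($env:COMPUTERNAME)-memdump-$stamp.zip"

# Compress-Archive ships with Windows PowerShell 5 and later.
Compress-Archive -LiteralPath $dumps.FullName -DestinationPath $zipPath

# Verify every dump landed in the archive before anything is deleted.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $archived = @($zip.Entries | ForEach-Object { $_.Name })
} finally {
    $zip.Dispose()
}
$missing = @($dumps | Where-Object { $archived -notcontains $_.Name })
if ($missing.Count -gt 0) {
    throw "Archive incomplete, originals kept: $($missing.Name -join ', ')"
}

# Record hashes so Support can confirm the dumps were not altered in transit.
$dumps | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -LiteralPath ($zipPath + '.sha256.csv') -NoTypeInformation

# Only now remove the originals; restart the agent from the Agent List screen afterwards.
$dumps | Remove-Item -Force
Write-Host "Collected $($dumps.Count) dump(s) into $zipPath"
```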

Agent alert: Agent version is older than Enforce Server version

Cause: The agent is one version older than the Endpoint Server version to which it connects. For example, if the Endpoint Server is version 12.0 and the agent is 11.x, a Warning agent alert type displays. The features available in the Enforce and Endpoint Server are not available for these agents. DLP identifies these agents with a Warning alert because these agents do not provide current DLP features.

Fix: Upgrade the agent to the latest version.

Agent alert: Agent group attribute discovery failure

Cause: This alert occurs if the agent cannot collect the required data from Active Directory, which prevents the Enforce Server from moving the agent into an agent group. The agent cannot collect data if there is an issue with Active Directory permissions or if required attributes are missing from Active Directory.

Fix:

  • Verify the Active Directory attribute query syntax.

  • Use AttributeQueryResolver.exe to test the Active Directory queries that are defined in the Enforce Server.

Agent alert: Agent group conflicts

Cause: The Endpoint Server automatically assigns the agent to an Agent Group depending on the endpoint attributes set during the Agent Group setup. If the endpoint meets the conditions of multiple Agent Groups, the Warning alert is raised.

Fix:

  • Review the Agent Group settings.

  • Recreate the agent group and use attributes that satisfy the conditions of the agent.

Table: Troubleshooting agents with Critical agent alert (columns: Agent alert, Cause, Fix)

Agent alert: Agent is not reporting

Cause: The agent has not reported to an Endpoint Server within the specified period of time. If the agent does not report after 18 hours, then DLP identifies the agent as not-reporting. Not-reporting agents do not receive the latest policies and configuration information, so they are marked with a Critical agent alert.

Fix:

  • Verify that the endpoint where the agent is installed still exists. If it does not exist, you can delete the agent from the Enforce Server.

  • Verify that the agent is running on the endpoint.

  • Verify the network connection between the Endpoint Server and the endpoint.

Agent alert: Agent version is not supported

Cause: The agent is two versions older than the Endpoint Server version to which it connects. For example, if the Endpoint Server is version 12.0 and the agent is 10.x, a Critical agent alert displays. The features available in Enforce and Endpoint Server are not available for these agents. DLP identifies these agents with a Critical alert because these agents do not provide current DLP features and may not operate as designed.

Fix: Upgrade the agent to the latest version.

Agent alert: File system driver is down

Cause: The agent service cannot communicate with the DLP driver installed on the endpoint. Communication may fail for the following reasons:

  • The file system drivers have been deleted.

  • DLP identifies the driver as invalid. This sometimes occurs when the driver has been modified.

  • Communication between DLP and the agent driver is broken due to an attack.

Fix:

  • Restart the endpoint.

  • Reinstall the agent.