GetCommand 404 OpenFailed: Error (2) while opening the Command file

Article ID: 163846

Products

Endpoint Protection

Issue/Introduction

A large number of GetCommand 404 OpenFailed: Error (2) while opening the Command file entries are written to exsecars.log on the Symantec Endpoint Protection Manager (SEPM).

These errors may or may not be accompanied by unexpected server errors on the SEPM, where the stack trace shows the error com.sygate.scm.server.logreader.ParseException (7): Invalid log record: String found instead of integer.

SEPM exsecars.log

GetCommand 404 OpenFailed: Error (2) while opening the Command file

SEP Sylink/CVE debug log

[Command] Downloading command from: http://SEPM:8014 
...
[Command] HTTP failure code: 404, Response Data: 
[Command] Failed to download command 1F618C12C0A8687A00F099461C4857CC from SEPM. Error: 5 
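
The client-side pattern above can be tallied per command ID when reviewing collected Sylink debug logs. This is an added example, not Symantec code; it assumes the three [Command] line formats quoted in this article, and the sample's third attempt (HTTP 500 and its command ID) is constructed.

```python
import re
from collections import Counter

# Patterns mirror the three [Command] lines quoted in the article; search()
# is used so any timestamp or thread prefix in a real log is tolerated.
RE_START = re.compile(r"\[Command\] Downloading command from: (\S+)")
RE_HTTP = re.compile(r"\[Command\] HTTP failure code: (\d+)")
RE_FAIL = re.compile(r"\[Command\] Failed to download command ([0-9A-Fa-f]+) from SEPM")

# Constructed sample: the first two attempts reuse the article's lines, the
# third (HTTP 500, made-up command ID) is invented to exercise the filter.
SAMPLE = """\
[Command] Downloading command from: http://SEPM:8014
...
[Command] HTTP failure code: 404, Response Data:
[Command] Failed to download command 1F618C12C0A8687A00F099461C4857CC from SEPM. Error: 5
[Command] Downloading command from: http://SEPM:8014
[Command] HTTP failure code: 404, Response Data:
[Command] Failed to download command 1F618C12C0A8687A00F099461C4857CC from SEPM. Error: 5
[Command] Downloading command from: http://SEPM:8014
[Command] HTTP failure code: 500, Response Data:
[Command] Failed to download command 0123456789ABCDEF0123456789ABCDEF from SEPM. Error: 5
""".splitlines()

def missing_commands(lines):
    """Count download attempts that ended in HTTP 404, keyed by (command ID, server)."""
    hits = Counter()
    server = http_code = None
    for line in lines:
        if m := RE_START.search(line):
            server, http_code = m.group(1), None  # a new attempt resets state
        elif m := RE_HTTP.search(line):
            http_code = int(m.group(1))
        elif m := RE_FAIL.search(line):
            if http_code == 404:
                hits[(m.group(1).upper(), server)] += 1
            server = http_code = None
    return hits

def repeated(hits, min_attempts=2):
    """Command IDs the client keeps retrying, most frequent first."""
    return [(cmd, srv, n) for (cmd, srv), n in hits.most_common() if n >= min_attempts]

if __name__ == "__main__":
    for cmd, srv, n in repeated(missing_commands(SAMPLE)):
        print(f"{cmd} requested {n}x from {srv}: HTTP 404 (command file missing on SEPM?)")
```

A command ID that recurs with HTTP 404 on a client matches the symptom described in this article, where the corresponding command file is missing from the SEPM outbox folder.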

Environment

  • SEPM
  • SEP for Windows

Cause

SECARS is an Apache server plugin that brokers communication between the SEPM and the Symantec Endpoint Protection (SEP) client. When command files are missing from C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command, clients fail to download them and the SEPM logs numerous related errors.

The issue can be reproduced in the following manner:

  1. From SEPM, issue an Update Content command to a client. Three files will appear in folder C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command.
  2. Delete the files. Exsecars.log will show numerous GetCommand 404 OpenFailed: Error (2) while opening the Command file errors shortly thereafter.

Resolution

There are two possible workarounds:

Workaround 1

  1. Stop the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
  2. Delete the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command folder.
  3. Start the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
  4. Verify that the command files are generated in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command.
  5. Verify the issue is no longer present in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\exsecars.log.

Workaround 2

  1. On the affected client, delete registry keys HKEY_LOCAL_MACHINE\SOFTWARE\{Wow6432Node\}Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\Command{GUID,Size}. For a large number of clients, this can be achieved using a Host Integrity policy that performs the same actions when those keys are found to be present (see Delete Command{GUID,Size} keys if present.dat in attachment).
  2. Restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.