Endpoint Protection clients stop communicating with Endpoint Protection Manager until SMC is restarted

Article ID: 173737

Products

Endpoint Protection

Issue/Introduction

You have Symantec Endpoint Protection Manager (SEPM) 14.2 MP1. You previously upgraded your Symantec Endpoint Protection (SEP) clients to 14.2 MP1 because you had a large number of offline clients. While the upgrade resolved the issue for most clients, some clients still stop communicating. Restarting the SEP Management Client (SMC) allows the affected client to start communicating again.

  • cve-action.log shows GetIndexXml and GetGlobalIndex operations as the last operations.
  • cve.log shows that SEP failed to update Sylink CommunicationStatus and public opstate LastServerIP.
  • The SEP system log may show a gap of several days between SMC stopping and the next entry.
  • cve.log may also report an AddFirewallState Failed to get security engine error and/or an exception that occurred while retrieving ATPInfo.
  • Dump analysis output of a ccSvcHst.exe process dump generated when the issue occurs shows a wait for a single object. A dump of all the process threads indicates the wait is due to a libcurl operation, after a set of such operations is initiated by the SMC:

STACK_TEXT: 
0018f7c0 772565ac 7527179c 0000017c 00000000 ntdll!KiFastSystemCallRet
0018f7c4 7527179c 0000017c 00000000 00000000 ntdll!NtWaitForSingleObject+0xc
0018f830 76b9c533 0000017c ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98
0018f848 76b9c4e2 0000017c ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75
0018f85c 767b7be6 0000017c ffffffff e00bc5a6 kernel32!WaitForSingleObject+0x12
[...]

0:000> ~*kv
[...]
80 Id: 534.d24 Suspend: 0 Teb: 7ff4e000 Unfrozen

ChildEBP RetAddr Args to Child
00 0ee8c9b0 772565ac 748a6eff 00001b7c 00000001 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0ee8c9b4 748a6eff 00001b7c 00000001 0ee8c9dc ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02 0ee8c9f4 748a6d20 00001b7c 000026e0 00000001 mswsock!SockWaitForSingleObject+0x1ba (FPO: [Non-Fpo])
03 0ee8cae0 7737673e 00000000 0ee8cbd4 00000000 mswsock!WSPSelect+0x3a6 (FPO: [Non-Fpo])
04 0ee8cb60 66577527 00000000 0ee8cbd4 00000000 ws2_32!select+0x494 (FPO: [Non-Fpo])
05 0ee8cee0 66572b7b 0ee8cf34 00000001 000003e8 libcurl_openssl!Curl_poll+0x287 (FPO: [3,214,0]) (CONV: cdecl)
06 0ee8cf84 6656d88f 0f49b1b8 00000000 00000000 libcurl_openssl!curl_multi_wait+0x26b (FPO: [5,33,0]) (CONV: cdecl)
07 0ee8cfb4 6656d83d 0f49b1b8 0c24a4d0 032cf408 libcurl_openssl!easy_transfer+0x2f (FPO: [1,3,4]) (CONV: cdecl) 
08 0ee8cfc8 6656d38b 03444bb0 00000000 684282f9 libcurl_openssl!easy_perform+0xcd (FPO: [2,0,4]) (CONV: cdecl)
09 0ee8cfd4 684282f9 03444bb0 f85204bf 00000000 libcurl_openssl!curl_easy_perform+0xb (FPO: [1,0,0]) (CONV: cdecl)
0a 00000000 00000000 00000000 00000000 00000000 SepManagementClient+0xf69
[...]

Cause

The client stops communicating with SEPM because the send command that our Communicator for Virtual Environments (CVE) passes to libcurl does not contain a time-out. As a result, libcurl may at times wait on a Windows socket indefinitely.
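The failure mode above, as an added illustration that is not Symantec or libcurl code: a Python stand-in for the CVE request against a constructed local server that accepts the connection and never replies, mirroring the socket the ccSvcHst.exe dump shows libcurl waiting on. A request with no time-out blocks for as long as the server stays silent, while one with a deadline returns; in libcurl the corresponding settings are CURLOPT_CONNECTTIMEOUT, CURLOPT_TIMEOUT and CURLOPT_LOW_SPEED_LIMIT/CURLOPT_LOW_SPEED_TIME.

```python
import socket
import threading
from http.client import HTTPConnection


def start_stalled_server():
    """Constructed test double: accepts TCP connections on a random
    loopback port and never sends a byte, so any read on the client
    side waits until a deadline fires (or forever, if there is none)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets open so the peer never sees EOF

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed, stop the thread
                return
            held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fetch_index(port, timeout=None):
    """Issue a GET the way a management client would. timeout=None is
    the no-time-out call (Python sockets block indefinitely by default,
    as libcurl does without a timeout option); a number is a deadline."""
    conn = HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/index.xml")  # hypothetical path
        conn.getresponse()                 # blocks here: no reply ever comes
        return "ok"
    except socket.timeout:
        return "timed out"
    finally:
        conn.close()


def demonstrate(port, watch_seconds=1.0):
    """Return (result of the bounded call, whether the unbounded call is
    still blocked after watch_seconds). The unbounded call runs in a
    daemon thread so the demonstration itself does not hang."""
    bounded = fetch_index(port, timeout=0.2)
    worker = threading.Thread(target=fetch_index, args=(port,), daemon=True)
    worker.start()
    worker.join(watch_seconds)
    return bounded, worker.is_alive()
```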

Note

CVE is the communication library used by the SEP client to communicate with SEPM. It is not only used in virtual environments; its name is a holdover from the period in which it was developed (its first implementation was for some of the virtual appliances we integrated with). CVE replaces Sylink, which was the communications library in SEP prior to version 14.2. It makes use of libcurl, an open-source, multi-platform, multi-protocol file transfer library.
Common CVE operations include GetATPInfo, GetContentItem, GetIndexXml, GetGlobalIndex, UploadOpState and UploadLogs.

Environment

  • SEP 14.2 MP1

Resolution

This issue is fixed in Symantec Endpoint Protection 14.2 RU1 MP1. For information on how to obtain the latest build of Symantec Endpoint Protection, see "Download the latest version of Symantec software".

Please note that client-server communication can fail for many reasons. This TECH note only applies to the specific set of conditions outlined in the Issue/Introduction section above. If unsure, please contact Symantec Support.