Symantec Endpoint Protection Manager (SEPM) doesn't show "Virus definitions" and "Last Scan" info about managed Symantec Endpoint Protection clients (SEP-Client).


Article ID: 177673


Products

Endpoint Protection

Issue/Introduction

Why is SEPM not showing information about the virus definitions in use and the time of the last scan run on SEP clients?

Symptoms
- In client groups, in the "Protection Technology" view, SEPM shows "Not reporting status" in the "Virus definitions" column.


- The Symantec Endpoint Protection client (SEP-Client) is not sending information about virus definitions and the last scan to Symantec Endpoint Protection Manager (SEPM).
You can see in the Sylink log that many fields are not posted from the SEP-Client to SEPM (see the "Reference" section) and that the client reports "<RTVScanRunning>0</RTVScanRunning>".

- You can see the following lines in the resulting debug.log when the Symantec Management Client is restarted:

10/15 07:54:20 [3992:3004] AVMan: invoking GetOpStateString.
10/15 07:54:20 [3992:3004] AVMan: Entering GetOpStateString
10/15 07:54:20 [3992:3004] AVMan: Error 0x80070005 occured creating COM object!
10/15 07:54:20 [3992:3004] AVMan: Leaving GetOpStateString
10/15 07:54:20 [3992:3004] AVMan: invoking FreeOpStateStringPtr.
10/15 07:54:20 [3992:3004] AVMan: Entering FreeOpStateStringPtr

 

Cause

This issue can be caused by a Group Policy Object applied to the client computers that affects the Symantec Endpoint Protection or Symantec Antivirus services.

Resolution

Remove the portion of the Group Policy Object that applies a start type or permissions to the Symantec Endpoint Protection or Symantec Antivirus services.



How to show the GPOs currently applied to services:

  1. Start -> Run -> "rsop.msc"
  2. On the left hand side, follow the tree: Computer Configuration -> Windows Settings -> Security Settings -> System Services
  3. On the right hand side, find "Symantec Endpoint Protection". The "Startup" and "Permission" columns need to be blank. If they are not, the GPO applying this policy will be listed under the column "Source GPO".
  4. On the Domain Controller side, where this GPO is configured, it might list "Symantec Antivirus" instead of "Symantec Endpoint Protection". Either one will apply to SEP because both services have the same real name; only the display name is different.




Technical Information

Sylink logs from an affected SEP client and a working SEP client:

SEP clients are not sending AVMan information about the virus definitions in use, the last scan, etc. during the <mfn_PostAgentInfo> process.

Some of the missing fields are:
------------------------------------------------------------------------------
<PatternFileRevision>40</PatternFileRevision>
<UsingPattern>2968104</UsingPattern>
<PatternFileSequence>95106</PatternFileSequence>
<PatternFileDate>270405000000</PatternFileDate>
<TimeOfLastVirus>270405082801</TimeOfLastVirus>
<TimeOfLastScan>000000000000</TimeOfLastScan>
------------------------------------------------------------------------------

 -- This is the <mfn_PostAgentInfo> log from the affected client, taken from SylinkMonitor:

05/06 16:45:10 [1380] <mfn_PostAgentInfo>Volatile op-state damper: 0, Interval passed: 158
05/06 16:45:10 [1380] <mfn_PostAgentInfo>Free memory difference: 11997184, Threshold: 74347920
05/06 16:45:10 [1380] <mfn_PostAgentInfo>Free disk space difference: 61440, Threshold: 1440336690
05/06 16:45:10 [1380] <PostEvent>going to post event=EVENT_SYLINK_QUERY_COMMANDSTATUS
05/06 16:45:10 [1380] <PostEvent>done post event=EVENT_SYLINK_QUERY_COMMANDSTATUS, return=0
05/06 16:45:10 [1380] <mfn_PostAgentInfo><?xml version='1.0' encoding='UTF-8' ?>
<SESAgentOpState AgentID="10D7B4820A0A034100D2B918494834D4" Timestamp="1241617510049"><TechID Name="AVMan"><Data><![CDATA[<avstate version="1.0"><RTVScanRunning>0</RTVScanRunning></avstate>]]></Data></TechID>
<TechID Name="LUMan"><Data><![CDATA[<lustate><lastUpdateTime>1236276279827</lastUpdateTime></lustate>]]></Data></TechID><TechID Name="SEP"><Data><![CDATA[<SSAInfo NameSpace="rpc" AgentID="10D7B4820A0A034100D2B918494834D4" ComputerID="AAAC0FAD0A0A034100D2B918D6AF5C3B" HardwareKey="5C1FC4BEFC7BDA6F08B0EEDEAC7F3C9D" GroupID="DD44DED20A0A0341011C4E175BC00FCA">
<AgentHIInfo Status="1" ReasonCode="0" ReasonDescForFailure="Host Integrity check passed"/>
<SSAHostInfo>

------------------------------------------------------------------------------------------------------------

 -- This is a correct and complete <mfn_PostAgentInfo> log:

05/06 15:32:54 [3148] <mfn_PostAgentInfo>Volatile op-state damper: 0, Interval passed: 1241616774
05/06 15:32:54 [3148] <mfn_PostAgentInfo>Free memory difference: 1686470656, Threshold: 0
05/06 15:32:54 [3148] <mfn_PostAgentInfo>Free disk space difference: 3390078976, Threshold: 0
05/06 15:32:54 [3148] <PostEvent>going to post event=EVENT_SYLINK_QUERY_COMMANDSTATUS
05/06 15:32:54 [3148] <PostEvent>done post event=EVENT_SYLINK_QUERY_COMMANDSTATUS, return=0
05/06 15:32:54 [3148] <mfn_PostAgentInfo><?xml version='1.0' encoding='UTF-8' ?>
<SESAgentOpState AgentID="9F1B21280AA0138300BE8C3EE6470CD7" Timestamp="1241616774734">
<TechID Name="AVMan"><Data><![CDATA[<avstate version="1.0"><RTVScanRunning>1</RTVScanRunning><PatternFileRevision>40</PatternFileRevision><UsingPattern>2968104</UsingPattern><PatternFileSequence>95106</PatternFileSequence><PatternFileDate>270405000000</PatternFileDate><TimeOfLastVirus>270405082801</TimeOfLastVirus><TimeOfLastScan>000000000000</TimeOfLastScan><WorstInfectionType>0</WorstInfectionType><OnOff>1</OnOff><SymProtectOnOff>1</SymProtectOnOff><SymSentryInstalled>0</SymSentryInstalled><SavProductVersion>148313068</SavProductVersion><Licensed>0</Licensed><LicenseStatus>0</LicenseStatus><LicenseExpirationTime>000000000000</LicenseExpirationTime><DecAbiVer>1.1.1</DecAbiVer><EraserEngineVer>7143425:61</EraserEngineVer><Moniker Id="{C25CEA47-63E5-447b-8D95-C79CAE13FF79}" Version="1.5.0" Seq="80929016" Owner="SyKnAppS"  /><Moniker Id="{E5A3EBEE-D580-421e-86DF-54C0B3739522}" Version="MicroDefsB.CurDefs" Seq="90505018" Owner="SyKnAppS"  /><Moniker Id="{812CD25E-1049-4086-9DDD-A4FAE649FBDF}" Version="MicroDefsB.CurDefs" Seq="90505018" Owner="SyKnAppS"  /><Moniker Id="{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}" Version="6.1.0" Seq="80820001" Owner="COH"  /><Moniker Id="{C13726A9-8DF7-4583-9B39-105B7EBD55E2}" Version="6.1.0" Seq="80820001" Owner="COH"  /></avstate>]]></Data></TechID>
<TechID Name="LUMan"><Data><![CDATA[<lustate><lastUpdateTime>1241609304937</lastUpdateTime></lustate>]]></Data></TechID><TechID Name="SEP"><Data><![CDATA[<SSAInfo NameSpace="rpc" AgentID="9F1B21280AA0138300BE8C3EE6470CD7" ComputerID="2BFAA5570AA0138300BE8C3E2EAB3422" HardwareKey="63EBD3D376B1CAE51B8A79C5D9C65CE7" GroupID="483B28900AA0121000D37F4B8033E256">
<AgentHIInfo Status="3" ReasonCode="0" ReasonDescForFailure="Host Integrity check is disabled."/>
<SSAHostInfo>
------------------------------------------------------------------------------------------------------------
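
The comparison between the two logs above can be automated. The following Python is an added example, not part of the original article or of any Symantec tool: it extracts the AVMan avstate block from each <mfn_PostAgentInfo> post in a Sylink log, reports which of the fields listed above are absent, and checks debug.log for the 0x80070005 (access denied) COM error. The sample log text and agent IDs are constructed, and the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Fields the article lists as missing from an affected client's AVMan op-state.
EXPECTED = ("PatternFileRevision", "UsingPattern", "PatternFileSequence",
            "PatternFileDate", "TimeOfLastVirus", "TimeOfLastScan")
AVSTATE_RE = re.compile(
    r'<SESAgentOpState AgentID="([0-9A-F]+)"[^>]*>\s*'
    r'<TechID Name="AVMan"><Data><!\[CDATA\[(<avstate.*?</avstate>)\]\]>',
    re.DOTALL)
# "occured" is spelled as the client writes it in debug.log.
COM_ERR_RE = re.compile(r"AVMan: Error (0x[0-9A-Fa-f]{8}) occured creating COM object")
E_ACCESSDENIED = "0x80070005"  # HRESULT for "access denied"


def triage_sylink(log_text):
    """Return one finding per AVMan op-state post found in a Sylink log."""
    findings = []
    for agent_id, avstate_xml in AVSTATE_RE.findall(log_text):
        try:
            avstate = ET.fromstring(avstate_xml)
        except ET.ParseError:
            continue  # truncated or damaged payload; skip it
        present = {child.tag for child in avstate}
        missing = [f for f in EXPECTED if f not in present]
        findings.append({"agent_id": agent_id,
                         "rtvscan_running": avstate.findtext("RTVScanRunning"),
                         "missing": missing,
                         "affected": bool(missing)})
    return findings


def access_denied_in_debug_log(debug_text):
    """True if AVMan failed to create its COM object with access denied."""
    return any(h.lower() == E_ACCESSDENIED for h in COM_ERR_RE.findall(debug_text))


# Constructed samples in the shape of the article's logs (agent IDs are made up).
SAMPLE_DEBUG = "10/15 07:54:20 [3992:3004] AVMan: Error 0x80070005 occured creating COM object!\n"
SAMPLE_SYLINK = """05/06 16:45:10 [1380] <mfn_PostAgentInfo><?xml version='1.0' encoding='UTF-8' ?>
<SESAgentOpState AgentID="000000000000000000000000000000A1" Timestamp="1241617510049"><TechID Name="AVMan"><Data><![CDATA[<avstate version="1.0"><RTVScanRunning>0</RTVScanRunning></avstate>]]></Data></TechID>
05/06 15:32:54 [3148] <mfn_PostAgentInfo><?xml version='1.0' encoding='UTF-8' ?>
<SESAgentOpState AgentID="000000000000000000000000000000B2" Timestamp="1241616774734">
<TechID Name="AVMan"><Data><![CDATA[<avstate version="1.0"><RTVScanRunning>1</RTVScanRunning><PatternFileRevision>40</PatternFileRevision><UsingPattern>2968104</UsingPattern><PatternFileSequence>95106</PatternFileSequence><PatternFileDate>270405000000</PatternFileDate><TimeOfLastVirus>270405082801</TimeOfLastVirus><TimeOfLastScan>000000000000</TimeOfLastScan></avstate>]]></Data></TechID>
"""

if __name__ == "__main__":
    for f in triage_sylink(SAMPLE_SYLINK):
        print(f)
    print("access denied in debug.log:", access_denied_in_debug_log(SAMPLE_DEBUG))
```

A client flagged as affected here, together with the access-denied error in debug.log, is the combination the article attributes to a GPO that sets a start type or permissions on the service.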