"Unexpected server error" in 14.3 RU2 SEPM when Upload quarantined files from clients is enabled

Article ID: 220566

Updated On:

Products

Endpoint Protection

Issue/Introduction

After enabling the "Upload quarantined files from the clients" setting in the SEPM Domain settings, "Unexpected server error" messages may appear in the SEPM admin page or the Server Activity logs. The error messages start after a client has quarantined a file with an & in its name and/or path. Auto-upgrade of the clients may fail as well.

The following errors may also be seen in the logs below.

std-out-#.log

YYYY-MM-DD HH:MM:SS.XXX THREAD 41 SEVERE: [Fatal Error] :1:96: The entity name must immediately follow the '&' in the entity reference.

 

scm-server-#.log

YYYY-MM-DD HH:MM:SS.XXX THREAD 41 SEVERE:  in: com.sygate.scm.server.task.IISCacheTask
com.sygate.scm.common.configobject.ValidationException: CommandParameter: invalid content!
 at com.sygate.scm.common.configobject.schema.CommandParameter.exportToElement(CommandParameter.java:194)
 at com.sygate.scm.common.configobject.schema.Command.exportToElement(Command.java:552)
 at com.sygate.scm.common.configobject.AbstractSchema.getDocument(AbstractSchema.java:69)
 at com.sygate.scm.common.configobject.AbstractSchema.writeXML(AbstractSchema.java:77)
 at com.sygate.scm.server.task.IISCacheTask.publishCommand(IISCacheTask.java:1573)
 at com.sygate.scm.server.task.IISCacheTask.updateCommandCache(IISCacheTask.java:1326)
 at com.sygate.scm.server.task.IISCacheTask.execute(IISCacheTask.java:386)
 at com.sygate.scm.server.task.MonitoredTimerTask.run(MonitoredTimerTask.java:45)
 at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
 at java.base/java.util.TimerThread.run(Timer.java:506)

 

exsecars-a.log (This will only be seen if auto-upgrade is being attempted and failing due to this issue)

Secars not yet ready to handle client upgrade package info requests. Sent 469 reply and the return code: 1

Environment

14.3 RU2 or 14.3 RU3

Cause

An & (ampersand) in the name and/or path of quarantined file.
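
Why a bare & produces the std-out message quoted above, as an added example that is not Symantec's code: it assumes the quarantined path reaches a Java XML parser unescaped, and the element name, attribute names and sample path are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class AmpersandInXml {
    // Constructed sample path: '&' followed by a space, as in a folder named "Q & A".
    static final String PATH = "C:\\Temp\\Q & A\\sample.exe";

    // Escape the five XML special characters; '&' is replaced first so the
    // entities produced by the later replacements are not escaped twice.
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    // Returns null if the XML is well-formed, otherwise the parser's message.
    static String parseError(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations, since the input embeds client-supplied text.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = f.newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical element and attribute names, for illustration only.
        String raw = "<Param name=\"path\" value=\"" + PATH + "\"/>";
        String escaped = "<Param name=\"path\" value=\"" + escapeXml(PATH) + "\"/>";
        // The JDK's default error handler also prints a "[Fatal Error] :line:col:" line
        // to stderr for the raw case, the same shape as the std-out log entry.
        System.out.println("raw:     " + parseError(raw));
        System.out.println("escaped: " + parseError(escaped));
    }
}
```

The raw case fails because the parser treats & as the start of an entity reference and finds a space instead of a name; the escaped case parses cleanly and yields the original path as the attribute value.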

Resolution

This issue is fixed in Symantec Endpoint Protection 14.3 RU4.  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

If an upgrade is not possible at this time, as a workaround, find the name of the file containing the "&" in the SQL database:

SELECT SJ.COMMAND_ID, SC.COMPUTER_NAME, SJ.COMMAND_NAME, C.SUB_STATE_DESC, C.STATE_ID, DATEADD(ss, SJ.TIME_STAMP / 1000, '19700101') AS LastModified FROM COMMAND C
LEFT JOIN SEM_JOB SJ ON SJ.COMMAND_ID = C.COMMAND_ID
LEFT JOIN V_SEM_COMPUTER SC ON SC.HARDWARE_KEY = C.HARDWARE_KEY
WHERE C.SUB_STATE_DESC LIKE '%&%'
ORDER BY SJ.TIME_STAMP DESC

Then remove that ID by issuing:

DELETE from BASIC_METADATA where ID = '<ID>'
DELETE from COMMAND where COMMAND_ID = '<ID>'

Additional Information

ESCRT-7594