search cancel

Emailed SEP weekly report only shows, "An unknown error occurred"

book

Article ID: 238745

calendar_today

Updated On:

Products

Complete Endpoint Defense (with SEP)

Issue/Introduction

Symantec Endpoint Protection Weekly(or any scheduled) report, when emailed only shows "An unknown error occurred." and there is no data in the report. At the same time it is possible to run the report from the Web Portal and the SEPM Console and it shows properly. 

Cause

scm-server.log:

2021-12-02 10:00:41.737 THREAD 38 FINE: ReportWriter: generating a report for https://<SEPM:port>/Reporting/Reports/weekly_report.php?filReport_Idx=16 with 6 args (timezone)

2021-12-02 10:00:49.026 THREAD 38 FINE: Sending mail to:[email protected]

 


std-out.log:

2021-12-02 10:00:50.383 THREAD 38 INFO: DATA
2021-12-02 10:00:50.395 THREAD 38 INFO: 354 Enter mail, end with a single "."
2021-12-02 10:00:50.396 THREAD 38 INFO: Date: Thu, 2 Dec 2021 10:00:50 -0800 (PST)
2021-12-02 10:00:50.396 THREAD 38 INFO: From: [email protected]
2021-12-02 10:00:50.396 THREAD 38 INFO: Reply-To: [email protected]
2021-12-02 10:00:50.396 THREAD 38 INFO: To: user_mail
2021-12-02 10:00:50.397 THREAD 38 INFO:  user_mail
2021-12-02 10:00:50.397 THREAD 38 INFO: Message-ID: <[email protected]>
2021-12-02 10:00:50.397 THREAD 38 INFO: Subject: Scheduled Report: Executive Weekly Summary Report
2021-12-02 10:00:50.397 THREAD 38 INFO: MIME-Version: 1.0
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Type: multipart/mixed; 
2021-12-02 10:00:50.397 THREAD 38 INFO:  boundary="----=_Part_326_980412050.1638468050262"
2021-12-02 10:00:50.397 THREAD 38 INFO: ------=_Part_326_980412050.1638468050262
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Type: text/plain;charset=UTF-8
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Transfer-Encoding: 7bit
2021-12-02 10:00:50.397 THREAD 38 INFO: Report scheduled by: admin.
2021-12-02 10:00:50.397 THREAD 38 INFO: Server name: SEPM_name.
2021-12-02 10:00:50.397 THREAD 38 INFO: IP address: SEPM_IP.
2021-12-02 10:00:50.397 THREAD 38 INFO: Report generated on: Dec 2, 2021 10:00:49 AM.
2021-12-02 10:00:50.397 THREAD 38 INFO: Report type: Risk Report.
2021-12-02 10:00:50.397 THREAD 38 INFO: Report description: Created automatically during product installation..
2021-12-02 10:00:50.397 THREAD 38 INFO: See attached report.
2021-12-02 10:00:50.397 THREAD 38 INFO: ------=_Part_326_980412050.1638468050262
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Type: text/html; charset=us-ascii; 
2021-12-02 10:00:50.397 THREAD 38 INFO:  name="Executive Weekly Summary Report_Dec 2_ 2021 10-00-49 AM
2021-12-02 10:00:50.397 THREAD 38 INFO:  024.html"
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Transfer-Encoding: 7bit
2021-12-02 10:00:50.397 THREAD 38 INFO: Content-Disposition: attachment; 
2021-12-02 10:00:50.398 THREAD 38 INFO:  filename="Executive Weekly Summary Report_Dec 2_ 2021 10-00-49 AM
2021-12-02 10:00:50.398 THREAD 38 INFO:  024.html"
2021-12-02 10:00:50.398 THREAD 38 INFO: Content-ID: Executive Weekly Summary Report_Dec 2_ 2021 10-00-49 AM 024.html
2021-12-02 10:00:50.398 THREAD 38 INFO:   <html>
2021-12-02 10:00:50.398 THREAD 38 INFO:     <head>
2021-12-02 10:00:50.398 THREAD 38 INFO:       <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
2021-12-02 10:00:50.398 THREAD 38 INFO:                 <link href="../Resources/styles.css" rel="stylesheet" type="text/css">
2021-12-02 10:00:50.398 THREAD 38 INFO:                 <meta http-equiv="Pragma" content="no-cache">
2021-12-02 10:00:50.398 THREAD 38 INFO:                 <meta name="DownloadOptions" content="noopen">
2021-12-02 10:00:50.398 THREAD 38 INFO:                 <meta http-equiv="Expires" content="-1">
2021-12-02 10:00:50.398 THREAD 38 INFO:       <title>Message</title>
2021-12-02 10:00:50.398 THREAD 38 INFO:     </head>
2021-12-02 10:00:50.398 THREAD 38 INFO:     <body>An unknown error occurred.</body>
2021-12-02 10:00:50.398 THREAD 38 INFO:   </html>
2021-12-02 10:00:50.398 THREAD 38 INFO:   
2021-12-02 10:00:50.398 THREAD 38 INFO: ------=_Part_326_980412050.1638468050262--
2021-12-02 10:00:50.398 THREAD 38 INFO: .
2021-12-02 10:00:50.412 THREAD 38 INFO: 250 2.5.0 Ok
2021-12-02 10:00:50.412 THREAD 38 INFO: DEBUG SMTP: message successfully delivered to mail server
2021-12-02 10:00:50.412 THREAD 38 INFO: QUIT

Resolution

The report converter (ReportConverter.php) removes any instances of the script tags in the report content html.
It is using the regular expression (regex) when performing a search and replace.
The report content is becoming null or empty in report converter.

The issue is reproduced when the report content length of the emailed report is 3300734 characters.
The regex pattern in the report converter will make use of backtrack and recursion, and the maximum limit of characters has been reached.

The following are default configurations in PHP:
pcre.backtrack_limit "1000000"
pcre.recursion_limit "100000"

 

Please try the workaround of increasing the maximum limit in the PHP configuration file:


1. Add the following in SEPM\Php\php.ini
pcre.backtrack_limit=10000000
pcre.recursion_limit=1000000


2. Then, restart the SEPM service and SEPM Webserver service.