Due to the duplicate hardware ID of the Symantec Endpoint Client (SEP) on the Linux Operating System (OS), the client reporting to the Symantec Endpoint Protection Manager (SEPM) gets deleted from the console after a couple of heartbeat intervals.
The following issues are observed with the SEP client on Linux OS:
SEPM and SEP client version 14.x
Virtual machines (VMs) are deployed from the same snapshot, which contains the Linux operating system along with the SEP client. As a result, the SEP clients report with duplicate "Hardware Key", "Agent ID" and "MAC address" values.
<SSARegData NameSpace="rpc"><AgentInfo DomainID="xxxxx" AgentType="105" AgentID="xxxxx" HardwareKey="xxxxx" UserDomain="root" LoginUser="root" ComputerDomain="xxxxxxxx" ComputerName="xxxx" PreferredGroup="My Company\Default Group" SiteDomainName="" AgentPlatform=""/><SSAHostInfo><NetworkIdentity UserDomain="root" LogonUser="root" HostDomain="xxxxxxxxxx" HostName="<xyzxyz>" HostDesc="Symantec SVA"/><SSAProduct Version="14.0.3876.1100"/><SSAOS Type="553648128" Version="" Desc="Linux" Kernel="4.18.0-372.9.1.el8.x86_64" ServicePack="" OsBitType="x64"/><Processor ProcessorClock="2593" ProcessorNum="2" ProcessorType="Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz"/><Memory Size="3913031680" Free="285929472"/><BIOS Version="6.00" SerialNumber="VMware-xxxxx" Manufacturer="Phoenix Technologies LTD" UUID="xxxxx"/><Motherboard Manufacturer="Intel Corporation"/><DNSs><DNS Address="xxxxxx"/><DNS Address="xxxxxxxx1"/></DNSs><SSAUTC Bias="-330"/><SSANICs><SSANIC Ip="xxxxxxx" Mac="xxxxx" Gateway="xxxxxx" SubnetMask="255.255.255.0"/></SSANICs></SSAHostInfo></SSARegData>
09/07 15:55:20 [32644:28104] CHttpReg::ParseData.. Parsed values => s_origin_length (m_iRegDataLen)=1383 sygate-ssn (m_dwCSN)=59015 s_session_id (m_sSessionID)=E0391FC11A454F8C301D9D6275C1D65C sDataForwared = <?xml version="1.0" encoding="UTF-8"?>
<SSARegData NameSpace="rpc"><AgentInfo DomainID="xxxxx" AgentType="105" AgentID="xxxxx" HardwareKey="xxxxx" UserDomain="root" LoginUser="root" ComputerDomain="xxxxxxx" ComputerName="xxxxxxxx" PreferredGroup="My Company\Default Group" SiteDomainName="" AgentPlatform=""/><SSAHostInfo><NetworkIdentity UserDomain="root" LogonUser="root" HostDomain="xxxxxxxxx" HostName="<abcabc>" HostDesc="Symantec SVA"/><SSAProduct Version="14.0.3876.1100"/><SSAOS Type="553648128" Version="" Desc="Linux" Kernel="4.18.0-372.9.1.el8.x86_64" ServicePack="" OsBitType="x64"/><Processor ProcessorClock="2593" ProcessorNum="2" ProcessorType="Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz"/><Memory Size="8140886016" Free="1052176384"/><BIOS Version="6.00" SerialNumber="VMware-xxxxx" Manufacturer="Phoenix Technologies LTD" UUID="xxxxx"/><Motherboard Manufacturer="Intel Corporation"/><DNSs><DNS Address="xxxxxxxx"/><DNS Address="xxxxxxxx"/></DNSs><SSAUTC Bias="-330"/><SSANICs><SSANIC Ip="xxxxxxxxxx" Mac="xxxxx" Gateway="xxxxxxxxx" SubnetMask="255.255.255.0"/></SSANICs></SSAHostInfo></SSARegData>
As per product design, the Hardware Key is calculated as the MD5 hash of the first NIC's MAC address, so VMs with the same MAC address generate a duplicate Hardware Key for the SEP client.
Steps:
This issue is addressed in SEP 14.3 RU8, where the Hardware ID is generated based on the UUID (/opt/Symantec/cafagent/bin/machine_instanceid.txt, which comes from /sys/class/dmi/id/product_uuid). For details, see the [Additional information] section of Repair duplicate client IDs on cloned Endpoint Protection clients.
Check What's new for Symantec Endpoint Protection 14.3 RU8?
To determine which agents are affected by a duplicate Hardware ID, see the [Step 1: Identify the clients] section of Repair duplicate client IDs on cloned Endpoint Protection clients.
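As a supplementary check on logged registration data, the following added example (not Broadcom's code and not the procedure from the linked article) scans log text for SSARegData records like the ones shown above and reports every HardwareKey that more than one ComputerName registers with. The sample records, host names, keys and MAC values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Regexes are used instead of an XML parser because the logged records can carry
# values such as HostName="<xyzxyz>", which is not well-formed XML.
AGENT_INFO = re.compile(r'<AgentInfo\b((?:\s+\w+="[^"]*")*)\s*/?>')
ATTR = re.compile(r'(\w+)="([^"]*)"')
FIRST_NIC_MAC = re.compile(r'<SSANIC\b[^>]*?\bMac="([^"]*)"')

def _sample(agent_id, hw_key, host, mac):
    # Constructed record in the shape of the SSARegData lines above; all values are made up.
    return (f'<SSARegData NameSpace="rpc"><AgentInfo AgentType="105" AgentID="{agent_id}" '
            f'HardwareKey="{hw_key}" ComputerName="{host}"/><SSAHostInfo>'
            f'<NetworkIdentity HostName="<{host}>"/><SSANICs><SSANIC Ip="192.0.2.1" '
            f'Mac="{mac}"/></SSANICs></SSAHostInfo></SSARegData>')

SAMPLE_LOG = "\n".join([
    "09/07 15:55:20 [1:2] CHttpReg::ParseData.. Parsed values => (constructed line)",
    _sample("A-001", "HK-AAAA", "web01", "00-50-56-00-00-01"),
    _sample("A-001", "HK-AAAA", "web02", "00-50-56-00-00-01"),  # clone of web01
    _sample("A-001", "HK-AAAA", "web01", "00-50-56-00-00-01"),  # repeat heartbeat
    _sample("A-002", "HK-BBBB", "db01", "00-50-56-00-00-02"),
])

def parse_registrations(text):
    """Yield one dict per line that contains an AgentInfo element."""
    for line in text.splitlines():
        match = AGENT_INFO.search(line)
        if not match:
            continue  # not a registration record
        attrs = dict(ATTR.findall(match.group(1)))
        nic = FIRST_NIC_MAC.search(line)  # first NIC listed in the record
        yield {
            "hardware_key": attrs.get("HardwareKey", ""),
            "agent_id": attrs.get("AgentID", ""),
            "computer": attrs.get("ComputerName", ""),
            "first_mac": nic.group(1) if nic else "",
        }

def find_duplicate_keys(text):
    """Return {HardwareKey: {ComputerName: first MAC}} for keys shared by several hosts."""
    by_key = defaultdict(dict)
    for rec in parse_registrations(text):
        if rec["hardware_key"]:
            by_key[rec["hardware_key"]][rec["computer"]] = rec["first_mac"]
    # A host that re-registers with its own key is not a duplicate; only distinct hosts count.
    return {key: hosts for key, hosts in by_key.items() if len(hosts) > 1}

if __name__ == "__main__":
    for key, hosts in find_duplicate_keys(SAMPLE_LOG).items():
        print(key, "is shared by", ", ".join(f"{h} ({m})" for h, m in sorted(hosts.items())))
```
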