
TROUBLESHOOTING GUIDE V1.

Introduction
For any troubleshooting, look at the logs, the Windows Event Viewer, memory dumps, etc. for clues; this always helps. The following guide lists which logs help when troubleshooting the common issues seen in Symantec Endpoint Protection.
The issues include Java -1, the Reporting component, Replication, Liveupdate, application(s) crashing, etc. They are in no specific order.
When advancing a case to the Backline team it is mandatory that the logs and information be the latest; otherwise the Backline team will ask for the latest logs, which would hamper case resolution, or may even reject/close the escalation task.

Contents
Introduction
Contents
Java -1
Reporting Component
BSOD
Client Not Reporting Status
Client getting converted to User mode
Firewall issues
Replication
Failover Load balancing
Client communication
Location Awareness/Switching
GUP Issues
Liveupdate issues
Application crashing with SEP installed
Email notification
Active Directory and LDAP integration
Installation issues
Miscellaneous
References

Java -1
1) Check the Windows Event Viewer for errors, warnings, etc. with regard to the issue.
2) Check the scm-server-x.log files for HTTP, secars, etc. errors.
3) Check the catalina.out file for port conflicts and server certificate tampering.
4) If the SEPM is configured with a SQL server, check the SQL server logs for errors.
5) Check if the SEPM default file permissions are set correctly, following KB article 2008120211395048.
6) Enable IIS logging and check the IIS logs.
7) Check if the DefaultAppPool in IIS is stopped.
8) Check the HTTPERR logs.
Reporting Component
1) Test the ODBC connection.
2) Check the scm-server-x.log files for HTTP, secars, etc. errors.
3) Check the catalina.out file for port conflicts and server certificate tampering.
4) If the SEPM is configured with a SQL server, check the SQL server logs for errors.
5) Enable PHP debugging to check for errors.
6) Check if the SEPM default file permissions are set correctly, following KB article 2008120211395048.
7) Check if there is any other PHP version installed on the server.
8) Enable IIS logging and check the IIS logs.
9) Check if the DefaultAppPool in IIS is stopped.
10) Check the HTTPERR logs.
11) Check the IE security settings.
12) Check the Windows HOSTS file.

BSOD
1) Gather the memory/kernel dump (mini or full).
2) If the customer has spoken to Microsoft about the memory/kernel dump, gather the Microsoft analysis.
3) Check the Windows Event Viewer for any errors, warnings, etc. with regard to the BSOD.
4) Gather the SEP Support Tool logs.

Client Not Reporting Status
On the SEPM side check:
1) Permissions on the SEPM folder following KB article:
2) DAT or tmp file accumulation in the SEPM\Data folder. These files can be deleted.
3) The following logs, to see if the DAT files are processed correctly by the SEPM. The DAT files sent by the client hold the operational state of SEP:
AgentLogCollector.log
ApplicationCollector.log
AgentInfoTask.log
4) If the SEPM is processing the DAT files in the SEPM\Data folder, there is a chance the SEPM is not able to pull the client information from the database it is configured to use.
a) Test the ODBC connection.
b) If the SEPM is configured to use the Embedded database, check the scm-server-x.log files for any errors.
c) If the SEPM is configured to use a SQL server, check the SQL error logs for any errors along with the scm-server-x.log files.
5) The Antivirus and Antispyware policy Miscellaneous options, to see if the client is set to forward the correct set of logs.
6) The Client log settings on the Clients Policy tab, to see if the options are checked.
On the SEP client side check:
1) Run the Sylink Monitor to see if the client is forwarding the op-state information. If the sylink log shows no op-state information, check if there is a GPO applied to the Symantec Antivirus service.
Please note: Symantec does not recommend applying any Group Policy to the services.
2) In the sylink log, check if there are any HTTP errors while the client is trying to upload the logs to the SEPM.
Client getting converted to User mode
With regard to this issue, we need to ask these questions:
1. Are Active Directory OUs imported into the SEPM?
2. What version of SEP has the customer installed?
3. Are the client computers in a mixed environment, i.e. Domain and Workgroup?
4. Did this issue start recently or was it present from the beginning, i.e. from the first time the customer installed the SEPM and then pushed the installation to the clients?
5. How did the customer install SEP? For example: a) using the Migration and Deployment Wizard; 3rd-party deployment; copying the client package to a network share, then going to the client computer and running the install; copying the client install package locally to the client computer and asking the user to run the install; or, after copying the client install package, logging on to the computer using the Local Administrator account and then running the install, etc.

How to troubleshoot this issue?
PART 1: Troubleshooting:
1. Set the SEPM Log Level to FINEST and restart the SEPM services.
2. If the customer has a client computer which does not have SEP installed, push the client install package on to it. Once the install is done, reboot the computer.
3. After the reboot, gather the SEPM Tomcat logs.
PART 2: Log reading:
The Agent Register log, Exsecreg log, scm-server log and Sylink log, together with getting the data imported from the SEM5 database, will help us understand the root cause of the issue.
Agent Register log: This will help us see if the client entry was previously present and how the client is registering (in User Mode or Computer Mode) with the SEPM. This log clearly tells you which mode it is registering in. Please find the snippet from the log from another case.
2010-06-21 15:33:04.159 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClient: Beign...
2010-06-21 15:33:04.175 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClient: time checkDomainIdExistence=1277098384175
2010-06-21 15:33:04.175 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClientMain: Beign... client=Computer XA04\melbourne.vic.gov.au
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClientMain: Done! (exactly matched in user mode - update) client id=79CD99CCAC10FADA01D23E75D09AB18E
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClient: Query Done! client id=79CD99CCAC10FADA01D23E75D09AB18E
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerComputer: Beign... computer id=F8230EE5AC10FADA01D23E75A9668B26
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerComputer: Query Done! foundExisting=true, computer id=F8230EE5AC10FADA01D23E75A9668B26
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerAgent: Beign...
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerAgent: Query Done! foundExisting=true, agent id=81FB2F23AC10FADA01D23E75CC29F4BC
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> update Client, client id=79CD99CCAC10FADA01D23E75D09AB18E
2010-06-21 15:33:04.222 WARNING: AgentRegisterThread: AgentResquteHandler>> update Computer, computer id=F8230EE5AC10FADA01D23E75A9668B26
2010-06-21 15:33:04.237 WARNING: AgentRegisterThread: AgentResquteHandler>> update Agent, agent id=81FB2F23AC10FADA01D23E75CC29F4BC
2010-06-21 15:33:04.253 WARNING: AgentRegisterThread: AgentResquteHandler>> agentRegister: Committing db changes...
2010-06-21 15:33:04.253 WARNING: AgentRegisterThread: AgentResquteHandler>> agentRegister: Closing db connection...
Exsecreg.log: This will tell you how many times the client has registered with the SEPM. Here you will also see the Agent ID, Computer ID, Domain ID, Hardware ID, Preferred Mode, etc. This will help you understand if the computer was reimaged or SEP was uninstalled or reinstalled. Find the snippet from another case.
(Line# 5473:) 06/21 15:32:59 [2680:2712] 172.16.32.13<AgentInfo DomainID="06856F18AC10201700D4694F83B1086C" AgentType="105" UserDomain="MELBOURNE.VIC.GOV.AU" LoginUser="adm-grabre" ComputerDomain="melbourne.vic.gov.au" ComputerName="XA04" PreferredGroup="My%20Company%5cServers" PreferredMode="1" LegacyAgentID="31EAC64D-4937269D-D1FC-14817F9E64B2" HardwareKey="A5B97EE1FBEC2BF11A7912FC7B9E5AAD" SiteDomainName=""/>
AgentID=81FB2F23AC10FADA01D23E75CC29F4BC
ComputerID=F8230EE5AC10FADA01D23E75A9668B26
HashKey=7D85E66A0BD20054ED8946016F128635
Scm server log: This will tell you if the client is part of the OU or not. Please find the snippet.
2010-06-21 15:32:59.268 INFO: ============ Not match any item in OU, preferred group: My Company\Servers =============
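Reading these three logs by hand is error-prone when a case has hundreds of registrations, so here is an added Python example (not Symantec's code and not part of this guide) that pulls the same facts out automatically: the mode the AgentRegister log says the client matched in, the client/computer/agent ids, the attributes the client forwarded in the Exsecreg <AgentInfo .../> element (with the URL-encoded PreferredGroup decoded), and whether the scm-server log reported a failed OU match. The sample lines are reproduced from the snippets above as a constructed subset; the line layouts the regular expressions expect are an assumption about how those logs are written.

```python
import re
from urllib.parse import unquote

# Sample log lines reproduced from the snippets quoted in this guide (a constructed
# subset; real logs contain many more lines).
AGENT_REGISTER_LOG = """\
2010-06-21 15:33:04.159 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClient: Beign...
2010-06-21 15:33:04.175 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClientMain: Beign... client=Computer XA04\\melbourne.vic.gov.au
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerClientMain: Done! (exactly matched in user mode - update) client id=79CD99CCAC10FADA01D23E75D09AB18E
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerComputer: Query Done! foundExisting=true, computer id=F8230EE5AC10FADA01D23E75A9668B26
2010-06-21 15:33:04.206 WARNING: AgentRegisterThread: AgentResquteHandler>> registerAgent: Query Done! foundExisting=true, agent id=81FB2F23AC10FADA01D23E75CC29F4BC
"""

EXSECREG_LINE = (
    '06/21 15:32:59 [2680:2712] 172.16.32.13<AgentInfo DomainID="06856F18AC10201700D4694F83B1086C" '
    'AgentType="105" UserDomain="MELBOURNE.VIC.GOV.AU" LoginUser="adm-grabre" '
    'ComputerDomain="melbourne.vic.gov.au" ComputerName="XA04" PreferredGroup="My%20Company%5cServers" '
    'PreferredMode="1" LegacyAgentID="31EAC64D-4937269D-D1FC-14817F9E64B2" '
    'HardwareKey="A5B97EE1FBEC2BF11A7912FC7B9E5AAD" SiteDomainName=""/>'
)

SCM_SERVER_LINE = ("2010-06-21 15:32:59.268 INFO: ============ Not match any item in OU, "
                   "preferred group: My Company\\Servers =============")

# "registerClientMain: Done! (<how it matched>) client id=<hex>"
DONE_RE = re.compile(r"registerClientMain: Done! \((?P<how>[^)]*)\) client id=(?P<client_id>[0-9A-F]+)")
# "registerComputer/registerAgent: Query Done! foundExisting=<bool>, <kind> id=<hex>"
EXISTING_RE = re.compile(
    r"(?P<what>registerComputer|registerAgent): Query Done! foundExisting=(?P<found>true|false), "
    r"(?:computer|agent) id=(?P<id>[0-9A-F]+)")
MODE_RE = re.compile(r"matched in (?P<mode>user|computer) mode")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs inside <AgentInfo .../>


def parse_agent_register(text):
    """Pull the registration outcome out of AgentRegister log lines."""
    result = {"mode": None, "match": None, "client_id": None,
              "computer_existing": None, "computer_id": None,
              "agent_existing": None, "agent_id": None}
    for line in text.splitlines():
        m = DONE_RE.search(line)
        if m:
            result["match"] = m.group("how")
            result["client_id"] = m.group("client_id")
            mode = MODE_RE.search(m.group("how"))
            result["mode"] = mode.group("mode") if mode else None
            continue
        m = EXISTING_RE.search(line)
        if m:
            kind = "computer" if m.group("what") == "registerComputer" else "agent"
            result[kind + "_existing"] = m.group("found") == "true"
            result[kind + "_id"] = m.group("id")
    return result


def parse_agent_info(line):
    """Turn the <AgentInfo .../> attributes from Exsecreg.log into a dict; decode the group name."""
    attrs = dict(ATTR_RE.findall(line))
    attrs["PreferredGroupDecoded"] = unquote(attrs.get("PreferredGroup", ""))
    return attrs


def ou_match_failed(scm_server_line):
    """True when the scm-server log reports the client matched no item in an imported OU."""
    return "Not match any item in OU" in scm_server_line


def summarize(register_log, exsecreg_line, scm_server_line):
    """Combine the three logs into the facts a case note needs."""
    reg = parse_agent_register(register_log)
    info = parse_agent_info(exsecreg_line)
    return {
        "registered_mode": reg["mode"],
        "client_id": reg["client_id"],
        "computer_entry_existed": reg["computer_existing"],
        "hardware_key": info.get("HardwareKey"),
        "preferred_mode": info.get("PreferredMode"),
        "preferred_group": info["PreferredGroupDecoded"],
        "matched_ou": not ou_match_failed(scm_server_line),
    }


if __name__ == "__main__":
    for key, value in summarize(AGENT_REGISTER_LOG, EXSECREG_LINE, SCM_SERVER_LINE).items():
        print(f"{key}: {value}")
```

On the quoted case the summary reads "registered_mode: user" alongside "matched_ou: False" and "preferred_group: My Company\Servers", which is exactly the combination the rest of this section explains: an existing user-mode entry was matched before the preferred group was consulted.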
PART 3: Client Registration Process:
1) Once Symantec Endpoint Protection (SEP) is installed on the client computer, the client accesses the SEPM and forwards the SEPM Domain, Computer Name, Domain Name, User Name, User Domain, Hardware Key, Preferred Mode, and Preferred Group.
2) A query is executed on the database to check for any non-deleted Computer Mode record that matches the SEPM Domain and Hardware Key that were forwarded by the client. If a match is found, it means the client has already been registered with the SEPM in Computer Mode. The group id of the client entry is then returned to the SEP client. If no match is found, go to step 3.
3) A query is executed on the database to check for Computer Mode records that match the SEPM Domain, Computer Name and Computer Domain and that also have no defined Hardware Key. If a match is found, it means that the SEPM client entry was either imported from AD or was created by clicking Add Computer Account in the SEPM console. The group id associated with this client entry is returned to the SEP client. If no match is found, go to step 4.
4) A query is executed on the database for non-deleted User Mode records that match the SEPM Domain, Hardware Key, User Name and User Domain that were forwarded by the client. If a match is found, it means the client has already been registered with the SEPM in User Mode. The group id of the client entry is then returned to the SEP client. If no match is found, go to step 5.
5A) A query is executed on the database to check for non-deleted User Mode records that match the SEPM Domain, User Name and User Domain and have no defined Hardware Key. If a match is found, it means the SEPM client entry was either imported from AD or was created by clicking Add User Account in the SEPM console. The group id associated with this client entry is returned to the SEP client.
5B) The SEPM then compares the Hardware Key and SEPM Domain against the non-deleted records in the database. If a match is found, the computer entry has previously existed, but the user is a new user. A new user entry is created and linked to the existing computer entry.
6) If none of the previous steps found an entry to match the client to, the SEPM creates a new entry for the client based upon the Preferred Mode (computer/user) and Preferred Group. If the Preferred Group forwarded by the SEP client does not exist in the SEPM, the Default Group is used instead.
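The six steps above are an ordered set of lookups, and the order is what decides whether a client lands in Computer Mode or User Mode. The following is an added Python example (not Symantec's code and not the real SEPM database schema) that writes the steps out as one function over an in-memory list of client entries, so you can replay a customer's situation and see which step fires. The ClientRecord/AgentInfo layout, the group table and the sample entries are constructed for the example, and the choice that a step 5B user entry is placed in the linked computer entry's group is an assumption, since the guide does not say which group that entry lands in.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientRecord:
    """One client entry in the SEPM database (a constructed model, not the real schema)."""
    mode: str               # "computer" or "user"
    sepm_domain: str
    computer_name: str
    computer_domain: str
    hardware_key: str       # "" for entries imported from AD or created via Add Computer/User Account
    group_id: str
    user_name: str = ""
    user_domain: str = ""
    deleted: bool = False


@dataclass
class AgentInfo:
    """What the SEP client forwards to the SEPM at registration (step 1)."""
    sepm_domain: str
    computer_name: str
    computer_domain: str
    user_name: str
    user_domain: str
    hardware_key: str
    preferred_mode: str     # "computer" or "user"
    preferred_group: str    # group name, e.g. "My Company\\Servers"


def resolve_registration(info: AgentInfo, records: List[ClientRecord],
                         groups: Dict[str, str], default_group: str) -> Tuple[str, str, str]:
    """Walk steps 2-6 of the guide; return (mode, group_id, step that matched)."""
    live = [r for r in records if not r.deleted]   # every step ignores deleted entries

    def first(pred) -> Optional[ClientRecord]:
        return next((r for r in live if pred(r)), None)

    # Step 2: Computer Mode record with the forwarded SEPM Domain and Hardware Key.
    r = first(lambda r: r.mode == "computer" and r.sepm_domain == info.sepm_domain
              and r.hardware_key == info.hardware_key)
    if r:
        return "computer", r.group_id, "step 2: already registered in Computer Mode"

    # Step 3: Computer Mode record on SEPM Domain + Computer Name + Computer Domain with
    # no Hardware Key (imported from AD or created with Add Computer Account).
    r = first(lambda r: r.mode == "computer" and r.sepm_domain == info.sepm_domain
              and r.computer_name == info.computer_name
              and r.computer_domain == info.computer_domain and r.hardware_key == "")
    if r:
        return "computer", r.group_id, "step 3: AD-imported or manually added computer entry"

    # Step 4: User Mode record on SEPM Domain + Hardware Key + User Name + User Domain.
    r = first(lambda r: r.mode == "user" and r.sepm_domain == info.sepm_domain
              and r.hardware_key == info.hardware_key
              and r.user_name == info.user_name and r.user_domain == info.user_domain)
    if r:
        return "user", r.group_id, "step 4: already registered in User Mode"

    # Step 5A: User Mode record on SEPM Domain + User Name + User Domain with no Hardware Key.
    r = first(lambda r: r.mode == "user" and r.sepm_domain == info.sepm_domain
              and r.user_name == info.user_name and r.user_domain == info.user_domain
              and r.hardware_key == "")
    if r:
        return "user", r.group_id, "step 5A: AD-imported or manually added user entry"

    # Step 5B: any record with the same Hardware Key and SEPM Domain means the computer
    # existed before and this is a new user. ASSUMPTION of this example: the new user
    # entry inherits the linked entry's group (the guide does not say).
    r = first(lambda r: r.sepm_domain == info.sepm_domain and r.hardware_key == info.hardware_key)
    if r:
        return "user", r.group_id, "step 5B: new user linked to existing computer entry"

    # Step 6: nothing matched, so a new entry is created from Preferred Mode and Preferred
    # Group; a Preferred Group unknown to the SEPM falls back to the Default Group.
    group = info.preferred_group if info.preferred_group in groups else default_group
    return info.preferred_mode, groups[group], "step 6: new entry created"


# Constructed sample data: group name -> group id, and the entries already in the database.
GROUPS = {"My Company": "G-DEFAULT", "My Company\\Servers": "G-SERVERS", "My Company\\AD": "G-AD"}
RECORDS = [
    ClientRecord("computer", "D1", "XA04", "corp.example", "HW-A", "G-SERVERS"),
    ClientRecord("computer", "D1", "XA05", "corp.example", "", "G-AD"),        # imported from AD
    ClientRecord("user", "D1", "XA06", "corp.example", "HW-B", "G-SERVERS", "alice", "CORP"),
    ClientRecord("computer", "D1", "XA07", "corp.example", "HW-C", "G-SERVERS", deleted=True),
]


def register(computer: str, hardware_key: str, user: str = "",
             mode: str = "computer", group: str = "My Company\\Servers") -> Tuple[str, str, str]:
    """Register one constructed client (SEPM domain D1) against RECORDS/GROUPS."""
    info = AgentInfo("D1", computer, "corp.example", user, "CORP", hardware_key, mode, group)
    return resolve_registration(info, RECORDS, GROUPS, "My Company")


if __name__ == "__main__":
    print(register("XA04", "HW-A"))                    # step 2
    print(register("XA05", "HW-NEW"))                  # step 3
    print(register("XA06", "HW-B", "alice", "user"))   # step 4
    print(register("XA06", "HW-B", "bob", "user"))     # step 5B
    print(register("XA07", "HW-C"))                    # deleted entry ignored -> step 6
    print(register("XA08", "HW-D", group="No Such"))   # step 6, Default Group
```

The "bob" case is the one this section is about: the computer already has a user-mode entry for a different user, so steps 2 and 3 find no computer-mode record, step 4 fails on the user name, and the client ends up in User Mode at step 5B even though it asked for Computer Mode.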
Firewall issues
If any desired traffic is getting blocked after installing NTP (Network Threat Protection), to isolate the issue:
1) Enable logging on all the Firewall rules in the Firewall Policy and check the NTP traffic and packet logs.
2) Uncheck the Firewall rules one by one to see which rule allows the desired traffic.
3) Check if the Client Group is set to Server mode and not Client mode, as in Client mode the NTP component on the SEP client works as unmanaged.
4) Enable TSE debugging on the SEP client and check the Debug.log to see which rule is blocking the traffic. The TSE debug logs provide information on the protocol that is getting dropped or blocked by a specific Firewall rule.
Replication
To troubleshoot replication issues, always set the SEPM log level to FINEST and restart the SEPM services.
1. Gather the SEPM\Tomcat logs from both sites if the replication was working initially and then stopped working.
2. Gather the SEPM\Tomcat logs from Site 1 and the install error logs from the new site if the initial replication fails.
3. Note the IP addresses and server names, as these will be helpful when searching the replication log to see at which site or server the replication is failing.
4. A database backup (SQL server or Embedded database), if possible, to reproduce the issue on our end.
5. Wireshark captures to check for network issues.
6. SEP Support Tool logs from the sites.
Please note: If there is a proxy configured on the network, a telnet to port 8443 will still show as successful.
Failover Load balancing
1) The Sylink log of the SEP client shows which SEPM it is trying to register with and any errors raised while it is trying to register.
2) It is also a good idea to check if the Management Server List is configured correctly and applied to the right group.
Client communication
On the SEP client side:
1) The sylink log helps in troubleshooting client communication issues. It provides us with errors at different checkpoints.
2) Looking for HTTP errors and Inet errors in the sylink log provides vital clues as to why the client is not communicating with the SEPM.
3) Do a secars test.
4) If we see "signature verification failed" entries in the sylink log, restore an older server certificate on the SEPM to see if the client communicates.
On the SEPM side:
1) Check the Exsecreg logs for errors.
2) Check the scm-server-x.log for any errors.
3) Enable IIS logging and check the IIS logs.
4) Check the SEPM Web server properties to see if there are any IP address(es) listed in the IP and Domain name restrictions.
5) Check for any firewall or proxy blocking http://<server-name>:8014.
Location Awareness/Switching
1) Check if the Location Awareness policy is configured for the client group. If this is not configured correctly and there is a conflict in the conditions, the SEP client will switch back to the Default location.
2) Examine the SEP client's System Logs to see if the location switching entries are present.
3) Check the serdef.dat file on the SEP client to see if the Location Awareness policy is applied correctly.
4) Enable Trident or Location Awareness debugging on the client and check the debug log to see if the location conditions are being met correctly.
GUP Issues
SEPM side:
1) Check if the Liveupdate Policy is configured correctly.
2) Check if the content definitions on the SEPM are up to date.
GUP side:
1) Check the sylink log to see if the SEP client is downloading the definitions from the SEPM.
2) Enable SEP debugging and check the Debug.log to see if there are any errors.
3) Check the SEP System Logs to see if the client is serving as a GUP.
4) Check if the SharedUpdate folder is created once the client is set to act as a GUP.
Client taking the updates from the GUP:
1) Ping or do a Tracert to the GUP client on port 2967.
2) Gather the Sylink log to check for the following:
- If the SEP client is contacting the GUP client on port 2967.
- If there are errors while downloading the GlobalIndex.xml file from the SEPM.
- If there are any issues while installing the content definitions after downloading the definitions from the GUP.
Please note: If you set the client to bypass the GUP after x amount of time in the Liveupdate Policy, there will be no entries in the sylink log suggesting that it is contacting the GUP client (http://<GUP-client-name>:2967/content..); however, you will see that the GlobalIndex.xml file is being downloaded by the SEP client.
Liveupdate issues
SEPM Liveupdate issues:
1) Check the return code after Liveupdate fails.
2) Check if the server is behind a proxy or firewall, and configure the proxy settings on the SEPM accordingly.
3) Check the log.liveupdate files for errors.
4) Check the Sesmlu.log for errors.
SEP Client Liveupdate issues:
1) Change the Liveupdate settings to Interactive in the Control Panel and run Liveupdate to see what the LU return code is.
2) Check the log.liveupdate file for errors.
3) Check the sylink log to see if the client is taking the update correctly from the SEPM or GUP, or if there are any definition installation errors.
Liveupdate Administrator issues:
1) Check if the Liveupdate Administrator is configured correctly.
2) If the scheduled downloads are failing, check if the server is behind a firewall or proxy and configure the settings accordingly.
3) If the scheduled downloads are failing, set up three download schedules, one for the 32-bit virus definitions, one for the 64-bit virus definitions and one for other definitions like PTP, IPS, etc., to check if this issue is environmental or an issue with the Liveupdate Administrator.
4) Enable Liveupdate Administrator debugging and collect the luadebuginfo.zip file. Go through the lua-application.log to check for errors.
Application crashing with SEP installed
With regard to this issue, we have to ask the following questions:
1) Is this a network-based application or a stand-alone application?
2) Does this application use some kind of remote database?
3) Does the application stop crashing after uninstalling SEP?
How to troubleshoot this issue:
1) Check the Windows Event Viewer for any errors, warnings, etc. with regard to the application in question.
2) If SEP is installed with all the components, that is Proactive Threat Protection, Network Threat Protection and Application and Device Control along with Antivirus and Antispyware, then uninstall these three components one by one to isolate which component is causing the issue.
3) Create a Centralized Exceptions policy for the application in question in the SEPM.
4) If NTP is causing the issue, check if the port used by the application is getting blocked by examining the traffic and packet logs.
5) The TSE debug logs provide information on the protocol that is getting dropped or blocked by a specific Firewall rule.
6) Check if there are any minidump files created.
7) Run Process Monitor to capture events and see what is causing the application to crash with SEP installed.
Email notification
1) Check if the Mail server settings are correct in the SEPM.
2) Enter the line scm.mail.troubleshoot=1 in the conf.properties file, set the SEPM Log Level to FINEST, then restart the SEPM services and check the following logs:
scm-server-x.log
Catalina.out
SecurityNotifyTask.log
ScheduledReportingTask.log

Active Directory and LDAP integration
If you have configured the SEPM to use Directory Authentication and there are errors, check the scm-server-x.log for errors.
If you have imported Organizational Units (OUs) from Active Directory and there are issues, then raise the SEPM Log Level and restart the SEPM services. This will create the following logs, which need to be checked:
ImportADSI-x.log
ConnectDirectoryServer-0.log
ADSITask-x.log

Installation issues
SEPM:
The SEPM installation is done in two phases: the first is the installation of the core files and the second is the database creation and configuration.
For phase one, gather the SEPM_Inst.log for installation failures.
Please note: The SEPM_Inst.log gets generated in the %TEMP% or %Windir%\temp locations.
If there are issues during phase two, gather the Install_log.err.
SEP:
Gather the SEP_inst.log.
Please note: The SEPM_Inst.log gets generated in the %TEMP% or %Windir%\temp locations.
Miscellaneous
DeltacontentTask.log will tell you how long it took for the delta to be created.
Check LuCatalog.log to see if the SEPM monikers are registered correctly when Liveupdate is initiated from the SEPM.
Check RapidResponseContentTask.log to see if the RapidRelease was applied to the SEPM.
References
2008120211395048 - Default File Permissions for the Symantec Endpoint Protection Manager Folders
2007090611252048 - How to debug the Symantec Endpoint Protection 11.x client
2007090612034148 - How to debug the Symantec Endpoint Protection Manager console in Symantec Endpoint Protection 11.x
2008060610493948 - INTERNAL ONLY: How to Increase the Logging Level of the SEPM's SESMLU.log
2009031912491648 - INTERNAL ONLY: Troubleshooting Location Awareness/ALS in Symantec Endpoint Protection 11
2008091816421848 - Symantec Endpoint Protection Manager Log Collecting Tool
2009030211283748 - How to Collect Troubleshooting Information from LiveUpdate Administrator 2.x
2010040208473548 - Troubleshooting GUP communication
2008080113533748 - Troubleshooting mail feature of Symantec Endpoint Protection Manager