Showing posts with label Symantec EndPoint Protection. Show all posts

Tuesday, 23 April 2013

Move the Symantec SEM5.db file to another partition

We have an SBS 2008 Standard setup that’s getting really tight on the system drive.

We’ve pretty much moved everything and anything we can off of the system partition to keep space as free as possible.

One of the last pieces to be moved is the SEM5.db file, which weighs in at around 2GB or more.

To move that file we followed these instructions:

  1. Go to services.msc
  2. Stop the Symantec Endpoint Protection Manager Service
  3. Stop the Symantec Embedded Database Service
  4. Go to \Program Files\Symantec\Symantec Endpoint Protection Manager\db and cut the sem5.db file and paste it to the new drive
  5. Click Start
  6. Click run
  7. Type regedit
  8. Go to HKey_Local_Machine\system\CurrentControlSet\Services\ASANYs\Parameters, double-click the Parameters value in the right-hand pane, and change the path to the sem5.db database file to the new location (New Drive:\Folder name)
    • Our folder: image
  9. Restart the Symantec Embedded Database Service from services.msc
    • NOTE: We were able to log on to the SEP Management Console once we had both services started at this point.
  10. Go to Administrative Tools
  11. Click on Data Sources (ODBC)
  12. Click on System DSN tab
  13. Click on Configure button
  14. Select the Database tab, replace the path to the sem5.db file, and confirm connectivity by clicking Test Connection
  15. Go to Management Server configuration Wizard and perform the server reconfiguration

That freed up over 2GB of storage space which at this point for this particular SBS is _a lot_ of space to be had! :)
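The same relocation as a script, added here as an example rather than taken from the original post: it rewrites the embedded database service's start-up command line in the registry (the Parameters value the regedit step above edits by hand; the exact value name is an assumption) and moves the file. The new folder is a parameter, and the ODBC DSN and Management Server Configuration Wizard steps still follow by hand.

```powershell
# Added example, not from the original post. Relocates sem5.db by rewriting the
# embedded database service's start-up command line, which lives in the
# "Parameters" value under the service's Parameters registry key (as the post's
# regedit step describes; the exact value name is an assumption). Run elevated;
# -WhatIf shows what would change without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string]$NewDbDir   # e.g. D:\SEPM\db (assumed)
)

$mgr = Get-Service -DisplayName 'Symantec Endpoint Protection Manager' -ErrorAction Stop
$db  = Get-Service -DisplayName 'Symantec Embedded Database' -ErrorAction Stop
# The key is named after the service: ASANYs on this SBS, SQLANYs_sem5 on SEPM 12.x
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($db.Name)\Parameters"

$cmdLine = (Get-ItemProperty -Path $key -Name Parameters -ErrorAction Stop).Parameters
# Extract the current sem5.db path from the command line, quoted or not
if (-not ($cmdLine -match '"?(?<path>[A-Za-z]:\\[^"]*?\\sem5\.db)"?')) {
    throw "sem5.db path not found in '$key\Parameters': $cmdLine"
}
$oldPath = $Matches['path']
$newPath = Join-Path -Path $NewDbDir -ChildPath 'sem5.db'

if ($PSCmdlet.ShouldProcess($oldPath, "Move to $newPath and rewrite $key")) {
    Stop-Service -Name $mgr.Name -Force   # manager first; it holds the DB connection
    Stop-Service -Name $db.Name  -Force
    New-Item -ItemType Directory -Path $NewDbDir -Force | Out-Null
    Move-Item -Path $oldPath -Destination $newPath
    # Point the service at the relocated file, leaving every other switch untouched
    Set-ItemProperty -Path $key -Name Parameters -Value $cmdLine.Replace($oldPath, $newPath)
    Start-Service -Name $db.Name
    Start-Service -Name $mgr.Name
    "sem5.db now at $newPath; database and manager services restarted."
}
```

Check the SEP Management Console logs on afterwards, as the post does, before fixing the ODBC DSN and running the configuration wizard.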

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Chef de partie in the SMBKitchen
Find out more at
www.thirdtier.net/enterprise-solutions-for-small-business/

Windows Live Writer

Monday, 7 May 2012

Automatic Script to Recreate the SEPM SEM5.LOG to Free Up Disk Space

We are finding that the disk on the server hosting the Symantec Endpoint Protection management console fills up with SEM5.LOG over time. This is with the most recent release, which was apparently supposed to fix this problem.

Since we have Small Business Edition we are not able to trim that log using the SEP Console.

So, we set up the following script in a BAT file, scheduled to run weekly or daily depending on the log's growth rate, to keep the log size in check:

REM Change the extension to .BAT please!
REM Created by Philip Elder of MPECS Inc. http://blog.mpecsinc.ca
REM Stop the embedded database and the management server so the log is not in use
net stop SQLANYs_sem5
net stop semsrv
REM Clear the read-only attribute first, otherwise DEL refuses the file
CD "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\"
attrib -r sem5.log
del sem5.log
REM dbsrv11 -f forces a start with the transaction log missing: SQL Anywhere
REM recovers sem5.db and writes a fresh, empty sem5.log beside it
CD "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32"
dbsrv11 -f "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
REM Bring both services back, database first
net start SQLANYs_sem5
net start semsrv

A copy of the batch file resides in a text file here:

  • Symantec Endpoint Protection Database Log Reset BAT (Direct link to the TXT file so right click and Save As).
    • Change the TXT extension to BAT.
    • Right click and Run As Admin to run manually.
    • Set credentials and run with the highest privileges in Task Manager
    • Add a “Pause” underneath everything for a version of the BAT on the desktop to be used to run the script manually. Results then stay in the CMD window until we hit a key.

The BAT file nested in the Task Manager:

image

The log file before the script runs:

image

Note that the log file shown above had just been deleted and recreated during our testing.

image

The log file comes back in weighing in at a paltry 8KB!

We keep a copy of the file in the admin’s Downloads folder that is used to run the scheduled task with all PAUSE commands removed. We keep a copy of the file on the desktop that has PAUSE commands in it that we use to test the script and/or run it manually when we are logged into the server.
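A PowerShell equivalent of the batch file above, added here as an example and not the post's own script: it only rebuilds SEM5.LOG once the file has grown past a threshold, so the task can run daily without churning the database needlessly, and it can register itself as a weekly task with schtasks. Paths and service names come from the batch file; the task name, threshold and schedule are assumptions.

```powershell
# Added example, not the post's own script. Reset SEM5.LOG only when it exceeds
# a size threshold; -Register installs this script as a weekly SYSTEM task.
param(
    [int]$ThresholdMB = 500,   # assumed; pick to match the observed growth rate
    [string]$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager',
    [switch]$Register
)

$logFile = Join-Path $SepmRoot 'db\sem5.log'
$dbFile  = Join-Path $SepmRoot 'db\sem5.db'
$dbsrv   = Join-Path $SepmRoot 'ASA\win32\dbsrv11.exe'

function Reset-SepmTransactionLog {
    # Same sequence as the batch file: stop services, drop the log, force a
    # recovery start with -f so SQL Anywhere writes a fresh log, restart.
    Stop-Service -Name semsrv -Force        # manager first; it holds the DB connection
    Stop-Service -Name SQLANYs_sem5 -Force
    Set-ItemProperty -Path $logFile -Name IsReadOnly -Value $false
    Remove-Item -Path $logFile
    & $dbsrv -f $dbFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dbsrv11 -f returned $LASTEXITCODE; check the SEPM database before trusting it"
    }
    Start-Service -Name SQLANYs_sem5
    Start-Service -Name semsrv
}

if ($Register) {
    # schtasks ships with every Windows version SEPM supports; run elevated as SYSTEM
    $self   = $MyInvocation.MyCommand.Path
    $action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$self`" -ThresholdMB $ThresholdMB"
    schtasks /Create /F /TN 'SEPM Log Reset' /TR $action /SC WEEKLY /D SUN /ST 03:00 /RU SYSTEM /RL HIGHEST
    return
}

$sizeMB = [math]::Round((Get-Item $logFile).Length / 1MB, 1)
if ($sizeMB -lt $ThresholdMB) {
    "sem5.log is $sizeMB MB, below the $ThresholdMB MB threshold; nothing to do."
} else {
    "sem5.log is $sizeMB MB; resetting."
    Reset-SepmTransactionLog
    "sem5.log is now $([math]::Round((Get-Item $logFile).Length / 1KB)) KB."
}
```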

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

Friday, 24 February 2012

Symantec EndPoint Protection CleanWipe Tool: Stuck at Gathering Required Information

We were working with a particularly problematic Symantec EndPoint Protection endpoint that always caused the user’s account to lock out when they came back into the office with their laptop.

The lockout would happen only after they had plugged into another network to gain access to the Internet. With the v11.x client we removed the Administrator Scan in the SEP Console on the management server and the problem went away.

But, once we replaced the backend and the client on this machine the lockout behaviour came back. Removing the Administrator Scan from the management console did not remove the lockout behaviour in this version as it had for v11.x.

So, we opened a case with Symantec and obtained a copy of the CleanWipe utility.

Once we ran the utility we said Yes to all of the options and then waited, and waited, and waited. The last warning indicated the registry clean-up could take 30 minutes or more, but we were not getting anywhere after 2 hours.

image

In the end we needed to use Task Manager to kill the ccSvcHst.exe process and then rename it in Windows Explorer as in the snip above. The CleanWipe process continued on from there by requesting a restart.

The whole process took 3 reboots to complete.

Once done we were able to install the SEP v12.x client.

Now, hopefully whatever was causing the lockout problem will be gone.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Thursday, 9 February 2012

Moving from Unmanaged or Nonexistent SEP Management Server to a New Management Server

We have a whole bunch of clients to change over to a new management server for Symantec EndPoint Protection version 12. The previous server was offline so no work could be done to allow changes.

Between the above articles we were able to piece together what we needed to do:

  1. Export a new Sylink.XML file from the new SEP Management server.
  2. Rename the exported XML file to Sylink.XML
  3. Stop SEP on the client we need to change.
  4. Copy the new Sylink.XML file over the existing file(s)
  5. Start SEP on the client.
  6. Open the client console.
  7. Click Help then Troubleshooting.
  8. The Management tab should reflect the new server’s IP as should the Connection Status tab.

Note that on Windows XP the Sylink.XML file is buried under:

  • C:\Documents and Settings\All Users\Application Data\…

We just saved ourselves a huge amount of time.
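The client-side steps (stop SEP, replace Sylink.XML, start SEP) as a script, added here as an example and not part of the original post. It finds every Sylink.xml under the common application data folder (All Users\Application Data on XP, ProgramData on Vista and later) rather than hard-coding either path, backs each one up, and refuses to push a file that is not well-formed XML; the smc.exe location under Program Files is an assumption.

```powershell
# Added example, not from the original post: point a SEP client at the new
# management server by swapping in the Sylink.xml exported from it.
param(
    [Parameter(Mandatory = $true)] [string]$NewSylink   # path to the exported Sylink.xml
)

# Common app-data root resolves correctly on both XP and Vista/7 (assumed layout below it)
$dataRoot = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Symantec'

# smc.exe (the SEP client controller) lives under Program Files or Program Files (x86)
$smc = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
       Where-Object { $_ } |
       ForEach-Object { Get-ChildItem -Path (Join-Path $_ 'Symantec') -Recurse -Filter smc.exe -ErrorAction SilentlyContinue } |
       Select-Object -First 1
if (-not $smc) { throw 'smc.exe not found under Program Files\Symantec' }

# Refuse to deploy a file that will not parse; a broken Sylink leaves the client orphaned
try { [xml](Get-Content -Path $NewSylink) | Out-Null }
catch { throw "$NewSylink is not valid XML: $_" }

$targets = @(Get-ChildItem -Path $dataRoot -Recurse -Filter Sylink.xml -ErrorAction SilentlyContinue)
if ($targets.Count -eq 0) { throw "No Sylink.xml found under $dataRoot" }

& $smc.FullName -stop       # step 3: stop the SEP client
Start-Sleep -Seconds 10     # smc returns before the client has fully stopped

foreach ($t in $targets) {
    $backup = "$($t.FullName).$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $t.FullName -Destination $backup        # keep the old server binding
    Copy-Item -Path $NewSylink  -Destination $t.FullName -Force
    "Replaced $($t.FullName) (backup: $backup)"
}

& $smc.FullName -start      # step 5: start the SEP client again
```

Confirm the new server in Help, Troubleshooting as the post describes; if the client does not reconnect, the .bak copy restores the previous binding.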

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Tuesday, 10 January 2012

Symantec EndPoint Protection Manager Console Admin Password Reset

To reset a lost admin password for the Symantec EndPoint Protection Manager console we run the ResetPass.bat file found in:

  • C:\Program Files (x86)\Symantec\Symantec EndPoint Manager\Tools

The PDF for the batch file:

image

In our initial attempts to figure out the password we locked the account out:

image

The default lockout period is 15 minutes.

Once the lockout event was released we were able to log on. Note that we were first prompted to change the password prior to getting into the SEP Console.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Thursday, 8 December 2011

Symantec Endpoint Protection SBE 12.x Updates

We are just getting a newly migrated network online with their virus protection. In this case they are too large for Microsoft’s Security Essentials product so we ran with SEP.

This is what FileConnect looked like today:

image

Note the posting date for most files as being November 16th.

As with previous versions, any existing clients on the user machines may need to be removed manually before the new client is delivered to them.

We will be configuring the Windows Firewall to allow for remote delivery of any and all client updates. So, hopefully we will not need to go through the manual remove and replace process.

We run with Symantec over other products because the name is known to our clients and it does a relatively decent job of protecting the network.

We also mandate UAC via Group Policy and, in more security conscious environments, use Group Policy Preferences to disable all local admin accounts except a restricted domain account that Group Policy Preferences places in the local Administrators group. We then keep control over that account’s password to allow for some change control.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Tuesday, 1 March 2011

Symantec EndPoint Protection Error – Failed to connect to the server

When logging into the SEP management console we received the following error:

image

Error

Failed to connect to the server.

Make sure that the server is running and your session has not timed out.
If you can reach the server but cannot log on, make sure that you provided the correct parameters.
If you are experiencing network issues, contact your system administrator.

Well, none of the above seemingly turned out to be the problem.

A quick search turned up the following:

image

For whatever reason the SEP Manager was not running. Once started the management console opened with no issue.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Thursday, 3 February 2011

Symantec LiveUpdate Certificate Expiring Soon

On certain versions of Symantec’s LiveUpdate product the Symantec root certificate will be expiring on April 30, 2011.

A grid of products impacted by this problem:

image

The updates appear to be available from Symantec’s support portal, which may require an up-to-date product license.

Note that for the affected products the impact of the certificate expiration is no more A/V updates!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Monday, 1 March 2010

Symantec EndPoint Protection – Temp Virus Update Files Not Deleted

This is a bit of an old issue, but it reared its head on one of our client servers that is not being managed by us on an ongoing basis.

This is what we found using the free utility called TreeSize Free:

image

Now, SEP on this server is not up to date yet, so we will temporarily delete the .TMP files until we can actually get in there and update SEP to the newest release.

MRU5 or later fixes this problem.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Monday, 24 August 2009

Installing Symantec EndPoint Protection On Windows Server 2008

We have a fresh Windows Server 2008 Standard x64 server that we are installing SEP on. The server is a member server on an SBS 2003 R2 Premium domain.

When we started the SEP setup routine, we were greeted with:

image

The following IIS configuration is required:

  • IIS 7 installed and running.
    • ASP.NET + prerequisites are required.
    • CGI
    • IIS 6.0 Management Compatibility.

Once IIS and the required components are installed, the following two default ports need to be added to the Windows Firewall with Advanced Security:

  • Client Inbound Traffic: 8014
  • Server Management Console: 8443

From there, SEP should install with no issues.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)

Saturday, 23 May 2009

SBS 2008 – Symantec EndPoint Error – Unable to communicate with reporting component

All of our Symantec EndPoint Protection (SEP) installs have been flawless up until today.

image

Error

Unable to communicate with the reporting component.

Trying to find the solution in the midst of all of the fluff that comes up while searching for it has been tough!

The following Symantec knowledge base article helped us out:

First, we needed to correct the ODBC settings. Since we are on SBS 2008, we need to access the 32-bit version of the ODBC manager.

  1. Start –> Run –> odbcad32.exe [Enter]
  2. UAC: Continue
  3. System DSN tab:
    • ODBC: Leave
    • Login:
      • User ID: DBA
      • Password: Same as your SEP Admin
    • Database:
      • Server Name: MY-SBS
    • Network:
      • TCP/IP: SBS IP Address
    • Advanced:
      • Leave alone.
  4. Click the ODBC tab and click the Test Connection button.

You should see:

image

From there, elevate a command prompt and:

  • iisreset [Enter]

The second part of the mentioned article indicated that we should change the service associated with the DefaultAppPool. We did not do this since so many services depend on that pool.

After resetting IIS, restart the two Symantec services and you should see:

image

At least we are not looking at a reinstall!

Note that the Symantec communication ports need to be added to the SBS 2008 Windows Firewall with Advanced Security:

  • Admin site: 8014
  • Admin communication: 8443

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Friday, 6 March 2009

SBS 2008 – Disable or Remove A/V Prior to Running the SBS Connect Wizard

When it comes time to add a new workstation or laptop to the SBS 2008 domain, keep in mind that the SBS Connect Wizard makes a number of critical changes to the system.

These changes take the form of software additions such as the new SBS Vista Gadget, local profile configuration, registry changes, and the domain configuration, to mention a few.

Because of the nature of these changes, it is a good idea to not have any third party AntiVirus (A/V) products installed or active at the time the SBS Connect Wizard will be used.

Since it is our preference to run a server managed A/V product such as Symantec’s EndPoint Protection MR4 on our SBS 2008 domains, we install the software after the system has been connected to the domain.

If there is an A/V product already installed on the system either remove it in preparation for the SBS domain join, or at least disable it prior to running the SBS Connect Wizard.

We have seen instances where third party A/V products have put up a barrier when the SBS Connect Wizard has been used and thus caused the domain join, local profile configuration, and SBS configuration changes to fail.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Wednesday, 11 February 2009

Symantec Endpoint Protection MR4 Memory Footprint and CPU Usage

A while back, we blogged about Symantec Endpoint Protection (SEP) and how much of a memory hog it was: SBS on dual Xeon E5345 Quad vs. 5130 Dual Core + Symantec EndPoint Memory Costs.

We just finished our first site A/V migration off of Trend’s Worry Free Business Security back to Symantec’s Endpoint Protection in its MR4 version. In this case, as will be the case at our other Trend sites, we paid for a 1 year gold maintenance SEP agreement for the client’s site, removed the Trend product, and installed SEP at no cost to our clients.

Our Trend odyssey can be read here:

Given our past experience with SEP RTM, the one main concern we had was with memory usage.

We were fortunate that in this case, we had a second server with Windows Server 2008 Standard x64 installed running a number of different roles on the SBS 2003 domain. The box has 16GB of RAM installed, so memory should not be an issue.

Here are a couple of screenshots of SEP up and running on the Win2K8 x64 box:

09-02-11 Symantec - Program Footprints

Symantec Endpoint Protection MR4 x64 Memory Footprint (SEP Client and SEP Management Server): ~200MB

The above screenshot was taken after about 3 days of the server being in production. The memory footprint out of the box was not a whole lot less than that.

Wow! What a huge step down in memory consumption versus the previous versions of the product.

Symantec utilizes SQL Anywhere for their database structures:

09-02-11 Symantec - Db SQL Anywhere footprint

SEP MR4 SQL Anywhere Memory Footprint: ~82MB

The combined total RAM usage of the product on the management server is less than 250MB! That is an awesome achievement. Especially since that number includes both the client and management components.

The SEP client on the workstations has also taken a huge step down in its memory consumption:

09-02-11 Symantec SEP MR4 on Windows Vista

SEP MR4 Windows Vista Enterprise Client Memory Footprint: ~30MB

09-02-11 Symantec SEP MR4 on Windows XP Pro

SEP MR4 Windows XP Professional Client Memory Footprint: ~15MB

It looks as though both the server and workstation versions were slimmed right down.

Besides the memory footprint reduction, the CPU resources that the server A/V and client workstation A/V use have been drastically reduced. In our workstation VMs, the client would run around 3-5% of the CPU cycles during intensive usage, while on physical laptops and workstations that number would barely approach 1-3% during intensive usage.

On the server side, Live Update is set up to run update checks hourly, and it does seem to be pulling a good number of updates down for each SEP component during those update sessions. So, it looks as though Symantec is also keen on having the product as up to date as possible.

Now, whether our SEP clients remain virus free remains to be seen.

But, given the fact that none of our clients had a virus problem while on Symantec’s previous generation corporate products, we are counting on SEP to keep that virus free legacy alive.

NOTE: We do not install third party firewall components on servers or workstations. We only install the A/V and malware components.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists