Just wanted to share... Every now and then I have come across SEP clients whose SEP services won't start... Upon further investigation I have determined the SEP policies have become corrupted, which prevents the SEP client from starting. The syslog.log located in the (ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config) directory shows entries of the failed SEP policy loading...
Based on Symantec articles http://www.symantec.com/docs/TECH96760 & TECH173484, the cause of the SEP policy corruption is a network outage, or someone shutting their PC down, while a new SEP policy is being distributed. The policy update does not fully complete, causing the SEP policy serfdat.dat located in the (ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config) directory to be corrupted.
To fix, copy a good SEP policy serf.dat to the (ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config) directory and restart SEP (SMC -start) at the DOS prompt.
Using Altiris I have automated the process of fixing the corrupted SEP policies. In summary, I have created a software package that includes a good SEP policy serf.dat and a batch file with commands that check the SEP syslog.log file for the phrase "Manager cannot load server policy". If it is detected, the bad serf.dat is renamed, the new serf.dat is copied, and the SEP services are restarted.
Batch file to fix a corrupted SEP policy:

@echo off
echo Checking the SEP install Path
if NOT "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto X86
:SEPPATH
echo Checking the SEP client programdata path
if exist "%programdata%\Symantec\Symantec Endpoint Protection\CurrentVersion" (
echo.
echo.
if exist "%sepdata%\Data\Logs\syslog.log" (
echo.
findstr /c:"Manager cannot load server policy" %seplog% > c:\sepchk.txt
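The full check-and-repair flow described above, sketched in PowerShell as an added example (not the author's batch file). It also verifies the SHA-256 of the replacement policy before deploying it and stops SMC before swapping the file, neither of which is in the post; the smc.exe path, the hash placeholder and the parameter names are assumptions, and the policy file name is used as the post gives it.

```powershell
# Added example, not the original batch file. Run elevated (e.g. as an Altiris task).
param(
    # Data directory as given in the post
    [string]$SepData    = "$env:ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data",
    # Known-good policy shipped in the package (file name as written in the post)
    [string]$GoodPolicy = "$PSScriptRoot\serf.dat",
    # Placeholder: SHA-256 of the known-good policy, recorded when the package was built
    [string]$GoodSha256 = '<SHA256-OF-KNOWN-GOOD-POLICY>',
    # Assumed install path of smc.exe; adjust for the client's SEP version and architecture
    [string]$Smc        = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe"
)
$ErrorActionPreference = 'Stop'

$log    = Join-Path $SepData 'Logs\syslog.log'   # log location used by the batch file
$policy = Join-Path $SepData ('Config\' + (Split-Path $GoodPolicy -Leaf))

if (-not (Test-Path -LiteralPath $log)) {
    Write-Output "syslog.log not found at $log; nothing checked."
    exit 0
}

# Same test as the batch file's findstr /c: literal phrase, no regex
$failed = Select-String -LiteralPath $log -SimpleMatch 'Manager cannot load server policy' -Quiet
if (-not $failed) {
    Write-Output 'No policy load failure logged; leaving the client untouched.'
    exit 0
}

# Refuse to deploy a replacement policy that is not the one that was packaged
$actual = (Get-FileHash -LiteralPath $GoodPolicy -Algorithm SHA256).Hash
if ($actual -ne $GoodSha256) {
    Write-Output "Replacement policy hash mismatch ($actual); aborting."
    exit 2
}

# Stop the client (prompts if a stop password is configured), swap the file, start again
Start-Process -FilePath $Smc -ArgumentList '-stop' -Wait
if (Test-Path -LiteralPath $policy) {
    # Keep the corrupted file for later inspection instead of deleting it
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -LiteralPath $policy -NewName ("{0}.bad-{1}" -f (Split-Path $policy -Leaf), $stamp)
}
Copy-Item -LiteralPath $GoodPolicy -Destination $policy
Start-Process -FilePath $Smc -ArgumentList '-start' -Wait
Write-Output 'Policy replaced and SMC restarted.'
exit 0
```

The error phrase stays in syslog.log after the repair, so run this only against clients the report flags rather than on a recurring schedule.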
The content of the software package includes two files
The software package includes the batch file and is replicated to my Site Servers
A Job/Task is created and used along with a custom report using the antivirus inventory data to identify SEP clients with old definitions and/or SEP services stopped...
It works pretty good and beats having to do it manually.