ISL04: Troubleshooting SEP 12.1
Marcus Brownell (RPM) & Martial Richard (TFE)
Symantec Endpoint Protection Investigator Curriculum
Methodology
ISL04 WORLDWIDE TECHNICAL SYMPOSIUM 2012
From "I have a problem" to "what problem?"

  Gather evidence        Research          Fix & validate
    User's opinion ;)      Knowledge base    Reboot
    Log                    Phone a friend    Reconfigure
    Behavior reproduced                      Reconsider design
    Tools                                    Upgrade
    Debug
Interacting with support
  Gather logs and screenshots
  Sum up the issue in a few sentences and be as precise as possible
  Run SymHelp or the Symantec Support Tool
  Have your customer ID or entitlement number ready
SEP SOS 101: Common pain points, logs and tools to know about
SEP infrastructure pain points (diagram)
  Labels: Internet, LiveUpdate, content, database, SEPM (management & content), content & reputation, SEP clients
Common root causes
  Misconfiguration
  Network or system issue
  Implementation issue (system requirements / architecture)
  Specific environment
  Bug
An issue is not always a bug. A bug is always an issue.
SEPM hot places

  Content                        Communication                   Distribution
  Monitor view                   Management Server List          Client deployment report
  \inetpub\content               Location awareness settings     \inetpub\packages
  \data\outbox\agent\<groupid>   Firewall policy                 MSI logs (local on the endpoint)
  Httpd log                      \data\outbox\agent\<groupid>    Tomcat logs
SEP client hot places

  Content          Communication                          Distribution
  \inbox           Troubleshooting screen > Connection    C:\temp
  Log.lue          Windows & SEP firewall                 %temp%\sep_inst.log (MSI)
  Smc debug log    Sylink.xml                             System resource
  Rtvscan.log      Smc debug log                          Event log
Automated support tools

  SEP Support Tool                 SymHelp
  From the Help menu               From the KB
  No Windows 8 / 2012 support      All Windows versions
  SEP only                         Multiple products
SymHelp switches
  -h                  Display this help page
  -noup               Do not check for an updated version of Symantec Help
  -disable            Disable debug mode for installed products. Use -enable to enable debug mode.
  -enable             Enable debug mode for installed products. Use -disable to disable debug mode.
  -lang language-id   Set the display language using the two-letter ISO 639-1 language ID
  -s                  Run Symantec Help in silent mode
  -healthchk          Scan for the health of all installed products
  -prechk             Scan for pre-install requirements of all supported but not installed products
  -bestchk            Scan for best practices in all installed products
  -forsupport         Collect full data for support
  -open filename      Open an existing report
  -dest               Destination directory: sets the default location for saving reports. If not specified, the default destination is c:
  -ftpup              Perform the update check using only FTP
  -httpup             Perform the update check using only HTTP
  -wizno              Do not run in wizard mode
  -wizprod            Run in product wizard mode
SEP Support Tool switches
  -client            Run a client pre-install report
  -console           Run a console pre-install report
  -debug             Enable debug mode for troubleshooting
  -def               Collect data on virus definitions
  -fg                Collect full data
  -h                 Display this help page
  -lp                Collect load point data
  -msiapifeatures    Use the legacy method to collect MSI-installed product information
  -noup              Do not check for an updated version of the tool
  -out dir           Set the default location for saved reports
  -s                 Run in silent mode
  -spe               Start the Support Tool with the Power Eraser option selected
  -speonly           Run the Support Tool silently with Power Eraser
  -spexml            Create an XML version of the Power Eraser results
  -qg                Collect quick data
  -version n         Set the target version of SEP/SPC for the pre-install reports (11, 12 or 12.1)
-deepdata: WPP logging with the SEP Support Tool

WPP logging (new in SEP 12.1) collects logs for the following:
  Symantec Security Technology and Response (STAR), which includes file-, network-, behavior-, reputation- and remediation-based technology
  LiveUpdate Engine (LUE)
  SONAR
  The Symantec Endpoint Protection installer

The benefit of moving to WPP logging is that WPP supports both kernel-mode and user-mode tracing. For example, Auto-Protect and SONAR use kernel-mode logging, while the client UI and LUE use user-mode logging.
WPP logs can only be interpreted by Symantec Technical Support.
Exercise 1: Communication breakdown
Synopsis
  Time to complete: 20 mins
  Windows XP SP3, SEP freshly installed
  Never connected to the SEPM: no green dot
  Windows login: Administrator / Symc4now!
  SEPM login: admin / Symc4now!
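An added example for this exercise, not part of the ISL04 deck or of Symantec's own tooling: a PowerShell script that reads the client's Sylink.xml (the communication hot place from the client table), lists every management server it names, and checks whether each SEPM port answers a TCP connection. It assumes that Sylink.xml sits under the Program Files or ProgramData Symantec directory and that servers appear as <Server Address=".." Port=".." Protocol=".."/> elements under <ServerList>; both are assumptions, not facts stated on the slides.

```powershell
# Added example (not from the ISL04 deck). Assumes Sylink.xml lives under one of the two
# Symantec directories below and lists servers as <Server Address Port Protocol/> elements.
# Written for PowerShell 2.0 so it also runs on the XP SP3 lab client.
param(
    [string]$SylinkPath = (Get-ChildItem -Path "$env:ProgramFiles\Symantec", "$env:ProgramData\Symantec" `
        -Filter Sylink.xml -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName)
)

function Get-SylinkServers {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path
    # Every <Server> under <ServerList>, whatever the priority-block nesting in between
    foreach ($node in $doc.SelectNodes('//ServerList//Server')) {
        New-Object PSObject -Property @{
            Address  = $node.GetAttribute('Address')
            Port     = [int]$node.GetAttribute('Port')
            Protocol = $node.GetAttribute('Protocol')
        }
    }
}

function Test-TcpPort {
    # TcpClient with a timeout instead of Test-NetConnection, which XP does not have
    param([string]$ServerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ServerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false          # timed out or refused: nothing listening on the SEPM port
    } catch {
        return $false          # name resolution or socket error counts as unreachable
    } finally {
        $client.Close()
    }
}

if (-not $SylinkPath -or -not (Test-Path $SylinkPath)) {
    Write-Warning 'Sylink.xml not found: the client has no management server list to talk to'
    return
}
Write-Host "Sylink.xml: $SylinkPath"
foreach ($srv in Get-SylinkServers -Path $SylinkPath) {
    $state = if (Test-TcpPort -ServerName $srv.Address -Port $srv.Port) { 'reachable' } else { 'UNREACHABLE' }
    Write-Host ('{0,-40} {1,5} {2,-6} {3}' -f $srv.Address, $srv.Port, $srv.Protocol, $state)
}
# UNREACHABLE points at the Windows or SEP firewall on the client, or at the
# Management Server List on the SEPM; reachable but still no green dot points at the Smc debug log.
```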
Exercise 2: Content update
Synopsis
  Time to complete: 25 mins
  Client AV update is out of date: fix the issue.
  DO NOT RUN LIVEUPDATE ON THE SEPM
  Windows login: Administrator / Symc4now!
  SEPM login: admin / Symc4now!
Exercise 3: Freeform lab
Synopsis
  Time to complete: 35 mins
  Break something on your SEPM (service set to manual, folder rights, ...)
  Switch with your neighbor
  Use the SymHelp tool and other tools to figure out the issue.
  Windows login: Administrator / Symc4now!
  SEPM login: admin / Symc4now!
Next steps
  Bookmark the Symantec support and Security Response sites
  SYMC only: get the VMs and lab guides (symapps)
  Everyone: slides and lab guides (SymIQ for Partners)
  Practice the troubleshooting methodology as soon as you can.
Digging further
  SymIQ for Partners
  Release notes & manuals
  KB articles
  Connect forum
  Connect calls for Technical Champions
Commercial break. 26
Congratulations! You are now officially SEP Investigators.
However, there's always room for improvement.
Any questions?
Thank you!
Martial RICHARD & Marcus Brownell
Martial_richard@symantec.com
Marcus_brownell@symantec.com

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.