Endpoint Protection clients stop reporting their status to the Endpoint Protection Manager after upgrading to 14.2
search cancel

Endpoint Protection clients stop reporting their status to the Endpoint Protection Manager after upgrading to 14.2

book

Article ID: 172717

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

After upgrading Symantec Endpoint Protection (SEP) to 14.2 on 64-bit systems, some clients fail to properly report their status within the Endpoint Protection Manager (SEPM). 

This can include the following conditions:

  • Clients are not included in the SEPM's Computer Status report.
  • Clients do not appear in the Clients tab in the SEPM Console. 
  • Clients may still show a "Green Dot" suggesting successful communication with the SEPM.

ersecreg.log:

04/04 10:48:45 [916:4272] ###.###.###.###<AgentInfo PreferredMode="1" DomainID="################################" AgentType="0" AgentID="################################" HardwareKey="################################" UserDomain="####" LoginUser="####" ComputerDomain="####" ComputerName="####" PreferredGroup="################################" SiteDomainName="" AgentPlatform="Windows%20Server%202012%20R2"/> AgentID=################################ AgentType=0 ComputerID=################################ Hash Key=################################

Environment

Clients that were upgraded to SEP 14.2.

Cause

Some upgraded 64-bit SEP clients do not have a registry value needed to register with the SEPM correctly.  Specifically, "ClientType" is missing from HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink on these systems.

Root Cause:

  1. The upgrade logic for the SEP client will overwrite the SYLINK key in the Wow6432Node hive if the SYLINK key is present in the native hive. This causes the ClientType value to be deleted. In versions prior to 14.2, this was mitigated by code in the Sylink module which would restore the value if it was missing during service startup. 
  2. 14.2 replaced the Sylink module with the Communication Module (CM).  CM does not have functionality to restore the ClientType value. Since the value is missing, it sends '0' as the AgentType to the SEPM. 

Resolution

This issue is fixed in Symantec Endpoint Protection client 14.2 RU1.  For information on how to obtain the latest build of Symantec Endpoint Protection, read
TECH 103088: Download the latest version of Symantec Endpoint Protection

You can use one of the following workarounds until a fix is available.

  1.  Running a repair of the SEP installation will add the registry value and fix the issue.
  2. Manually adding the ClientType registry value (DWORD, decimal value of 105) will also fix the issue.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink]
    "ClientType"=dword:00000069
  3. The attached Host Integrity policy can also be used to check clients for the missing ClientType value and replace it if needed. 

 

Additional Information

ESCRT-205

Attachments

HI Policy - Set ClientType value.zip get_app
Powered by Wolken Software