You discover an increase in disk space utilization where the Symantec Endpoint Protection Manager (SEPM) is installed. Specifically, the file \SEPM\apache\logs\error-xxx standard time.log file has consumed all available disk space.
Within the \SEPM\Apache\logs\error-xxx standard time.log you may see repeated entries like the following:
[Tue Aug 11 22:46:58.920957 2015] [isapi:warn] [pid 2612:tid 3244] (OS 87)The parameter is incorrect. : [client 10.250.60.192:62312] AH02115: HSE_STATUS_ERROR result from HttpExtensionProc(): D:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/Inetpub/secars/secars.dll
[Tue Aug 11 22:46:59.061583 2015] [isapi:warn] [pid 2612:tid 3244] (OS 87)The parameter is incorrect. : [client 10.250.60.192:62313] AH02115: HSE_STATUS_ERROR result from HttpExtensionProc(): D:/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/Inetpub/secars/secars.dll
[Tue Aug 11 22:47:58.856889 2015] [mpm_winnt:error] [pid 2612:tid 3228] (OS 64)The specified network name is no longer available. : [client 10.250.26.103:4140] Thread(6360) TransmitFile failed, socket: 03820, Threads ready: 322, URI: GET /content/%7B535CB6A4-441F-4e8a-A897-804CD859100E%7D/150810024/Full.zip HTTP/1.1
This combination of logs shows that a client was attempting to download a full.zip for Antivirus definitions, and the connection experienced a disconnect (either expected or unexpected.) When this error is seen when a client is attempting to download a full.zip, the disconnect is likely an expected result of data not being transmitted in a timely fashion within TCP parameters. Clients may be remote from the SEPM and/or having access to limited bandwidth or congested bandwidth to the SEPM to download content
httpd.exe (Apache) is running 100% of the cpu and apache can't handle new requests to secars.dll from clients
If clients listed in the Apache error log appear to be from the same subnet consider adding a Group Update Provider for that physical site. If the network is stated to be robust between the client and SEPM, obtain a wireshark capture from the client and review for expected or unexpected cause of the port closing that client was using to download content from SEPM
For instances where httpd.exe runs at 100% cpu, ensure the client is at least on version 12.1 RU1 (etrack 2479435) otherwise perform troubleshooting of high cpu utilization and collect SymHelp, etc
Subscribing will provide email updates when this Article is updated. Login is required.