Endpoint Protection clients stop communicating with Endpoint Protection Manager until SMC is restarted
Last Updated February 22, 2019
You have Symantec Endpoint Protection Manager (SEPM) 14.2 MP1. You previously upgraded your Symantec Endpoint Protection (SEP) clients to 14.2 MP1 because you had a lot of offline clients. While the upgrade resolved the issue for most clients, there are still some that just stop communicating. Restarting the SEP Management Client (SMC) allows the client to start communicating again.
SEP 14.2 MP1
cve-action.log shows GetIndexXml and GetGlobalIndex operations as the last operations.
cve.log shows SEP failed to update Sylink CommunicationStatus and public opstate LastServerIP.
The SEP system log may show a gap for several days between SMC stopping and the next entry.
cve.log may also indicate an "AddFirewallState Failed to get security engine" error and/or that an exception occurred while retrieving ATPInfo.
Dump analysis output of a ccSvcHst.exe process dump generated when the issue occurs shows a wait for a single object. A dump of all the process threads indicates the wait is due to a libcurl operation, after a set of such operations is initiated by the SMC:
The client stops communicating with SEPM because the send command sent to libcurl by our Communicator for Virtual Environments (CVE) does not contain a time-out. As a result, libcurl may at times wait on a Windows socket indefinitely.
CVE is the communication library used by the SEP client to communicate with SEPM. It is not only used in virtual environments; its name is a holdover from the period in which it was developed (its first implementation was for some of the virtual appliances we integrated with). CVE replaces Sylink, which was the communications library in SEP prior to version 14.2. It makes use of libcurl, an open-source, multi-platform, multi-protocol file transfer library.
Common CVE operations include GetATPInfo, GetContentItem, GetIndexXml, GetGlobalIndex, UploadOpState and UploadLogs.
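The missing time-out described above, reduced to plain sockets as an added example (this is not Symantec's code and does not use libcurl): a peer that completes the connection but never replies leaves an unbounded receive blocked, while the same call with a time-out returns so the caller can retry. The loopback server, the request string and all function names are constructed for illustration; in libcurl the equivalent bounds are set with options such as CURLOPT_CONNECTTIMEOUT and CURLOPT_TIMEOUT.

```python
import socket
import threading

def silent_server():
    """Constructed stand-in for an unresponsive peer: listens, never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral loopback port
    srv.listen(5)                # kernel completes the handshake; no data is ever sent
    return srv

def request(addr, timeout):
    """Send a request and wait for a reply. timeout=None waits forever."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(b"GET /index HTTP/1.0\r\n\r\n")   # hypothetical request
        try:
            return s.recv(4096)
        except socket.timeout:
            return None          # bounded wait: the caller can retry or reconnect

def probe(timeout, watch_seconds=1.0):
    """Run request() in a worker thread; report whether it is still blocked."""
    srv = silent_server()
    addr = srv.getsockname()
    done = threading.Event()

    def worker():
        try:
            request(addr, timeout)
            done.set()
        except OSError:
            pass                 # server torn down underneath a hung worker

    # daemon=True so a permanently blocked worker cannot stop interpreter exit
    threading.Thread(target=worker, daemon=True).start()
    finished = done.wait(watch_seconds)
    srv.close()
    return "recovered" if finished else "hung"

if __name__ == "__main__":
    print("no time-out  :", probe(None))   # worker is still waiting on the socket
    print("0.2s time-out:", probe(0.2))    # worker gave up and returned control
```

The "hung" worker is the analogue of the thread seen waiting in the ccSvcHst.exe dump: nothing in the process will wake it unless the peer sends data or the connection is torn down.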
Symantec is aware of this issue and will update this article when a solution becomes available.
Please note that client-server communication could fail due to any number of reasons. This TECH note only applies to the specific set of conditions outlined in the Error section. If unsure, please contact Symantec Support.