Symantec Administration Client for Macintosh (forum thread, Questions and Answers)
    #372079
    bentoms
    Participant

    Hi guys,

    I was wondering if any of you had used the Symantec Administration Client for Macintosh when administering your Symantec Antivirus on your Mac Clients.

    The reason I ask is that we are having issues with about 50% of our clients not reporting back to the console as expected, & those not reporting back are not able to have commands sent to them.

    All we have is some PHP errors on the clients & nothing from the Administration Console.

    So any experiences of yours would be great as they will give us a hand with our issue, especially in regards to what ports are used in the command communication between client & server.

    Symantec don’t seem to be able to help so hopefully you guys can!!

    The Macs are running 10.4.11 on PPC & Intel with the 10.1 or 10.2 Symantec mac client.

    The console is on a PPC Xserve running 10.4.11 with admin console version 1.0.2.

    Regards,

    Ben Toms.

    :mrgreen:

    #372115
    khiltd
    Participant

    And those errors would be…?

    #372138
    bentoms
    Participant

    Well, as mentioned, 70 clients are being listed as managed by SACM but only 34-ish are receiving commands, with the rest not showing as pending or erroring.

    Going through the SMacClientErr.log found in /Library/Application Support/Symantec/SMac/ on the Macs that are not receiving commands reveals various error messages; these are:

    Status Report err = -10
    ReportStatus.php error : -10
    Status Report err = -51
    ReportStatus.php error : -51
    Status Report err = -18007
    Status Report err = -18006
    HTTP error -18006, on status post

    Also, on some clients the logs are near 9GB in size. Is there any way of restricting the log length?

    Some digging in the SQL DB that is the backend of SACM shows that the clients that are not updating are not receiving the correct ‘command sequence id’, unlike the clients that do update.

    So I can see that they are not receiving commands; the issue is really why aren’t they receiving the commands, & even though we uninstall & reinstall the client, why are they not working???

    #372139
    khiltd
    Participant

    Well, it looks like they implemented the entire thing as a basic web service, so it should be fairly easy to either listen in on the port or check your Apache logs to see what the clients’ requests to the server look like. You should then be able to duplicate them with curl, look at the responses, and figure out what’s going wrong.

    Given the number of Mac viruses out there, it might be simpler to just pull the plug on Symantec; most people did years ago.

    #372142
    bentoms
    Participant

    Thanks.

    The HTTPD access_log is filled with:

    10.44.62.34 [09/Apr/2008:17:44:49 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3

    10.44.48.20 [09/Apr/2008:17:43:45 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 4

    Any ideas as to what they might mean??

    Oh & we cannot remove the AV due to our company policy.

    We know the Macs are updating as they have been set to do it at 14:00 every day; it’s just that our reporting tool is broken for some & not others.

    #372144
    khiltd
    Participant

    [QUOTE][u]Quote by: bentoms[/u][p]Thanks.

    The HTTPD access_log is filled with:

    10.44.62.34 [09/Apr/2008:17:44:49 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3

    10.44.48.20 [09/Apr/2008:17:43:45 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 4

    Any ideas as to what they might mean??
    [/p][/QUOTE]

    Those are HTTP POST requests. You’ll need to look at the POST data in order to duplicate the problem. It would probably be easiest to fire up an output buffer at the top of ReportStatus.php, throw a [b]var_dump($_POST);[/b] after it and then write the contents out to a file. Assuming you’re running PHP 5:

    [code][/code]

    Completely untested, but it looks about right.

    #372162
    bentoms
    Participant

    Actually we’re on PHP 4.4.8.

    Will the commands be different?

    #372176
    khiltd
    Participant

    The file_put_contents function is not available in PHP 4. You’ll have to manually create the file, open the file, write the data to the file and close the file.
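    The technique khiltd describes above (an output buffer around var_dump($_POST) at the top of ReportStatus.php, written to a file by hand because PHP 4 has no file_put_contents) as an added, self-contained example. This is not code from the thread or from Symantec's product; the log path, the function name and the use of the raw post data are assumptions, and it is written in the PHP 4 style the server in the thread would need:

```php
<?php
// Added example (not from the thread or Symantec's code): capture what each client POSTs to
// ReportStatus.php so a working client's request can be compared with a non-reporting one.
// Written for PHP 4.4 as on the server in the thread: no file_put_contents(), so the file is
// opened, locked, written and closed by hand. The log path and function name are assumptions.
define('SACM_DEBUG_LOG', '/tmp/sacm_reportstatus_debug.log');

function sacm_debug_dump_request($post, $server)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : 'unknown';
    $ctype  = isset($server['CONTENT_TYPE']) ? $server['CONTENT_TYPE'] : 'unknown';

    // var_dump() prints; an output buffer turns that output into a string we can write out.
    ob_start();
    var_dump($post);
    $dump = ob_get_clean();

    // If the client does not POST as a form, $_POST is empty and the body only shows up in
    // the raw post data (populated for non-form content types on PHP 4), so keep both.
    $raw = isset($GLOBALS['HTTP_RAW_POST_DATA']) ? $GLOBALS['HTTP_RAW_POST_DATA'] : '';

    $entry = '[' . date('Y-m-d H:i:s') . '] ' . $remote . ' ' . $ctype . "\n"
           . $dump . 'raw(' . strlen($raw) . '): ' . $raw . "\n\n";

    $fh = @fopen(SACM_DEBUG_LOG, 'a');
    if ($fh === false) {
        return false;
    }
    @chmod(SACM_DEBUG_LOG, 0600);   // the dump carries whatever the clients send; keep it private
    flock($fh, LOCK_EX);             // several clients post at once; serialise the writes
    $ok = (fwrite($fh, $entry) !== false);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Hook: make this the first thing ReportStatus.php does, before it produces any output.
sacm_debug_dump_request($_POST, $_SERVER);
```

    Take one entry from a client that receives commands and one from a client that does not, and diff the two; the parameter that differs (or is missing) is where to look next. The hook changes nothing the script returns to the client, but the file holds every client's submitted values, so remove it from ReportStatus.php and delete the log once the comparison is done.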

    #372309
    bentoms
    Participant

    khiltd, thanks for your help, but I think the issues lie elsewhere. Here is what I have found, & I am posting it in case someone else finds this useful.

    [b]Client – Server relationship[/b]

    [i]A command that you issue from the administration console passes through to the Apache HTTP Web server. The server stores information about the new command in the appropriate database tables and instructs the command server to issue the command to the UDP multicast address that was set when Symantec Administration Console for Macintosh was installed. The command broadcasts through one or more routers to individual clients and client groups registered with the UDP address. – taken from the admin manual[/i]

    The client runs as a process called SMac (for Symantec Antivirus 10.1 this runs from a user’s Startup Items; from 10.2 this runs as a launchd process).

    After installing Symantec Antivirus, install the SMacClient.pkg found in /Library/Application Support/Symantec/SMac/ on the server running the Symantec Administration Client for Macintosh (SACM).

    To create the client, log in to SACM & click on Maintenance > Create Client Package.

    This client should have all the settings (IP Address, Multicast Address, Port etc.) for your server as well as the current Private & Public Keys.

    Once installed on a client Mac & the Mac has been restarted or logged out/in, you should see the SMac process under Activity Monitor. If you do, open Terminal & type in netstat, then hit return.

    This will give you all the current tcp, udp & other open connections. You will need to look for something along the lines of;

    udp4 0 0 *.8192 *.* (or whatever multicast port you chose).

    &

    /tmp/.com.symantec.smacs.events.toserver

    If these are fine on both server & client then the Mac [i]should[/i] appear in the SACM in a day or two (maybe sooner).

    On successful communication with the server the client will be assigned a NodeID which will be written to /Library/Preferences/com.symantec.SMacClient.plist

    If you have added the client to an image & rebooted into the image BEFORE distributing it, you will need to run the following:

    sudo defaults write /Library/Preferences/com.symantec.SMacClient NodeID 0

    so that after your image has been deployed it will re-register the client with the server.

    [b]So it works then?[/b]

    Err.. not for me, not yet anyways. I have done the last step after removing some 30 unresponsive clients from SACM & 3 have come back. Time will tell & hopefully so will Symantec, if they ever get back to me!!

    [b]Client Errors[/b]

    On another note, I found these in the Bootstrap.php file after opening the client package installer:

    [code]
    define('kSMErr_InvalNodeID', -1); # malformed kSMSK_NodeID/kSMEK_NodeID param
    define('kSMErr_UnknownNodeID', -2); # kSMSK_NodeID/kSMEK_NodeID value not in database
    define('kSMErr_InvalTimeSent', -3); # malformed kSMSK_TimeSent/kSMEK_TimeSent param
    define('kSMErr_InvalIPAddr', -4); # malformed kSMSK_IPAddr param
    define('kSMErr_InvalCmdStat', -5); # kSMSK_CommandsStat param not mult of 3 values
    define('kSMErr_InvalCmdID', -6); # kSMSK_CommandsStat has malformed command ID
    define('kSMErr_UnknownCmdID', -7); # kSMSK_CommandsStat has unknown command ID
    define('kSMErr_InvalCmdResult', -8); # kSMSK_CommandsStat has malformed command result
    define('kSMErr_InvalCmdTime', -9); # kSMSK_CommandsStat has malformed command time
    define('kSMErr_InvalSoftware', -10); # kSMSK_SoftwareVers param not mult of 2 values
    define('kSMErr_InvalSoftName', -11); # kSMSK_SoftwareVers/kSMEK_SoftwareName has malformed software name
    define('kSMErr_InvalSoftVers', -12); # kSMSK_SoftwareVers/kSMEK_SoftwareVersion has malformed software vers
    define('kSMErr_InvalEvtTime', -13); # kSMEK_EventTime has malformed event time
    define('kSMErr_InvalEvent', -14); # kSMEK_Event has malformed event

    define('kSMErr_DBConnect', -21); # unable to connect to database
    define('kSMErr_DBQuery', -22); # misc error with database

    define('kSMErr_InvalKeyID', -31); # malformed public key ID
    define('kSMErr_UnknownKeyID', -32); # a public key was requested but ID unknown

    define('kSMErr_InvalBootstrap', -41); # missing or bad info in bootstrap attempt

    define('kSMErr_InvalOsID', -51); # missing or bad info for OsVersion in bootstrap attempt
    [/code]

    Not that they make any odds!!

    #372316
    khiltd
    Participant

    So you didn’t actually look at the POST data or the script sources to see what was going wrong, yet you’re sure the issues lie elsewhere because Symantec’s documented troubleshooting procedure [b]didn’t[/b] work? I don’t follow the logic there.

    Symantec’s chosen to deploy a web app in this case, and even if they’ve “compiled” their PHP sources to protect their amazing trade secrets (which does not appear to be the case), you still have plenty of opportunities to patch in. If you want it fixed within the next 5 years you should probably get a qualified PHP engineer out there to do your troubleshooting for you because finding the cause of the problem would likely be a trivial task for them. Symantec doesn’t sell enough Mac software to warrant supporting it.

    #372319
    bentoms
    Participant

    Cheers for that!

    As a company we pay for a certain level of support. Therefore we cannot justify the cost of a PHP engineer to troubleshoot an issue bought from & supported by Symantec.

    Anyways, the POST requests on the server are correct. It is just that for some reason these Macs’ SMacClients are checking for updates/new commands every 3 seconds instead of every 300 seconds.

    Also, error -51 points to an error that, whilst it is presented in PHP, is actually in reference to a Ruby file that runs the terminal command sys_ver & logs it. At this point I realised I was going into the guts of the application to resolve an issue that we have paid support for.

    As this is just for the reporting, I wrote some UNIX scripts that we can send out via ARD. I will post these once I have verified that they are indeed working over an extended period.
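    The finding in the post above (affected clients POSTing to ReportStatus.php every 3 seconds rather than every 300) can be confirmed from the access_log entries shown earlier in the thread without touching the application. The script below is an added example, not code from the thread or from Symantec: it parses lines in the format posted above, measures each client's median check-in interval and flags runaway pollers. The sample log lines are constructed for the example, the 30-second cutoff is an assumption, and it is kept PHP 4 compatible so it runs on the server described in the thread:

```php
<?php
// Added example, not part of the original thread or Symantec's product.
// For each client IP, measure how often it POSTs to /sacm/ReportStatus.php. The thread
// reports broken clients checking in every 3 seconds instead of every 300, so anything
// polling far below the expected interval is flagged. PHP 4 compatible (array() syntax).

define('EXPECTED_INTERVAL', 300);  // seconds between check-ins, per the thread
define('FAST_THRESHOLD', 30);      // assumed cutoff: quicker than this is a runaway poller

// Constructed sample input in the thread's log format (ident/user fields optional).
$sample_log = '10.44.62.34 [09/Apr/2008:17:44:49 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3
10.44.48.20 [09/Apr/2008:17:43:45 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 4
10.44.62.34 [09/Apr/2008:17:44:52 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3
10.44.62.34 [09/Apr/2008:17:44:55 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3
10.44.62.34 [09/Apr/2008:17:44:58 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 3
10.44.48.20 [09/Apr/2008:17:48:45 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 4
10.44.48.20 [09/Apr/2008:17:53:45 +0100] "POST /sacm/ReportStatus.php HTTP/1.1" 200 4
10.44.62.34 [09/Apr/2008:17:45:01 +0100] "GET /sacm/index.php HTTP/1.1" 200 512
';

// Convert "09/Apr/2008:17:44:49 +0100" to a Unix timestamp by hand; strtotime() does not
// parse this layout reliably on PHP 4.
function sacm_parse_apache_time($s)
{
    static $months = array('Jan'=>1,'Feb'=>2,'Mar'=>3,'Apr'=>4,'May'=>5,'Jun'=>6,
                           'Jul'=>7,'Aug'=>8,'Sep'=>9,'Oct'=>10,'Nov'=>11,'Dec'=>12);
    if (!preg_match('#^(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$#', $s, $m)) {
        return false;
    }
    if (!isset($months[$m[2]])) {
        return false;
    }
    $t = gmmktime((int)$m[4], (int)$m[5], (int)$m[6], $months[$m[2]], (int)$m[1], (int)$m[3]);
    $offset = ((int)$m[8] * 3600) + ((int)$m[9] * 60);
    return ($m[7] == '+') ? $t - $offset : $t + $offset;
}

// Returns array(ip => array('times' => array(ts, ...), 'sizes' => array(bytes => count))).
// Only POSTs to ReportStatus.php count; other requests are ignored.
function sacm_collect_status_posts($log_text)
{
    $clients = array();
    $re = '#^(\S+)(?: \S+ \S+)? \[([^\]]+)\] "POST /sacm/ReportStatus\.php [^"]*" (\d{3}) (\d+|-)#';
    foreach (preg_split('/\r?\n/', $log_text) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $ts = sacm_parse_apache_time($m[2]);
        if ($ts === false) {
            continue;
        }
        $ip = $m[1];
        if (!isset($clients[$ip])) {
            $clients[$ip] = array('times' => array(), 'sizes' => array());
        }
        $clients[$ip]['times'][] = $ts;
        $size = $m[4];
        if (!isset($clients[$ip]['sizes'][$size])) {
            $clients[$ip]['sizes'][$size] = 0;
        }
        $clients[$ip]['sizes'][$size]++;
    }
    return $clients;
}

// Median gap between consecutive posts; false if fewer than two posts were seen.
function sacm_median_interval($times)
{
    if (count($times) < 2) {
        return false;
    }
    sort($times);
    $gaps = array();
    for ($i = 1; $i < count($times); $i++) {
        $gaps[] = $times[$i] - $times[$i - 1];
    }
    sort($gaps);
    $n = count($gaps);
    return ($n % 2) ? $gaps[($n - 1) / 2] : ($gaps[$n / 2 - 1] + $gaps[$n / 2]) / 2;
}

// Usage: php sacm_poll_check.php /var/log/httpd/access_log   (falls back to the sample above)
$text = (isset($argv[1]) && is_readable($argv[1])) ? file_get_contents($argv[1]) : $sample_log;
foreach (sacm_collect_status_posts($text) as $ip => $info) {
    $med = sacm_median_interval($info['times']);
    $sizes = array();
    foreach ($info['sizes'] as $size => $count) {
        $sizes[] = $size . ' bytes x' . $count;
    }
    $flag = ($med !== false && $med < FAST_THRESHOLD) ? 'RUNAWAY POLLER' : 'ok';
    printf("%-15s posts=%-3d median_interval=%-6s expected=%ds reply=[%s] %s\n",
        $ip, count($info['times']), ($med === false ? 'n/a' : $med . 's'),
        EXPECTED_INTERVAL, implode(', ', $sizes), $flag);
}
```

    On the constructed sample, 10.44.62.34 comes out with a 3-second median and is flagged while 10.44.48.20 sits at 300 seconds; run against the real access_log, the flagged list should line up with the clients SACM shows as managed but not receiving commands. The reply-size tally is kept per client because a 3- or 4-byte body on every response is the other visible difference between the two example lines in the thread; what those bytes are can only be established by capturing the response itself.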

    #372607
    bentoms
    Participant

    Hi guys,

    Been off after a leg op but have hobbled back into work now!! 😆

    Anyways, to check the Virus Definition date of the Symantec Antivirus Client for Mac via ARD, run the following script as root & tick the box to display all output:

    [b]ls -l /Library/Application\ Support/Symantec/AntiVirus/Engine/WHATSNEW.TXT[/b]

    This text file is recreated when new Definitions are installed, so when you run the script the date returned will be the latest Virus Definitions installed on that Mac.

    Hope it helps someone else.

    Thanks to the rest of you for all your help!! 😀
