Troubleshooting communication problems with Symantec AntiVirus Corporate Edition 8.x
Question/Issue:
You are using Symantec AntiVirus Corporate Edition 8.x and Symantec System Center. The client/server communication is not working. You may see one of the following symptoms:
- Clients disappear from the Symantec System Center
- Clients cannot be configured from Symantec System Center
- Clients do not receive automatic virus definition updates
Solution:
Before you begin: Before you follow the directions in this document, confirm basic network communication by using the ping, netstat, and telnet commands.
For directions, read Symantec AntiVirus quick communications check.
This document provides tools and techniques for troubleshooting common communication problems with Symantec AntiVirus. In some cases, following the steps in this document will solve the problem. If problems persist after completing the steps in this document, then contact Symantec Technical Support for additional troubleshooting. Symantec recommends making a note of each change or discovery that you make while using this document, because this information will be requested if you contact technical support.
Follow the procedures in each of the following sections in the order listed.
To verify that clients are frequently checking for updates
By default, Symantec AntiVirus 8.x will delete clients if it has been 30 days since their last check-in. (This setting is controlled by the ClientExpirationTimeout value in the server's registry, under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion. The default value is 720 hours, which is 30 days.) Clients will disappear from Symantec System Center if the ClientExpirationTimeout value is shorter than the interval between client check-ins. This was a more common occurrence in Norton AntiVirus Corporate Edition 7, where the default behavior was to remove clients after 3 days without a check-in.
The frequency of client updates is configured in Symantec System Center:
- Right-click a server, server group, or client group in the Symantec System Center console, click All Tasks, point to Symantec AntiVirus, and then click Virus Definition Manager.
- Click "Update Virus Definitions From Parent Server," if it is unchecked.
- Click Settings.
- The frequency of the Symantec AntiVirus client keep-alive packets can be configured in the Update Settings window. The default setting is 60 minutes, though you may want to increase the frequency for troubleshooting.
After setting an appropriate keep-alive value, continue to the next section to confirm that Symantec AntiVirus is installed and running properly on both the client and server.
To confirm that Symantec AntiVirus is working correctly on the client and server
Symantec AntiVirus server for NT/2000/XP:
- Ensure that the Intel PDS service is started.
- Start Symantec AntiVirus, click the View menu, and then click Realtime Scan Statistics. This should display the start date and time of the Symantec AntiVirus Server service and the number of files scanned. If Files Scanned = 0 or the start date and time is not displayed, then the service may not be running.
- Stop and then restart the Symantec AntiVirus Server service. If you cannot stop or restart the service, try any or all of the following steps:
- Modify the IRPStackSize value based on Symantec's recommendations below:
Windows NT 4: Increase the IRPStackSize to a decimal value of 11 or 12.
Windows 2000/XP: Delete the IRPStackSize value or raise it to a decimal value of 15. If the IRPStackSize value does not exist, no changes are necessary.
For more information, see the article How to change the IRPStackSize for computers with Windows NT-based operating systems.
- Download and run the Intelligent updater to ensure that there is not a problem with damaged definitions. The Intelligent updater has the naming convention of yyyymmdd-version-x86, where yyyy represents the year, mm represents the month, dd represents the day and version represents the version. You may obtain it from the download virus definitions page.
- Restart the computer.
- As a last resort, if the Symantec AntiVirus Server service still isn't started after following the above steps, uninstall and then reinstall Symantec AntiVirus.
Symantec AntiVirus client for NT/2000/XP
- Start Symantec AntiVirus, click the View menu, and then click Realtime Scan Statistics. This should display the start date and time of the Symantec AntiVirus Client service and the number of files scanned. If Files Scanned = 0 or the start date and time is not displayed, then the service may not be running.
- Stop and then restart the Symantec AntiVirus Client service. If you cannot stop or restart the service, try any or all of the following steps:
- Modify the IRPStackSize value based on Symantec's recommendations below:
Windows NT 4: Increase the IRPStackSize to a decimal value of 11 or 12.
Windows 2000/XP: Delete the IRPStackSize value or raise it to a decimal value of 15. If the IRPStackSize value does not exist, no changes are necessary.
For more information, see the article How to change the IRPStackSize for computers with Windows NT-based operating systems.
- Download and run the Intelligent updater, to ensure that there is not a problem with damaged definitions. The Intelligent updater has the naming convention of yyyymmdd-version-x86, where yyyy represents the year, mm represents the month, dd represents the day and version represents the version. You may obtain it from the download virus definitions page.
- Restart the computer.
- As a last resort, if the Symantec AntiVirus Client service still isn't started after following the above steps, uninstall and then reinstall Symantec AntiVirus.
Symantec AntiVirus for Windows 98/Me:
- Open Symantec AntiVirus, click the View menu, and then click Realtime Scan Statistics. This should display the start date and time of Rtvscn95.exe and the number of files scanned. If Files Scanned = 0 or the start date and time is not displayed, then Rtvscn95.exe may not be running.
- If Rtvscn95.exe is not running, then do the following steps:
- Download and run the Intelligent updater, to ensure that there is not a problem with damaged definitions. The Intelligent updater has the naming convention of yyyymmdd-version-x86, where yyyy represents the year, mm represents the month, dd represents the day and version represents the version. You may obtain it from the download virus definitions page.
- There may be a timing conflict. See the document How to troubleshoot problems that occur at startup.
Note: The procedures contained in the document How to troubleshoot problems that occur at startup should be used for troubleshooting only. Symantec does not recommend permanently altering the load time of Symantec AntiVirus services.
- As a last resort, if the Symantec AntiVirus Client service still isn't started after following the above steps, uninstall and then reinstall Symantec AntiVirus.
After confirming that Symantec AntiVirus is working correctly on the clients and server, continue with the next section to confirm that keep-alive packets are being sent and received.
To confirm client-to-server communication
- Symantec AntiVirus on the parent server should not be older than the version on the clients
Symantec recommends that the version of Symantec AntiVirus on the parent server be the same as or newer than the version on the clients. For example, you may encounter communications problems between clients running Symantec AntiVirus 8.x and parent servers running Norton AntiVirus Corporate Edition 7.6.
- Copy the Grc.dat file from the parent server to the client. This will update the client's information about the parent server, which may be necessary. See the article A guide to the Grc.dat in Symantec AntiVirus Corporate Edition for instructions on copying this file.
- Open Symantec AntiVirus on the client computer, and confirm that the Parent Server field identifies the correct parent server.
- Import the attached Debugon.reg file on the client. If the Symantec AntiVirus Client service (Windows NT) or Rtvscn95.exe (Windows 98/Me) is running, then a DOS window will appear. Clients should display the phrase CheckInWithMommy each time a keep-alive packet is sent to the parent server. Since this only happens once an hour by default, you may want to temporarily increase the frequency of keep-alive packets for troubleshooting. See the "To verify that clients are frequently checking for updates" section of this document for instructions.
CheckInWithMommy indicates that the client is sending keep-alive packets to the server.
Import the Debugoff.reg file to close the DOS window.
- Download and import the Debugon.reg file on the NT parent server. If the Symantec AntiVirus Server service is running, then a DOS window will appear. The DOS window should display the phrase Alive -- <ComputerName> each time that a keep-alive packet is sent to the parent server. Alive -- <ComputerName> indicates that the server is receiving keep-alive packets from the client <ComputerName>.
Download and import the Debugoff.reg file to close the DOS window.
- For instructions on enabling the debug window on a NetWare server, see the document How to enable debugging for Symantec AntiVirus Corporate Edition on NetWare 5 and 6.
If you have confirmed that Symantec AntiVirus is running and communicating properly on the clients and server, but you cannot see the clients in Symantec System Center, then continue on to the next section, "If you do not see clients in Symantec System Center."
If you do not see clients in Symantec System Center
Solution 1
- Copy the Grc.dat file from the parent server to the clients not displayed in Symantec System Center. See the document A guide to the Grc.dat in Symantec AntiVirus Corporate Edition for detailed instructions.
- Restart the missing client computer after copying the Grc.dat file.
- Open the Symantec System Center, and unlock the server group.
- Click the parent server, and in the right pane the client or clients should appear.
Solution 2
- Open the registry of the parent server (if the parent is a NetWare server, then load Vpregedt.nlm). Browse to the following key:
HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Clients
If the server has received a keep-alive packet from the client in the past three days, then the client should be listed here.
- If you see clients in the registry that do not appear in the Symantec System Center, use the following steps to refresh the System Center data:
- In Symantec System Center, click the Tools menu, and click Discovery Service.
- Ensure that the Discovery Type is set to Local Discovery or Intense Discovery.
- Click Clear Cache Now. Clearing the cache will automatically run a discovery.
Note: If you previously used the Importer tool, clearing the cache will delete all of the imported server information. To avoid having to re-import this information, click Run Discovery Now instead of Clear Cache Now.
Solution 3
- Close the Symantec System Center.
- Stop and start the Symantec System Center Discovery Service.
- Open the Symantec System Center.
- Clear the Symantec System Center cache.
If you see clients in Symantec System Center, but you cannot communicate with them
- Open the registry of the parent server (if the parent is a NetWare server, then load Vpregedt.nlm). Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Clients
If the server has received a keep-alive packet from the client in the past 30 days, then the client should be listed here.
- Delete each client that cannot be communicated with.
- Copy a Grc.dat file to each deleted client computer. See the document A guide to the Grc.dat in Symantec AntiVirus Corporate Edition for detailed instructions. Restart the client.
- Upon reboot, the clients should contact their parent server with a keep-alive packet. The server will add each client to the registry when it receives a keep-alive packet from that client.
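The two registry checks this document relies on (the ClientExpirationTimeout value and the Clients key) can be read in one pass on a Windows parent server. The script below is an added example, not Symantec code. The key path and value name come from this document; the parameters, the fallback to 720 when the value is absent, the prefix match on client names, and reading entries as either subkeys or values are assumptions, because the document does not describe how entries under Clients are stored or named.

```powershell
# Added example (not Symantec code). Run on the Windows parent server.
param(
    # Keep-alive interval from the Update Settings window (document default: 60)
    [int]$KeepAliveMinutes = 60,
    # Hypothetical list of client computer names you expect to be registered
    [string[]]$ExpectedClients = @()
)

# Key path and value name as given in this document
$base = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion'

# ClientExpirationTimeout is expressed in hours (document default: 720)
$timeoutHours = (Get-ItemProperty -Path $base -ErrorAction Stop).ClientExpirationTimeout
if ($null -eq $timeoutHours) {
    $timeoutHours = 720   # assumption: an absent value means the default applies
}

$keepAliveHours = $KeepAliveMinutes / 60
if ($timeoutHours -le $keepAliveHours) {
    Write-Warning ("ClientExpirationTimeout ({0} h) is not longer than the keep-alive interval ({1} h); clients can expire between check-ins." -f $timeoutHours, $keepAliveHours)
} else {
    $intervals = [math]::Floor($timeoutHours / $keepAliveHours)
    Write-Output ("Timeout of {0} h spans about {1} keep-alive intervals." -f $timeoutHours, $intervals)
}

# Collect entry names under Clients. Assumption: entries may be stored as
# subkeys or as values, so both are read and empty results are dropped.
$clientsKey = Join-Path $base 'Clients'
$entries = @()
if (Test-Path $clientsKey) {
    $entries = @(
        (Get-ChildItem -Path $clientsKey | ForEach-Object { $_.PSChildName })
        (Get-Item -Path $clientsKey).Property
    ) | Where-Object { $_ }
}
$entries = @($entries)
Write-Output ("Entries under Clients: {0}" -f $entries.Count)

# Assumption: an entry name begins with the client's computer name.
foreach ($name in $ExpectedClients) {
    if ($entries | Where-Object { $_ -like "$name*" }) {
        Write-Output "Registered: $name"
    } else {
        Write-Output "MISSING: $name (server has no keep-alive recorded for it)"
    }
}
```

A client reported as MISSING here has not registered a keep-alive with this server, which points to the client-to-server checks rather than to the System Center cache.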
If communication problems continue, then contact Symantec Technical Support for additional troubleshooting. Be sure to provide technical support with the notes of any changes and discoveries you made while using this document.
Document ID: 2002082110083748
Last Modified: 11/20/2006
Date Created: 08/21/2002
Product(s): Symantec AntiVirus Corporate Edition 8.0
Release(s): SAV 8.0