Endpoint Agent Troubleshooting


This article provides tips on how to troubleshoot the Endpoint Agent.

Below is the list of items the customer should provide to the Symantec Technical Support team when troubleshooting the Endpoint Agent.


1. Identify 1-3 workstations/agents to troubleshoot on.

2. RDP to the workstation and check whether the agent is able to talk to the Endpoint server (10443 is the Endpoint server port; the last column of the netstat output is the PID, which should belong to the edpa service):
netstat -ano | find "10443"

3. Check whether the files below have been updated recently. If they have, the workstation/agent is able to talk to the Endpoint server.

In C:\Program Files\Manufacturer\Endpoint Agent:

cg.ead <---configuration db. Contains the Agent configuration.
ps.ead <---policy db. Stores policy information.
is.ead <---incidents db. Stores incidents before sending them to the Endpoint server while the Agent is "offline". If it is larger than 9 KB, there are incidents that have not yet been sent to the Endpoint server.
ks.ead <---keystore db (communication certs).
dcs.ead <---discover checkpoint db. Stores Discover checkpoint information.
ttds.ead <---two-tier db. Stores messages to be processed by the Endpoint server for two-tier detection.


Items to provide to Support:

1. Windows event logs, both System and Application
2. edpa_ext0.log
3. ks.ead
4. sto.ead
5. If possible, a Process Monitor (procmon) capture taken while the agent loads, if loading the agent locks up the machine
6. If possible, a process memory dump of the edpa service (for example with Sysinternals ProcDump)

Items 2-4 are in the agent directory (C:\Program Files\Manufacturer\Endpoint Agent).
Items 5-6 are captured with Sysinternals tools, which can be found, along with their syntax, here: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
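The connectivity check, the database freshness check and the collection of the support items above can be run as one elevated PowerShell script. The script below is an added example and is not code from the original article or from the product; it assumes the default install path, 10443 as the Endpoint server port, and "not written in the last day" as the cut-off for calling a database stale. The procmon capture and the process dump are interactive and are left to the engineer.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article or the product. Runs the
# connectivity and file-freshness checks above and stages the support items in
# one folder. Assumptions: the default install path, 10443 as the Endpoint
# server port, and "not written in the last day" as the staleness cut-off.
param(
    [string]$AgentDir    = 'C:\Program Files\Manufacturer\Endpoint Agent',
    [int]$ServerPort     = 10443,
    [int]$StaleAfterDays = 1,
    [string]$OutDir      = "$env:SystemRoot\Temp\edpa-triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$report = New-Object System.Collections.Generic.List[string]

# Step 2: is any process holding a TCP session to the server port?
# Same information as: netstat -ano | find "10443"
$sessions = @(Get-NetTCPConnection -RemotePort $ServerPort -ErrorAction SilentlyContinue)
if ($sessions.Count -eq 0) {
    $report.Add("NO TCP connection to port $ServerPort - agent is not talking to the Endpoint server")
}
foreach ($s in $sessions) {
    $owner = (Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $report.Add(('{0,-22} {1,-12} pid {2} ({3})' -f "$($s.RemoteAddress):$($s.RemotePort)", $s.State, $s.OwningProcess, $owner))
}

# Step 3: freshness of the agent databases. A recently written file means the
# agent exchanged data with the server; is.ead above 9 KB means unsent incidents.
$dbs = [ordered]@{
    'cg.ead'   = 'configuration'
    'ps.ead'   = 'policy'
    'is.ead'   = 'incidents queued while offline'
    'ks.ead'   = 'keystore (communication certs)'
    'dcs.ead'  = 'discover checkpoint'
    'ttds.ead' = 'two-tier detection messages'
}
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
foreach ($name in $dbs.Keys) {
    $f = Get-Item (Join-Path $AgentDir $name) -ErrorAction SilentlyContinue
    if (-not $f) { $report.Add(('{0,-9} MISSING' -f $name)); continue }
    $flag = if ($f.LastWriteTime -lt $cutoff) { 'STALE' } else { 'ok' }
    if ($name -eq 'is.ead' -and $f.Length -gt 9KB) { $flag += ' UNSENT-INCIDENTS' }
    $report.Add(('{0,-9} {1,10:N0} B  {2:yyyy-MM-dd HH:mm}  {3,-22} {4}' -f $name, $f.Length, $f.LastWriteTime, $flag, $dbs[$name]))
}

# Stage the items Support asks for (event logs, edpa_ext0.log, ks.ead, sto.ead).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($name in 'edpa_ext0.log', 'ks.ead', 'sto.ead') {
    # Copy-Item fails on a file the edpa service has opened exclusively; the
    # error is recorded in the report instead of aborting the run.
    try   { Copy-Item (Join-Path $AgentDir $name) $OutDir -ErrorAction Stop }
    catch { $report.Add("Could not copy ${name}: $($_.Exception.Message)") }
}
foreach ($channel in 'System', 'Application') {
    # wevtutil epl exports the live channel to an .evtx file.
    wevtutil epl $channel (Join-Path $OutDir "$channel.evtx")
}
Get-Service edpa, wdp -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Out-File (Join-Path $OutDir 'services.txt')

$report | Out-File (Join-Path $OutDir 'triage.txt')
$report
"Support bundle staged in $OutDir"
```

Run it from an elevated PowerShell prompt on each of the 1-3 workstations chosen in step 1; the folder it prints contains triage.txt (connectivity and freshness results), the exported event logs, the copied agent files and the service state, which is what Support asks for. If a file could not be copied because the service holds it open, stop the services with service_shutdown.exe first and copy it again.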



Problem Summary

You are having issues with the Endpoint Agent and need to change the log levels locally.


Using the Agent tools, you can set log levels, stop services, etc.

1. Copy the following tools to the Endpoint Agent install directory:

- service_shutdown.exe
- vontu_sqlite3.exe

2. Run SQLite commands to change the log level to FINEST:

cd C:\Program Files\Manufacturer\Endpoint Agent\
vontu_sqlite3.exe -db=cg.ead -p=<TOOLS_PASSWORD or default VontuStop>
To set the default log level to FINEST:
update configuration set value = 'FINEST' where setting = 'DefaultLevel';
To turn off log obfuscation so that the EDPA logs are written in clear text:
update configuration set value = '0' where setting = 'Obfuscate';
To check your work:
select * from configuration where name like '%Log%';

Because the default tools password is published, anyone who knows it can stop the agent or edit its configuration; set a custom tools password when the agent package is generated. Reset the log level and the Obfuscate setting once troubleshooting is finished so that verbose, clear-text logs are not left on the endpoint.

3. Restart the services for the change to take effect (run from a cmd.exe prompt; in PowerShell use sc.exe, because sc is an alias of Set-Content there):

service_shutdown.exe -p=<TOOLS_PASSWORD or default VontuStop>
sc start edpa && sc start wdp



Copy all troubleshooting tools to the Endpoint Agent directory

The tools used in this write-up are listed below:

- service_shutdown.exe
- vontu_sqlite3.exe
- logdump.exe

Restarting Endpoint Services Locally

1. To stop the services, run:

cd C:\Program Files\Manufacturer\Endpoint Agent
service_shutdown.exe -p=TOOLS_PASSWORD

2. To start the services, run (from cmd.exe; in PowerShell use sc.exe):

sc start edpa && sc start wdp

Basic SQLite

1. To open SQLite, open a command prompt in Administrator mode and run:

cd C:\Program Files\Manufacturer\Endpoint Agent
vontu_sqlite3.exe -db=cg.ead -p=TOOLS_PASSWORD

2. To export the Endpoint Agent configuration from SQLite, run (.output sends all following query results to the named file; .output stdout switches back to the screen):

.header on
.mode list
.separator |
.output NAME_OF_FILE.txt
select * from Configuration;
.output stdout

3. To set the log level to FINEST, run:

update configuration set value = 'FINEST' where setting = 'DefaultLevel';

4. To turn off log obfuscation on DLP 15.1.0, run:

update configuration set value = '0' where name = 'Logging' and setting = 'Obfuscate';

Pull EDPA decrypted logs locally

1. Locate edpa_ext0.log in the Endpoint Agent install directory and run:

cd C:\Program Files\Manufacturer\Endpoint Agent
logdump.exe -log=edpa_ext0.log -p=<TOOLS_PASSWORD> > NAME_OF_FILE.txt
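The log-level change, the service restart, the SQLite queries and the logdump step above fit together as one elevated PowerShell script that turns verbose, clear-text logging on, restores the previous settings afterwards, and decodes the log in between. It is an added example, not code from the original article or from the product. It assumes the default install path and that vontu_sqlite3.exe reads SQL statements and dot-commands from standard input like the stock sqlite3 shell (the article only shows the tool used interactively); the backup file path and the -Mode parameter names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article or the product. Switches
# the agent to FINEST, clear-text logging with the tools above, restarts the
# services, and restores the previous settings when done. Assumptions: the
# default install path, and that vontu_sqlite3.exe reads SQL and dot-commands
# from standard input like the stock sqlite3 shell. -Mode dump decodes the
# current edpa_ext0.log with logdump.exe.
param(
    [Parameter(Mandatory)][string]$ToolsPassword,   # never hard-code the default
    [ValidateSet('on', 'off', 'dump')][string]$Mode = 'on',
    [string]$AgentDir = 'C:\Program Files\Manufacturer\Endpoint Agent'
)
Set-Location $AgentDir
$backup = Join-Path $env:SystemRoot 'Temp\edpa-logging-backup.txt'

function Invoke-AgentSql([string[]]$Lines) {
    # One SQL statement or dot-command per line, piped into the tool's shell.
    $Lines | & .\vontu_sqlite3.exe "-db=cg.ead" "-p=$ToolsPassword"
}

function Restart-AgentServices {
    # Stopping needs the tools password. sc.exe is spelled out because 'sc'
    # inside PowerShell is the Set-Content alias, not the service controller.
    & .\service_shutdown.exe "-p=$ToolsPassword"
    sc.exe start edpa
    sc.exe start wdp
}

switch ($Mode) {
    'on' {
        # Record the current rows first so that 'off' can put back exactly
        # what was there, whatever the defaults are on this agent version.
        Invoke-AgentSql @(
            '.mode list', '.separator |', ".output $backup",
            "select name, setting, value from configuration where setting in ('DefaultLevel', 'Obfuscate');",
            '.output stdout'
        )
        # The unqualified Obfuscate update also covers the name = 'Logging'
        # row the article shows for DLP 15.1.0; the backup restores every row
        # it touches.
        Invoke-AgentSql @(
            "update configuration set value = 'FINEST' where setting = 'DefaultLevel';",
            "update configuration set value = '0' where setting = 'Obfuscate';",
            "select name, setting, value from configuration where setting in ('DefaultLevel', 'Obfuscate');"
        )
        Restart-AgentServices
    }
    'off' {
        if (-not (Test-Path $backup)) { throw "No backup at $backup; run with -Mode on first" }
        # Backup lines are name|setting|value; the values are plain tokens
        # such as FINEST or 0, so they can be placed back in single quotes.
        $restore = foreach ($line in Get-Content $backup) {
            if (-not $line.Trim()) { continue }
            $n, $s, $v = $line -split '\|', 3
            "update configuration set value = '$v' where name = '$n' and setting = '$s';"
        }
        Invoke-AgentSql $restore
        Restart-AgentServices
        Remove-Item $backup
    }
    'dump' {
        $out = Join-Path $env:SystemRoot ("Temp\edpa_ext0-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
        & .\logdump.exe "-log=edpa_ext0.log" "-p=$ToolsPassword" | Out-File $out
        "Decoded log written to $out"
    }
}
```

Typical use is `-Mode on`, reproduce the problem, `-Mode dump` to decode edpa_ext0.log for Support, then `-Mode off` so the endpoint does not keep writing FINEST, clear-text logs. The password is taken as a parameter rather than written into the script so that the default VontuStop is never committed anywhere, and the backup-and-restore step means the script does not have to know which log level was the default on a given agent version.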

