This article provides some tips on how to troubleshoot the Endpoint Agent.
Below is the list of items the customer should provide to the Symantec Technical Support team when troubleshooting the Endpoint Agent.
1. Identify 1-3 workstation(s)/agent(s) to troubleshoot on.
2. RDP to the workstation and check whether the agent is able to talk to the Endpoint server (10443 is the Endpoint server port):
   netstat -ano | find "10443"
3. Check whether the files below have been recently updated. If so, the workstation/agent is able to talk to the Endpoint server.
   Location: C:\Program Files\Manufacturer\Endpoint Agent
   cg.ead   <--- configuration db. Contains the Agent configuration.
   ps.ead   <--- policy db. Stores policy information.
   is.ead   <--- incidents db. Stores incidents before sending them to the Endpoint server while the Agent is "offline". If larger than 9 KB, there are incidents which have not yet been sent to the Endpoint server.
   ks.ead   <--- keystore db (communication certificates).
   dcs.ead  <--- discover checkpoint db. Stores Discover checkpoint information.
   ttds.ead <--- two-tier db. Stores messages to be processed by the Endpoint server for two-tier detection.
3. Windows event logs (both System and Application).
7. If possible, a Process Monitor (procmon) capture taken while the agent loads and locks up the machine.
8. If possible, a memory dump of the edpa service.
Items 4-6 will be in the agent directory (C:\Program Files\Manufacturer\Endpoint Agent).
Items 7-8 are both Sysinternals tools and can be found, along with their syntax, here: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
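The first three checks of the list above can be run in one go. The following PowerShell script is an added example, not part of the original article or of the Symantec product: it looks for TCP connections to port 10443, lists the age and size of the .ead databases, flags an is.ead over 9 KB, and pulls recent Critical/Error events from the System and Application logs. It assumes the default install path, the edpa/wdp service names used later in this article, Get-NetTCPConnection (Windows 8 / Server 2012 or later), and a 24-hour "stale" threshold that is an assumption, not a product value.

```powershell
# Added example (not from the article): quick health check for an Endpoint Agent.
# Assumptions: default install path, Endpoint server port 10443, Get-NetTCPConnection available.
$AgentDir            = 'C:\Program Files\Manufacturer\Endpoint Agent'   # default path per the article
$ServerPort          = 10443                                            # Endpoint server port per the article
$MaxIdleHours        = 24    # assumption: .ead files older than this suggest no recent server contact
$IncidentThresholdKB = 9     # from the article: is.ead > 9 KB means unsent incidents

# 1. Is the agent talking to the Endpoint server? (PowerShell equivalent of netstat -ano | find "10443")
$conns = Get-NetTCPConnection -RemotePort $ServerPort -ErrorAction SilentlyContinue
if ($conns) {
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        "{0}:{1} -> {2}:{3} {4} (PID {5} {6})" -f $c.LocalAddress, $c.LocalPort,
            $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName
    }
} else {
    "No TCP connection to port $ServerPort found (agent offline, or traffic blocked)."
}

# 2. Have the agent databases been written recently?
$dbs = [ordered]@{
    'cg.ead'   = 'configuration'
    'ps.ead'   = 'policy'
    'is.ead'   = 'incidents (offline queue)'
    'ks.ead'   = 'keystore'
    'dcs.ead'  = 'discover checkpoint'
    'ttds.ead' = 'two-tier detection'
}
foreach ($name in $dbs.Keys) {
    $path = Join-Path $AgentDir $name
    if (-not (Test-Path $path)) { "{0,-9} MISSING" -f $name; continue }
    $f    = Get-Item $path
    $age  = (Get-Date) - $f.LastWriteTime
    $flag = if ($age.TotalHours -gt $MaxIdleHours) { 'STALE' } else { 'ok' }
    "{0,-9} {1,-26} {2,8:N1} KB  last write {3:u}  {4}" -f $name, $dbs[$name], ($f.Length / 1KB), $f.LastWriteTime, $flag
    if ($name -eq 'is.ead' -and $f.Length -gt ($IncidentThresholdKB * 1KB)) {
        "  -> is.ead is larger than $IncidentThresholdKB KB: incidents are queued and have not been sent to the Endpoint server."
    }
}

# 3. Agent services and recent Critical/Error events from the System and Application logs
Get-Service -Name edpa, wdp -ErrorAction SilentlyContinue | Format-Table Name, Status, StartType -AutoSize
Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 1, 2                                   # 1 = Critical, 2 = Error
    StartTime = (Get-Date).AddHours(-$MaxIdleHours)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, Message |
    Format-Table -Wrap
```

Run it from an elevated PowerShell prompt on the affected workstation; the connection and event-log checks need administrator rights to see other processes' sockets and the System log.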
Having issues with the Endpoint Agent and you need to change log levels locally
Using the Agent tools, you can set log levels, stop services, etc.
1. Copy the following tools to the Endpoint install directory:
   - service_shutdown.exe
   - vontu_sqlite3.exe
2. Run SQLite commands to change the log levels to FINEST:
   cd "C:\Program Files\Manufacturer\Endpoint Agent"
   vontu_sqlite3.exe -db=cg.ead -p=<TOOLS_PASSWORD or default VontuStop>
   To set the default log level to FINEST:
   update configuration set value = 'FINEST' where setting = 'DefaultLevel';
   To turn off obfuscation so the EDPA logs are written in clear text:
   update configuration set value = '0' where setting = 'Obfuscate';
   To check your work:
   select * from configuration where name like '%Log%';
3. Restart the services for the change to take effect:
   service_shutdown.exe -p=<TOOLS_PASSWORD or default VontuStop>
   sc start edpa && sc start wdp
Copy all troubleshooting tools to the Endpoint Agent directory
The tools used in this write-up are listed below:
- logdump.exe
- service_shutdown.exe
- vontu_sqlite3.exe
Restarting Endpoint Services Locally
1. To stop the services, run:
   cd "C:\Program Files\Manufacturer\Endpoint Agent"
   service_shutdown.exe -p=TOOLS_PASSWORD
2. To start the services, run:
   sc start edpa && sc start wdp
Checking and Changing Endpoint Agent Configuration in SQLite
1. To open SQLite, run from a command prompt in Administrator mode:
   vontu_sqlite3.exe -db=cg.ead -p=TOOLS_PASSWORD
2. To dump the Endpoint Agent configuration to a pipe-separated text file, run in SQLite:
   .header on
   .mode list
   .separator |
   .output NAME_OF_FILE.txt
   select * from Configuration;
3. To set the log level to FINEST and turn off log obfuscation, run:
   update configuration set value = 'FINEST' where setting = 'DefaultLevel';
   update configuration set value = '0' where name = 'Logging' and setting = 'Obfuscate';
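The export produced by step 2 above (header row, list mode, "|" separator) is easy to read back into PowerShell to confirm that the log settings changed before restarting the services. The script below is an added example, not code from the article or from Symantec; it assumes the export contains at least NAME, SETTING and VALUE columns (the column names used by the UPDATE statements above) in any order, ignores other columns, and builds a constructed sample file so it runs offline.

```powershell
# Added example (not from the article): parse the SQLite configuration export and
# check the logging settings. Assumes NAME, SETTING and VALUE columns exist in the header.
function ConvertFrom-AgentConfigExport {
    param([Parameter(Mandatory)][string]$Path)
    # .header on puts column names in the first line; .separator | splits the fields
    $lines = @(Get-Content -Path $Path | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -lt 1) { throw "Empty export: $Path" }
    $header = $lines[0].Split('|')
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $fields = $line.Split('|')
        $row = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) {
            $row[$header[$i]] = if ($i -lt $fields.Count) { $fields[$i] } else { '' }
        }
        [pscustomobject]$row
    }
}

function Test-AgentLogSettings {
    param([Parameter(Mandatory)][string]$Path)
    $rows  = ConvertFrom-AgentConfigExport -Path $Path
    $level = ($rows | Where-Object { $_.SETTING -eq 'DefaultLevel' } | Select-Object -First 1).VALUE
    $obf   = ($rows | Where-Object { $_.NAME -eq 'Logging' -and $_.SETTING -eq 'Obfuscate' } | Select-Object -First 1).VALUE
    [pscustomobject]@{
        DefaultLevel    = $level
        Obfuscate       = $obf
        LoggingIsFinest = ($level -eq 'FINEST')
        LogsAreReadable = ($obf -eq '0')     # Obfuscate = 0 means EDPA logs are no longer obfuscated
    }
}

# Constructed sample export with the same shape as NAME_OF_FILE.txt (values are made up).
$sample = Join-Path $env:TEMP 'agent_config_sample.txt'
@'
NAME|SETTING|VALUE
Logging|DefaultLevel|INFO
Logging|Obfuscate|1
Other|ExampleSetting|1
'@ | Set-Content -Path $sample

# Rows about logging, the same set the article's "select ... where name like '%Log%'" shows
ConvertFrom-AgentConfigExport -Path $sample | Where-Object { $_.NAME -like '*Log*' } | Format-Table -AutoSize
Test-AgentLogSettings -Path $sample
```

Point the functions at the real NAME_OF_FILE.txt from step 2 after running the UPDATE statements; both LoggingIsFinest and LogsAreReadable should read True before you restart edpa and wdp.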
Pull decrypted EDPA logs locally
1. Locate edpa_ext0.log in the Endpoint install directory and run:
   cd "C:\Program Files\Manufacturer\Endpoint Agent"
   logdump.exe -log=edpa_ext0.log -p=<TOOLS_PASSWORD> > NAME_OF_FILE.txt