Endpoint Agent Troubleshooting


This article provides some tips on how to troubleshoot the Endpoint agent.

Below is the list of items the customer should provide to the Symantec Technical Support team when troubleshooting the Endpoint Agent.

1. Windows event logs, both system and application
2. edap_ext0.log
3. ks.ead
4. sto.ead
5. If possible, a procmon (Process Monitor) capture taken while the agent loads and locks up the machine
6. If possible, a memory dump of the edpa service.

Items 2-4 are located in the agent install directory.
Items 5-6 are captured with Sysinternals tools; the tools and their syntax can be found here: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx



Problem Summary

You are having issues with the Endpoint Agent and need to change the log levels locally.


Using Agent tools, you can set log levels, stop services, etc.

1. Copy the following tools to the Endpoint Agent install directory:

- service_shutdown.exe
- vontu_sqlite3.exe

2. Run SQLite commands to change the log level to FINEST:

cd C:\Program Files\Manufacturer\Endpoint Agent\
vontu_sqlite3.exe -db=cg.ead -p=<TOOLS_PASSWORD or default VontuStop>

To set the default log level to FINEST:

update configuration set value = 'FINEST' where setting = 'DefaultLevel';

To turn off obfuscation so the EDPA logs can be read in plain text:

update configuration set value = '0' where setting = 'Obfuscate';

To check your work:

select * from configuration where name like '%Log%';

3. Restart the services for the change to take effect:

service_shutdown.exe -p=<TOOLS_PASSWORD or default VontuStop>
sc start edpa && sc start wdp



Copy all troubleshooting tools to the Endpoint Agent directory

The tools used in this write-up are listed below:

Restarting Endpoint Services Locally

1. To stop the services, run:

cd C:\Program Files\Manufacturer\Endpoint Agent
service_shutdown.exe -p=TOOLS_PASSWORD

2. To start the services, run:

sc start edpa && sc start wdp

Basic SQLite

1. To open SQLite, start a Command Prompt in Administrator mode and run:

vontu_sqlite3.exe -db=cg.ead -p=TOOLS_PASSWORD

2. To export the Endpoint Agent configuration from SQLite to a file, run:

.header on
.mode list
.separator |
.output NAME_OF_FILE.txt
select * from Configuration;

3. To set the log level to FINEST, run (the values are string literals and must be quoted):

update configuration set value = 'FINEST' where setting = 'DefaultLevel';

On DLP 15.1.0, turn off log obfuscation with:

update configuration set value = '0' where name = 'Logging' and setting = 'Obfuscate';
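The statements in the two SQLite sections above, run against a constructed stand-in table so they can be tried offline. This is an added example, not part of the original article or a Symantec tool: the real cg.ead is encrypted and must be opened with vontu_sqlite3.exe, and the column layout (NAME, SETTING, VALUE) and sample rows are assumptions based on the statements in the article. It also goes one step beyond the text by showing why the unquoted form of the update fails and how to put the settings back once the logs have been collected.

```python
import sqlite3

# Constructed sample rows; the real table is read from the agent's cg.ead.
SAMPLE_ROWS = [
    ("Logging", "DefaultLevel", "INFO"),
    ("Logging", "Obfuscate", "1"),
    ("Logging", "MaxFileSize", "10485760"),
    ("Server", "Endpoint", "dlp-endpoint.example.invalid"),
]


def open_sample_db():
    """In-memory copy of the assumed Configuration(NAME, SETTING, VALUE) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Configuration (NAME TEXT, SETTING TEXT, VALUE TEXT)")
    conn.executemany("INSERT INTO Configuration VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def logging_settings(conn):
    """The article's 'check your work' query, returned as {setting: value}."""
    rows = conn.execute(
        "SELECT setting, value FROM configuration WHERE name LIKE '%Log%'"
    ).fetchall()
    return dict(rows)


def unquoted_literal_fails(conn):
    """`value = FINEST` without quotes is a column reference, not a string:
    SQLite rejects it with 'no such column', so nothing is changed."""
    try:
        conn.execute("UPDATE configuration SET value = FINEST WHERE setting = 'DefaultLevel'")
    except sqlite3.OperationalError as exc:
        return "no such column" in str(exc)
    return False


def set_verbose_plaintext_logging(conn):
    """Apply the article's two changes: FINEST level and obfuscation off."""
    conn.execute("UPDATE configuration SET value = 'FINEST' WHERE setting = 'DefaultLevel'")
    conn.execute("UPDATE configuration SET value = '0' WHERE name = 'Logging' AND setting = 'Obfuscate'")
    conn.commit()
    return logging_settings(conn)


def restore_logging(conn, level="INFO"):
    """Revert after the capture so the agent stops writing verbose, readable logs."""
    conn.execute("UPDATE configuration SET value = ? WHERE setting = 'DefaultLevel'", (level,))
    conn.execute("UPDATE configuration SET value = '1' WHERE name = 'Logging' AND setting = 'Obfuscate'")
    conn.commit()
    return logging_settings(conn)
```

Services still need to be restarted (service_shutdown.exe, then sc start edpa && sc start wdp) for either change to take effect on a real agent.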

Pull EDPA decrypted logs locally

1. Locate edpa_ext0.log in the Endpoint Agent install directory and run:

cd C:\Program Files\Manufacturer\Endpoint Agent
logdump.exe -log=edpa_ext0.log -p=TOOLS_PASSWORD > NAME_OF_FILE.txt


