Summary
This article provides some tips on how to troubleshoot the Endpoint agent.
======================================================
Below is the list of items the customer should provide to the Symantec Technical Support team when troubleshooting the Endpoint Agent.
1. Identify 1-3 workstation(s)/agent(s) to troubleshoot on.
2. RDP to it and check whether the workstation/agent is able to talk to the Endpoint server:
netstat -ano | find "10443"
3. Check whether the files below have been updated recently. If so, the workstation/agent is able to talk to the Endpoint server.
in: C:\Program Files\Manufacturer\Endpoint Agent
cg.ead <--- configuration db. Contains the Agent configuration.
ps.ead <--- policy db. Stores policy information.
is.ead <--- incidents db. Stores incidents before sending them to the Endpoint server while the Agent is "offline". If larger than 9 KB, there are incidents which have not yet been sent to the Endpoint server.
ks.ead <--- keystore (communication certs) db.
dcs.ead <--- discover checkpoint db. Stores Discover checkpoint information.
ttds.ead <--- two-tier db. Stores messages to be processed by the Endpoint server for two-tier detection.
Then collect the following and send them to Support:
4. Windows event logs, both System and Application
5. edpa_ext0.log
6. ks.ead
7. sto.ead
8. If possible, a procmon capture taken while the agent loads and locks up the machine
9. If possible, a memory dump (memdump) of the edpa service
Items 5-7 will be in the agent directory (C:\Program Files\Manufacturer\Endpoint Agent).
Items 8-9 are captured with Sysinternals tools, which can be found, along with their syntax, here: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
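The following PowerShell script is an added example, not part of the original article: it runs the netstat and .ead file checks from steps 2 and 3 in one pass and copies edpa_ext0.log, ks.ead, sto.ead and the System/Application event logs into one folder for Support. It assumes the default install directory and port 10443 (override the parameters if yours differ) and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Assumes the default agent path and port.
param(
    [string]$AgentDir    = 'C:\Program Files\Manufacturer\Endpoint Agent',
    [int]$ServerPort     = 10443,
    [int]$RecentHours    = 24,
    [string]$OutDir      = (Join-Path $env:TEMP 'endpoint-agent-evidence')
)

# Step 2: is anything on this host connected to the Endpoint server port?
# (same information as: netstat -ano | find "10443")
$conns = Get-NetTCPConnection -RemotePort $ServerPort -ErrorAction SilentlyContinue
if ($conns) {
    foreach ($c in $conns) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        '[OK]   {0}:{1} -> {2}:{3} {4} (pid {5}, {6})' -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc
    }
} else {
    "[WARN] no TCP connection to remote port $ServerPort; the agent may be offline or blocked"
}

# Step 3: have the agent databases been written recently? An is.ead above 9 KB means
# incidents are queued locally and have not reached the Endpoint server yet.
$dbs = 'cg.ead', 'ps.ead', 'is.ead', 'ks.ead', 'dcs.ead', 'ttds.ead'
$cutoff = (Get-Date).AddHours(-$RecentHours)
foreach ($name in $dbs) {
    $path = Join-Path $AgentDir $name
    if (-not (Test-Path $path)) { "[WARN] $name is missing"; continue }
    $f = Get-Item $path
    $tag = if ($f.LastWriteTime -ge $cutoff) { 'OK  ' } else { 'WARN' }
    $note = ''
    if ($name -eq 'is.ead' -and $f.Length -gt 9KB) { $tag = 'WARN'; $note = 'unsent incidents queued' }
    '[{0}] {1,-9} {2,10:N0} bytes  modified {3:yyyy-MM-dd HH:mm}  {4}' -f $tag, $name, $f.Length, $f.LastWriteTime, $note
}

# Evidence list: copy the agent-side files (read-only copies; the agent keeps running)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
foreach ($name in 'edpa_ext0.log', 'ks.ead', 'sto.ead') {
    $path = Join-Path $AgentDir $name
    if (-not (Test-Path $path)) { "[WARN] $name not found in $AgentDir"; continue }
    try   { Copy-Item $path -Destination $OutDir -Force -ErrorAction Stop }
    catch { "[WARN] could not copy $name (in use?): $($_.Exception.Message)" }
}

# Evidence list: export the System and Application event logs alongside them
wevtutil epl System      (Join-Path $OutDir 'System.evtx')      /ow:true
wevtutil epl Application (Join-Path $OutDir 'Application.evtx') /ow:true
"Evidence written to $OutDir"
```

Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems fall back to the netstat command in step 2.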
======================================================
Problem Summary
You are having issues with the Endpoint Agent and need to change log levels locally.
Solution
Using Agent tools, you can set log levels, stop services, etc.
1. Copy the following tools to the Endpoint install directory:
- service_shutdown.exe
- vontu_sqlite3.exe
2. Run SQLite commands to change log levels to FINEST:
cd C:\Program Files\Manufacturer\Endpoint Agent\
vontu_sqlite3.exe -db=cg.ead -p=<TOOLS_PASSWORD or default VontuStop>
To set Default Log Levels to FINEST:
update configuration set value = 'FINEST' where setting = 'DefaultLevel';
To turn off log obfuscation so the EDPA logs can be read in clear text:
update configuration set value = '0' where setting = 'Obfuscate';
To check your work:
select * from configuration where name like '%Log%';
3. Restart services for the change to take effect
service_shutdown.exe -p=<TOOLS_PASSWORD or default VontuStop>
sc start edpa && sc start wdp
==================================================
Copy all troubleshooting tools to Endpoint Agent directory
The tools used in this write up are listed below:
logdump.exe
service_shutdown.exe
vontu_sqlite3.exe
Restarting Endpoint Services Locally
1. To stop services, run:
cd C:\Program Files\Manufacturer\Endpoint Agent
service_shutdown.exe -p=TOOLS_PASSWORD
2. To start services, run:
sc start edpa && sc start wdp
Basic SQLite
1. To open SQLite, run from a command prompt in Administrator mode:
vontu_sqlite3.exe -db=cg.ead -p=TOOLS_PASSWORD
2. To dump the Endpoint agent configuration from SQLite to a file, run:
.header on
.mode list
.separator |
.output NAME_OF_FILE.txt
select * from Configuration;
3. To set log levels to FINEST, run:
update configuration set value = 'FINEST' where setting = 'DefaultLevel';
On DLP 15.1.0, to turn off log obfuscation:
update CONFIGURATION set VALUE = '0' where NAME = 'Logging' and SETTING = 'Obfuscate';
Pull EDPA decrypted logs locally
1. Locate edpa_ext0.log in the Endpoint install directory and run:
cd C:\Program Files\Manufacturer\Endpoint Agent
logdump.exe -log=edpa_ext0.log -p=<TOOLS_PASSWORD> > NAME_OF_FILE.txt