Friday, July 3, 2009

Symantec Endpoint Protection 11 Didn't Start Today

Today I turned on the computer with Symantec Endpoint Protection Manager on it and came back half an hour later to log in and use the computer (Windows XP SP3). The cursor moved OK, but it didn't give me the login prompt. Oh no, not today! I have way too many other things to do. So I rebooted and was able to log in.

The first thing I noticed was that the little Endpoint Protection shield didn't have the green dot; it had the red circle with a slash. So I tried to use the Endpoint client. It said Proactive Threat Protection was down and needed to be fixed, but more ominous was that the virus definitions were yesterday's and not today's... After a while it hung and I had to manually kill it. Bad news...

So next I tried logging into the Symantec Endpoint Protection Manager Console. The login window appeared fine, but when I tried to log in, I got the message "Failed to connect to the server". So off to Google. I found a page in Symantec's very detailed support knowledgebase that told me how to turn on "FINE" level debugging. I then opened Control Panel Service Manager and found that the Endpoint Protection Service Manager service was not running. When I attempted to restart the service, it kept stopping, so I looked in the "catalina.out" file to see what was happening. This file is the Tomcat web server log file and it shows the interactions between Java and the server. I could see at least one place where the server port 8443 had a bind failure. To a sockets-level programmer, this tells me that the server was not starting properly because it could not start listening on a port. The fascinating (and frustrating) thing about this was that the NetScanTools Pro connection endpoint list was NOT showing anything else using port 8443 TCP or UDP.

So next I tried modifying tomcat\conf\server.xml to use a different port, 8445. That didn't work. The service would exit after a few seconds. So back to Google. I found another knowledgebase article that said Tomcat uses ports 8005 and 9090 as well. Then I remembered that I saw the HP Toolbox icon on the taskbar near the Endpoint Protection shield. I wonder...

I had installed the HP Toolbox as part of a printer install a couple of years ago, long BEFORE I put this AV product on there. And I had noticed that the Toolbox had vanished and I forgot about it. So off to Windows Explorer and I searched the Program Files/Hewlett Packard and found Toolbox and Toolbox 2.0. Both had an Apache Tomcat 4.0 subdirectory. OK -- this must be it!!!

I started NetScanTools Pro and looked again at the connection endpoint list and saw that java.exe was using port 8005. So I started msconfig and found HP's Toolbox startup entry and disabled it. Then I rebooted...

The shield was back with the GREEN DOT!

The two programs interfered with each other. I don't know why the HP Toolbox was loaded first after not being loaded first for a whole year. Nothing changed yesterday---that I know of.

I wasted 2.5 hours; hopefully you won't after reading this. It really applies to any two programs that are both using Tomcat.
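An added example, not code from the original post or from Symantec: it lists every port a Tomcat server.xml declares, including the shutdown port on the Server element (8005 in stock Tomcat, the port the post found java.exe holding), and tries to bind each one to show which are already taken. The sample server.xml is constructed and the function names are hypothetical.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a stock Tomcat server.xml (not SEPM's file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9090" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
  </Service>
</Server>"""


def tomcat_ports(server_xml):
    """Return {port: role} for every listener declared in a server.xml string."""
    root = ET.fromstring(server_xml)
    ports = {}
    shutdown = int(root.get("port", "-1"))
    if shutdown > 0:  # port="-1" disables the shutdown listener
        ports[shutdown] = "shutdown listener"
    for conn in root.iter("Connector"):
        ports[int(conn.get("port"))] = "connector (%s)" % conn.get("scheme", "http")
    return ports


def port_is_free(port, host="127.0.0.1"):
    """Try to bind host:port; False means another socket already holds it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def find_conflicts(server_xml, host="127.0.0.1"):
    """Return the declared ports that cannot be bound right now, with their role."""
    return {port: role for port, role in tomcat_ports(server_xml).items()
            if not port_is_free(port, host)}


if __name__ == "__main__":
    for port, role in sorted(tomcat_ports(SAMPLE_SERVER_XML).items()):
        state = "free" if port_is_free(port) else "IN USE"
        print("%5d  %-20s %s" % (port, role, state))
```

Run it while the service is stopped, otherwise the service's own listeners show up as in use.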
