The things you learn

We had cause to learn this one the hard way this past week. We didn't know that Windows Server 2008 (64-bit) and Symantec Endpoint Protection just don't mix well. It affected SMBv1 clients; SMBv2 clients (Vista, Win7) were unaffected.

The presentation of it at the packet level was pretty specific, though. XP clients (and Samba clients) would get to the second step of the connection-setup process for mapping a drive and then time out.

  1. -> Syn
  2. <- Syn/Ack
  3. -> NBSS, Session Request, to $Server<20> from $Client<00>
  4. <- NBSS, Positive Session Response
  5. -> SMB, Negotiate Protocol Request
  6. <- Ack
  7. [70+ seconds pass]
  8. -> FIN
  9. <- FIN/Ack
Repeat two more times, and 160+ seconds later the client times out. The timeouts between the retries are not consistent, so the total time varies. Note that the server does acknowledge the Negotiate Protocol Request at the TCP level (step 6); it just never answers it at the SMB level. Sometimes, though, the server does send the correct Negotiate Protocol Response and the connection continues just fine. There was no sign in any of the SEP logs that it was dropping these connections, and the Windows Firewall was quiet as well.
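The exchange above, as an added example that is not part of the original post: a small Python script that builds the client and server frames from the packet list (NBSS session request, positive session response, SMB_COM_NEGOTIATE) and classifies a session as healthy or stalled at Negotiate Protocol. The server and client names, the dialect list and the zeroed fields of the constructed reply are assumptions. Bare TCP ACK/FIN segments carry no NBSS payload and so do not appear in the session list; the stall shows up as a Negotiate Protocol Request with no reply.

```python
"""Classify SMBv1 NetBIOS-session setups that stall after Negotiate Protocol.

Constructed example: it builds the frames from the post's packet list and
flags a session whose SMB_COM_NEGOTIATE request never gets a reply.
Names, dialects and the zeroed response parameters are made up.
"""
import struct

NBSS_SESSION_MESSAGE = 0x00
NBSS_SESSION_REQUEST = 0x81
NBSS_POSITIVE_RESPONSE = 0x82
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80   # bit 7 of the SMB header Flags byte marks a response


def encode_netbios_name(name, suffix):
    """RFC 1001/1002 encoding of a NetBIOS name: pad to 15 chars, append the
    suffix byte (e.g. <20> for a file server, <00> for a workstation), then
    split every byte into two letters 'A'..'P' and wrap it as one DNS label."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(encoded)]) + encoded + b"\x00"


def nbss_frame(msg_type, payload):
    """NBSS header: type, a flag byte whose bit 0 is the 17th length bit,
    then a 16-bit big-endian payload length."""
    length = len(payload)
    return bytes([msg_type, (length >> 16) & 1]) + (length & 0xFFFF).to_bytes(2, "big") + payload


def nbss_session_request(called, called_suffix, calling, calling_suffix):
    """Step 3 of the post: Session Request to $Server<20> from $Client<00>."""
    return nbss_frame(NBSS_SESSION_REQUEST,
                      encode_netbios_name(called, called_suffix)
                      + encode_netbios_name(calling, calling_suffix))


def nbss_positive_response():
    """Step 4: Positive Session Response (no payload)."""
    return nbss_frame(NBSS_POSITIVE_RESPONSE, b"")


def smb_header(command, flags):
    """32-byte SMBv1 header: \\xffSMB, Command, Status, Flags, Flags2, PIDHigh,
    SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian).
    Flags2/PID values are constructed and irrelevant to the classifier."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags, 0xC841,
                       0, b"\x00" * 8, 0, 0, 0x1234, 0, 0)


def smb_negotiate_request(dialects=("NT LM 0.12", "LANMAN2.1")):
    """Step 5: Negotiate Protocol Request listing the dialects the client speaks."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = bytes([0]) + struct.pack("<H", len(data)) + data    # WordCount=0, ByteCount, dialects
    return nbss_frame(NBSS_SESSION_MESSAGE, smb_header(SMB_COM_NEGOTIATE, 0x18) + body)


def smb_negotiate_response():
    """The reply a healthy server sends. Constructed: WordCount=17 with the
    parameter words zeroed, because only the header matters to diagnose()."""
    body = bytes([17]) + b"\x00" * 34 + struct.pack("<H", 0)
    return nbss_frame(NBSS_SESSION_MESSAGE,
                      smb_header(SMB_COM_NEGOTIATE, 0x18 | SMB_FLAGS_REPLY) + body)


def parse_frame(frame):
    """Return (nbss_type, smb_command, is_reply); the last two are None when
    the frame is not a session message carrying an SMB header."""
    if len(frame) < 4:
        raise ValueError("short NBSS header")
    nbss_type = frame[0]
    length = ((frame[1] & 1) << 16) | int.from_bytes(frame[2:4], "big")
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated NBSS payload")
    if nbss_type != NBSS_SESSION_MESSAGE or payload[:4] != b"\xffSMB":
        return nbss_type, None, None
    return nbss_type, payload[4], bool(payload[9] & SMB_FLAGS_REPLY)


def diagnose(session):
    """Classify a list of (direction, frame) with direction "C>S" or "S>C".
    Bare TCP ACK/FIN segments carry no NBSS payload and are not listed."""
    saw_request = saw_positive = sent_negotiate = got_reply = False
    for direction, frame in session:
        nbss_type, cmd, is_reply = parse_frame(frame)
        if direction == "C>S" and nbss_type == NBSS_SESSION_REQUEST:
            saw_request = True
        elif direction == "S>C" and nbss_type == NBSS_POSITIVE_RESPONSE:
            saw_positive = True
        elif direction == "C>S" and cmd == SMB_COM_NEGOTIATE and not is_reply:
            sent_negotiate = True
        elif direction == "S>C" and cmd == SMB_COM_NEGOTIATE and is_reply:
            got_reply = True
    if not saw_request:
        return "no-session-request"
    if not saw_positive:
        return "session-refused-or-unanswered"
    if sent_negotiate and not got_reply:
        return "negotiate-unanswered"      # the symptom described in the post
    return "negotiated" if got_reply else "incomplete"


def hung_session():
    """Constructed trace matching the post: steps 3-5 happen, the reply never comes."""
    return [("C>S", nbss_session_request("FILESRV", 0x20, "XPCLIENT", 0x00)),
            ("S>C", nbss_positive_response()),
            ("C>S", smb_negotiate_request())]


def healthy_session():
    """Same start, but the server answers the negotiate."""
    return hung_session() + [("S>C", smb_negotiate_response())]


if __name__ == "__main__":
    for label, session in (("hung", hung_session()), ("healthy", healthy_session())):
        print(f"{label}: {diagnose(session)}")
```

On a real capture the same check is a count: filter on `smb.cmd == 0x72` in Wireshark or tshark and compare the number of requests with the number of replies (`smb.flags.response`). A healthy server answers the negotiate within milliseconds; a request that is only TCP-acknowledged and then sits for 70 seconds before the client's FIN is the pattern above.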

In the end it took a call to Microsoft. Once we got to the right network person, they knew immediately what the problem was.

ForeFront is now going on those servers. It really should have been on a month ago, but because these cluster nodes were supposed to go live for fall quarter, they were fully staged in August, before we even had the ForeFront clients. We never remembered to replace SEP with ForeFront.

3 Comments

What did the problem end up being, specifically? I've not moved from 2003 yet, but I will in the future, and I currently have EPP, so I'm interested :-)

Just cleaned up a VA college student's laptop with an updated version of Endpoint. What a crock. Malwarebytes cleaned it all up.

I believe the "fix" for SMBv1 clients is to disable oplocks both at the client and the server. At least, that's the only "fix" that Symantec has been able to come up with over the last 2.5 years and 5 maintenance releases. This problem goes all the way back to the original SEP beta release. I guess that's what happens when new product development is off-shored to India. Also, regarding ForeFront vs SEP, yes, ForeFront seems to do a *much* better job blocking malware/etc. It's sad when even the free MS Security Essentials can block & clean things better than a paid-for product like SEP.