EW SEM EPC questions
Hi,
We all know now that the SMA 1000 series runs a URL scheme to call the SonicWall Connect Agent and then runs SEM on Chrome and Firefox.
Can we know the flow of how SEM EPC checking runs?
Does all the endpoint checking run locally on the client, which then passes the result back to the SMA to determine the zone?
In some cases, EW EPC checking fails and the client drops to some deny zone.
Then the client restarts the browser and retries EPC. This time they are matched to the correct zone.
How can we diagnose these kinds of EPC failures?
SMA connect agent log:
2020-07-17 17:24:52.138 Successfully loaded EPInterrogator.
2020-07-17 17:24:52.138 Client version is newer than required version, proceeding with interrogation...
2020-07-17 17:24:52.138 {"semVersion":"12.4.0.494","epcState":"epc_started"}
2020-07-17 17:25:10.005 Interrogation completed with result [0].
2020-07-17 17:25:10.005 {"semVersion":"12.4.0.494","epcState":"epc_completed"}
If the result is [0], can we assume the EPC checking process ran successfully?
Best Answer
Simon Moderator
@Nat The problem with Chrome is the Secure Endpoint Manager (SEM) agent. For Chrome to participate in the client side of the EPC evaluation it has to run the SEM agent.
When the client logs in they have to agree to the SEM being downloaded. They have to install it the one time. When the agent needs to be activated for the EPC evaluation, Chrome prompts asking for permission. Chrome is designed to not trust that the agent is desired even though you have agreed to run it every time.
Firefox is easier because it will remember that the user trusts the SEM. So in subsequent sessions, it does not prompt for a new permission.
IE is an old-style browser that still accepts Netscape Plugin Application Programming Interface (NPAPI) plugins. As a result, at login time the SMA can push the agent plugin to the IE browser serving as the client side EPC agent.
What I did not explain clearly last time is this. There are two components of the EPC evaluation. The agent on the client side queries the local system for the things it has or the software it is running. The agent reports the answers to the SMA where the determination is made whether they match a device profile. If they match the device profile the user is put in the appropriate Zone. If there is no match the user gets the default Zone or the Quarantine Zone.
The evaluation cannot happen without the client side agent. Browsers that do not support the NPAPI Java or ActiveX agents must accept the SEM agent to support the client side of the evaluation. Having no agent is an automatic EPC evaluation failure.
Answers
Can anyone share some knowledge?
Adding @Vijay_Kumar_KV and @Simon for more visibility.
Shipra Sahu
Technical Support Advisor, Premier Services
"Interrogation completed with result [0]." means the EPC ran successfully on the client side. This does not mean the client matched the EPC device profile on the SMA.
The client reports the elements to the SMA EPC process where they are evaluated. The SMA logs will show the flow of the evaluation.
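Added example, not part of the thread and not SonicWall code: a small parser for Connect Agent log lines shaped like the excerpt in the question. It pairs `epc_started` with `epc_completed`, records the result code and duration, and flags runs that never complete; the status labels and the constructed sample lines are assumptions of this example.

```python
import json
import re
from datetime import datetime

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
RESULT = re.compile(r"Interrogation completed with result \[(-?\d+)\]")

def summarize_epc_runs(log_text):
    """One dict per EPC interrogation. Status labels are this example's own."""
    runs, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        res = RESULT.search(msg)
        if res and cur:
            cur["result"] = int(res.group(1))
        elif msg.startswith("{"):
            try:
                state = json.loads(msg).get("epcState")
            except ValueError:
                continue  # not a JSON status line
            if state == "epc_started":
                if cur:
                    runs.append(cur)  # earlier run never logged epc_completed
                cur = {"started": ts, "result": None, "seconds": None, "status": "incomplete"}
            elif state == "epc_completed" and cur:
                cur["seconds"] = (ts - cur["started"]).total_seconds()
                # [0] only says the client-side agent ran; the zone is decided on the SMA.
                cur["status"] = "client_ok" if cur["result"] == 0 else "check_result"
                runs.append(cur)
                cur = None
    return runs + ([cur] if cur else [])

# First three lines are from the thread's excerpt; the last four are constructed.
SAMPLE = """\
2020-07-17 17:24:52.138 {"semVersion":"12.4.0.494","epcState":"epc_started"}
2020-07-17 17:25:10.005 Interrogation completed with result [0].
2020-07-17 17:25:10.005 {"semVersion":"12.4.0.494","epcState":"epc_completed"}
2020-07-17 17:31:02.000 {"semVersion":"12.4.0.494","epcState":"epc_started"}
2020-07-17 17:33:40.000 {"semVersion":"12.4.0.494","epcState":"epc_started"}
2020-07-17 17:33:58.500 Interrogation completed with result [0].
2020-07-17 17:33:58.500 {"semVersion":"12.4.0.494","epcState":"epc_completed"}
"""

if __name__ == "__main__":
    print([(r["status"], r["seconds"]) for r in summarize_epc_runs(SAMPLE)])
```

A `client_ok` run that still lands in the default zone has to be traced in the SMA logs, since the profile match is not visible in the client log.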
@Simon
So the EPC process is done locally and then the result is reported back to the SMA?
In case the evaluation fails, are there any local evaluation process logs we can find on the client PC?
@Nat No. The SMA determines whether the user system met the requirements.
Here is how it goes.
At login the SMA passes to the client side EPC agent the values to be evaluated, not the desired values. The client EPC agent captures the elements and forwards them to the SMA to be evaluated.
On the client side you will only be able to tell if you passed the EPC and what Zone the client was assigned.
On the SMA you can identify what aspect of EPC failed or passed.
The determination of the result of the evaluation is purely done on the SMA itself, as evidenced by the Zone assigned to the client.
@Simon
So what could be the possible reason for a client that actually has something like Symantec SEP installed, but the SMA API returns a false result when checking Symantec SEP?
@Nat There are a couple of questions to narrow that.
First, is your EPC database current? 20.04.08.71 is the current version. The EPC database is downloaded from the MySonicWall downloads page and is independent of the firmware version.
Second, what is the exact version of your Symantec SEP? Is that specific value in the EPC versions list under Symantec SEP?
EPC specifically matches some discrete values, but this is a race the anti-malware company is always going to win. It is not possible for the EPC database to always be completely current. So select >= rather than =. If your SEP version is newer than 14.2, this approach should make it pass. If that is not successful you might pick the 'Any product from this vendor' approach.
I would not do more than 3 or 4 'Any product' company selections in one device profile. Windows has a limit in the time it will allow for such evaluations.
@Simon
Here is the situation:
Profile allows SEP = 14.2, signature update <= 7 days, etc.
1st login via Chrome failed, user assigned to default zone
2nd login via IE, no problem, correct zone assigned.
Or we can say, sometimes Chrome can identify SEP, sometimes it cannot... As you said, the evaluation is done by the SMA appliance, so why does this behavior happen? SEM should pass the same values to the SMA on every attempt.
@Simon Thanks for the clarification. One more thing: can SonicWall share how the local SEM gets the system values?
Via Windows Management Instrumentation? Registry checking? Windows sc query?
Because we are pretty sure the client had SEM installed and clicked accept in Chrome when SEM prompted, but it still fails and ends up in the default Zone.
@Nat For a detailed analysis of why a specific situation failed EPC, please open a case with support.