NAC Agent cannot "see" virus defs (Symantec Endpoint version 12) (PIC included)

Similar Messages

• Single client cannot get updated virus defs after client install

  I have a single Windows XP workstation that cannot get it's new virus defs after the install of the FEP 2010 client. I have uninstalled and reinstalled with the same error.
  Have attempted to stop and restart FEP and Automatic updates with no luck.
  Event Log Errors
  #1 Windows update agent Event ID 20
  Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.99.1245.0).
  #2 Source Microsoft Antimalware Event ID 2001
  Microsoft Antimalware has encountered an error trying to update signatures.
  New Signature Version:
  Previous Signature Version: 0.0.0.0
  Update Source: Microsoft Update Server
  Update Stage: Install
  Source Path: http://www.microsoft.com
  Signature Type: AntiVirus
  Update Type: Full
  User: NT AUTHORITY\SYSTEM
  Current Engine Version:
  Previous Engine Version: 0.0.0.0
  Error code: 0x80070643
  Error description: Fatal error during installation.

  This is old post and there have been several changes in FEP, now the successor of FEP is System Center Endpoint Protection (SCEP) and several things been improved. Try reproduce your issue in SCEP and if problem persist, please post it as a new question.

• Adobe Exchange Panel has a virus...according to symantec endpoint.

  I was trying to down load adobe excange panel from the adobe application Manager and this is what I got in return: 1. A high risk notification from the symantec endpoint cloud scanner. and then the email below. I tried to notify your company directly but found nobody reachable. But thought you would like to Know your program seemed compromised or your platform is being used install a virus some how. Or norton is reporting an innocent act by you wrongly.
  what ever the case is:
  Here is a copy of the e-mail I got from symatec.
  From symantec:
  High-Risk Incident Detected
  Symantec.cloud Alerts [[email protected]] ([email protected])
  Add to contacts
  1:02 AM
  To: [email protected]
  From:
  Symantec.cloud Alerts [[email protected]] ([email protected])
  Sent:
  Sat 3/23/13 1:02 AM
  To:
  [email protected]
  Parts of this message have been blocked for your safety.
  Show content|I trust [email protected] Always show content.
  A high-risk incident was detected on system  on 3/23/2013 12:57:55 AM Central Standard Time.
  Threat Name
  Suspicious.Cloud.7.F
  Threat Type
  Heuristic Virus
  File Name
  c:\program files (x86)\common files\adobe\installers\adobetemp\{41a12ffc-89e9-4743-a51e-00975ca31f40}\_451_c7fde7339cd2 ec874e182b441a0d7786
  Action Required
  Resolved - No Action Required
  Contact method: Default Email Contact Method.
  Click here to change your contact method.
  Ref# 400039
  Copyright © 2013 Symantec Corporation. All Rights Reserved.
  This email has been scanned by the Symantec Email Security.cloud service.
  For more information please visit http://www.symanteccloud.com

  Hi,
  I am Chetan Savade from Symantec Technical Support team.
  If you think it's a false positive alert then pleae get in touch with application vendor to ge white list it.
  Software White-Listing Request can be submit here.
  submit.symantec.com/whitelist
  Check this Symante Blog as well: www-secure.symantec.com/.../software-white-listing-program
  Meanwhile if possible you can also add the centralized exception.
  www.symantec.com/.../TECH104326
  Go throught the follwoing helpful articles:
  Handling and preventing SONAR false positive detections
  www.symantec.com/.../index...
  Monitoring SONAR detection results to check for false positives
  www.symantec.com/.../index...
  Regards,
  Chetan Savade

• No apple tv devices after installing new Symantec endpoint anti virus

  I recently installed new version of Symantec Endpoint anti virus software.  MY 3 Apple TV's are not showing in my iTunes Devices unless I disable Symantec Endpoint Protection.  Does anyone know what setting need to change for Symantec of Firewall to stop blocking my Apple TV devices?

  The following ports need to be open:
  http://support.apple.com/kb/HT2463

• NAC Cisco Agent cannot connect to LAN (Requirement Mandatory SCCM 2012 agent installed - ccmexec services)

  hi Support, 
  we have a problem, our NAC Cisco Agent cannot detect SCCM Agent Service (ccmexec).  here the snapshot:
  the configuration as following:
  here the NAC Cisco Agent Logs, download here:
  https://drive.google.com/file/d/0B9ShGyy3UzoeejlvZ2MwVVo2V1U/edit?usp=sharing 
  Whether the NAC 4.8 support integration with SCCM 2012?
  Thanks
  Endrik

  Wow, no responses?
  Was I too long winded?

• NAC Agent 4.9 issue while remediation with in ISE

  We are installed NAC agent 4.9 where we have configured posture policy for Symantec Endpoint Protection version 11x  in ISE 1.1.1. Where when enduser fallen down to remediation and try to remediate to collect the latest anti virus definitions from Local Antivirus, when clicking on the update button we get a message stating
  "The Remediation you are attempting is reporting an access denied error.  This is usually due to a privileg issue.  Please contact your system
  administrator"
  It continuosly asking that prompt and giving that priviligae message.
  Are we need to have administrator rights for remediation ? and  this prompt is appearing again and again till the remediation timer and then it fallen down to Non-compliant (Restricted ) profile.
  Please find attached screen shots for the same

  I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
      Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
      Select Keychain Access -> Preferences from the menu at the top of the screen
      Choose the Certificates tab
      Change the OCSP option from Best Effort to Off
      Close the Preferences dialog and quit Keychain Access
      You should be able to NAC now

• Norton Anti-virus-Unable to Live Update (Virus Def) Error/Java 1.4.2

  Hello all.
  I have Norton Anti-virus 10.1.1 running on my iMac, Live Update has always been set on "auto" scheduling.
  Until these few days, I have difficulties Live Updating the latest virus definition, I will get this error message window:
  Updating Error
  There was an error performing the update (OK button)
  I emailed Symantec and got a reply, saying the problem could be due to Java 1.4.2, they ask me to re-install Java 1.4.2
  However, a check at Apple's Download site reveals no single stand-alone Java 1.4.2 installer, only updates. Is Java 1.4.2 part of the current OS or was from previous OS?
  Anyway when I tried downloading the Java 1.4.2 Update, my iMac refuses, in the installer it says:
  You cannot install Java 1.4.2 Update 1 Package on this volume. This volume does not contain a version of Java that needs updating.
  So if Java is the problem like what Symantec Support points out, how can I re-install Java 1.4.2?
  Thanks and cheers

  1. You wrote: "Also, to the previos post, I trashed all the Java receipts and still unable to (re)install Java 1.3.1 and 1.4.2 Release 2, I think the console results say it all, I have Java ver. 1.5, right?"If you see the same output as I provided, then you should have the same version: that should be obvious.
  Don't touch anything in the Receipts directory unless you know what you're doing.
  2. You wrote: "Dr. Smoke, not exactly sure how to go from here where you point to the URL, about checking the console messages/logs for Live Update? Can you help provide some pointers."The instructions I provided earlier, as well as my FAQ, are self-evident. You should not need any additional pointers. Re-read my instructions then re-read my FAQ.
  Paraphrasnig what I wrote earlier: If you see the Live Update error again, check the ends of the logs cited in my "Checking Console for clues" FAQ for any messages related to LiveUpdate problems, e.g. messages citing LiveUpdate that were written to the ends of the logs I cite in my FAQ at the time the problem occurred. If you check immediately after the problem occurs, the messages — if any — would be at the end of the log.
  What could be clearer than that?
  3. I suspect the Java 1.4.2 info you were given earlier by Symantec was a red herring, i.e. a false lead. Console-related messages as noted in point 2 above would be helpful.
  4. You might want to perform a general checkup for some common troublemakers: run the Procedure specified in my "Resolving Disk, Permission, and Cache Corruption" FAQ. Perform the steps therein in the order specified.
  5. Likewise, following the Symantec advice to download the virus defs once and then trying again in a week or so isn't a bad idea.
  Good luck!
  Dr. Smoke
  Author: Troubleshooting Mac® OS X
  Note: The information provided in the link(s) above is freely available. However, because I own The X Lab™, a commercial Web site to which some of these links point, the Apple Discussions Terms of Use require I include the following disclosure statement with this post:
  I may receive some form of compensation, financial or otherwise, from my recommendation or link.

• BSOD on XP with Zenworks and Symantec Endpoint Protection

  After upgrading to Symantec Endpoint Protection (SEP) we are getting Blue Screen after imaging.
  We have SEP included in our image and after pushing the image to another computer, we instantly get a BSOD, when trying to boot up the newly imaged machine:
  *** STOP: 0x00000024 (0x00190203,0x8A4B0DE8,0xC0000102,0x00000000)
  Disable or uninstall any anti-virus, disk defragmentation or backup utilities. Check your hard drive configuration, and check for any updated drivers. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.
  For test purpose I have tried doing the imaging job with Ghost 2003. This works perfectly, so I guess it is the combination of SEP and ZfD that is causing the problem. If I exclude SEP from the image, imaging with ZfD works fine. Imaging with Symantec antivirus ver. 10 also works perfect.
  Anyone out there running ZfD and SEP 11?
  Environtment:
  Windows XP SP3
  ZfD 7.01 sp1 ir1 running on Netware 6.5
  Symantec Enpoint Protection 11.0.3001.2224 (getting the same error with 11.0.2010.25)

  There should an updated patch for ZDM7 available withing a few days. (ZDM7
  SP1 IR3A HP1.)
  I would strongly suggest testing with the updated files when they are
  released.
  The is a much newer Linux Kernal starting with IR3A which could effect your
  problem.
  If you are still seeing an issue, I would suggest opening a ticket with
  Novell.
  Unless somebody here happened to have a copy of SEP, helping here would be
  tough.
  But I have not heard of this issue myself, but anything is possible.
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Support Forums Volunteer Sysop
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.
  "martinusen" <[email protected]> wrote in message
  news:[email protected]...
  >
  > After upgrading to Symantec Endpoint Protection (SEP) we are getting
  > Blue Screen after imaging.
  >
  > We have SEP included in our image and after pushing the image to
  > another computer, we instantly get a BSOD, when trying to boot up the
  > newly imaged machine:
  >
  > *** STOP: 0x00000024 (0x00190203,0x8A4B0DE8,0xC0000102,0x00000000)
  >
  > Disable or uninstall any anti-virus, disk defragmentation or backup
  > utilities. Check your hard drive configuration, and check for any
  > updated drivers. Run CHKDSK /F to check for hard drive corruption, and
  > then restart your computer.
  >
  > For test purpose I have tried doing the imaging job with Ghost 2003.
  > This works perfectly, so I guess it is the combination of SEP and ZfD
  > that is causing the problem. If I exclude SEP from the image, imaging
  > with ZfD works fine. Imaging with Symantec antivirus ver. 10 also works
  > perfect.
  >
  > Anyone out there running ZfD and SEP 11?
  >
  > Environtment:
  > Windows XP SP3
  > ZfD 7.01 sp1 ir1 running on Netware 6.5
  > Symantec Enpoint Protection 11.0.3001.2224 (getting the same error with
  > 11.0.2010.25)
  >
  >
  > --
  > martinusen
  > ------------------------------------------------------------------------
  > martinusen's Profile: http://forums.novell.com/member.php?userid=26795
  > View this thread: http://forums.novell.com/showthread.php?t=345351
  >

• NAC Agent and NSP provisioning with ISE 1.1.1

  I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
  I am currently using the default guest portal in ISE.
  The environment has been setup using a Dual SSID design.
  At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
  The problem is the portal never attempts to install the NAC Agent.
  The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
  Any ideas?

  Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
  With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
  Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
  Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
  Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
  Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
  Hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• NAC Agent does not pop up after psn fails.

  So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
  The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
  - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint but still the nac agent wont pop up.
  - Increased timeout timers also, no luck.
  - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
  - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
  I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
  Any thoughts on this?
  Thank you for all your kind help

  You have done a reset. What does that mean? Did you reset all settings?
  Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.

• Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

  Hi All,
  We have posture assessment working with cisco Nac agent. Checking only symantec Antivirus def update and installation. Since there is windows defender in all the user pcs and turned off not in use. But cisco Nac agent is showing both windows defender and symantec in List of Antivirus & Anti-Spyware Products Detected by the Agent field. We dont want windows defender to show in this list.
  Anyone encountered this list before?? Please suggest.. I want to get rid of windows defender from this list in nac agent.

  Closest enhancement I could check on this is
  CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
  Currently Windows Defender AnitSpyware comes installed on all Windows 7 machines.  Many users disable this and install their own AntiSpyware product.  Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
  This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Nac Agent do not execute remediation

  Hi to all,
  in a lab enviroment i have configured a CAM/CAS solution on 3310 server and I have installed 2 pc (one windows Vista and one XP) with nac client 4.6.2.133 version.
  My problem is auto-remediation and manual-remediation, client get me a temporaney access but do not start a live update programa (i use symantec endpoint protection 11).
  I have admin right on both pc.
  Why I can solve the problem?
  Thanks for help

  There is not automatic remediation for all products. You must launch the endpoint protection, click live-update, then re-scan on the NAC agent and you will pass.
  Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
  "•Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
  If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
  Hope that helps, rate if it does.
  Cheers,
  Tim

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• Symantec Endpoint Protection 12.1 and Peopletools 8.53

  Hello,
  We're currently enabling virus scan for PT 8.53 with Symantec Endpoint Protection (SEP) v12. However, we are unable to configure it correctly. Our set up looks like this:
  * PS webserver is insatalled on server 1, this is where we configure the virusscan.xml file
  * SEP 12 is installed on a separate server, server 2. client and SEP manager is installed on this server.
  * OS is Windows 2008 R2 64-bit for both servers.
  May I know if  anyone here have successfully used SEP for scanning attachments?
  Unfortunately, as per oracle, only symantec scan engine was verified to work with peoplesoft, other versions are still not tested to work.
  another question is, what should be the value for the virusscan.xml parameters below?
      <Provider>
       <name>SymantecManagementClient</name>
      <class>psft.pt8.virusscan.provider.GenericVirusScanProviderImpl</class>
      <icapversion>ICAP/1.0</icapversion>
      <service-name>/SmcService</service-name>
      <policycommand>?action=SCAN</policycommand>
      <address>server2</address>
      <port>8014</port>
      <disable>false</disable>
       </Provider>
  we've mixed and matched the available service names from server 2, but we are still getting the error below:
  Sep 10, 2013 11:14:19 PM psft.pt8.virusscan.ICAPClient connectAndCheckOptions
  INFO: Input OPTIONS Header = OPTIONS icap://server2:8014/SmcService ICAP/1.0
  Sep 10, 2013 11:14:19 PM psft.pt8.virusscan.ICAPClient connectAndCheckOptions
  INFO: OPTIONS recieve header= HTTP/1.1 200 OK
  Date: Tue, 10 Sep 2013 15:14:19 GMT
  Server: Apache
  Allow: GET,HEAD,POST,OPTIONS
  Content-Length: 0
  Connection: close
  Content-Type: text/plain
  ICAP header = ICAP/1.0 200
  Sep 10, 2013 11:14:19 PM psft.pt8.virusscan.ICAPClient scanStream
  SEVERE: Unable to connect to the Scan server SymantecManagementClient; Reason = CONNECTERROR
  Sep 10, 2013 11:14:19 PM psft.pt8.virusscan.VirusScanProviderManager scanStream
  INFO:  Scanning completed using provider = SymantecManagementClient Provider classname = psft.pt8.virusscan.provider.GenericVirusScanProviderImpl
  Sep 10, 2013 11:14:19 PM psft.pt8.virusscan.VirusScanProviderManager scanStream
  INFO: Finish Scanning Request.
  port 8014 is the client communications port for SEP and its the only port that gives us a response (INFO: OPTIONS recieve header= HTTP/1.1 200 OK..etc), when we try other ports we get a "SEVERE: Unable to connect to SymantecManagementClient" message on this line.
  Hoping for your responses, thank you in adance for your help.

  Hello,
  Just to give an update. We were able to make this work but we used Symantec Protection Engine for Cloud Services instead. Also, for anyone having problems with the parameters - we used the exact same parameters listed in Peoplebooks or on the delivered virusscan.xml file, just update the IP address. We also saved the xml file on both the Portal.war and PSIGW.war directories.