Mon, Feb 18, 2008 8:30 am

Symantec AntiVirus Server Could Not Collect Log Data From Client

On a Symantec AntiVirus Corporate Edition 8.1 server, I tried checking the logs for a client system through the Symantec System Center by unlocking the server group, right-clicking on a client system, selecting All Tasks, Symantec AntiVirus, Logs, and Scan History. I received a message that the log data couldn't be collected from the selected computer.

Symantec AntiVirus Management Snap-In
Symantec AntiVirus could not collect all the log data from the selected computer(s).

Please verify that Symantec AntiVirus is running on these computers.

OK
 

I received the same message if I tried viewing any log.

Symantec has a knowledgebase article on the problem, titled Error: "Symantec AntiVirus could not collect all the log data from the selected computer(s) . . ." when viewing client logs in Symantec System Center. I followed the steps listed in that article.

I could ping the IP address of the system and ping -a 192.168.0.7 showed the hostname associated with the address. I could also ping the server from the client system using ping and ping -a, which confirmed network connectivity and the ability to do reverse lookups on the IP addresses to get host names.

I checked for the presence of any .cer server group root certificate on the server and the client. I didn't see any .cer file on either system, but nor did I see a certificate on a client for which I could successfully check log files from the antivirus server, so I didn't think that was the source of the problem.

I could successfully start the Symantec AntiVirus Client program on the client system. It showed the correct server name. Though nothing was listed for "group", nothing was listed for "group" on a system I could successfully query from the server, either.

And from the server, I could query the client and see that the Symantec rtvscan.exe program was running.

C:\>tasklist /s 192.168.0.7 /fi "imagename eq rtvscan.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
Rtvscan.exe                   1760                            0     46,604 K

When I checked the Windows XP firewall settings on a system I could successfully query from the antivirus server, I saw a firewall rule listed for User Datagram Protocol (UDP) port 2967, which the Symantec RTVScan program uses. I checked the firewall rules on the system I couldn't successfully query with the command netsh firewall show portopening. I did not see a rule for RTVScan, so I created one from the command line using the command

netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33

(IP address 192.168.0.33 corresponds to the IP address of the antivirus server).

When I tried checking the antivirus log files from the server again, I still could not do so. Looking at the firewall rules on the client with netsh firewall show portopening verbose = enable (you have to specify the verbose option to see the scope of rules), I saw that I had mistyped the IP address of the server when I created the RTVScan rule with the netsh command. So I re-entered the command

netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33

exactly as before, with the exception that this time I specified the IP address correctly.

I was then able to check the virus history and other logs on the client from the Symantec System Center.
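
An added example (not from the original post, and not Windows Firewall's own code): a small Python model of how a CUSTOM scope list decides whether the server's packets to UDP 2967 are admitted, which shows why a rule that exists but carries a mistyped address still blocks the query. The rule dictionaries, function names and the mistyped address 192.168.0.3 are constructed for illustration; the post does not say what was actually typed.

```python
import ipaddress

SERVER = "192.168.0.33"  # antivirus server address from the post

# Constructed rule records (not parsed from real netsh output).
MISTYPED = {"protocol": "UDP", "port": 2967, "mode": "ENABLE",
            "scope": "192.168.0.3"}           # illustrative typo
CORRECT = dict(MISTYPED, scope="192.168.0.33")


def parse_custom_scope(scope):
    """Turn a comma-separated CUSTOM scope list into IPv4 networks.

    Accepts single addresses, CIDR prefixes and address/dotted-mask
    pairs. Raises ValueError for an empty or malformed entry.
    """
    networks = []
    for entry in scope.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in scope list")
        networks.append(ipaddress.IPv4Network(entry, strict=False))
    return networks


def source_allowed(source_ip, scope):
    """True if source_ip falls inside any entry of the scope list."""
    src = ipaddress.IPv4Address(source_ip)
    return any(src in net for net in parse_custom_scope(scope))


def audit_rule(rule, server_ip, port=2967):
    """Return findings explaining why server_ip could not reach the port."""
    findings = []
    if rule["protocol"].upper() != "UDP" or rule["port"] != port:
        findings.append(f"rule is not for UDP {port}")
    if rule["mode"].upper() != "ENABLE":
        findings.append("rule is disabled")
    try:
        if not source_allowed(server_ip, rule["scope"]):
            findings.append(
                f"scope {rule['scope']} does not admit server {server_ip}")
    except ValueError as exc:
        findings.append(f"invalid scope: {exc}")
    return findings


if __name__ == "__main__":
    for label, rule in (("mistyped", MISTYPED), ("correct", CORRECT)):
        print(label, audit_rule(rule, SERVER) or "OK")
```

An empty findings list means the rule, as recorded, would let the server through; anything else names the field to re-check in the verbose netsh listing.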

References:

  1. Error: "Symantec AntiVirus could not collect all the log data from the selected computer(s) . . ." when viewing client logs in Symantec System Center
    Document ID: 2003032010404748
    Last Modified: 11/15/2006
    Date Created: 03/20/2003
    Operating System(s): Windows 2000, Windows Server 2003 32-bit Edition, Windows 98, Windows Me, Windows NT 4.0 SP6a, Windows 2000 Professional, Windows XP Professional
    Product(s): Symantec AntiVirus Corporate Edition 10.0, Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0, Symantec Client Security 3.0, Symantec AntiVirus 10.1, Symantec Client Security 3.1
    Release(s): SAV 10.0 [All Releases], SAV 8.0 [All Releases], SAV 9.0 [All Releases], Symantec Client Security 3.x [All versions], Symantec AntiVirus 10.1, Symantec Client Security 3.1
    Symantec Corporation
  2. Allow Rtvscan Access Through Windows XP Firewall
    April 9, 2007
    MoonPoint Support
  3. Configuring Windows XP Firewall for Symantec Antivirus Client
    April 9, 2007
    MoonPoint Support
