We have SEPM 12.1.6 (recently upgraded from 12.1.4) running on three 2012 R2 Standard boxes with all clients running 12.1.4. From March through June we had been replacing McAfee on roughly 10k clients (which has now been completed). It was tested on over a dozen machines - both workstations and servers - prior to replacing on the rest.
At the beginning of June we started getting reports from our server team that machines would randomly stop communicating to the network on their production NICs. This happens sporadically and is not reproducible. Once the server is rebooted, whatever is blocking the NIC from sending - as the NIC does report itself up - clears up. Running smc -stop does not resolve the issue, and whereas running cleanwipe clears the issue, this requires a reboot, which clears the NIC anyway.
A ticket was opened with tech support; symhelp logs were gathered but showed nothing to indicate any issue. The client logs only show some tamper protection alerts that are only logged, not blocked. We need to gather debug logs, but with the issue being non-reproducible that is a bit of a challenge. At the moment we are looking at the IPS and the Firewall as potential issues. On some servers I withdrew the IPS policy to put it into passthrough. I have not heard any issues from these since. On the DCs we are looking at redeploying without the NTP component.
Was wondering if anyone has experienced anything similar? Or has any additional thoughts?