Error: "Symantec AntiVirus was unable to start a definition file download on the following clients..."

Article:TECH101504  |  Created: 2005-01-06  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH101504
Article Type
Technical Solution

Issue



In Symantec System Center, you try to update the virus definitions on managed clients. You see the error message "Symantec AntiVirus was unable to start a definition file download on the following clients..." The affected clients are turned on and connected to the network.

 


Solution



This problem has more than one cause, so more than one solution is provided. To fix the problem, try each of the following solutions in the order that they appear.

Confirm network communication
Make sure that the clients and the parent server can communicate.

To confirm network communication

  1. On the parent server, open a command prompt and ping the client by computer name.
    For example, type ping <client1>
    where <client1> is the computer name of the client.
    The command should return the client's correct IP address.
  2. On the parent server, open a command prompt and use the ping -a command with the client's IP address.
    For example, type ping -a 192.168.0.1
    where 192.168.0.1 is the client's IP address.
    The command should return the client's correct fully qualified domain name.
  3. On the client, open a command prompt and ping the parent server by computer name.
    For example, type ping <server1>
    where <server1> is the computer name of the parent server.
    The command should return the parent server's correct IP address.
  4. On the client, open a command prompt and use the ping -a command with the parent server's IP address.
    For example, type ping -a 192.168.0.2
    where 192.168.0.2 is the parent server's IP address.
    The command should return the parent server's correct fully qualified domain name.


If network communication fails, fix any problems on your network that are related to DNS or name resolution before you try the other solutions in this document.
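The four ping checks above compare a forward lookup (name to IP address) with a reverse lookup (IP address to name) for each host. The following Python sketch is an added example, not part of the original Symantec article, that performs the same comparison in one call. The host names, the example.local domain and the fake lookup tables are constructed so that it runs offline; omit the last two arguments to query the real resolver.

```python
import socket

def check_name_resolution(hostname, expected_ip,
                          forward=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means both lookups agree."""
    problems = []
    try:
        ip = forward(hostname)
        if ip != expected_ip:
            problems.append(f"forward: {hostname} -> {ip}, expected {expected_ip}")
    except OSError as exc:  # gaierror and herror are OSError subclasses
        problems.append(f"forward: {hostname} did not resolve ({exc})")
    try:
        fqdn = reverse(expected_ip)[0]
        # ping -a reports the FQDN; compare only the host label with the computer name.
        if fqdn.split(".")[0].lower() != hostname.split(".")[0].lower():
            problems.append(f"reverse: {expected_ip} -> {fqdn}, expected {hostname}")
    except OSError as exc:
        problems.append(f"reverse: {expected_ip} has no name ({exc})")
    return problems

# Constructed lookup tables standing in for DNS so the example runs offline.
FAKE_A = {"client1": "192.168.0.1", "server1": "192.168.0.2"}
FAKE_PTR = {"192.168.0.1": "client1.example.local",
            "192.168.0.2": "oldserver.example.local"}  # stale reverse record

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(11001, "host not found")
    return FAKE_A[name]

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "unknown host")
    return FAKE_PTR[ip], [], [ip]

if __name__ == "__main__":
    for host, ip in (("client1", "192.168.0.1"), ("server1", "192.168.0.2")):
        print(host, check_name_resolution(host, ip, fake_forward, fake_reverse) or "OK")
```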


Confirm the presence of the server group root certificate
Communication fails if the server group root certificate is not present on Symantec AntiVirus 10.x servers, managed clients, and the computer that runs Symantec System Center. Legacy clients and servers do not need a copy of the root certificate.

To confirm the presence of the certificate on parent servers and computers that run Symantec System Center

  1. Start Windows Explorer.
  2. Open the Symantec AntiVirus program folder.
    The default location on a Symantec AntiVirus Corporate Edition server is the following:
    <OS drive>:\Program Files\SAV
    The default location on a Symantec Client Security server is the following:
    <OS drive>:\Program Files\SAV\Symantec AntiVirus
  3. Open the pki\roots folder and find the xxx.x.servergroupca.cer file.
  4. If the xxx.x.servergroupca.cer file is not present, do one of the following:


To confirm the presence of the certificate on managed clients

  1. Start Windows Explorer.
  2. Go to the Symantec AntiVirus program folder.
    The default location is the following:
    <OS drive>:\Program Files\Symantec Client Security\Symantec AntiVirus
  3. Open the pki\roots folder and find the xxx.x.servergroupca.cer file.
  4. Make sure that the file matches the xxx.x.servergroupca.cer file on the client's parent server.
  5. If the xxx.x.servergroupca.cer file is not present, copy the file from the pki\roots folder on the parent server.
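Step 4 asks that the client's copy of the root certificate match the parent server's copy. Comparing file names is not enough, so this added example (not part of the original article) compares SHA-256 digests of every *.servergroupca.cer file under pki\roots in two program folders. It assumes both folders are readable from the machine running it, for example as copies or shares; the file name demo.0.servergroupca.cer and the file contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def root_cert_digests(program_folder):
    """Map file name -> SHA-256 for every *.servergroupca.cer under pki/roots."""
    roots = Path(program_folder) / "pki" / "roots"
    if not roots.is_dir():
        return {}
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in roots.glob("*.servergroupca.cer")}

def compare_root_certs(server_folder, client_folder):
    """Return {file name: status}, using the parent server's copy as the reference."""
    server = root_cert_digests(server_folder)
    client = root_cert_digests(client_folder)
    findings = {}
    for name, digest in server.items():
        if name not in client:
            findings[name] = "missing on client"
        elif client[name] != digest:
            findings[name] = "differs from parent server"
        else:
            findings[name] = "match"
    # A certificate only the client has points at a different server group.
    for name in client.keys() - server.keys():
        findings[name] = "not present on parent server"
    return findings

def demo():
    """Build two constructed program folders whose certificates differ."""
    with tempfile.TemporaryDirectory() as base:
        for host, body in (("server", b"constructed-cert-A"),
                           ("client", b"constructed-cert-B")):
            roots = Path(base, host, "pki", "roots")
            roots.mkdir(parents=True)
            (roots / "demo.0.servergroupca.cer").write_bytes(body)
        return compare_root_certs(Path(base, "server"), Path(base, "client"))

if __name__ == "__main__":
    print(demo())
```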



Confirm that Symantec AntiVirus works correctly on the clients
Confirm that the Symantec AntiVirus service is started on the clients. Start Symantec AntiVirus, and make sure that the correct parent server name appears under General Information.

If the correct parent server name does not appear, copy the Grc.dat file from the parent server to the client.
For directions, read the document "A guide to the Grc.dat file in Symantec AntiVirus Corporate Edition version 10.x".


Confirm that Symantec AntiVirus works correctly on the parent server
On the parent server, confirm that the Symantec AntiVirus service is started and that the correct ports are open.

To confirm that the correct ports are open on the parent server

  1. At a command prompt, type netstat -a
  2. Do one of the following:
    • On a Symantec AntiVirus 10.x server, confirm that TCP port 2967 appears and that the port's status is LISTENING
    • On a Symantec AntiVirus 10.x server that manages legacy clients, confirm that UDP port 2967 appears and that the port's status is LISTENING
    • On a Symantec AntiVirus 9.x or earlier server, confirm that UDP port 2967 appears and that the port's status is LISTENING
  3. If the correct ports are not open, restart the Symantec AntiVirus service.
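Searching netstat output for the string 2967 also matches established sessions and outbound connections, which say nothing about whether the server is accepting connections. This added example (not from the original article) parses saved netstat -a output and checks only the local address column for the protocol that the list above names for each server type. The server-type labels and the sample output are constructed; because Windows netstat prints no State column for UDP sockets, a bound UDP 2967 line is treated as the listening case.

```python
# Protocol to look for on port 2967, per the server types listed above.
REQUIRED = {
    "10.x": "TCP",
    "10.x-with-legacy-clients": "UDP",
    "9.x-or-earlier": "UDP",
}
PORT = "2967"

def port_2967_ready(netstat_output, server_kind):
    """True if the parent server has the required socket bound on port 2967."""
    wanted = REQUIRED[server_kind]
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() != wanted:
            continue
        # fields[1] is the local address; rsplit also copes with [::]:2967.
        if fields[1].rsplit(":", 1)[-1] != PORT:
            continue
        if wanted == "UDP":
            return True  # UDP rows carry no State column on Windows
        if len(fields) >= 4 and fields[3].upper() == "LISTENING":
            return True
    return False

# Constructed sample of `netstat -a` output from a 10.x parent server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:2967       192.168.0.1:1042       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample where 2967 appears only as a remote port and a live session.
NOT_LISTENING = """\
  TCP    192.168.0.2:1050       192.168.0.1:2967       ESTABLISHED
  TCP    192.168.0.2:2967       192.168.0.1:1042       ESTABLISHED
"""

if __name__ == "__main__":
    for kind in REQUIRED:
        print(kind, port_2967_ready(SAMPLE, kind))
```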


If the problem persists, try the solutions in the "Configure or disable the Windows Firewall" section or the "Confirm that the correct ports are open on firewalls and routers" section of this document.


Configure or disable the Windows Firewall
On Windows 2003/XP computers, confirm that the Windows Firewall is not configured to block communication. Do one of the following:



Confirm that the correct ports are open on firewalls and routers
Make sure that any firewalls and routers allow broadcast and directed UDP communication and that the needed ports are open.
For details, read the document for your version of Symantec AntiVirus:





 



Legacy ID



2005090610104148

