Proactive Threat Protection (PTP) definitions fail to update on some managed clients.

Article:TECH134047  |  Created: 2010-01-21  |  Updated: 2010-12-14  |  Article URL http://www.symantec.com/docs/TECH134047
Article Type
Technical Solution


Environment

Issue



Why do some of my Symantec Endpoint Protection Clients fail to update Proactive Threat Protection definitions?

Symptoms
Some Symantec Endpoint Protection (SEP) clients fail to download and update Proactive Threat Protection (PTP) definitions from their Symantec Endpoint Protection Manager (SEPM) or Group Update Provider (GUP).

  • Sylink debugging logs show errors similar to:

    02/16 16:17:10 [2724] EVENT_LU_REQUIRE_STATUS returned
    ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker:
    {812CD25E-1049-4086-9DDD-A4FAE649FBDF} Seq:100216032

    and

    02/16 16:17:10 [2724] EVENT_LU_REQUIRE_STATUS returned
    ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker:
    {E5A3EBEE-D580-421e-86DF-54C0B3739522} Seq:100216032
  • Stopping and starting the Symantec Management Client (SMC) Service may resolve the issue for one or two update cycles
  • Affected clients can usually download PTP definitions via LiveUpdate without issue
  • Other SEP clients connecting to the same SEPM or GUP are able to download and update PTP definitions without issue


 


Solution



This issue is resolved in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1). For download instructions, see "Obtaining the latest version of Endpoint Protection or Network Access Control 11".

To work around this issue:
This procedure needs to be followed on all affected SEP clients.

  • Modify the value of the following DWORD registry entry to 1:
    HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\LiveUpdate\SyknappsContentListReady
    Note: If this registry entry does not exist on the client, create the entry and set it to the value above

  • Reboot the SEP client
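
The workaround above as a PowerShell script, added here as an example and not Symantec tooling. The `-SylinkLog` parameter, the decision to stop when the LiveUpdate key is absent, and the script layout are assumptions; the registry path, value name and log text are the ones quoted in this article.

```powershell
# Added example: run from an elevated PowerShell session on an affected SEP client.
# Use -WhatIf to preview the change without writing to the registry.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: path to a Sylink debug log already captured on this client (optional).
    [string]$SylinkLog
)

# Registry location and value name exactly as given in the article.
$KeyPath   = 'HKLM:\Software\Symantec\Symantec Endpoint Protection\LiveUpdate'
$ValueName = 'SyknappsContentListReady'

# Optional symptom check: count the "Ignore LU content" errors per moniker.
# \s+ tolerates the line wrapping seen in the quoted log excerpt.
if ($SylinkLog) {
    $text    = Get-Content -LiteralPath $SylinkLog -Raw
    $pattern = 'EVENT_LU_REQUIRE_STATUS returned\s+ERROR_SYSTEM_UNKNOWN - Ignore LU content\.' +
               '\s+Moniker:\s*(\{[0-9A-Fa-f-]+\})'
    $hits = [regex]::Matches($text, $pattern)
    if ($hits.Count -eq 0) {
        Write-Warning "No EVENT_LU_REQUIRE_STATUS / ERROR_SYSTEM_UNKNOWN entries found in $SylinkLog."
    } else {
        $hits | Group-Object { $_.Groups[1].Value } |
            ForEach-Object { Write-Output ("{0} error(s) for moniker {1}" -f $_.Count, $_.Name) }
    }
}

# Assumption: a missing LiveUpdate key means this is not a SEP client, so stop
# rather than create Symantec keys on an unrelated machine.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Read the current value; $null means the entry does not exist yet.
$current = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Output "$ValueName is already 1; no change made."
    return
}

# Create the DWORD if absent, or overwrite it if present, as the article instructs.
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $shown = if ($null -eq $current) { '<not present>' } else { $current }
    Write-Output "$ValueName changed from $shown to 1. Reboot the SEP client to finish."
}
```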

     

Some possible workarounds that have been found to work in some customer environments are:

  • Set the registry entry (HKLM\Software\Symantec\Symantec Endpoint Protection\LiveUpdate\SyknappsContentListReady) to 1
  • Uninstall and reinstall affected SEP clients
  • Configure affected SEP clients to update their definitions via an internal LiveUpdate server or the Public LiveUpdate servers.

Supplemental Materials

Source: ETrack
Value: 1974386

Legacy ID



2010062108361148



