Symantec Endpoint Protection (SEP) clients stopped updating the definitions

Article:TECH178886  |  Created: 2012-01-13  |  Updated: 2013-06-25  |  Article URL
Article Type
Technical Solution


After the migrating or installing to SEP  12.1 with the embedded database, clients eventually stop updating the definitions from the Manager.  However, SEPM correctly downloads the newest definitions.  Additionally the Symantec Endpoint Protection Manager (SEPM) may display incorrect definitions status on the clients even after the clients were manually updated via Intelligent Updater file or LiveUpdate.

After a restart of Symantec Endpoint Protection Manager service SEP clients are able to get the newest definitions and their status is updated in the manager.


1. SEP clients remains connected to the SEPM, they show green dots and show the server IP or Name in the SEP interface (Troubleshooting)

2. SEPM does not process the newly update definitions since the day of upgrade:

3. In PackagePublisherTask-0.log there are no more updates since the day of upgrade (entries are few days old - they should be from 2012-01-10):
2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>> clientMoniker:{535CB6A4-441F-4e8a-A897-804CD859100E},seq:120105021
2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>>assigned seq:120105021
2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>> add content info: clientMoniker:

4. Sylink.log from the client (taken on the same date as PackagePublisherTask-0.log from SEPM) shows that client cannot find the new updates - only those published by SEPM few days ago:
01/10 08:28:36.031 [6068] 8:28:36=>Send HTTP REQUEST
01/10 08:28:36.062 [6068] 8:28:36=>HTTP REQUEST sent
01/10 08:28:36.062 [6068] <GetIndexFileRequest:>SMS return=200
01/10 08:28:36.062 [6068] <ParseHTTPStatusCode:>200=>200 OK
<File Checksum="0F60A30387C3497A156B73AD24EC83ED" DeltaFlag="1" FullSize="164041049" LastModifiedTime="1325821779607"
Moniker="{535CB6A4-441F-4e8a-A897-804CD859100E}" Seq="120105021"/>

so it is not downloaded by client because it already has such definitions:
01/10 08:28:36.078 [6068] [Content]<mfn_LiveUpdate:>Current index2 content entry: Moniker: {535CB6A4-441F-4e8a-A897-804CD859100E} Sequence: 120105021
01/10 08:28:36.078 [6068] <PostEvent>going to post event=EVENT_LICENSE_REQUIRE_STATUS
01/10 08:28:36.078 [6068] <PostEvent>done post event=EVENT_LICENSE_REQUIRE_STATUS, return=0
01/10 08:28:36.078 [6068] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
01/10 08:28:36.109 [6068] <PostEvent>done post event=

5. Inetpub\Content on SEPM shows more revisions than configured. The numeric folders with the content updated after the day of upgrade contain only files

The restart of the SEPM service causes:
- the old content is deleted from the Inetpub\Content, so there are only as much revisions as configured in the SEPM
- the files are extracted in every revision folder
- SEPM starts to publish the newest updates
- clients can find them and update the definitions
- at the next download of the definitions by SEPM the problem reappears (SEPM doesn't process the new updates, doesn't publish them, exceeds the number of the revisions, doesn't extract in the newest content, SEP clients cannot get the updates)


  • Symantec Endpoint Protection Manager 12.1 with Embedded DB


  • The Sybase JDBC driver does not support query time out



This issue has been fixed in Symantec Endpoint Protection 12 Release Update 2 (RU2). For information on how to obtain the latest build of Symantec Endpoint Protection, read

TECH199676: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control

Supplemental Materials


Article URL

Terms of use for this information are found in Legal Notices