Post-install LiveUpdate and Reboot information for Symantec Endpoint Protection

Article: TECH91474  |  Created: 2008-01-18  |  Updated: 2008-01-18
Article Type: Technical Solution



Why does the client ask to reboot after installation?

How does LiveUpdate run after install?

What initiates the LiveUpdate or Reboot after installation of the Symantec Endpoint Protection client?

  • LiveUpdate runs directly after install
  • Reboot prompt after install
  • Reboot required after install



    The Symantec Endpoint Protection client will, by default, run a LiveUpdate session after installation completes. It is possible that it will also prompt for a system reboot after that LiveUpdate has completed. Reboots are required for a variety of reasons, such as replacing in-use system files or drivers.

    During an interactive install, if the user chooses a custom install, it is possible to disable the post-install LiveUpdate. For information on how to configure an interactive install click here.

    If a LiveUpdate session is configured to run, it will always complete before the reboot prompt is displayed.
    • It is possible that both the LiveUpdate and reboot will be completed silently (as opposed to interactively) if the installer is configured to do so.
      • During a silent LiveUpdate session, the user will see no indication of it running other than the LUALL.exe process listed in Task Manager.
      • A silent reboot amounts to what looks like a spontaneous reboot of the machine.
    • For information on how to configure a silent install click here.

    On both managed and unmanaged clients, the types of content that are allowed to be pulled down via LiveUpdate are controlled by policy. Because of this, we want to make sure that policy has been properly applied before launching LiveUpdate. To ensure this, the installer no longer launches the post-install LiveUpdate or reboot itself, as was the case in Symantec AntiVirus 10.x and earlier. Instead, the installer sets up signals, in the form of registry values, that are seen by Smc.exe during its service startup processing. When Smc detects those signals, it will launch the LiveUpdate session after it has applied the policy and trigger the reboot prompt if needed. Essentially, post-install LiveUpdate and reboot are a two-part process: the first part owned by the installer, the second part owned by Smc.

    The registry values that the installer uses to signal Smc live under the HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Install key.

      Those values are:
        • RunLiveUpdateNow
        • InstallerRequestsReboot
        • ProductPatchAfterReboot
        • MajorPatchInProgress

      All of these (and the Install key itself) are volatile, which means they are automatically deleted on reboot.

      The following is the breakdown of each value:

        RunLiveUpdateNow
        0 or missing = do not run a post-install LiveUpdate
        1 = run an interactive post-install LiveUpdate
        2 = run a silent post-install LiveUpdate

        InstallerRequestsReboot
        0 or missing = do not show the post-install reboot prompt
        1 = show the post-install reboot prompt
        2 = reboot automatically

        ProductPatchAfterReboot
        0 or missing = allow product patches to be downloaded via LiveUpdate before reboot
        1 = do not allow product patches to be downloaded via LiveUpdate before reboot

        The reason for this value is that if an older version of the client is installed and then immediately finds a product patch during its post-install LiveUpdate and tries to install that patch, problems may occur. This value lets us disable product patches via LiveUpdate until a post-install reboot has occurred.

        MajorPatchInProgress
        0 or missing = the installation that just happened is not part of a Major Patch
        1 = the installation that just happened is part of a Major Patch

        Microsoft Installer supports two kinds of patches: major and minor. In a major patch, the product's installer is run first, followed automatically by the uninstaller. In a minor patch, the uninstaller is not run. Since our services (including Smc) are started after the installer is done, during a major patch we were starting Smc and displaying the reboot prompt even though we were only half-way through the process (the uninstaller portion still needed to be run). This value lets us trigger more complicated processing to make sure that the uninstaller portion of a major patch is complete before we trigger the post-patch reboot prompt.


    When you are seeing problems with post-install LiveUpdate and reboot, here are the things you should check:

    1. Check for the above registry values. Most will hang around until the first reboot. Make sure they match your expectations. If they do not, this suggests a problem in installer logic. An exception to this is the RunLiveUpdateNow value, which is deleted immediately after it is read by Smc. This is done to avoid running LiveUpdate every time the service is restarted when a post-install reboot was not required.

    2. If the registry values look correct, then it's time to check Smc's logic. This can only be done using the debug.log that Smc generates, but Smc will only generate it if it is configured to do so. You could proactively enable Smc debug logging for every install, or if you see a problem, you could reproduce it with debug logging enabled. The value you need to set is

      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\

      You cannot set this value manually before starting install because the installer will replace your 1 with 0 as part of its normal processing. You will have to monitor the registry during installation, and as soon as you see the SMC registry values created (but before the Smc service is started), set the value to 1. This will create a debug.log in the product install directory.

    3. The %temp%\SEP_INST.log log can also be analyzed for information.
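
Step 1 of the checklist above as an added PowerShell example (not Symantec's code): it reads the four signal values under the Install key and prints the meaning this article assigns to each. The function name `Get-SepInstallSignal` is hypothetical, and the value data is assumed to be numeric.

```powershell
# Added example, not vendor code. Run elevated, after install and BEFORE the
# first reboot: the Install key is volatile and is deleted on restart.
$InstallKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Install'

# Data-to-meaning map, copied from the breakdown in this article.
$Meanings = [ordered]@{
    RunLiveUpdateNow        = @{ 0 = 'do not run a post-install LiveUpdate'
                                 1 = 'run an interactive post-install LiveUpdate'
                                 2 = 'run a silent post-install LiveUpdate' }
    InstallerRequestsReboot = @{ 0 = 'do not show the post-install reboot prompt'
                                 1 = 'show the post-install reboot prompt'
                                 2 = 'reboot automatically' }
    ProductPatchAfterReboot = @{ 0 = 'product patches allowed via LiveUpdate before reboot'
                                 1 = 'product patches blocked via LiveUpdate until reboot' }
    MajorPatchInProgress    = @{ 0 = 'install is not part of a Major Patch'
                                 1 = 'install is part of a Major Patch' }
}

function Get-SepInstallSignal {
    param([string]$Path = $InstallKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path (already rebooted, or installer has not written it yet)"
        return
    }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $Meanings.Keys) {
        $raw = $key.GetValue($name)          # $null when the value is absent
        # Assumption: data is numeric (DWORD or numeric string); [int] covers both.
        $data    = if ($null -ne $raw) { [int]$raw } else { 0 }
        $meaning = $Meanings[$name][$data]
        if (-not $meaning) { $meaning = 'unexpected data, not listed in the article' }
        $note = ''
        if ($null -eq $raw -and $name -eq 'RunLiveUpdateNow') {
            $note = 'Smc deletes this value right after reading it'
        }
        [pscustomobject]@{
            Value   = $name
            Data    = if ($null -ne $raw) { $data } else { 'missing' }
            Meaning = $meaning
            Note    = $note
        }
    }
}

Get-SepInstallSignal | Format-Table -AutoSize -Wrap
```

Compare the output with what the install package was configured to do; a mismatch points at installer logic, while matching values with wrong behavior point at Smc.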
