Troubleshooting content update problems

Article:TECH92269  |  Created: 2009-01-09  |  Updated: 2011-01-21  |  Article URL http://www.symantec.com/docs/TECH92269
Article Type
Technical Solution


Issue



You want to troubleshoot client content update problems.

 


Solution



About troubleshooting content update problems on clients
LiveUpdate is the name of the technology that checks for and distributes definitions and content updates to Symantec Endpoint Protection client computers. The client can receive content in one of two ways: from the management server, or directly from Symantec LiveUpdate. If you suspect that a client does not receive content updates, you can perform several troubleshooting actions.

 

Action | Where to find the information
Determine how the client is configured to receive content. | See “About determining how a client is configured to receive content” in this document.
Check the client's connection status. | See “About checking the client's connection status” in this document.
Make sure the client can ping its content provider or that the client is connected to the Internet. | See “Making sure that the client can communicate with its content provider” in this document.
Determine whether a client is receiving updates from the management server. | See “Running a manual LiveUpdate session from the management console” in this document.
Check the LiveUpdate settings that are configured on the server. | See “Checking the LiveUpdate settings on the management server” in this document.
Run a manual LiveUpdate session from the management console to see if the client receives updated content. | See “Running a manual LiveUpdate session from the management console” in this document.
If you still have problems, check the LiveUpdate logs on the client and the management server. You can also use a debugging tool. | See “What to do if you still have problems after verifying connectivity and LiveUpdate settings” in this document.



About types of content for Symantec Endpoint Protection for Small Business
Symantec Endpoint Protection for Small Business uses several types of protection. The following table describes each type of content:

 

Content Type | Description
Virus definitions | These definitions protect against virus and spyware attacks.
Decomposer signatures | These signatures support the Virus and Spyware Protection engine, and are used to decompose and read the data that is stored in various formats.
TruScan proactive threat scan heuristic signatures | These signatures protect against zero-day attack threats.
TruScan proactive threat scan commercial application list | These application lists are the legitimate commercial applications that have generated false positives in the past.
Intrusion Prevention signatures | These signatures protect against network threats and support the intrusion prevention and detection engines.
Submission Control signatures | These signatures control the flow of submissions to Symantec Security Response.


Note: Whether the client receives updates from the management server or directly from Symantec LiveUpdate, all available content types are downloaded. It is not possible to choose which types of content are downloaded.

About determining how a client is configured to receive content
Clients can receive content through two different methods. You can determine how a client is configured to receive content in the following ways:

    • View the server settings in the client's LiveUpdate policy in the management console.
    • Examine the LiveUpdate registry keys on the client.
       

Note: For more information about how you can view the server settings in the client's LiveUpdate policy, see the Implementation Guide for Symantec Endpoint Protection for Small Business.

To check the registry keys

    1. On the client, look in the registry under HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\LiveUpdate.
    2. Check the settings for the following keys:
      • UseLiveUpdateServer
        If this key is set to 1, the client uses Symantec LiveUpdate directly.
      • UseManagementServer
        If this key is set to 1, the client uses the management server.
         


About network connectivity and clients
If a client does not receive content updates, you should first check if there is a connectivity problem that prevents content updates.

 

How the client receives content | What to check
From the Symantec Protection Center | Check the connectivity between the client and the management server.
Directly from Symantec LiveUpdate | Check the following items:
  • Make sure the client can connect to the Internet.
  • Check the LiveUpdate schedule in the client's LiveUpdate policy.



About checking the client's connection status
To receive updates, the client must be able to connect to its content provider. If the client receives updates from the management server, you should check that the client can connect to the management server. If the client receives content updates directly from Symantec LiveUpdate, you should check that the client can connect to the Internet.

On the management console, on the Computers page, select the group to which the client belongs.

Both of the following statements should be true:

    • The client appears in the list.
    • On the row where the client appears, in the Health State column, the client is indicated as being online.
       

For more information, see the section “About checking the communication between the management server and the client” in this document.

On the client computer you can also verify connectivity and the current content definitions dates. You can check the following items on the client computer:

    • In the notification area on the client computer, there should be a yellow shield icon with a green dot.
    • In the client main window, the current content definition dates are listed.


In addition to connectivity problems, there are other situations that might prevent the client from receiving updates. These include the following situations:

    • The Windows firewall settings interfere with communication.
    • The client firewall settings interfere with communication.
       

For more information about the firewall settings, see the Implementation Guide for Symantec Endpoint Protection Small Business Edition.

Making sure that the client can communicate with its content provider
You should make sure that the client can communicate with its content provider. If the client gets content from the management server, make sure the client can communicate with the management server. If the client gets content directly from Symantec LiveUpdate, make sure that the client can access the Internet.

If the client cannot ping the management server, check for any network problems and verify network services for the client. For more information, see the section “About checking the communication between the management server and the client” in this document.

To use the ping command to test the connectivity to the management server

    1. On the client, open a command prompt.
    2. Type the ping command. For example:

      ping <name>

      where <name> is the computer name of the management server. You can use the server IP address in place of the computer name. In either case, the command should return the server's correct IP address.
       

If the ping command does not return the correct address, verify the network connections and verify that the network services are running on the client computer.

About determining whether a client is receiving content updates from the management server
You can check to see which computers might not currently receive updates from the management server. You can perform the following checks:

    • View Endpoint Status information. You can view detailed information about each client's connection status and content versions. Clients cannot receive content if they lose connectivity to the management server (unless they are configured to receive updates directly from Symantec LiveUpdate).
    • View the Computer Status log, which contains the client computer's IP address and the time of the last check-in. It also shows the last definitions date.
       

The most thorough way to check if clients receive updates is to check the content version on the management server. You should then compare it to the version on the client. For more information, see the section “About comparing the content on the client to the content on the management server” in this document.

About comparing the content on the client to the content on the management server
You can compare the version of content on the client to the version on the management server in the following ways:

    • Check the content cache on the client computer and compare it to the content cache on the management server. You can use this method if you want to check the content on a few clients. For more information see the section “Comparing the content cache” in this document.
    • On the console, view Endpoint Status information. You can view detailed information about each client's connection status and content versions. Clients cannot receive content if they lose connectivity to the management server (unless they are configured to receive updates directly from Symantec LiveUpdate). For more information, see the section “Using the management console to compare content versions” in this document.
       

If the content on the client does not match the content on the management server, you should check the client's connectivity to the network. You should also check the client's communication with the management server.

Comparing the content cache
You can check the content cache on the client computer and compare it to the content on the management server. If the client receives content updates from the management server, subfolders are created on the client in the product folder. The subfolders are named with date codes such as 70827034. The subfolder names should be the same on the client and the server if the client receives updates from the management server.

Note: If the client receives content directly from LiveUpdate, the content is not cached in the product folder location.

To compare the content cache

    1. On the client computer, go to the following folder:

      \Program Files\Symantec\Symantec Endpoint Protection\ContentCache
    2. On the management server, go to the content folder. You can typically find the folder in the following location:

      \Program Files\Symantec\Symantec Protection Center\Inetpub\content
    3. Compare the folders in the client content cache to the folders on the management server. Then compare the subfolders. The folders should correspond if the client has received content from the management server.
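The comparison in step 3 can be scripted once both folders are reachable (locally, over a share, or as collected copies). The following is an added example, not Symantec code; the function names and the `content-a`/`content-b`/`content-c` folder names are constructed, and only the date-code style (70827034) comes from this document.

```python
import tempfile
from pathlib import Path

def subdirs(path):
    """Names of the immediate subdirectories of path."""
    return {p.name for p in Path(path).iterdir() if p.is_dir()}

def compare_content_cache(client_cache, server_content):
    """Compare content folders, then the date-coded subfolders inside each.

    Returns folder names found on only one side, plus per-folder
    subfolder differences for folders that exist on both sides.
    """
    client_top, server_top = subdirs(client_cache), subdirs(server_content)
    diff = {
        "folders_only_on_server": sorted(server_top - client_top),
        "folders_only_on_client": sorted(client_top - server_top),
        "subfolder_mismatch": {},
    }
    for name in sorted(client_top & server_top):
        c = subdirs(Path(client_cache) / name)
        s = subdirs(Path(server_content) / name)
        if c != s:
            diff["subfolder_mismatch"][name] = {
                "only_on_server": sorted(s - c),
                "only_on_client": sorted(c - s),
            }
    return diff

def build_demo_tree(root):
    """Create a constructed client/server layout (demonstration data only)."""
    layout = {
        "client": {"content-a": ["70827034"], "content-b": ["70820011"]},
        "server": {"content-a": ["70827034"], "content-b": ["70827002"],
                   "content-c": ["70827005"]},
    }
    for side, folders in layout.items():
        for folder, revisions in folders.items():
            for rev in revisions:
                (Path(root) / side / folder / rev).mkdir(parents=True)
    return Path(root) / "client", Path(root) / "server"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        client, server = build_demo_tree(tmp)
        print(compare_content_cache(client, server))
```

An empty result in all three fields means the folders correspond; any entry under `only_on_server` points at content the client has not received.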


Using the management console to compare content versions
You can view information about the latest content on each client by looking on the console Home page, in the Endpoint Status pane. You can choose to see detailed information about the versions of the virus definitions and other content on the clients. You can also view content versions on each client by running a Client Inventory report. For more information about reports, see the Implementation Guide for Symantec Endpoint Protection Small Business Edition.

In the management console, you can see the latest content by checking the latest LiveUpdate downloads. You can compare the revision that is listed in the Show LiveUpdate Downloads dialog box to the content versions that appear in the report. For more information, see the section “Viewing the latest LiveUpdate downloads to the management server” in this document.

To use the management console to compare content versions

    1. In the console, click Home. System Protection is shown in the Endpoint Status pane.
    2. In the Endpoint Status pane, click View Details to view more information.
    3. Compare the virus definitions version on each client with the virus definitions version on the management server. If the client is receiving updates, the versions should match.


Viewing the latest LiveUpdate downloads to the management server
Clients might not receive LiveUpdate content if the management server does not receive updates. The management server receives updates directly from Symantec LiveUpdate.
In the management console, you can view the most recent LiveUpdate downloads to the management server.

The server receives updates from Symantec LiveUpdate at certain intervals. The default interval is every four hours. You can configure the download schedule by using the Server Properties dialog on the Admin page in the management console. If the content that appears in the list on the server is older than you expect, check the LiveUpdate log. For more information, see the section “Viewing the LiveUpdate log” in this document.

You should also check the connection to Symantec LiveUpdate. After you view the latest LiveUpdate downloads, you can compare the content to the content on the clients. For more information, see “Using the management console to compare content versions” in this document.

To view the latest LiveUpdate downloads to the management server

    1. In the console, click Admin.
    2. On the Admin page, click System.
    3. On the Admin page, click Show the LiveUpdate Status.


Running a manual LiveUpdate session from the management console
You can run a manual LiveUpdate session from the management server. For more information about how to run a manual LiveUpdate session, see the Implementation Guide for Symantec Endpoint Protection Small Business Edition. When you run a manual LiveUpdate session, the client receives content from Symantec LiveUpdate; it does not receive content from the management server.

Note: After you run a manual LiveUpdate session, you should wait for up to two minutes. The Symantec Endpoint Protection client performs content validation checks. After two minutes, you can check to see if the command successfully updated the client. Note that the management console automatically refreshes.

You can also run a manual LiveUpdate session directly from the client if the LiveUpdate policy permits the client to run a manual session. For more information, see the Client Guide for Symantec Endpoint Protection Small Business Edition.

To run a manual LiveUpdate session from the management console

    1. In the management console, on the Computers page, in the left column, select the group the client belongs to.
    2. In the right pane, on the Computers tab, right-click on the client and select Run Command on Computers > Update Content.
    3. In the Update Content message box, click Yes.
    4. In the message box, click OK.


What to do if you still have problems after verifying connectivity and LiveUpdate settings
You should look at the LiveUpdate log on the management server and the client. You can also create a log of the sylink communications between the client and the management server. You can use a text application, such as Notepad, to open the log files. You can also use a shareware tool, such as DebugView, to look at the debug output messages.

Viewing the LiveUpdate log
You can view the LiveUpdate log on the client and the management server.

To view the LiveUpdate log

    1. On the client computer or the management server, locate the log in the LiveUpdate directory. For example, go to the following location:

       \Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
       
    2. Look for the following message in the log:

      Progress Update: DOWNLOAD_FILE_START: URL: <url>/zip

      The URL should match the expected address of the LiveUpdate server.

If the client or the management server failed to connect to the LiveUpdate server, you see an error similar to the following:

Progress Update: HOST_SELECTION_ERROR:

Messages also appear about possible reasons for the failure.
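The two log checks above can be run over a whole Log.LiveUpdate file at once. The following is an added example, not Symantec code; the sample lines, the host names and the timestamp layout are constructed, and only the two "Progress Update" message markers come from this document.

```python
import re
import sys
from urllib.parse import urlsplit

# Message markers quoted in this document.
DOWNLOAD_RE = re.compile(r'Progress Update: DOWNLOAD_FILE_START: URL:\s*"?([^\s",]+)')
HOST_ERROR = "Progress Update: HOST_SELECTION_ERROR:"

# Constructed sample lines; timestamps, hosts and file names are illustrative.
SAMPLE_LOG = [
    '1/20/2011, 10:00:01 GMT -> Progress Update: DOWNLOAD_FILE_START: '
    'URL: "http://liveupdate.example.com/defs_1.zip"',
    '1/20/2011, 10:00:09 GMT -> Progress Update: DOWNLOAD_FILE_START: '
    'URL: "http://mirror.example.net/defs_2.zip"',
    '1/20/2011, 14:00:02 GMT -> Progress Update: HOST_SELECTION_ERROR: '
    '(constructed detail)',
]

def triage_liveupdate_log(lines, expected_hosts):
    """Count downloads, flag URLs whose host is not expected, collect host errors."""
    expected = {h.lower() for h in expected_hosts}
    report = {"downloads": 0, "unexpected": [], "host_errors": []}
    for lineno, line in enumerate(lines, 1):
        match = DOWNLOAD_RE.search(line)
        if match:
            report["downloads"] += 1
            # A URL with no parseable host is treated as unexpected.
            host = (urlsplit(match.group(1)).hostname or "").lower()
            if host not in expected:
                report["unexpected"].append((lineno, match.group(1)))
        elif HOST_ERROR in line:
            report["host_errors"].append((lineno, line.strip()))
    return report

if __name__ == "__main__":
    # Usage: script.py <path to Log.LiveUpdate> <expected host> [more hosts]
    if len(sys.argv) > 2:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
        hosts = sys.argv[2:]
    else:
        log_lines, hosts = SAMPLE_LOG, ["liveupdate.example.com"]
    print(triage_liveupdate_log(log_lines, hosts))
```

A non-empty `unexpected` list means content was fetched from a server other than the one the LiveUpdate policy should point to, which is worth resolving before looking at anything else.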

Viewing the debug logs on the client
Two debug logs are available for viewing on the client.

To view the debug log

    1. On the console, click Help > Troubleshooting.
    2. In the left column, select Debug Logs.
    3. Do one of the following:
      • To see the Symantec Endpoint Protection debug log, in the Debug Logs pane, under Symantec Endpoint Protection, click View Log.
      • To see the Client Management debug log, in the Debug Logs pane, under Client Management, click View Log.


For more information about the debug logs, see the Knowledge Base document, How to debug the Symantec Endpoint Protection 11.x client.

Creating a sylink log
The client and the management server use Sylink.xml to communicate. You can dump all sylink communication messages to a log file on the client computer.

To create a sylink log

    1. On the client computer, in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink, create the following string value:

      DumpSylink=filepath

      where filepath is the desired location for the dump file (such as c:\sylink.log).
    2. Restart the SMC service. You can then view the Sylink.log file on the client computer.
       

For more information about the sylink log, see the Knowledge Base document, How to debug the Symantec Endpoint Protection 11.x client.

About using the DebugView tool
DebugView is a shareware tool that you can use to view the strings that are written to a debug output stream on the client. The binary LiveUpdate file, SescLU.exe, handles the content updates but does not write its own log file. You can view debug output messages by using the DebugView tool.

When you run the tool, look for the following messages:

    • QueryContentSeqData
    • ApplyContent
       

If these messages appear in the output, the client receives content from a management server, a group update provider, or a third-party management tool.

You can download the tool from the following URL: http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx



References
How to debug the Symantec Endpoint Protection 11.x client. http://service1.symantec.com/support/ent-security.nsf/docid/2007090611252048



 



Legacy ID



2009020909412948

