
SEP LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) - Terminology, Differences, Characteristics 

Sep 10, 2013 06:21 AM

Welcome to the LiveUpdate Engine (LUE) vs. Windows LiveUpdate (WLU) discussion. In this article I will take a closer look at the LiveUpdate used by SEP/SEPM 11.x, which is based on Windows LiveUpdate (WLU), and compare it with the new LiveUpdate Engine (LUE) introduced with SEP 12.1. We will look at the differences between the two as well as general characteristics, including the different LU versions, file locations, logs, types of downloads, monikers, etc. At the end I will also provide some hopefully useful tips and reference links. Please feel free to comment and discuss.

 


Differences

Windows LiveUpdate (WLU)
- component used by both SEP 11.x clients and SEPM 11.x
- in version 12.1 it is used only by SEPM
- LiveUpdate settings for SEP clients can be managed from the Symantec LiveUpdate applet in Control Panel
- the LiveUpdate component (WLU) can be removed or reinstalled from "Add/Remove Programs" in Control Panel, both on the SEP client and on the SEPM server
- the main log file for LiveUpdate activity is the same on both the SEP client and SEPM: Log.LiveUpdate

[Screenshots: Symantec LiveUpdate settings in Control Panel]

 

LiveUpdate Engine (LUE)
- LiveUpdate component directly integrated into SEP 12.1 clients; it replaces the traditional Windows LiveUpdate (WLU) previously used on SEP 11.x clients
- the LiveUpdate Engine is used only by SEP 12.1 clients; SEPM servers, regardless of version, still use WLU
- LiveUpdate settings for SEP clients are managed directly from the SEPM; there is no Symantec LiveUpdate applet in Control Panel
- the LiveUpdate Engine is integrated with the SEP client and therefore cannot be removed or uninstalled
- Log.LiveUpdate is still present on the SEPM server as before; SEP clients log LU activity to Log.Lue, with some restrictions: downloads from a GUP or from SEPM are not logged there at all, since this log only covers downloads from LiveUpdate servers (either a LUA or the Symantec Internet servers)

 

 File locations

The given locations are default - if SEP/SEPM was installed to a custom path the below locations may be different.

 

1. Installation paths (only for WLU) - applying to all operating systems

32 bit: C:\Program Files\Symantec\LiveUpdate
64 bit: C:\Program Files (x86)\Symantec\LiveUpdate

 

2. Configuration files (applying only to WLU)

On Windows 2000, XP and 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate

On Windows Vista, 7 and 2008 or newer:
C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
C:\ProgramData\Symantec\LiveUpdate\Settings.LiveUpdate

 

3. Executables

WLU (any OS)
32 bit: C:\Program Files\Symantec\LiveUpdate\LUALL.exe
64 bit: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe

LUE
32 bit: C:\Program Files\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe
64 bit: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\[Version Number]\Bin\SepLiveUpdate.exe

 

4. Log files

WLU - client and server share the same log location
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\LiveUpdate\Log.Liveupdate

LUE - client logs only
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue

 

5. LiveUpdate downloads

WLU
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\LiveUpdate\Downloads\

LUE (exists only if SEP is downloading from LiveUpdate servers)
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads

 

6. SEP client definition locations

SEP 11.x (WLU)
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\VirusDefs
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Definitions\VirusDefs

SEP 12.1 (LUE)
On Windows 2000, XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
On Windows Vista, 7 and 2008 or newer: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions

The Definitions folder on SEP 12.1 contains several types of definition updates installed on the SEP client; they are located in the following subfolders:

  • BASHDefs - Behavior And Security Heuristics
  • ccSubSDK_SCD_Defs - Submission Control Data
  • EfaVTDefs - Extended File Attributes and Signatures
  • HIDefs - Host Integrity
  • IPSDefs - IPS Signatures
  • IronRevocationDefs - Iron Revocation List
  • IronSettingsDefs - Iron Settings
  • IronWhitelistDefs - Iron Whitelist
  • SRTSPSettingsDefs - SRTSP Settings
  • VirusDefs - Virus Definitions

 

NOTE: The number of definition revisions stored on a SEP client differs between 11.x and 12.1. SEP 11.x stores by default the 3 latest revisions of each definition type; SEP 12.1 stores only the latest revision.

 

7. SEPM LiveUpdate definition locations (WLU)

32 bit: C:\Program Files\Common Files\Symantec Shared\SymcData
64 bit: C:\Program Files (x86)\Common Files\Symantec Shared\SymcData

This folder will contain the following definition subfolders:

  • sepm121RU2ApPrtlLst - AP Portal List
  • sesmIPSdef32 - IPS Signatures Win32
  • sesmIPSdef64 - IPS Signatures Win64
  • spcBASH - Behavior And Security Heuristics
  • spcCIDSdef - CIDS Signatures
  • spcEfaVT - Extended File Attributes and Signatures
  • spcIronRl - Iron Revocation List
  • spcIronS - Iron Settings
  • spcIronWl - Iron Whitelist
  • spcScd - Submission Control Data
  • spcVirDef32 - Virus Definitions Win32
  • spcVirDef64 - Virus Definitions Win64

 

Other Liveupdate elements and considerations

 

1. Content Definitions available on SEPM for client downloads

The definition files are stored in the following location (depending on the 32/64-bit architecture):

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content


The latest definition revisions stored here will be shown as well in the SEPM Java console in "Admin-> Servers-> Local Site-> Show LiveUpdate Downloads".

 

[Screenshot: LU_Downloads.png]

 

The content folder will include several (20-22) subfolders named according to the content definition monikers - this may differ from SEPM to SEPM. The translations of the monikers to content names applying to your SEPM can be found in the following file:

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt
or
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt

 

Examples of monikers for both SEP 12.1 and 11.x:

Symantec Endpoint Protection 12.1:
{535CB6A4-441F-4e8a-A897-804CD859100E}: SEPC Virus Definitions Win32 v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{07B590B3-9282-482f-BBAA-6D515D385869}: SEPC Virus Definitions Win64 (x64) v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{50B092DE-40D5-4724-971B-D3D90E9EE987}: SEPC SRTSP Settings - 12.1 RU2 - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{D6AEBC07-D833-485f-9723-6C908D37F806}: SEPC Behavior And Security Heuristics v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{55DE35DC-862A-44c9-8A2B-3EF451665D0A}: SEPC CIDS Signatures v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages
{B6DC6C8F-46FA-40c7-A806-B669BE1D2D19}: SEPC Submission Control Data - 12.1 - SymAllLanguages
{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}: SEPC Extended File Attributes and Signatures 12.1 RU2 - MicroDefsB.CurDefs - SymAllLanguages
{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}: SEPC Iron Whitelist v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{810D5A61-809F-49c2-BD75-177F0647D2BA}: SEPC Iron Revocation List v12.1 - MicroDefsB.CurDefs - SymAllLanguages
{263395A0-D3D8-4be4-80B5-202C94EF4AA0}: SEPC Iron Settings v12.1 - MicroDefsB.CurDefs - SymAllLanguages

 

Symantec Endpoint Protection 11.x:
{C60DC234-65F9-4674-94AE-62158EFCA433}: SESC Virus Definitions Win32 v11 - MicroDefsB.CurDefs - SymAllLanguages
{1CD85198-26C6-4bac-8C72-5D34B025DE35}: SESC Virus Definitions Win64 (x64) v11 - MicroDefsB.CurDefs - SymAllLanguages
{ECCC5006-EF61-4c99-829A-417B6C6AD963}: Decomposer - 1.0.0 - SymAllLanguages
{C13726A9-8DF7-4583-9B39-105B7EBD55E2}: SEP PTS Engine Win32 - 6.1.0 - SymAllLanguages
{DB206823-FFD2-440a-9B89-CCFD45F3F1CD}: SEP PTS Engine Win64 - 6.1.0 - SymAllLanguages
{EA960B33-2196-4d53-8AC4-D5043A5B6F9B}: SEP PTS Content - 6.1.0 - SymAllLanguages
{C25CEA47-63E5-447b-8D95-C79CAE13FF79}: Symantec Known Application System - 1.5.0 - SymAllLanguages
{812CD25E-1049-4086-9DDD-A4FAE649FBDF}: Symantec Security Content A1 - MicroDefsB.CurDefs - SymAllLanguages
{E1A6B4FF-6873-4200-B6F6-04C13BF38CF3}: Symantec Security Content A1-64 - MicroDefsB.CurDefs - SymAllLanguages
{E5A3EBEE-D580-421e-86DF-54C0B3739522}: Symantec Security Content B1 - MicroDefsB.CurDefs - SymAllLanguages
{CC40C428-1830-44ef-B8B2-920A0B761793}: Symantec Security Content B1-64 - MicroDefsB.CurDefs - SymAllLanguages
{D3769926-05B7-4ad1-9DCF-23051EEE78E3}: SESC IPS Signatures Win32 - 11.0 - SymAllLanguages
{42B17E5E-4E9D-4157-88CB-966FB4985928}: SESC IPS Signatures Win64 - 11.0 - SymAllLanguages
{4F889C4A-784D-40de-8539-6A29BAA43139}: SESC Submission Control Data - 11.0 - SymAllLanguages

 

NOTE: If your SEPM manages both SEP 11.x and 12.1/12.1 RU2 clients, it will download content for both versions; the number of moniker subfolders in the ...\content folder will be greater and will include monikers from both lists above.
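The moniker-to-name translation described above can be automated to audit what a SEPM is actually serving. This is an added example, not code from the article or from Symantec; it assumes ContentInfo.txt lines have the "{GUID}: Name" form shown in the article, that each moniker folder holds one subfolder per downloaded revision (the article does not describe this layout), and the default 64-bit path.

```powershell
# Added example (not from the article): translate the moniker folders under
# SEPM's Inetpub\content via ContentInfo.txt and report the newest revision per
# moniker, so stale or unmapped content stands out. Run on the SEPM host.
# Assumptions (labelled): ContentInfo.txt lines look like "{GUID}: Name" as in
# the article; revisions are subfolders of each moniker folder; default 64-bit path.

function Read-ContentInfo {
    param([Parameter(Mandatory)][string]$Path)
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        # "{GUID}: SEPC Virus Definitions Win32 v12.1 - ..." -> GUID, name
        if ($line -match '^\s*(\{[0-9A-Fa-f-]{36}\})\s*:\s*(.+?)\s*$') {
            $map[$Matches[1].ToUpperInvariant()] = $Matches[2]
        }
    }
    return $map
}

function Get-SepmContentStatus {
    param(
        [string]$ContentRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content',
        [int]$StaleDays = 3   # threshold for daily-updated "MicroDefsB.CurDefs" content
    )
    $names = Read-ContentInfo -Path (Join-Path $ContentRoot 'ContentInfo.txt')
    Get-ChildItem -Path $ContentRoot -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $key    = $_.Name.ToUpperInvariant()
            $newest = Get-ChildItem -Path $_.FullName -Directory -ErrorAction SilentlyContinue |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            $age    = if ($newest) { [int](New-TimeSpan -Start $newest.LastWriteTime -End (Get-Date)).TotalDays } else { $null }
            $name   = if ($names.ContainsKey($key)) { $names[$key] } else { '(not listed in ContentInfo.txt)' }
            # Engines such as Decomposer or PTS change rarely, so only definition
            # content ("CurDefs") is judged against the staleness threshold.
            $stale  = ($null -eq $newest) -or ($name -match 'CurDefs' -and $age -gt $StaleDays)
            [pscustomobject]@{
                Moniker  = $_.Name
                Content  = $name
                Revision = if ($newest) { $newest.Name } else { '(none)' }
                AgeDays  = $age
                Stale    = $stale
            }
        } | Sort-Object -Property @{ Expression = 'Stale'; Descending = $true }, Content
}

Get-SepmContentStatus | Format-Table -AutoSize
```

A moniker folder flagged Stale with a "CurDefs" name is the first place to look when clients report old definitions, since that is the content SEPM hands to them.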

 

2. LiveUpdate versions

When speaking about LiveUpdate component versions we refer only to WLU. A specific SEP or SEPM version pairs with a specific LU version; the two are designed to work together, which becomes very important when we need to reinstall LU on a machine. Using an LU version that does not correspond to our SEP or SEPM version can cause many unexpected problems. Below is the list of all recent SEP 12.1 and 11.x releases with their corresponding LiveUpdate versions:

SEP 12.1 RU2 (MP1) / RU3 / RU4: LU 3.3.100.15
SEP 12.1 RU1 MP1: LU 3.3.2.2
SEP 12.1 and 12.1 RU1: LU 3.3.1.23
SEP 11.0 RU7 MP2 / MP3 / MP4: LU 3.3.0.115
SEP 11.0 RU7 (MP1): LU 3.3.0.107
SEP 11.0 RU6 MP3: LU 3.3.0.101

 

[Screenshot: CP.png]

 

NOTE: Be aware that when browsing online resources you may come across the newer LiveUpdate version 3.5. This version is only for Norton Home & Home Office products and is not intended for use with Symantec enterprise products such as Symantec Endpoint Protection or Symantec AntiVirus!

 

3. LU Session initiation from GUI on SEP Clients

Regardless of whether we are dealing with a SEP 11.x or 12.1 client, starting the LU session from the SEP GUI is exactly the same: we click the "LiveUpdate" button in the SEP client GUI to run the session. Depending on the settings pushed from SEPM there are a few things to consider here:

  • The LiveUpdate button may be greyed out -> the LiveUpdate session settings are strictly managed from SEPM and the SEP client user is not allowed to start a session locally. Normally in this case the session will start according to the schedule (if the client downloads updates from a LiveUpdate server) or on the next heartbeat from SEPM if new definitions are available.
  • The LiveUpdate button is available but no window pops up when clicked -> the user is allowed to initiate the LU session and the session runs in silent mode. This happens when a SEP 11.x client has both the SEPM server and a LU server set as possible update sources. A manually initiated session will download from the LiveUpdate server only. The recommended way for the user to check that the session has started is to open the SEP System log and search for the entries indicating this.
  • The LiveUpdate button is available and a window pops up when clicked, showing the LU Express session -> the user is allowed to initiate the LU session and the source of the updates is the LiveUpdate server. The user sees the session progress in the pop-up window and is informed about session completion or failure. Additionally, the user may compare the corresponding log entries about the session result.

 

[Screenshot: LU_11.png]

 

4. LU Session initiation from command prompt on SEP Clients

This method can be combined with scripts or task manager if required: both WLU and LUE have a specific executable for starting the LU session, LUALL.exe for WLU and SepLiveUpdate.exe for LUE. The locations of these executables are shown under "File locations" in this article. It is important to note that executing LUALL.exe gives either an express mode or an interactive mode session, depending on the Symantec LiveUpdate applet setting in Control Panel. Executing SepLiveUpdate.exe by default results in a silent session without any user interaction.
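Putting the command-line method together with the log locations from the "File locations" section: the following added example (not code from the article or from Symantec) picks the executable that applies to the client, runs it from an elevated prompt and shows what the engine logged. It assumes SEP is installed under the default paths listed above and locates the 12.1 [Version Number] folder by listing the product directory.

```powershell
# Added example (not from the article): start a client LiveUpdate session from
# the command line and verify it against Log.Lue (LUE) or Log.LiveUpdate (WLU).
# Assumptions (labelled): default install paths from the article; the 12.1
# version folder is found by listing the product directory; elevated prompt.

function Get-SepLiveUpdateLauncher {
    # Per the article: SEP 12.1 -> LUE (SepLiveUpdate.exe, Log.Lue)
    #                  SEP 11.x -> WLU (LUALL.exe, Log.LiveUpdate)
    # CommonApplicationData is "Documents and Settings\All Users\Application Data"
    # on XP/2003 and "ProgramData" on Vista/2008 and newer, covering both columns.
    $data  = [Environment]::GetFolderPath('CommonApplicationData')
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $sepDir = Join-Path $root 'Symantec\Symantec Endpoint Protection'
        $lue = Get-ChildItem -Path $sepDir -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'Bin\SepLiveUpdate.exe' } |
               Where-Object { Test-Path -Path $_ } | Select-Object -First 1
        if ($lue) {
            return [pscustomobject]@{ Engine = 'LUE'; Exe = $lue
                Log = Join-Path $data 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue' }
        }
        $wlu = Join-Path $root 'Symantec\LiveUpdate\LUALL.exe'
        if (Test-Path -Path $wlu) {
            return [pscustomobject]@{ Engine = 'WLU'; Exe = $wlu
                Log = Join-Path $data 'Symantec\LiveUpdate\Log.LiveUpdate' }
        }
    }
    throw 'Neither SepLiveUpdate.exe (LUE) nor LUALL.exe (WLU) was found in the default locations.'
}

function Start-SepLiveUpdateSession {
    param([int]$TimeoutSeconds = 900)
    $lu = Get-SepLiveUpdateLauncher
    # Remember the current log length so only lines from this session are shown.
    $before = if (Test-Path -Path $lu.Log) { @(Get-Content -Path $lu.Log -ErrorAction SilentlyContinue).Count } else { 0 }
    Write-Host "Starting $($lu.Engine) session: $($lu.Exe)"
    $proc = Start-Process -FilePath $lu.Exe -PassThru
    # SepLiveUpdate.exe runs silently and the process may return before the
    # session is finished, so poll the log rather than trusting the exit alone.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $lines = if (Test-Path -Path $lu.Log) { @(Get-Content -Path $lu.Log -ErrorAction SilentlyContinue) } else { @() }
        $new = $lines | Select-Object -Skip $before
    } while ((-not $proc.HasExited -or -not $new) -and (Get-Date) -lt $deadline)
    if (-not $new) {
        $hint = if ($lu.Engine -eq 'LUE') {
            'LUE only logs downloads from a LiveUpdate server (LUA or Symantec); sessions served by SEPM or a GUP show up in the SEP System log instead.'
        } else { 'check the Symantec LiveUpdate applet settings and whether Log.LiveUpdate is writable.' }
        Write-Warning "No new entries in $($lu.Log) within $TimeoutSeconds s; $hint"
        return
    }
    # Echo the session lines, highlighting anything that looks like a failure.
    $new | ForEach-Object { if ($_ -match 'error|fail') { Write-Warning $_ } else { Write-Host $_ } }
}

Start-SepLiveUpdateSession
```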

 

5. LU Session initiation on SEPM

For SEPM Server we can start the LU Session either directly from SEPM console (Admin -> Servers -> Local Site -> Download Liveupdate Content) or by executing the LUALL.exe in the same manner as on the SEP Client (described above).

 

6. LU reinstallation

As already indicated, only WLU can be reinstalled, as the LUE is integrated within the client itself. Recommended steps for reinstallation of the LU component on either a SEP 11.x client or a SEPM server are:

1. Remove LiveUpdate from "Add/Remove Programs"
2. Reboot the machine
3. In Windows Explorer, delete the following folders if they are present, without saving the existing content (according to the version and OS in use):
- C:\ProgramData\Symantec\LiveUpdate
- C:\ProgramData\Application Data\Symantec\LiveUpdate
- C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
- C:\Program Files (x86)\Symantec\LiveUpdate (64bit)
4. Install LU using lusetup.exe (execute with local admin rights - built-in administrator; take into consideration the appropriate LU version for your SEP/SEPM)
5. Re-register the LU component with the SEP client or SEPM
* [SEPM] -> in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin:
- Type lucatalog -cleanup and press Enter.
- Type lucatalog -forcedupdate and press Enter (SEPM 12.1)
* [SEP Client] -> run a repair on the SEP client from "Add/Remove Programs"
6. In C:\Program Files (x86)\Symantec\LiveUpdate start luall.exe (execute with local admin rights)
7. Let the LiveUpdate express session run to the end and check whether any errors occur
8. [SEPM ONLY] If the session was successful, check the path "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" to see whether any content was downloaded under the respective moniker folders

 

NOTE: Note the different commands for re-registering the LU component with SEPM, depending on the SEPM version:
* for SEPM 11.x commands are: "lucatalog -cleanup" and "lucatalog -update"
* for SEPM 12.1 commands are: "lucatalog -cleanup" and "lucatalog -forcedupdate"

 

7. Liveupdate policy for SEP client

This policy is used to specify the source of definition updates for SEP clients as well as the update schedule. Possible update sources are:

• Management Server (SEPM)
• Group Update Provider (GUP)
• Symantec Internet Liveupdate Server
• Internal Liveupdate Server (LUA)
• Third Party Management (TPM) - in most cases manual update through Intelligent Updater or .jdb file

 

[Screenshot: LU_policy.png]

 

NOTE: The schedule for LU downloads as seen in the LU policy (see screenshot) applies only to updates from either the Symantec Internet LiveUpdate servers or an internal LiveUpdate server (LUA). Even if set, the schedule is not honored for downloads from SEPM/GUP. For those downloads there is currently no way to set up a schedule, as they are initiated according to the heartbeat (pull mode) or as soon as definitions are available (push mode).

 

[Screenshot: LU_schedule.png]

 

Reference for configuration of Liveupdate policy for SEP clients:
Configure liveupdate to run on client computers - Part 1
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-client-updates-when-client-computers-are-idle

 

8. Liveupdate settings for SEPM Server

These settings configure the definition download source for the SEPM server. The possibilities are either the Symantec Internet LiveUpdate server or an internal LiveUpdate server (LUA). LiveUpdate settings for SEPM can be configured in "Admin -> Servers -> Local Site -> Edit Properties -> LiveUpdate".

 

[Screenshot: LU_SEPM.png]

 

NOTE: There is no direct way to configure LU on a SEPM to download updates from another SEPM. Such functionality is only possible outside the LU scope, where two or more SEPM servers are set up in a failover or replication configuration.

 

Reference for configuration of Liveupdate settings for SEPM Server:
Configure liveupdate to run on Symantec Endpoint Protection Manager (SEPM) - Part 2
https://www-secure.symantec.com/connect/articles/configure-liveupdate-run-symantec-endpoint-protection-manager-sepm-part-2

 

Further links and references

Windows LiveUpdate Client for Use with Symantec Endpoint Protection Manager 12.1
http://www.symantec.com/docs/TECH181305  
About LiveUpdate in Symantec Endpoint Protection version 12.1
https://www-secure.symantec.com/connect/articles/about-liveupdate-symantec-endpoint-protection-version-121-0
How to Uninstall and Reinstall LiveUpdate on SEPM 12.1 (Enterprise Edition or Small Business Edition)
http://www.symantec.com/docs/TECH171060
How to Uninstall and Reinstall LiveUpdate When a Symantec Endpoint Protection Manager or Symantec Endpoint Protection Client is Installed (SEP 11.x)
http://www.symantec.com/docs/TECH102609
The Log.LiveUpdate file is missing or out of date on a Symantec Endpoint Protection 12.1 client
http://www.symantec.com/docs/TECH168602
How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH102467

Comments

Sep 12, 2013 01:29 PM

Interesting article.  Great job.

Sep 11, 2013 06:00 AM

Good work... nothing better than this.

Sep 10, 2013 01:47 PM

No better guide than this on the differences between the two. Your hard work is quite evident. Very awesome.

Looking forward to more articles like this in the future.
