Troubleshooting LiveUpdate Issues with Symantec Endpoint Protection
Question/Issue: Troubleshooting LiveUpdate issues
Symptoms: Virus definitions not updating
Solution:
This document helps you decide in which direction to troubleshoot.
Refer to the flowchart below to isolate the issue you are facing. The explanatory points at the bottom of the document elaborate on those steps.
Troubleshoot communication issues:
1. Make sure that you are able to browse to the websites below:
a. liveupdate.symantecliveupdate.com
b. liveupdate.symantec.com
c. symantec.com
2. Make sure that the perimeter firewall has exceptions for the websites above.
3. Run a packet capture and contact support for analysis.
Check connectivity between SEP and SEPM:
1. Run a secars test to check connectivity between SEP and SEPM:
Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager
[ http://service1.symantec.com/support/ent-security.... ]
2. Get the SylinkMonitor logs and check the communication for errors:
SylinkWatcher and SylinkMonitor - tools for real-time debugging of SPA 5.x and SEP 11.x
http://service1.symantec.com/support/ent-security....
Remove corrupt definitions:
1. How to clear out corrupted definitions for a Symantec Endpoint Protection Client [ http://service1.symantec.com/support/ent-security.... ]
Check whether SEPM has the latest definitions:
1. Open SEPM > Admin > Servers > Local Site.
2. Click Show LiveUpdate Downloads.
3. Make sure that the dates of the 32-bit and 64-bit 'Virus & Spyware Definitions' are current.
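The connectivity checks from the two sections above, scripted as an added PowerShell example (not part of the original article): it resolves and TCP-connects to the three LiveUpdate hosts and runs the secars test against the SEPM. The SEPM host name is a placeholder; the secars URL form and port 8014 (the SEPM default) are assumptions taken from Symantec's standard connectivity test.

```powershell
# Added example, not from the original article. Hosts are the three named above;
# $sepm is a placeholder and the secars URL/port are assumptions (see lead-in).
$liveUpdateHosts = 'liveupdate.symantecliveupdate.com', 'liveupdate.symantec.com', 'symantec.com'
$sepm     = 'sepm.example.local'   # placeholder: your SEPM host name
$sepmPort = 8014                   # assumed: default SEPM client communication port

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped SYN does not hang the script.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LiveUpdateHosts {
    # Step 1 of "Troubleshoot communication issues": DNS resolution and TCP/80 reachability.
    foreach ($h in $liveUpdateHosts) {
        $ip = $null
        try { $ip = [System.Net.Dns]::GetHostAddresses($h)[0].IPAddressToString } catch {}
        [pscustomobject]@{
            Host     = $h
            Resolves = [bool]$ip
            Tcp80    = $(if ($ip) { Test-TcpPort -ComputerName $h -Port 80 } else { $false })
        }
    }
}

function Test-Secars {
    # Step 1 of "Check connectivity between SEP and SEPM": the SEPM answers "OK" when
    # its IIS secars path is reachable from this client.
    param([string]$Server = $sepm, [int]$Port = $sepmPort)
    $url = "http://${Server}:$Port/secars/secars.dll?hello,secars"
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($url)
        return ($body.Trim() -eq 'OK')
    } catch {
        Write-Warning "secars test failed: $($_.Exception.Message)"
        return $false
    }
}

Test-LiveUpdateHosts | Format-Table -AutoSize
"secars test against ${sepm}: " + (Test-Secars)
```

A host that resolves but fails Tcp80 points at the perimeter firewall (step 2); a failed secars test points at the SEP-to-SEPM path rather than at LiveUpdate itself.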
That flowchart is awesome. Well done.
Yeah Great Job
This flowchart has a logical structure for troubleshooting the issue. Nice one, I like it very much.
liveupdate in 11.0.4 unmanaged client
I started updating a small company with 4 unmanaged PCs running SAV 10.1.5.5000. On the first PC I tried, the SAV client uninstalled successfully, then I restarted to install the SEP client 11.0.4 with no errors. I ran the update, but it only updated Proactive to the current date, not the AV-AS or Network modules. LiveUpdate thinks that all modules are up-to-date. I don't know if I should reinstall the client or what. I will see if this happens on all 4 PCs and report back.
Need help with deleting .tmp files in xfer directory?
hjlubansky: Did you reboot again after installing SEP? Not all components can be updated until after a post-install reboot.
Thanks a lot
A very helpful flowchart. Many thanks.
But what about replacing "sylink.xml" when corrupted? I think this can fit somewhere in the chart.
GUP's not updating clients
I have remote sites, so I am trying to update the clients using GUPs locally. When I have the clients connecting to the SEPM they update virus defs OK; as soon as I turn on GUPs at the site they do not get the latest definitions.
I have tried entering the GUPs using FQDNs and IP addresses with no results.
The remote GUPs are also my WSUS servers. Are there any known conflicts? The firewalls are all switched off and the WSUS servers use a different port number to communicate.
Is there an error log I can check on the clients that will give me more detailed information than the basic logs in SEP (View Logs > Client Management > System Log on the clients)?
Please help
KR
Jamie
A few things to consider about GUPs:
1. The GUP computer should be in the same group as the machines it is supposed to update.
2. Make sure that the policy is configured correctly and the computers have received it.
3. On the client side, you can confirm whether the new GUP configuration has been published by confirming the presence of the following registry keys:
UseMasterClient is set to 1
MasterClientPort: GUP port
MasterClientHost: IP address of GUP machine
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
4. Make sure that the machine acting as a GUP has the latest definitions and has a folder named SharedDefs in the C:\program files\symantec\symantec endpoint protection\ folder.
Also, please refer to the documents below for more information on GUPs:
Best practices for Group Update Provider (GUP)
http://service1.symantec.com/support/ent-security....
Symantec Endpoint Protection 11.0 Group Update Provider (GUP)
http://service1.symantec.com/support/ent-security....
How to configure GUP bandwidth throttling in Symantec Endpoint Protection 11.0 MR4?
http://service1.symantec.com/support/ent-security....
Hope this helps,
Cheers,
Aniket
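To make the registry check in the comment above repeatable across many clients, here is an added PowerShell example (not Aniket's or Symantec's code). The key path and value names are the ones listed in the comment; the Wow6432Node and Program Files (x86) variants are assumptions for the 32-bit SEP client on 64-bit Windows.

```powershell
# Added example: reads the three GUP values Aniket lists, checks that the configured GUP
# answers on its port, and (when run on the GUP itself) that SharedDefs exists.
# Assumption: on 64-bit Windows the 32-bit SEP 11 client keeps its key under Wow6432Node.
$luKeys = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate',
          'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\LiveUpdate'
$sharedDefs = 'C:\Program Files\Symantec\Symantec Endpoint Protection\SharedDefs',
              'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SharedDefs'

function Test-GupPort {
    param([string]$GupHost, [int]$Port)
    $c = New-Object System.Net.Sockets.TcpClient
    try { $c.Connect($GupHost, $Port); $true } catch { $false } finally { $c.Close() }
}

function Get-SepGupStatus {
    $key = $luKeys | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { Write-Warning 'SEP LiveUpdate key not found; is the SEP client installed?'; return }
    $lu = Get-ItemProperty -Path $key
    $status = [ordered]@{
        UseMasterClient  = $lu.UseMasterClient
        MasterClientHost = $lu.MasterClientHost
        MasterClientPort = $lu.MasterClientPort
        GupReachable     = $null
        # Only meaningful on the GUP machine itself; $false on an ordinary client.
        SharedDefsFolder = [bool]($sharedDefs | Where-Object { Test-Path $_ })
    }
    if ($lu.UseMasterClient -ne 1) {
        Write-Warning 'UseMasterClient is not 1: the GUP policy has not reached this client yet.'
    } elseif (-not $lu.MasterClientHost -or -not $lu.MasterClientPort) {
        Write-Warning 'MasterClientHost/MasterClientPort missing: the policy names no usable GUP.'
    } else {
        $status.GupReachable = Test-GupPort $lu.MasterClientHost ([int]$lu.MasterClientPort)
        if (-not $status.GupReachable) {
            Write-Warning "Cannot reach GUP $($lu.MasterClientHost):$($lu.MasterClientPort); check host firewalls and the GUP service."
        }
    }
    [pscustomobject]$status
}

Get-SepGupStatus | Format-List
```

Run it on a client that is not updating: UseMasterClient still 0 means the policy has not arrived (point 2), while a correct host and port with GupReachable false means the GUP itself or the path to it is the problem.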
Re
Nice article, will definitely bookmark this. But sir, can you also post Error Codes list and explanation?
Re
Brilliant work Aniket, keep it up.
Nirav Mistry
Really Appreciated :-).
Thanks and keep posting such excellent documents.
Rgrds,
SAM
Remove Clients From SEPM
Very nice improvements, but I hope removing clients remotely from SEPM will be added.
endpoint protection - microsoft7
We have recently installed microsoft7.
We are running Norton Ghost 14.0
We get an error message which says:
End point protection is not compatible with this version of windows.
Any assistance would be greatly appreciated :)
Permission on C:\WINDOWS\WinSxS
You just need to give the administrator permission on the C:\WINDOWS\WinSxS folder.
And you need to enable the built-in administrator and log in using that. I have successfully installed SEP on a few Win7 machines. It works fine.
Do not install PTP and NTP yet, as they are officially not supported by Symantec, so you won't get support on them.
SEPM and WSUS
The only issue that I have come across with SEPM and WSUS is that when you install SEPM and WSUS on the same server, you must install them into separate sites. The problem with installing them into the same site is that, depending on which product you install first, one of them will be broken.
We already had WSUS v3 installed on some of our servers. Installed SEPM and then wondered why we had WSUS errors. We found out that the content section for WSUS in IIS was actually directed to the path for SEP content updates.
So if you install SEPM, install to own website not default.
Other things you may also have to think about outside this is:
On a Windows 2008 server using the Network Policy Server with SEPM installed, the NPS may not work correctly and you may also have issues with WSUS updates/BITS. This is because we found SEPM hogging the port these use. Once we stopped and disabled the SEPM service, WSUS and BITS were OK after a reboot. This may have been caused by installing to the default port of 8014, but I'm not sure. Does anyone else have the same issue, and has this now been resolved as part of SEP11 MR4 MP2?
Regards,
Jon Logan
Network Design Engineer
Unisys Australia
Good Work
Really Appreciated : )
Virus definitions not updating
Brand new computer-installed Endpoint
Tried to update in order to begin set up--Keeps freezing and does not complete the update. Two "mistakes" reported--"Fix all" or Detail do not work either.
Error codes: 536805375
Downloaded Endpoint Support Tool (HTTP) but need to know how to run it--Where do I access it?
Victoria
Re
Download the SEP Support Tool from here:
http://www.symantec.com/techsupp/home_homeoffice/p...
Run it, select appropriate scenario then run.
Good Article
Regards'
Ajit Jha
TechSupport Engineer
STS
LiveUpdate
This information is pretty cool!
very good article
Wonderful Job
The flowchart is good; more tips on error codes would be really good.
Good Chart - Still having problems
Have a site with 1000 users. Have to manually update within Console Manager to get the updates; it does not happen on its own. WSUS and SEPM are on the same server, in different sites. Have run the tool and found a few IIS issues, but nothing serious. Have updated SEPM to 11.0.4202.75. Clients are updating over the next week. Clients now reflect correct information in the Console with the upgrade to the Management Console. But still LU does not automatically update, and clients do not update until you manually run LU on the console. Clients are pulling from MC. Don't have a warm fuzzy about WSUS and SEPM on the same system, but it looks to be set up correctly. Clients do get the updates and I ran all the tests. They connect. It just doesn't seem to happen unless you manually update and also use Windows Scheduler. Any thoughts?
"and also use Windows Scheduler" ...did you mean that you created a scheduled task to launch liveupdate?
In case this issue is related to permissions: when you run LiveUpdate manually, it uses the account with which you have logged on. However, when LiveUpdate runs automatically, it uses the System account. If the System account does not have enough rights, you can face a similar issue.
Cheers,
Aniket
problems with update
hi There
I am having a problem updating my virus def version on my SEP v11 server.
I have downloaded a .jdb extension file from Symantec and uploaded it as explained,
but none of my clients are able to take updates from the server.
Please let me know if you have had this problem and what the solution has been.
best regards
nethy
Hi,
Thanks for writing.
The JDB file will only update the antivirus and antispyware part of the SEPM. The definitions for the other components need to be downloaded from SEPM only.
Did you follow the flowchart above? Where do you think is the problem?
Cheers,
Aniket
I hope this would help in the troubleshooting...
Regards,
Minnie Tuteja
Global Customer Support Services
Symantec Corporation
www.symantec.com
thanks, this is valuable and solve one case for me.
The FlowChart is nice. It gives more tips on Error.
And whole article is very good.
Nice job
Network Threat Protection Virus definitions waiting for updates
I have two XP and one Vista computers. I installed unmanaged Endpoint 11 MR4 with Antivirus and Antispyware Protection, Proactive Threat Protection and Network Threat Protection. All three show green, but for Network Threat Protection the definitions display "waiting for updates".
I reinstalled the software more than once and disabled the Windows firewall. Still waiting for updates, and this is on all three, and I'm running unmanaged. Thanks for your assistance.
Thoughts
Are you sure it is Network Threat Protection showing "Waiting for updates..." and not Proactive Threat Protection?
Is it a 64 bit operating system?
I don't use Symantec Endpoint Protection.
The flowchart above is my guideline right now, since we have had a problem in SEPM since the last virus def it got was August 8; at the same time clients are giving us an offline status in the SEP client.
;-)
It does give system admins a good way to trace problems. Thanks a lot!
95 of 110 clients do not get Live Update
I have gone through the troubleshooting chart, which was great by the way; the communication test is OK. Do I have to do the 'remove corrupt definitions' process on all 95 of my clients?
Do it on one client. If, after removing the corrupt definitions, that client gets the virus definitions, then we have the solution.
The next thing to figure out would be the best strategy to do it on all the clients.
Let me know if this step works for you.
Cheers,
Aniket
It would be nice to know what options we have to fix corrupt definitions on many machines. About 30% of our client base seems to be problematic as well, and we have little interest in doing it manually.
What options do we have to fix SEP issues remotely?
Nice Flow Chart
...Now if we could get ACERT to publish a (SIPR) LiveUpdate troubleshooting guide, that would be fantastic.
Hello Guys,
Thank you all for your responses. The flowchart above has been published as a Knowledge Base article. It can be accessed using the link below:
http://service1.symantec.com/SUPPORT/ent-security....
Best,
Aniket
Dear Aniket,
Good work..
Great
I wanted to add that I had a long-running issue where LiveUpdate was failing on my SEPM server. It turns out that my Windows 2003 server's Internet Explorer proxy settings were incorrect.
But it wasn't as easy as that. It never is, is it?
The proxy settings were incorrect ONLY when Internet Explorer was being run as the SYSTEM account, so the only way I could fix this was to run IE as SYSTEM and change the proxy settings.
Just FYI :)
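Both this comment and Aniket's earlier note about LiveUpdate running as the System account point at the same check: do the SYSTEM account's proxy settings match the ones you see when logged on? Here is an added PowerShell example (not from either commenter or from Symantec) that reads both hives and reports the differences. It assumes an elevated prompt, since HKEY_USERS\S-1-5-18 is not readable otherwise, and that SYSTEM's WinINET settings live under S-1-5-18 or, on older Windows, .DEFAULT, so it tries both.

```powershell
# Added example: compares WinINET proxy settings of the logged-on user with those of
# the SYSTEM account that scheduled LiveUpdate runs as.
# Assumptions: run elevated; SYSTEM's hive is HKU\S-1-5-18 or HKU\.DEFAULT (both tried).
$relPath     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$userPath    = "HKCU:\$relPath"
$systemPaths = "Registry::HKEY_USERS\S-1-5-18\$relPath", "Registry::HKEY_USERS\.DEFAULT\$relPath"
$names       = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

function Get-ProxySettings {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path
    $o = [ordered]@{}
    foreach ($n in $names) { $o[$n] = $p.$n }   # absent values come back as $null
    [pscustomobject]$o
}

function Compare-ProxySettings {
    $user = Get-ProxySettings $userPath
    $sys  = $null
    foreach ($sp in $systemPaths) { if (-not $sys) { $sys = Get-ProxySettings $sp } }
    if (-not $sys) { Write-Warning 'Cannot read the SYSTEM hive; run from an elevated prompt.'; return }
    foreach ($n in $names) {
        [pscustomobject]@{
            Setting     = $n
            CurrentUser = $user.$n
            SYSTEM      = $sys.$n
            Match       = ("$($user.$n)" -eq "$($sys.$n)")
        }
    }
}

# Match = False on ProxyEnable or ProxyServer is exactly the situation described above:
# a manual LiveUpdate under your account works, the scheduled one under SYSTEM cannot reach the proxy.
Compare-ProxySettings | Format-Table -AutoSize
```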
Great work. This will help me with many issues.
first time distribution issue
I plan to use distribution centers for client updates which reside on our WAN network and will receive update data from LUA. When I distribute for the first time and check the activity monitor, there is about 400 MB of data that must be transferred to the distribution centers. How do I manage this, because the data size is too large for our WAN network? I only chose SESC Virus Definition Win32B, Symantec Security Content A1 and B1, Symantec Known Appl, and SESC IPS Signature Win32.
SEPM server not getting updated
In spite of having all the settings proper, we are still not able to get the latest definition updates. No errors are received. The server doesn't return any error. It simply says there are no updates.
Following is the log-
October 2, 2009 9:04:24 AM GMT+05:30: LiveUpdate retry succeeded. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:24 AM GMT+05:30: LUALL.EXE finished running. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:24 AM GMT+05:30: LUALL.EXE finished. There were no new content updates. Return code = 1. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:07 AM GMT+05:30: Symantec Endpoint Protection Win64 11.0.4202.75 (English) is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:04 AM GMT+05:30: Symantec Endpoint Protection Win32 11.0.4202.75 (English) is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:00 AM GMT+05:30: TruScan proactive threat scan engine Win32 11.0 is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:04:00 AM GMT+05:30: TruScan proactive threat scan commercial application list Win32 11.0 is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:03:59 AM GMT+05:30: TruScan proactive threat scan whitelist Win64 11.0 is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:03:59 AM GMT+05:30: Intrusion Prevention signatures Win64 11.0 is up-to-date. [Site: CT1] [Server: antivirus]
October 2, 2009 9:03:58 AM GMT+05:30: TruScan proactive threat scan engine Win64 11.0 is up-to-date. [Site: CT1] [Server: antivirus]
I have allowed a specific client to fetch updates directly from Symantec liveupdate server. In that case the client is able to get the latest updates. But SEPM server doesn't.
Please suggest on this.
Nice, but...
Hi-
This is a great article; however, it is geared to the technician or the administrator. We have an infrastructure of over 8500 clients, mostly mobile. We ran SAV for 4 years with almost no issues with LiveUpdate getting definitions onto the clients.
We currently have a limited pilot program of SEP11 MR4MP2 of which 27 are on mobile devices and have experienced Live Update almost a dozen times. This is not a SEP issue, but an issue with the Shared Technology client Live Update, and how SEP utilizes LU.
A significant change was made in SEP from going from weekly (or daily for some customers) Live Updates, to multiple daily Live Updates. After a specific number of missed updates, the Live Update client in SEP changes from the mini def update to get the full definition download from Live Update. This is what is happening and is what is appearing as "corrupted definitions". The definitions are not corrupted, the catalog file is only checking for 4 updates instead of 14 or more, and reports that the definitions are current. This is an issue with the Live Update component.
We have seen this as a repeatable process and can repeat it on demand. If a client is not connected to the network for a period of time (shut off, etc.) and is then brought up in a state that happens to use one of our NLA settings and is known to be outside of our corporate LAN, the LiveUpdate will fail. We can bring the device into the corporate LAN and all of a sudden the SEP client updates with no problem, even though we have 2 SEPMs in the DMZ specifically to give updates to our mobile clients.
This will not work for the average user. This is a defect that needs to be addressed by Symantec. The consumer versions Norton 360 and NIS do not have this problem with LiveUpdate.
We will not be rolling out SEP to any mobile devices until this issue is addressed and FIXED, and not with a workaround. We will only roll this out to well-connected clients.
Hi Aniket,
Really, it's a wonderful flowchart.
I want to ask your opinion on SEP uninstallation and reinstallation for update issues. How useful is it?
Most people do a reinstallation of SEP if they don't get updates.
Hi,
Re-installation should only be an alternative if you have ruled out all other causes mentioned in the flowchart. Re-installation should be considered a last resort, not a useful troubleshooting step.
Best,
Aniket
Error message Extend WG Protocol failed to start
Event
Date 10/19/2009 source: service control Manager
Time: 11:42:23 AM Category: None
Type: Error Event ID: 7000
User: N/A
Computer: WEP9853
Description:
______________________________________________________________________________
The Extend WG Protocol Driver Service failed to start due to the following error:
The system cannot find the File Specified.
For more information, See help and Support at http://go.microsoft.com/fwlink/events.asp
______________________________________________________________________________
I went to this website and all I found was a bunch of really upset and frustrated people who would like an answer to the reason for this error.
Please help, as this site could not
Thanks
Jeff
I too would like to get the answer, as it's happening with a lot of my computers in the network.