
From the Client Side, how can you see which GUP it is using?

Created: 14 Feb 2013 • Updated: 14 Feb 2013 | 38 comments
This issue has been solved. See solution.

Windows 7 64 Bit Clients


.Brian's picture

If you check the System log on the client, it will tell you which GUP it used

https://www-secure.symantec.com/connect/forums/how...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

Look in the System log in the Client management on the SEP client GUI - you should see entries there showing that the definitions have been downloaded from the GUP.

The Conquistador's picture

This is like looking for a needle in a haystack, do you have the event ID?

SebastianZ's picture

SEP log does not really have event IDs - look for entries starting with "Downloaded new content from..."

 

- another more detailed check is possible if you enable sylink debugging on the client - the log will show you which GUP is asked for the update and exactly what file is being requested:

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry
Article: TECH104758 | Created: 2008-01-18 | Updated: 2012-08-20 | Article URL: http://www.symantec.com/docs/TECH104758
 

.Brian's picture

Not sure there would be one in the SEP client.

You can view from the SEPM as well though

On the Monitors tab set the log type to System

Set log content to Client Activity

Click on Advanced settings and you can add the specific IP/hostname and click View log. It will show "Downloaded new content update from Group Update Provider..."


The Conquistador's picture

I get to the last part, where the computer field is, there is a * and it won't let me change it.

.Brian's picture

Why not, lol?

Really? I just typed in a PC name, works fine...weird.


The Conquistador's picture

Had to restart the client, I have it narrowed down and the logs, but I still do not see the SOURCE of where the definitions are coming from.

.Brian's picture

They're there mi amigo. As long as it downloads from the GUP it will be noted in the System log. Otherwise it should say "downloaded new content update from the management server successfully" if it came from SEPM.


The Conquistador's picture

OK, I found it, but this is pointing to the main server for updates, not the GUP. It is in the right group to receive the updates. Not sure why it is bypassing the GUP and getting definitions from my SEPM server.

.Brian's picture

In your policy, check out the GUP settings, do you have the option "maximum time that clients try to download updates from a GUP before trying the default management server" set to "After" "x" minutes?


.Brian's picture

Would seem to be a policy issue, does the client have the same policy serial number as what's showing in SEPM?


The Conquistador's picture

All of the clients in that group show the same Policy serial number, including the PC in question.

I copied over a new Sylink.xml hoping that will correct the issue.

I can't have clients "going rogue" and bypassing the local GUP server, it really kills bandwidth.

The Conquistador's picture

I'm sorry man, and I am beginning to feel really dense, but where do I find the policy serial number on the client side?

.Brian's picture

Help >> Troubleshooting

Right smack in the middle is the "Policy Serial Number"


The Conquistador's picture

Sorry, my dopey behind was looking at an unmanaged client.

OK, I see the policy number on the client and SEPM side match.

.Brian's picture

You should enable sylink logging on the client and let it run about an hour so we can check out the logs.


.Brian's picture

And that's where I'm lost because you had already said tamper protection was disabled...


The Conquistador's picture

I still have the GUP issue with my other site as well. I have even reinstalled the clients and still only ONE is communicating with the GUP. I am totally at a loss.

SebastianZ's picture

I believe the error on your screenshot here is a bit different than the one given when Tamper Protection blocks the access to these keys. Something OS related? - can you check the permissions on whole registry key for Symantec/sylink?

The Conquistador's picture

I'm sorry, I thought you were referring to the Windows event viewer in this post. Oops :-(

SebastianZ's picture

One other possibility would be the GUP distribution monitor tool:

https://www-secure.symantec.com/connect/videos/sep...

 

...and another KB to the sylink check:

How to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers (GUPs)
Article: TECH97190 | Created: 2009-01-03 | Updated: 2011-08-16 | Article URL: http://www.symantec.com/docs/TECH97190

Chetan Savade's picture

Hi,

The following fix note is in the SEP 12.1 RU2 version; check whether it's related to you.

Client bypasses the newly promoted Group Update Provider despite policy that states it should never bypass the Group Update Provider
Fix ID: 2757957
Symptom: Clients bypass newly promoted Group Update Provider and contact Symantec Endpoint Protection Manager directly for content, even though policy states it should never bypass the Group Update Provider.
Solution: Client does not bypass the Group Update Provider if policy is set to "never bypass," even if the new Group Update Provider's guplist.xml is still empty
 
Reference: http://www.symantec.com/business/support/index?page=content&id=TECH199676
 
 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

.Brian's picture

In the GUP policy, I think it was the setting I already mentioned in a post at the top.


The Conquistador's picture

Yes, it was something we talked about earlier. The setting is as it should be.

Chetan Savade's picture

Hi Bryan,

If you are not using the SEP 12.1 RU2 version, then you need to upgrade and check.


James-x's picture

Hello Brian,

Can you please run SymHelp (http://www.symantec.com/docs/TECH170752) on the client which should be using a GUP but is, instead, going to the SEPM for updates?

When you run the utility, put a checkmark in "Full data collection for support".

Once you save the report, attach it to a reply so I can review it. This will allow me to see the configured policies for the client and basic client info.

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

The Conquistador's picture

IPS Definitions and Download Protection Definitions DO update, but SONAR does not and Virus Definitions don't.

Any ideas?

James-x's picture

Do the System logs show that that content was downloaded from the GUP?


The Conquistador's picture

This is where I got stuck earlier, there are so many entries, I was not able to narrow down where to find this event.

James-x's picture

Hello,

Try this:

- Open the SEP client

- Click View Logs

- Click View Logs next to Client Management (not Virus and Spyware Protection) and click System Log

-  Click File and then Export

- Save the file, open it in your favorite text editor and search for the string Downloaded new content


SOLUTION
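
The search described in the last post, run over an exported System log and classified by source using the phrases quoted in this thread. This is an added example, not part of the original thread or any Symantec tooling; the sample lines, their layout and the address in them are constructed, and a real export's columns may differ.

```python
import re
import sys
from collections import Counter

# Phrases quoted in the thread; matched case-insensitively because the
# posts quote them with different capitalisation.
GUP_RE = re.compile(
    r"downloaded new content update from group update provider\s*(.*)", re.I)
SEPM_RE = re.compile(
    r"downloaded new content update from the management server", re.I)
ANY_RE = re.compile(r"downloaded new content", re.I)


def classify_line(line):
    """Return (source, detail) for a content-download entry, else None."""
    m = GUP_RE.search(line)
    if m:
        return ("GUP", m.group(1).strip())
    if SEPM_RE.search(line):
        return ("SEPM", "")
    if ANY_RE.search(line):
        # A download entry whose source wording is not one quoted in the thread.
        return ("UNKNOWN", line.strip())
    return None


def summarize(lines):
    """Count download entries per source across an exported System log."""
    hits = [c for c in map(classify_line, lines) if c]
    counts = Counter(src for src, _ in hits)
    return {
        "counts": dict(counts),
        "gup_details": sorted({d for s, d in hits if s == "GUP" and d}),
        # Any SEPM entry means content came straight from the manager.
        "bypassed_gup": counts["SEPM"] > 0,
    }


# Constructed sample export (assumption: one tab-separated entry per line).
SAMPLE_LOG = """\
02/14/2013 09:01:12\t(constructed unrelated entry)
02/14/2013 09:05:40\tDownloaded new content update from Group Update Provider 192.0.2.10 successfully.
02/14/2013 13:05:02\tDownloaded new content update from the management server successfully.
""".splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an exported System log
        with open(sys.argv[1], errors="replace") as fh:
            print(summarize(fh.readlines()))
    else:
        print(summarize(SAMPLE_LOG))
```
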