Windows 7 64 Bit Clients
If you check the System log on the client, it will tell you which GUP it used
SEP Firewall "Did You Know...?" - How To Monitor Web Traffic
What would be the event ID sir?
Look in the System log in the Client management on the SEP client GUI - you should see there entries that the definitions have been downloaded from the GUP.
This is like looking for a needle in a hey stack, do you have the event id?
SEP log does not have really event ID's - look for entries starting with "Downloaded new content from..."
- another more detailled check is possible if you enable sylink debugging on the client - log will show you what GUP is asked for update and what file is being requested exactly:
How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows RegistryArticle:TECH104758 | Created: 2008-01-18 | Updated: 2012-08-20 | Article URL http://www.symantec.com/docs/TECH104758
Not sure there would be one in the SEP client.
You can view from the SEPM as well though
On the Monitors tab set the log type to System
Set log content to Client Activity
Click on Advanced settings and you can add the specific IP/hostname and click View log. It will show "Downloaded new content update from Group Update Provider..."
I get to the last part, where the computer filed is, there is a * and it won't let me change it.
Why not, lol?
Really? I just typed in a PC name, works fine...weird.
Had to restart the client, I have it narrowed down and the logs, but I still do not see the SOURCE of where the definitions are comming from.
They're there mi amigo. As long as it download from the GUP it will be noted in the System log. Otherwise it should say "downloaded new content update from the management server successfully" if it came from SEPM.
OK, I found it, but this is pointing to the main server for updates, not the GUP. It is in the right group to receive the updates. Not sure why it is bypassing the GUP and getting definitions from my SEPM server.
In your policy, check out the GUP settings, do you have the option "maximum time that clients try to download updates from a GUP before trying the default management server" set to "After" "x" minutes?
That is there, but greyed out and set to "Never"
Would seem to be a policy issue, does the client have the same policy serial number as whats showing in SEPM?
All of the clients in that group show the same Policy serial number, including the PC in question.
I copied over a new Sylink.xml hoping that will correct the issue.
I can't have clients "going rogue" and bypassing the local GUP server, it really kills bandwidth.
I'm sorry man, and I am begining to feel really dense, but where do I find the policy serial number on the client side?
Help >> Troubleshooting
Right smack in the middle is the "Policy Serial Number"
Sorry, my dopey behind was looking at an unmanaged client.
OK, I see the policy number on the client and SEPM side match.
You should enable sylink logging on the client and let it run abt an hour so we can checkout the logs.
Here is why
And that's where I'm lost because you had already said tamper protection was disabled...
I still have the GUP issue with my other site as well. I have even re installed the clients and still only ONE is communicating with the GUP. I am totally at a loss.
I believe the error on your screenshot here is a bit different than the one given when Tamper Protection blocks the access to these keys. Something OS related? - can you check the permissions on whole registry key for Symantec/sylink?
I'm sorry, I thought you were referring to the Windows event viewer in this post. Oops :-(
One other possibility would be the GUP distribution monitor tool:
...and another KB to the sylink check:
How to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers (GUPs)
Article:TECH97190 | Created: 2009-01-03 | Updated: 2011-08-16 | Article URL http://www.symantec.com/docs/TECH97190
Following fix note is in SEP 12.1 RU2 version check whether it's related to you.
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<
How and WHERE do you set this?
in the GUP policy, i think it was the setting I already mentioned in a post at the top..
Yes, it was something we talked about earlier. The setting is as it should be.
If not using SEP 12.1 RU2 version then need to upgrade and check.
I am using 12.1.2015.2015
Can you please run SymHelp (http://www.symantec.com/docs/TECH170752) on the client which should be using a GUP but is, instead, going to the SEPM for updates?
When you run the utility, put a checkmark in "Full data collection for support".
Once you save the report, attach it to a reply so I can review it. This will allow me to see the configured policies for the client and basic client info.
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
IPS Definitions and Download Protection Definitions DO update, but SONAR does not and Virus Definitions don't.
Do the System logs show that that content was downloaded from the GUP?
This is where I got stuck earlier, there are so many entries, I was not able to narrow down where to find this event.
- Open the SEP client
- Click View Logs
- Click View Logs next to Client Management (not Virus and Spyware Protection) and click System Log
- Click File and then Export
- Save the file, open it in your favorite text and search for the string Downloaded new content
Excellent, exactly what I needed.