Endpoint Protection


Clients bypassing GUP and SEPM and updating via internet

Migration User, Jan 05, 2010 07:47 AM

  • 1.  Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 05:38 AM
    We use SEP 11.0.4202.75.

    I have 2 locations:
    * default
    * mobile devices, when a device is not able to contact the SEPM

    "Remember the last location" is disabled

    We have set up the LiveUpdate policy for location "mobile devices" to download updates once a day from the default Symantec LiveUpdate server.

    For the location "default" the LiveUpdate policy is set up as follows:
    ->  Use the default management server
    ->  Use the Group Update Provider as the default LiveUpdate server
    ->  Bypass GUP after 1 day (after 1 day it should go to the SEPM for updates)


    And still we see lots of clients accessing liveupdate.symantecliveupdate.com and downloading updates.
    This happens with laptops, desktops and servers. The random group of systems I checked have no problems contacting the SEPM or the GUP.

    Any idea why? Or what the best way is to troubleshoot this?


    Thank you!


  • 2.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 05:45 AM
    Do you have scheduled LiveUpdate?
    If yes, try disabling this scheduling...


  • 3.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 05:46 AM
    If you have selected GUP, and bypass GUP and go to SEPM, there is no way the clients are going to go to the internet.
    Pick any one client and check for that group whether you have the LiveUpdate server option checked to use the internet.

    https://www-secure.symantec.com/connect/forums/mr4-gup-carification-please


  • 4.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 05:48 AM


  • 5.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 06:41 AM
    No scheduled LiveUpdate.
    No client settings are allowed; everything is locked down.

    This is a LiveUpdate policy with a GUP as I set it for all offices:
    [screenshot1.JPG, screenshot2.JPG, screenshot3.JPG]


  • 6.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 06:47 AM
    Pick a client which is using the internet, go to
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
    and on the right-hand side check the values of:
    UseLiveUpdateServer: is this value 0 or 1? Meaning use internet.
    UseManagementServer: meaning use SEPM.
    UseMasterClient: meaning use GUP.


  • 7.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 06:48 AM
    Do you have location-specific settings?
    Check in which location the clients are present while going to the Internet, and check the LiveUpdate policy for that location.


  • 8.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:35 AM
    UseLiveUpdateServer: 0
    UseManagementServer: 1
    UseMasterClient: 1

    And it downloaded 500k from the internet this morning.


  • 9.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:37 AM
    Thanks for the info.
    On the same client, open the SEP client interface,
    click on Help and Support,
    click on Troubleshooting.
    What is the location you see?
    Default or your mobile devices?


  • 10.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:40 AM
    I have 2 locations: default and mobile devices.

    The client I just checked is in location default and should therefore get the update from the GUP. But instead goes to the internet.
    See the settings in the screenshot in this thread.

    Which log file(s) give me some info on what time a definition file is downloaded and from where? I checked the syslog.log but it doesn't show a time.


  • 11.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:44 AM
    Open the client interface,
    View Log,
    System Log.



  • 12.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:47 AM
    Hi Rafeeq,
    The location is default.

    Thanks,


  • 13.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:48 AM
    Check Log.LiveUpdate, which is present in C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate (this file can be opened with Notepad).
    Also check in the location "mobile devices" whether you have selected the Internet LiveUpdate server or not.
    If yes, the client may be present in that location and downloading the updates from the Internet; that can be the problem.


  • 14.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:49 AM
    I know, I just cannot access the consoles of all remote clients without disturbing the users all the time. I assume all that data should be in a log file as well.


  • 15.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:53 AM
    Thank you, I will check out that file.
    This specific client is not in location mobile devices. But yes indeed, when in mobile devices it should download from the internet.
    I am thinking there may be a delay in updating the location. Hopefully the log files can tell me more.
    It's just a slight chance though, because desktops and servers also show the same problem.


  • 16.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 07:56 AM
    You can check this in SEPM: Monitors > Logs > System > Client Activity.


  • 17.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 08:05 AM
    From this log, find out the date and time of the client location change and the time the virus definition was loaded...


  • 18.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 08:07 AM
    In that you can check if it has changed the location, used the mobile policy and went outside to the internet.


  • 19.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 08:24 AM
    1-5-2010 8:46 Manual location change Smc Location has been changed to Mobile Devices.
    1-5-2010 8:46 Client engine enabled Smc Symantec Management Client has been activated.
    1-5-2010 8:46 Client engine enabled Smc Symantec Management Client has been activated.
    1-5-2010 8:46 Manual location change Smc Location has been changed to Mobile Devices.
    1-5-2010 8:46 Service started Smc Symantec Management Client has been started.
    1-5-2010 8:46 Service starting Smc Network Threat Protection -- Engine version: 11.0.51 Windows Version info: Operating System: Windows XP (5.1.2600 Service Pack 3) Network info: No.0 "Local Area Connection" 00-22-19-25-88-78 "Intel(R) 82567LM-3 Gigabit Network Connection" 10.7.**.**
    1-5-2010 8:48 Server connected Smc Connected to Symantec Endpoint Protection Manager (10.2.**.**)
    1-5-2010 8:48 Service started Symantec AntiVirus Symantec Endpoint Protection services startup was successful.
    1-5-2010 8:56 System message from group update provider GUP Start using Group Update Provider (proxy server) @ ***:2967.
    1-5-2010 8:56 Manual location change Smc Location has been changed to Default.
    1-5-2010 8:56 Have latest policy Smc The Network Threat Protection already has the newest policy.
    1-5-2010 8:56 Definition file loaded Symantec AntiVirus New virus definition file loaded. Version: 111231dl.
    1-5-2010 8:57 Server connected Smc Connected to Symantec Endpoint Protection Manager (***)


    Perhaps the virus definition download was already initiated before the location changed to Default.
    I have no idea why it was set to Mobile Devices in the first place. This is a desktop with a perfect connection to the SEPM and GUP.
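
The log excerpt above shows a location change and a definition load in the same minute, which is exactly the ambiguity the poster raises. The following is an added example, not code from this thread or from Symantec: a small Python script that parses System Log lines of this shape, tracks the location in force, and flags definition loads that happened within a grace window of a location change (so the download may have started under the Mobile Devices policy). The sample lines are constructed after the post's excerpt; the day-month-year date order and the GUP host name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the System Log lines quoted in the post
# (IPs masked as in the post; the GUP host name is made up).
SAMPLE_LOG = """\
1-5-2010 8:46 Manual location change Smc Location has been changed to Mobile Devices.
1-5-2010 8:46 Client engine enabled Smc Symantec Management Client has been activated.
1-5-2010 8:48 Server connected Smc Connected to Symantec Endpoint Protection Manager (10.2.**.**)
1-5-2010 8:56 System message from group update provider GUP Start using Group Update Provider (proxy server) @ gup01.corp.example:2967.
1-5-2010 8:56 Manual location change Smc Location has been changed to Default.
1-5-2010 8:56 Have latest policy Smc The Network Threat Protection already has the newest policy.
1-5-2010 8:56 Definition file loaded Symantec AntiVirus New virus definition file loaded. Version: 111231dl.
"""

TS_RE = re.compile(r"^(\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2}) (.*)$")
LOCATION_RE = re.compile(r"Location has been changed to (.+?)\.\s*$")
DEFS_RE = re.compile(r"New virus definition file loaded\. Version: ([^\s.]+)")
GUP_RE = re.compile(r"Start using Group Update Provider")


def parse_events(text):
    """Return (timestamp, message) pairs in time order; lines without a leading timestamp are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        # Assumed day-month-year order (the post is dated 5 Jan 2010);
        # use "%m-%d-%Y %H:%M" if your export is month-first.
        events.append((datetime.strptime(m.group(1), "%d-%m-%Y %H:%M"), m.group(2)))
    events.sort(key=lambda e: e[0])  # stable sort: same-minute lines keep file order
    return events


def correlate_definition_loads(text, grace=timedelta(minutes=10)):
    """For every definition load, report the location in force, the location before it,
    and whether the switch happened within `grace` of the load (the download may then
    have started under the previous location's LiveUpdate policy)."""
    location = previous_location = location_since = last_gup_use = None
    findings = []
    for ts, msg in parse_events(text):
        lm = LOCATION_RE.search(msg)
        if lm:
            previous_location, location, location_since = location, lm.group(1), ts
            continue
        if GUP_RE.search(msg):
            last_gup_use = ts
            continue
        dm = DEFS_RE.search(msg)
        if dm:
            recent_switch = (location_since is not None and previous_location is not None
                             and ts - location_since <= grace)
            findings.append({
                "version": dm.group(1),
                "loaded_at": ts,
                "location": location,
                "previous_location": previous_location,
                "ambiguous": recent_switch,
                "gup_used_before_load": last_gup_use is not None and last_gup_use <= ts,
            })
    return findings


def report(findings):
    """Human-readable summary, one line per definition load."""
    lines = []
    for f in findings:
        status = "CHECK" if f["ambiguous"] else "ok"
        line = (f"{f['loaded_at']:%Y-%m-%d %H:%M} defs {f['version']} loaded in location "
                f"{f['location']!r} [{status}]")
        if f["ambiguous"]:
            line += f" (was {f['previous_location']!r} shortly before)"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate_definition_loads(SAMPLE_LOG)))
```

Run it against a client's exported System Log (or the Client Activity log from the SEPM console) to get a list of definition loads marked CHECK; those are the ones to compare against Log.LiveUpdate for the actual download source, instead of assuming the current location explains them.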


  • 20.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 08:31 AM
    It's changing locations;
    that's where the confusion is.
    Did you ever move clients between groups where policies are enabled?
    You need to check your location-specific policies; you might come to know which condition triggered the location change.


  • 21.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 08:32 AM
    Keep the default location as the default and try.
    (Select the default location, click on Edit, and select "this location as default location in case of conflict".)


  • 22.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 02:40 PM
    I'm seeing similar behavior on some of our clients. It started happening on 1/04/10. Could it somehow be related to the 2010 virus def issue?


  • 23.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 05, 2010 05:39 PM
    We see this issue too; however, in our environment the clients are firewalled and prevented from contacting external LiveUpdate servers. I'm sure it's a bug. I opened a case for it once; unfortunately it went nowhere. The problem has been around for a long time, prior to 4202.75.

    Randomly clients will choose to ignore the update provider policies and default to the external liveupdate servers. I suspect when they've experienced some issue updating.

    I have found a manual way to fix the issue. This is not sanctioned or approved by Symantec.

    In this folder, C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate:

    1. find SETTINGS.LIVEUPDATE

    2. modify its properties to remove read only

    3. edit the file and search for the HOSTS entries and compare them with the same entries from a known good host in the same SEPM group. Most likely you will find Symantec LiveUpdate servers configured here and the HOSTS entries different from a working client. I use copy/paste to copy the known good lines and paste them into the bad client.

    4. save the changes and modify the properties of the file to ensure read only is set

    Try running luall.

    In our case, this "fixes" the client and it behaves again continuing to update normally.

    EDIT: We run internal LiveUpdate servers.
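
Steps 3 and 4 above amount to diffing the HOSTS entries of a suspect SETTINGS.LIVEUPDATE against a known-good copy and carrying the good lines over. The following is an added example written for this thread, not the poster's script and not Symantec's: the real layout of SETTINGS.LIVEUPDATE is not reproduced, and the only assumption made is that the file holds one KEY=VALUE per line with the server definitions under keys containing "HOSTS" (adjust HOSTS_KEY_RE if yours differ). Both file contents, the internal host names and the port numbers are constructed; the external host name is the one the thread names.

```python
import re

# Constructed sample contents for a known-good client and a suspect client.
# Assumed layout only: KEY=VALUE lines, server entries under keys containing "HOSTS".
GOOD_SETTINGS = """\
PREFERENCES\\HOSTS\\0\\TRANSPORT=HTTP
PREFERENCES\\HOSTS\\0\\HOST=sepm01.corp.example
PREFERENCES\\HOSTS\\0\\PORT=8014
PREFERENCES\\LOGFILE=Log.LiveUpdate
"""
SUSPECT_SETTINGS = """\
PREFERENCES\\HOSTS\\0\\TRANSPORT=HTTP
PREFERENCES\\HOSTS\\0\\HOST=liveupdate.symantecliveupdate.com
PREFERENCES\\HOSTS\\0\\PORT=80
PREFERENCES\\HOSTS\\1\\TRANSPORT=HTTP
PREFERENCES\\HOSTS\\1\\HOST=second-external.example
PREFERENCES\\LOGFILE=Log.LiveUpdate
"""

HOSTS_KEY_RE = re.compile(r"\\HOSTS\\", re.IGNORECASE)
# Host name fragments that mean "public Symantec LiveUpdate, not SEPM/GUP";
# the one below is the server named in the thread, extend for your environment.
EXTERNAL_MARKERS = ("symantecliveupdate.com",)


def parse_settings(text):
    """KEY -> VALUE for every KEY=VALUE line; blank lines, comments and other lines are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def hosts_entries(entries):
    """Only the entries that describe update servers."""
    return {k: v for k, v in entries.items() if HOSTS_KEY_RE.search(k)}


def diff_hosts(good_text, suspect_text):
    """Compare HOSTS entries of a suspect file against a known-good one (step 3 of the procedure)."""
    good = hosts_entries(parse_settings(good_text))
    bad = hosts_entries(parse_settings(suspect_text))
    common = set(good) & set(bad)
    return {
        "only_in_good": sorted(set(good) - set(bad)),
        "only_in_suspect": sorted(set(bad) - set(good)),
        "changed": {k: (good[k], bad[k]) for k in sorted(common) if good[k] != bad[k]},
        "external_in_suspect": sorted(
            k for k, v in bad.items() if any(m in v.lower() for m in EXTERNAL_MARKERS)),
    }


def rebuild_with_good_hosts(good_text, suspect_text):
    """The copy/paste of step 3 done mechanically: keep the suspect file's non-HOSTS
    lines and replace every HOSTS line with the known-good client's lines."""
    good_hosts = [l for l in good_text.splitlines() if HOSTS_KEY_RE.search(l)]
    kept = [l for l in suspect_text.splitlines() if not HOSTS_KEY_RE.search(l)]
    return "\n".join(good_hosts + kept) + "\n"


if __name__ == "__main__":
    d = diff_hosts(GOOD_SETTINGS, SUSPECT_SETTINGS)
    for key, (g, b) in d["changed"].items():
        print(f"changed  {key}: good={g!r} suspect={b!r}")
    for key in d["only_in_suspect"]:
        print(f"extra    {key}")
    for key in d["external_in_suspect"]:
        print(f"EXTERNAL {key}")
    print("--- rebuilt suspect file ---")
    print(rebuild_with_good_hosts(GOOD_SETTINGS, SUSPECT_SETTINGS), end="")
```

Running diff_hosts over the rebuilt text again should come back empty; that is the check to do before clearing the read-only flag and writing the file back, and keeping a copy of the original suspect file lets you compare it with Log.LiveUpdate later if the client drifts again.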


  • 24.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 06, 2010 12:40 AM
    One more possibility is this:
    LiveUpdate tries to contact external LiveUpdate Servers despite policy setting
    Fix ID: 1678207
    Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
    Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.
    Scheduled LiveUpdate still launches LuAll.exe although the "Use a LiveUpdate Server" option is unchecked
    Fix ID: 1652473
    Symptom: After migration, LiveUpdate still uses LuAll.exe to download content from an internal or external LU server, regardless of whether the Use a LiveUpdate Server option is checked.
    Solution: Scheduled LiveUpdate settings are cleared and the Symantec Endpoint Protection client uses the LiveUpdate policy from the Symantec Endpoint Protection Manager.

    ref: Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x
    It has been fixed in RU5,
    so try upgrading to RU5.
    The doc below can help you with this:

    Migrating to Symantec Endpoint Protection 11.0 RU5



  • 25.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 11, 2010 09:21 AM
    I updated some clients to MR5 but the problem remains. Perhaps I need to update the servers as well, but this takes some more time because we have multiple SEPMs worldwide.

    I looked at the SETTINGS.LIVEUPDATE files but they all seem the same; I can find no differences.

    I have moved clients between groups. I created 1 install package for our region which puts the client in the group for that region and then I manually move them to the correct country group. But even in the region group it should download updates from the SEPM.

    This problem started before the problem with the definitions, so in this case it's not related.

    If I ever find a fix I will report it here.

    Thank you all for your help.


  • 26.  RE: Clients bypassing GUP and SEPM and updating via internet

    Posted Jan 20, 2010 10:44 AM

    I have a situation where there are two sites, A and B, connected by a WAN. Site A is the data centre holding all servers with SEPM A. Site B is where the workstation/laptop users are with SEPM B. When off the company network the remote users connect via a VPN to site A. I want to cut down on WAN traffic caused by the remote users, so I want to put a GUP in site A for the SEPM B machines that are connected via VPN to site A.
    Is it legitimate to designate the SEP client on SEPM A as a GUP for the SEPM B machines that are connected via VPN?

    TIA for your advice.