Endpoint Protection


Clients not pulling definitions from parent server

  • 1.  Clients not pulling definitions from parent server

    Posted Jul 28, 2009 10:39 PM

    Issue: A select number of AV clients on a secondary server are not receiving the definitions.


    Running SAV Corporate Edition Version 10.1.8.8000

    Parent/Secondary Servers are configured to use the VDTM environment.
    Parent is configured to perform a liveupdate daily (scheduled).

    Under "how clients retrieve virus definition updates".
    Update virus definitions from parent server is Checked.
    Check for updates is set at every 60 minutes.
    Liveupdate button enabled.


    With this configuration all clients should have been able to receive the current definitions. Unfortunately, a large number of clients on one of the secondary servers are not receiving definition updates.

    Here is what I've done.
    - Block select clients in SSC and execute the "update virus definitions now" button.

    When I did this, our network folks informed me that the clients all went to the internet and did a liveupdate.
    Some got updated, while others failed. Could not figure out why, so I had our network guy sniff traffic on one client.

    When I click the "update definitions..." button, it communicated/connected to the primary parent server and then
    performed a DNS query to the internet.

    Any ideas why this happened? Wouldn't that client be pulling defs directly from the parent server?

    However, I'm still left with a large number of clients that are still not updating.

    Have verified on these clients for:
    GRC
    PKI Certs
    Telnet test from client/parent and parent/client for port 2967
    VPDEBUG on client/parent and parent/client shows communication is working.

    I have a copy of the VPDEBUG log file if needed.

    Any ideas how I can fix?



  • 2.  RE: Clients not pulling definitions from parent server

    Posted Jul 29, 2009 03:11 AM
    Hey Ailyn,

    This issue can be a lot of different stuff. First of all, check whether the communication is working. To verify this simply, you can just right-click on a client and have it show a log (Risk or whatever). If you get an error, then the communication is not working.

    When you run the command Update Definitions Now, it's normal that these clients go over to the Symantec server; it is just like running a LiveUpdate.

    As well, it can be that those clients have corrupted virus definitions or stuff like that.

    How many clients are connected to this secondary server?

    Let me know if you need more help.

    Daniel




  • 3.  RE: Clients not pulling definitions from parent server

    Posted Jul 29, 2009 07:32 AM
    Please check the Windows firewall; it should be off.


  • 4.  RE: Clients not pulling definitions from parent server

    Posted Jul 29, 2009 09:26 AM
    Just copy GRC.DAT from the secondary server to the client machine under c:\documnet setting\...........\7.5 and restart the computer.


  • 5.  RE: Clients not pulling definitions from parent server

    Posted Jul 29, 2009 02:07 PM
    All...thanks for your replies, but I've gone through most of what you folks have said.

    From the SSC, I can view logs of the clients that did not get the def update.
    Telnet port between the client and the secondary server on port 2967 works.
    I've copied the GRC file from the server to client SAV folder; restarted Symantec services.

    Neither of those clients are pulling definitions.


    For Speedy1205...
    On the secondary server there are 3000+ clients.  How can I configure that "update definitions now" will pull directly from the parent server?

    Any ideas that I haven't done yet?


  • 6.  RE: Clients not pulling definitions from parent server

    Posted Jul 29, 2009 06:29 PM
    I've also tried these.

    * Moved clients over to another secondary server (#3); within an hour the clients were receiving current definitions.

    * Moved them back to the original secondary server (#2); the definitions rolled back.

    The settings on both servers are the same with the exception of the client check-in. But on #2 secondary server I changed it to 10 minutes (originally set to 60 minutes). This should not have an impact on the client defs rolling back, would it?

    I'm stumped.


  • 7.  RE: Clients not pulling definitions from parent server

    Posted Jul 31, 2009 07:34 PM
    Does anybody have ideas on how I can fix this?


  • 8.  RE: Clients not pulling definitions from parent server

    Posted Jul 31, 2009 09:25 PM
    When live update fails, it is most likely due to one of the following reasons:

    · No license file (*.slf) is installed
    · The installed license file (*.slf) has expired
    · The trial period has expired
    · The installed license file (*.slf) has been deleted, or become damaged or corrupted
    · The software is not able to communicate with the Symantec servers





  • 9.  RE: Clients not pulling definitions from parent server

    Posted Jul 31, 2009 09:27 PM
    Actually, the licenses are covered by DOD.  So it is not a license issue.

    Even if it is, it does not explain why some clients are clearly getting the definitions while others are not.


  • 10.  RE: Clients not pulling definitions from parent server

    Posted Jul 31, 2009 09:54 PM
    Did those computers that were not updating get updates before?

    Added note: Please also check if your configurations allow clients to modify live update schedules...
    It is also a reason why some do get updates while some do not... Clients altering schedules..

    You can force clients to update virus and security risk definitions files immediately using LiveUpdate.

    This feature is available for clients that normally receive updates using LiveUpdate or the Virus Definition Transport Method. This feature provides a good way to update definitions files when one or more clients on which LiveUpdate is installed are using outdated files for some reason, for example, when an update operation that was performed at the server group level succeeded on all but several clients.

    But a large number of updating clients may result in slow performance.

    Before you can update virus and security risk definitions files, you must specify the number of clients to update. When the number of selected clients exceeds this number, a confirmation dialog box appears to verify that you want to exceed the administrator-specified number.

    To specify the number of clients to update immediately
    1 In the Symantec System Center console, on the Tools menu, click SSC Console Options.
    2 In the SSC Console Options Properties window, on the Client Display tab, select the number of clients that you want to update before you see a confirmation dialog box.
    3 Click OK.

    To update one or more clients immediately with LiveUpdate
    1 In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now.
    2 If you selected more than the administrator-specified number of clients, in the confirmation dialog box, select one of the following:
    ■ Yes
    ■ Cancel
    If a client is configured to update using the Virus Definition Transport Method, Symantec AntiVirus prompts you to allow LiveUpdate to run.
    3 Click OK in the status dialog box.

    Thanks...


  • 11.  RE: Clients not pulling definitions from parent server

    Posted Jul 31, 2009 10:47 PM
    Did those computers that were not updating get updates before?

    * Yes they have.  We had an incident when all clients on our network were showing definitions of 5 days old.
    * In an effort to get all clients up to date, I manually downloaded the SAV XDB package for servers and installed it on the primary server.  It managed to push the updates to the other secondary servers.  Two out of three of the secondary servers and their clients managed to get updates within the hour or two.

    However, most of the clients that are on the secondary servers were not pulling the definitions.  When I did an "update definitions now" on those clients, they managed to get updated for that current day.  However, the following day they did not pull the signatures for that day.  This was done through the SAV SSC console.

    Have tested on those clients to ensure the communication between the parent and client is working:
    * Telnet port 2967 from client to parent and parent to client works fine.  They are communicating.
    * VPDEBUG shows the clients are receiving policies from the secondary server.

    In the previous thread I mentioned that 3000+ clients were managed under the secondary server.  Only 25% of those clients are current with the definitions.  It is the 75% of those clients that I'm trying to resolve.

    In SSC, I changed the check-in time from 60 minutes to 10 minutes.  These clients are not pulling in.  I've also enabled the liveupdate button in SSC and I see all the clients received the new changes (through SAV logs).

    So I ruled out that the clients are receiving policy updates from SSC but not signature push.

    All of the secondary servers have the same settings so I can't understand why some clients under this one server are not getting updated.



  • 12.  RE: Clients not pulling definitions from parent server

    Posted Aug 07, 2009 01:39 PM
    Move your client to a different group and then move it back to its respective group; it will start connecting to the parent server.