How Do I Stop LiveUpdate App from Updating Itself?

Created: 22 Mar 2013 | 19 comments

I have an issue where machines are attempting to connect directly to liveupdate.symantecliveupdate.com to receive the following file.

liveupdate_3.3.0.99_english_livetri.zip

How do I stop LiveUpdate from attempting to automatically grab application updates?

Checking my SEPM I see that all of my LiveUpdate Policies have the "Download Symantec Endpoint Protection product updates using LiveUpdate server" unchecked.  That's the only setting I can find that looks to be related to the experience I'm currently having. 

Does anyone know how to disable this?

W007's picture

Hello,

Is "Use the default management server" selected or not?

Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

http://www.symantec.com/business/support/index?page=content&id=TECH178257

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ᗺrian's picture

If you check the System log on a client, where does it say the update is coming from?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

The client will not update the LiveUpdate component automatically. LU 3.3 is the compatible version for most of the Symantec versions.

The "Download Symantec Endpoint Protection product updates using LiveUpdate server" option is for the SEPM to download new product updates like RU1 or RU2 whenever they are available through the Internet. This setting is not for clients.

Under the LiveUpdate policy in the SEPM, check the source. If you have just selected the management server then it's your SEPM. If Symantec is selected then it uses the Internet.

You just need to disable the Internet options. That's it.

SEP_FMI's picture

Rafeeq,

I wish it was that easy but it's not.  I've already been down that path and came up empty.  I have all of my policies configured to ONLY use Default Management Server and the LiveUpdate application is STILL attempting to download directly from the Internet.  I think the question here is does the SEPM manage the actual LiveUpdate application?  I'm going to say no. Why?  Well think about it, if you didn't have Symantec Endpoint Protection but you were using another Symantec product that utilizes LiveUpdate then how would it know to update itself?  It must be something configured within the LiveUpdate application itself.

SEP_FMI's picture

Brian,

I checked the Symantec log and the Windows System log and found nothing related to the LiveUpdate request.  Although checking the Windows Application Log I do see an error due to me blocking the access of the LiveUpdate application request.  It looks like the following.

Source: SescLU

Event ID: 13

Level: Error

LiveUpdate returned a non-critical error. Available content updates may have failed to install.

So I do see this event.  But obviously this is coming up because I'm denying this machine access back to Symantec to download the liveupdate_3.3.0.99_english_livetri.zip it's requesting.

I'm wondering, could it be potentially something related to the LiveUpdate service?  Like a step in its process when you power up your machine and the LiveUpdate service starts?

Rafeeq's picture

LiveUpdate is common for all the Symantec products. If you don't have SEP but Symantec Mail Security, it will install LU also. The difference is the catalog file, which gets updated when different products are installed.

Rafeeq's picture

Are these clients in a different location or the same location? Location-specific policies will have different settings for using LiveUpdate.

Can you check these registry settings just to confirm if use Symantec LiveUpdate is enabled on the clients?

What's the value set here on the right-hand side?

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

SEP_FMI's picture

Sorry, there are a lot of values under that key.  Can you let me know which one in particular you are interested in?

SEP_FMI's picture

Something interesting to note.  If I run luall.exe manually with LiveUpdate configured in Interactive Mode I can see the list of products and components it's planning on searching for updates on.  I have the following list.

Antivirus and antispyware definitions

Intrusion Prevention signatures

LiveUpdate

Submission Control signatures

Symantec Security Software

Symantec Security Software Updates

Symantec Shared Components

So considering all of those are in the list, I'm wondering: is there a possibility that the problem I'm experiencing is related to either when it requests an update for LiveUpdate or Symantec Security Software Updates?

My question is where is this list controlled?  I checked the LiveUpdate Configuration and I'm not seeing anything related to choosing what applications LiveUpdate looks for updates to.  Does anyone know where this is configured?

SEP_FMI's picture

So I brought up the README file for LiveUpdate and found something interesting.

product.inventory.liveupdate is the file which stores a list of all installed Symantec products on the machine.  I figure if I can modify this file then it will not attempt to pull updates for LiveUpdate.  Although after looking at the file I've found that it's written in machine code that does not appear to be modifiable with a text editor.  Has anyone ever worked with this file before?

Rafeeq's picture

It will be the Liveupdate.catalog file.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

Click on LiveUpdate; on the right-hand side you will find a few keys.

What is the value of the UseLiveupdate server value?

If you run luall.exe, it will always go to the Internet, or if you have LiveUpdate Administrator it will go there.

It will never go to the SEPM for updates if you run luall.exe.

Chetan Savade's picture

Hi,

I don't think the LU setup ever gets updated itself. Only the product gets updated.

I checked on my test machine and I can see a similar entry:

"Check for updates to:  Product: LiveUpdate, Version: 3.3.100.15, Language: English.  Mini-TRI file name: liveupdate_3.3.100.15_english_livetri.zip"

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SEP_FMI's picture

Chetan,

I think you're on to it.  This is the same experience my users are receiving.  The question is how do you disable this function?  I just need to stop this in the interim while I get all of my 19,000 machines on SEP 12.

Chetan Savade's picture

Hi,

Could you please specify why you want to disable it?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Rafeeq's picture

Navigate to C:\Users\All Users\Symantec\LiveUpdate

Open the liveupdate.log file.

It will tell you where it's trying to connect.

If this is a fresh new install, then once the installation is done, the client will always try to connect to the Internet first. You can disable that setting under the msi command line option.

Livetri.zip contains these files, which are needed to get updates from the Internet:

  • Liveupdt.sig
  • Liveupdt.tri
  • Liveupdt.grd

Ref:

  • http://www.symantec.com/business/support/index?page=content&id=TECH102059

The log file is a little misleading; it's stating the LiveUpdate product version, and it's looking for updates. Not the product updates, though.

To disable LiveUpdate after install, check this document:

https://www-secure.symantec.com/connect/forums/how-stop-initial-live-update-download

Check this document:

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH92594
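An added example, not part of the thread or of any Symantec tool: a small parser that pulls the "Check for updates to:" entries out of LiveUpdate log text and flags the ones where the product is LiveUpdate itself, which is the request for `liveupdate_..._livetri.zip` discussed above. The entry shape is taken from the line quoted earlier in the thread; the timestamps, the second entry's version and file name, and the unrelated line are constructed sample data.

```python
import re

# Entry shape as quoted in the thread; anything before "Check for updates to:"
# on the line (timestamps, arrows) is ignored, so the exact prefix format
# of a real log does not matter here.
ENTRY = re.compile(
    r"Check for updates to:\s*Product:\s*(?P<product>.+?),\s*"
    r"Version:\s*(?P<version>[^,]+),\s*Language:\s*(?P<language>[^.]+)\.\s*"
    r"Mini-TRI file name:\s*(?P<tri>\S+\.zip)",
    re.IGNORECASE,
)

# Constructed sample: first entry mirrors the quoted line, the rest is made up.
SAMPLE_LOG = """\
3/22/2013, 14:02:11 GMT -> Check for updates to:  Product: LiveUpdate, Version: 3.3.100.15, Language: English.  Mini-TRI file name: liveupdate_3.3.100.15_english_livetri.zip
3/22/2013, 14:02:11 GMT -> Check for updates to:  Product: Symantec Shared Components, Version: 1.0, Language: English.  Mini-TRI file name: example_shared_components_livetri.zip
3/22/2013, 14:02:12 GMT -> constructed unrelated line
"""


def parse_checks(text):
    """Return one dict per 'Check for updates to:' entry found in text."""
    return [
        {key: value.strip() for key, value in match.groupdict().items()}
        for match in ENTRY.finditer(text)
    ]


def self_update_checks(entries):
    """Entries where LiveUpdate is checking for updates to itself."""
    return [e for e in entries if e["product"].lower() == "liveupdate"]


if __name__ == "__main__":
    checks = parse_checks(SAMPLE_LOG)
    for entry in checks:
        print(f'{entry["product"]} {entry["version"]} -> {entry["tri"]}')
    print("self-update checks:", len(self_update_checks(checks)))
```

Run against the text of a client's own log file, the same two functions show which products in the session list account for the mini-TRI downloads.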

Chetan Savade's picture

Hi,

I also agree with Rafeeq; you should not be concerned about it.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SEP_FMI's picture

Unfortunately I am concerned.  The reason is because of this.  When machines reach directly out to LiveUpdate and do not obey the LiveUpdate Policy in place that clearly states there should be no activity related to going straight out to the Internet for updates we see a large hit on bandwidth.  I pulled the utilization for the last 24 hrs and found that machines had totalled an amount of 16GB of data related to the liveupdate.symantecliveupdate.com website.  This is absolutely unacceptable when you are working with regions which have 4Mb Satellite connections and 4000 machines behind them.

If I was a developer of this product I would be ashamed of it at the moment.  The LiveUpdate policies within the SEPM are configured to have nothing request direct access to liveupdate.symantecliveupdate.com and as I mentioned previously checking through the LiveUpdate Application itself I find nothing related to an adjustable setting that would allow me to suppress this access.

Chetan, the reason I don't just block access to liveupdate.symantecliveupdate.com on our Web Proxy is because when LiveUpdate reaches out to liveupdate.symantecliveupdate.com it passes the machine's credentials instead of the user credentials.  Per policy we block all access to the Internet per machine name.  We only allow it through per user name.  We also cache the credentials for an hour period.  So say someone's machine attempts to run LiveUpdate first and caches the machine creds, that user cannot access the Internet for the next hour or until someone brings it to our attention and we purge the cache so the user can cache his user id credentials instead.  Basically it's a huge nightmare.

sandra.g's picture

Which version of SEP are you using--SEPM and SEP clients? Your initial post indicates 11.x. This document is a bit old, but early builds of SEP 11.x had this problem: SEP clients go to the LiveUpdate server on the Internet despite a LiveUpdate policy from the SEPM to prevent that.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!