Video Screencast Help

How to update Virus Definitions for Managed client in SEP 11

Created: 28 Sep 2010 | 21 comments

Hi,

We have a server with SEP 11 installed and about 30 clients are managed by that server.

Clients are Windows 7.

My problem is some of the clients are not getting updated with the latest definition files.

In SAV 10 we have the procedure to update out of update clients by copying GRC.DAT file to c:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 and then restarting the Symantec service.

 

Like the above is there any similar procedure to update the out of the update clients.

Can some one help me please?

 

Thanks,

Rajesh

Comments 21 CommentsJump to latest comment

AravindKM's picture

What is the exact problem you are facing only clients not receiving updates?In one of the client go to Help and support--->troubleshooting and see whether you are able to see the server Name/IP address and group ?

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

P_K_'s picture

The clients that are not updating, are they commuincating with the SEPM?

Please check the commuincation first. If you find that the clients are not commuincating with the SEPM , then please replac the sylink.xml on the clients , this will restore the commuincation.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Fatih Teke's picture

Hello, this article from sandip sali;

 

 

Symantec Endpoint Protection: Troubleshooting Client/Server

You should check the policy serial number on the client to see if it matches the serial number that appears in the management console. If the client communicates
with the management server and receives regular policy updates, the serial numbers should match.
 
If the policy serial numbers do not match, you can try to manually update the policies on the client computer and check the troubleshooting logs.
 
To view the policy serial number in the management console
1. In the management console, click Clients.
2. Under "View Clients", select the relevant group, and then select the Details tab.
 
The policy serial number and the policy date appear at the bottom of the details list.
 
To view the policy serial number on the client
On the client computer, in the client user interface, click on the Help and Support button, select Troubleshooting.
In the Management section, look at the policy serial number.
 
 
The serial number should match the serial number of the policy that the management server pushes to the client.
 
 
About performing a manual policy update to check the policy serial number
You can perform a manual policy update to check whether or not the client receives the latest policy update. If the client does not receive the update, there might be
a problem with the client and server communication.
 
You can try a manual policy update by doing any of the following actions:
 
 
In the client click on the Help and Support button, click Troubleshooting.  Under Policy Profile, click Update. You can use this method if you
want to perform a manual update on a particular client.
 
For the clients that are configured for pull mode, the management server downloads policies to the client at regular intervals (heartbeat). You can change
the heartbeat interval so that policies are downloaded to the client group more quickly. After the heartbeat interval, you can check to see if the policy serial
numbers match. (For the clients that are configured for push mode, the clients receive any policy updates immediately.)
 
 
After you run a manual policy update, make sure that the policy serial number that appears in the client matches the serial number that appears in the
management console.
 
Using a browser to test the connectivity to the management server
You can use a Web browser to test the connectivity to the management server.
 
To use a browser to test the connectivity to the management server:
 
 
On the client computer open a Web browser, such as Internet Explorer.
In the browser command line, type a command that is similar to either of the following commands:
 
http://<management server IP address>:<port used by the SEPM website>/reporting/index.php
 
If the reporting log-on Web page appears, the client can communicate with the management server.
 
 
http://<management server name>:9090
 
If the Symantec Endpoint Protection Manager Console page appears, the client can communicate with the management server.
 
 
If a Web page does not appear, check for any network problems. Verify the DNS service for the client and check its routing path.
 
 
Using Telnet to test the connectivity to the management server
You can use Telnet to test the connectivity to the IIS server on the management server. If the client can Telnet to the management server's HTTP or HTTPS port,
the client and the server can communicate. The default HTTP port is 8014 (80 for the earlier builds of SEP); the default HTTPS port is 443.
 
Note: You might need to adjust your firewall rules so that the client computer can Telnet into the management server.
 
For more information about the firewall, see the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.
 
To use Telnet to test the connectivity to the management server
On the client computer, make sure the Telnet service is enabled and started.
Open a command prompt and enter the Telnet command. For example:
 
telnet ip address 8014
 
where ip address is the IP address of the management server.
 
 
If the Telnet connection fails, verify the client's DNS service and check its routing path.
 
 
 
Verify the Windows Firewall is not enabled on the management server (SEPM) or the client.
 
Windows Server 2003:
Use the netsh command line to disable the firewall:
 
netsh firewall set opmode mode = disable
 
Windows Server 2008 
Server 2008 uses a profile based approach to the firewall settings.  Again, use the netsh command but you will need to specify profile you want to configure (or disable in this case):
 
netsh advfirewall set <profile> state off
 
Values for <profile> are as follows:
 
allprofiles - change the settings for all the profiles.
currentprofile  -  change the setting for just the current profile.
domainprofile - change the settings for the domain profile.
privateprofile - change the settings for the private profile.
publicprofile - change the settings for the public profile.
 
If SEPM and it's associated processes (Tomcat, IIS, etc..) are the only applications on this server, we recommend using the "allprofiles" profile for the command line; otherwise choose the appropriate profile.

http://service1.symantec.com/SUPPORT/ent-security....

 Everything works better when everything works together.

rmediga's picture

Hi ,

I am able to see the server name from the clients.

What exactly is only 3 clients are out of update with respect to virus definition files.

All other clients are updated fine.

Thanks,

Rajesh

AravindKM's picture

If these three clients are communicating the server (Showing IP and Group) still not updating(Assuming that all other clients in the same subnet/group is receiving updates), the virus defs may got corrupted

 

 

How to clear out corrupted definitions for a Symantec Endpoint Protection Client

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Mahesh Roja's picture

Making Windows Firewall off and tried to Update content, or delete the old definition file and tried to update once again

If this Info helps to resolve the issue please Mark as Solution

Thanks

rmediga's picture

I followed the procedure in the following link

How to clear out corrupted definitions for a Symantec Endpoint Protection Client

Now when SEP client is saying File system Auto protect is malfunctioning.

And when i checked from SEPM the client status is Auto protect is not running.

Thanks,

Rajesh

Rafeeq's picture

Go to services.msc

stop all the symantec services

open task manager

kill smc.exe 

smcgui.exe

restart all the services again

should fix the issue.

AravindKM's picture

Update the client using Intelligent updater once .You can download it from here .After downloading the first file in the link double click on it and wait for some time.In the confirmation window click on yes and wait for 2-3 min....

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

rmediga's picture

Hi Aravind,

After installing the Intelligent updater the Virus files are upto date but the remaining two Network Threat protection and proactive threat protection are not updated.

Can we use Intelligent updater directly instead of the procedure in this link

How to clear out corrupted definitions for a Symantec Endpoint Protection Client

 

Thanks,

Rajesh

Rafeeq's picture

yes you can;

intellilgent updater will only update AV/AS

once the corrupt defs is cleared by running intelligent updater;you can then update the policy , ntp and ptp will be updated.

rmediga's picture

Hi,

But this fixed the issue temporarily because yesterday when I did Inelligent Updater AV got updated to the 27th date and now again when i checked the client for AV definition files it is still showing 27 th date and all other clients are with definition files with 28th date.

 

Thanks,

Rajesh

AravindKM's picture

In the affected  client go to Help and support--->troubleshooting and see whether you are able to see the server Name/IP address and group ?

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

rmediga's picture

yes i am able to see the server and the group to which the client belongs to.

 

Thanks,

Rajesh

AravindKM's picture

Repair the SEP from add/remove programs (In add/remove programs select symantec endpoint protection-->change-->next-->repair-->next--->install)

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

rmediga's picture

hi,

We are still facing the issue.

On the clients which are not get updated we reinstalled the SEP even then also the virus definition files are not getting updated.

Everytime we can't reinstall the SEP?

Please someone help in this regard.

 

Thanks,

Rajesh

rmediga's picture

Hi,

SEP 11 and clinets are having OS windows 7.

 

Thanks,

Rajesh

sandra.g's picture

What is the exact build of the SEPM and SEP clients?  Earlier builds had sporadic client communication issues, so let's eliminate that as a possible cause of the issue.  You should ideally be at least up to 11.0.6005 (RU6a), preferably 11.0.6100 (RU6 MP1).

There's also using the Support Tool on a client that's not updating for communication checks, etc.

Edited to add:  I'd also verify that the SEPM is up to date with the latest content (Admin > Servers > Local Site > Tasks, look for Show LiveUpdate Downloads, look at Revision dates for AV/AS definitions).  I have seen it happen before where some clients were updating only because they had a LiveUpdate schedule, and the fault really fell with the SEPM's failure to update.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

jrockman13's picture

We are having an identical issue. Only with 1 client though. Here's what I did:

I updated clients & manager to SEP 11.6 MR1 (or isit called MP1?). 

I issued the update command from the SEPM. It said it completed successfully, but definitions were not up-to-date.

I requested new definitions from the client. The system log reported "Network Threat Protection is up to date".

I verified the client could see the SEPM by using the http://servername:9090 and by going through help and support. 

I ran the support tool as well, and it reported no issues.

I tried deleting the virus definitions as outlined here: http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce.

Finally, I ran the intelligent updater, which did update the AV/AS definitions to Oct 29. However, the Network Threat Prote ction is still Sept 10, and Proactive Threat Protection is Sept 15. They both have green check marks though so maybe that is the latest definitions?

Anyway, I can try updating the AV/AS definitions later to see if it helps, but this is the second time this machine has failed to update for over 30 days.

Any clues?

sandra.g's picture

The Intelligent Updater will only update AV/AS.

I'll be looking into this (sylink logging, etc) as this is continuing to occur on my own test system.

sabdra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help