Endpoint Protection


IPS issues

  • 1.  IPS issues

    Posted May 09, 2013 09:21 AM

    OK here is the issue:

    SEPM reports IPS failures on all workstations and only 1 server. All the other servers are updating just fine.  The AV definitions are working just fine. 

    I have tried to update it manually and add the JDB file. I have also tried

    "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -cleanup


    Ran "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -update

    No change

    Tried to delete all files under C:\ProgramData\Symantec\Definitions\SymcData\spcCIDSdef

    and ran Syslink replace.

    None of this fixed it.

    It is odd that it was working and then just stopped last month. All the workstations are running XP professional and Windows 7 professional.

    I have attached a screenshot of the computers. The failure ratio is 100%?



  • 2.  RE: IPS issues

    Posted May 09, 2013 09:22 AM

    JDB will not update IPS; you need to run LiveUpdate from SEPM to get it downloaded.



  • 3.  RE: IPS issues

    Posted May 09, 2013 09:24 AM

    The JDB only updates AV definitions so it won't work for IPS content.

    What happens if you run LiveUpdate on an affected client to test, does it update this way?



  • 4.  RE: IPS issues



  • 5.  RE: IPS issues

    Posted May 09, 2013 10:12 AM

    That is what I thought, but I was trying everything I could find.

    I also tried the date thing as well.

    I am having to uninstall and reinstall LiveUpdate on the test PC. I had to change and update the policy to allow the users to use LiveUpdate. Thanks for the help.

    Give me a few more minutes as I am rebooting the PC.



  • 6.  RE: IPS issues

    Posted May 09, 2013 11:46 AM

    OK, so I rebooted and did the LiveUpdate. See the pic of what it says. I looked on the site and the current is 5-08-13.



  • 7.  RE: IPS issues

    Posted May 10, 2013 03:38 AM

    Are your clients getting updates from SEP or from Symantec LiveUpdate servers? Your first post describes changes made at the SEPM level, while your last screenshot shows an LUE session, probably from a client.

    If the definitions are being provided by SEPM, does the server already have those IPS definitions ready for deployment? Admin - Servers - Local Site - Show LiveUpdate Downloads?



  • 8.  RE: IPS issues

    Posted May 10, 2013 07:26 AM

    You can manually update the IPS definitions.

    1) Create an "incoming" folder under the path "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs".

    2) Copy the latest IPS definition content from the same path on an updated system and paste it into the "incoming" folder created on the affected system.

    After successfully copying this content, wait 10 to 15 minutes.


  • 9.  RE: IPS issues

    Posted May 10, 2013 08:39 AM

    As a test on a few machines, I uninstalled LU and reinstalled with an older pkg. It installed fine, but when running LiveUpdate from the client or by using luall.exe it didn't do anything.

    So I took the folder SyKnAppS from a working computer and pasted it to the non-working one and overwrote anything there.

    This worked on some machines and showed the correct date for the NTP. I was able to run LiveUpdate and it updated the IPS to the correct definitions. However, it only worked on some machines and now I am showing 14 out of 22 that are bad.

    I hope this helps more.



  • 10.  RE: IPS issues

    Posted May 10, 2013 09:49 AM

    Yes, they are pulling from SEPM. Yes, the server has the latest updates.

    Yeah, the last screenshot was of a client showing what running directly from LiveUpdate shows.

    I have tried both SEPM and LiveUpdate servers but no go on both except the AV def.

    I have added more information to my last post and hope that helps more. I am at a loss now.



  • 11.  RE: IPS issues

    Posted Jun 18, 2013 11:27 AM

    Just an update to the above - and good news for admins and end users who find themselves in this situation!

    The SONAR and IPS Intelligent Updaters (IU) are now available at:

    http://www.symantec.com/security_response/definitions.jsp

    NOTE: These SONAR and IPS Intelligent Updaters are only for SEP 12.1 RU3.

    For more information, please see Latest Symantec Endpoint Protection Released - SEP 12.1.RU3