Endpoint Protection


LiveUpdate and SEPM server


  • 1.  LiveUpdate and SEPM server

    Posted Apr 09, 2009 11:45 AM
    One of my clients' SEPM server (11.0.4000 MR4) is set to get updates once per day.  The LiveUpdate service starts every 15 minutes or so then stops a few seconds later.  Why is it doing this?  This is not occurring at another client.


  • 2.  RE: LiveUpdate and SEPM server

    Posted Apr 10, 2009 06:27 AM
    Hi,

    Login to SEPM>Admin>Servers>Select Local Site>Edit Server properties> go to LiveUpdate tab

    In download schedule check for the check box.

    It has to be every 4 hours and not continuous.

    Check Out...... :-)

    Rgrds,
    SAM


  • 3.  RE: LiveUpdate and SEPM server

    Posted Apr 10, 2009 06:31 AM
    Yes, correct answer by SAM.

    This will solve your issue.


  • 4.  RE: LiveUpdate and SEPM server

    Posted Apr 10, 2009 09:35 AM
    I went to SEPM>Admin>Servers>Select Local Site>Edit Site properties> go to Liveupdate TAB

    It was already set to every 4 hours, but I also unchecked the Retry interval ... now I will wait and see if that fixes things.


  • 5.  RE: LiveUpdate and SEPM server

    Posted Apr 10, 2009 07:11 PM
    Have you tried manually launching LU from the SEPM console from Admin>Servers>Select Local Site?


  • 6.  RE: LiveUpdate and SEPM server

    Posted Apr 13, 2009 04:18 PM
    I was unsure about how that would address my issue, but I tried it anyway.  It did not work.  The LiveUpdate service still starts and stops every 15 minutes.


  • 7.  RE: LiveUpdate and SEPM server

    Posted Apr 13, 2009 04:39 PM
    I was trying to see if LU worked manually versus not working via scheduling.  One thing to try is uninstalling LU and reinstalling.  You may have to re-register LU with SEPM:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100907303548



  • 8.  RE: LiveUpdate and SEPM server

    Posted Apr 13, 2009 05:08 PM
    Is there a SEP client on the server too?

    If so, is it configured to run LU?



  • 9.  RE: LiveUpdate and SEPM server

    Posted Apr 13, 2009 11:15 PM
    Shouldn't it be?  I installed SEPM on the server first, then installed the SEP client as a managed client.  Isn't that what should be done?


  • 10.  RE: LiveUpdate and SEPM server

    Posted Apr 13, 2009 11:58 PM
    How can we check whether the SEP clients are getting updates from the internal SEPM or getting updates from Symantec's LU server on the internet?

    Tejas


  • 11.  RE: LiveUpdate and SEPM server

    Posted Apr 15, 2009 11:10 PM

    Tejas,
    Are you asking me a question?  I do not know how to find out where the SEP clients are getting updates.

    Paul,
    Shouldn't the SEP client be on the SEPM server?

    Thanks,
    Drew



  • 12.  RE: LiveUpdate and SEPM server

    Posted Apr 15, 2009 11:13 PM
    I have not had a chance to uninstall and reinstall LU.


  • 13.  RE: LiveUpdate and SEPM server

    Posted Apr 16, 2009 03:05 AM
    Hi

    1. Make sure that proxy settings are correct, in the SEPM.
    2. In the Proxy server, add a rule to allow traffic from the computer that hosts the SEPM server.
    3. In the proxy Server, add a rule to allow traffic from liveupdate.symantecliveupdate.com
    4. Also, allow traffic from the computer hosting the Proxy server itself.
    5. Configure proper DCOM settings:
    -> On the Windows taskbar, click Start > Run.
    -> In the Open box, type the following text:
       dcomcnfg.exe
    -> Click OK.
    -> Expand Component Services, and then expand Computers. Right-click My Computer, and then click Properties. On the Default COM Security tab, under Access Permissions, click Edit Default.
    -> The Access Permission pane is normally blank. If the window is not blank, make sure that the Administrators, Interactive, and System accounts are set to Allow Access.

    This will solve your problem

    SAMEER


  • 14.  RE: LiveUpdate and SEPM server

    Posted Apr 17, 2009 05:20 AM
    ...the DCOM stuff then try reinstalling LU on Monday.  I won't have an opportunity until then.

    However, I just put a few things together!  I really needed to get SEP on this server before April 1st to combat Conficker.  Ever since it has been installed, the server has been doing some strange things.  I have to get to work so I will detail them later.  I am wondering if removing SEP and SEPM will solve all my problems....


  • 15.  RE: LiveUpdate and SEPM server

    Posted Apr 18, 2009 08:51 AM
    The server is running Microsoft Windows Server 2003 R2, Standard x64 Edition, Service Pack 2. It is a Domain Controller and has all the FSMO roles. It is running Exchange Server 2007, Standard Edition, Version 8.1 (Build 240.6). It is also running Symantec Endpoint Protection Manager (ver. 11.0.4000.2295) and the Symantec Endpoint Protection client; the virus definitions are up-to-date and a full scan runs every night.
    1. Beginning April 1st, the server began rebooting itself at around 4:25 AM every day (not exactly 4:25) for no apparent reason. It is not a crash as Event ID 6008 is NOT coming up ("The previous system shutdown was unexpected.")
    2. Beginning April 4th, the Exchange services did not restart after the unwanted daily reboot. To protect the Exchange databases from corruption, I created a scheduled task to stop all the Exchange services at 4:00 AM and another scheduled task to start all the Exchange services at 5:00 AM.
    3. The LiveUpdate service runs every 15 minutes or so even though it is apparently configured to do so once per day.
    4. For at least a couple of weeks, Automatic Updates and http://update.microsoft.com have offered to install "Microsoft SQL Server 2005 Express Edition Service Pack 3 (KB955706)" as a "High-priority update". The update appears to install, but the update continues to be offered.
      I have tried to uninstall "Windows Search 4.0" and it seems to uninstall. However, after each unwanted daily reboot, it comes up as being installed.
    5. The "Windows Time" service (W32time) appears to work and not work throughout the day even though I have configured it to run once per day (SpecialPollInterval = 86400).
    6. I am getting a number of errors in the Application log:
    • Error / Userenv / None / 1030
    • Error / Userenv / None / 1058
    • Warning / MSExchangeTransport / TransportService / 12024
    • Error / MSExchangeTransport / TransportService / 12014
    I started to suspect SEPM and SEP on this machine since I had installed it on March 31st (just before some of the problems started).  So I uninstalled SEPM and SEP last night.  Alas, it still rebooted this morning at 4:25 AM and all the problems are still occurring (except the LU one, of course).  I was kind of hoping that I could blame Symantec and just be done with them.

    Now I have to put it back on.  Any suggestions?  I wish I could mess with the new SEPSBE 12 as this customer has 4 servers with about 25 users across 3 sites.




  • 16.  RE: LiveUpdate and SEPM server

    Posted Apr 18, 2009 10:00 AM
    If the server is rebooting every day at roughly that time, is there anything of use in the event logs prior to that?

    You say you have automatic updates running - I think the default is to install at 3am every day, that's a bit close to your times... particularly when you say it keeps on offering the two programs for installation, is it possible it's constantly installing the updates, then rebooting?

    Have you checked out eventid.net for your other issues?  It seems like there may be some Group Policy corruption from reading the details of Event ID 1058.

    When you say you wish you could mess... do you mean the customer won't let you, or you can't install SEPSBE?


  • 17.  RE: LiveUpdate and SEPM server

    Posted Apr 18, 2009 06:33 PM
    I have a call back from Microsoft on Monday about the issues I outlined.  I have checked with EventID.net (I even have a subscription).  I'm going to wait to see what MS has to say before doing anything.

    We are a small systems integrator and all our clients have less than 100 computers.  I'm new and before I came on, our salesperson sold our customers 12-month support on "Symantec Multi-Tier Protection 11.0" ... apparently not Small Business Edition.  I don't think that our customers will want to pay more for SEPSBE 12 when it comes out since they just paid for the full "Symantec Multi-Tier Protection 11.0".  Is there a way to convert them to SEPSBE 11 or SEPSBE 12 for free?


  • 18.  RE: LiveUpdate and SEPM server

    Posted Apr 18, 2009 10:33 PM
    Check out the policies for updates


  • 19.  RE: LiveUpdate and SEPM server

    Posted Apr 19, 2009 07:42 AM
    Yes, you should be able to cross grade, let me find out.

    I'm not sure why they were sold Multi-Tier, I could understand them getting Small Business Edition v11 (that's the Multitier offering for SB for v11, SEP and Mail Security for Exchange with Premium AntiSpam, that will be replaced shortly by another product, making things more simple)

    Did they just buy it?  We may be able to refund and move them to the more appropriate product line.


  • 20.  RE: LiveUpdate and SEPM server

    Posted Apr 19, 2009 01:09 PM
    .


  • 21.  RE: LiveUpdate and SEPM server

    Posted Apr 19, 2009 01:09 PM

    1. Solution

    Check LiveUpdate Schedule.

    2. Solution

    DCOM Services

    3. Solution

    Verify new patches & Event Viewer


    4. Solution:

    Use Add or Remove Programs in the Control Panel to uninstall LiveUpdate. Run the LiveUpdate installer to install LiveUpdate again.


    To uninstall and reinstall LiveUpdate:

    1. In Windows Explorer make a back-up copy of the following file:
       C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
       WARNING: It is important to follow this step in order to avoid having to register SEPM or SEP with LiveUpdate.
    2. Click Start > Settings > Control Panel.
    3. Click Add or Remove Programs.
    4. Click LiveUpdate.
    5. Click Change/Remove.
    6. Follow the on-screen instructions to uninstall LiveUpdate.
    7. In Windows Explorer, delete the following folders if they are present:
       C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
       C:\Program Files\Symantec\LiveUpdate
    8. Install LiveUpdate using LUSETUP.EXE located in the SEP installation files, in the following folder:
       ...\SEPM\LUSETUP.EXE
    9. Browse to:
       C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
       and replace the newly created Product.Inventory.LiveUpdate file with the file you backed-up in step 1.

    Note: If you did not back-up the Product.Inventory.LiveUpdate file before deleting the LiveUpdate folder you must register SEPM or SEP with LiveUpdate for it to update correctly.

    To register SEPM with LiveUpdate:

    1. Click Start, then Run.
    2. Type cmd, then click OK. This will bring up a command prompt.
    3. At the command prompt type cd and the path to lucatalog.exe. By default the command would be:
       cd C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin
    4. Type lucatalog.exe -update

    To register the SEP Client with LiveUpdate:

    1. Click Start > Settings > Control Panel.
    2. Click Add or Remove Programs.
    3. Click Symantec Endpoint Protection.
    4. Click Change.
    5. Click Next, select Repair, and click Next again.
    6. Click Install.
    7. Click Finish.



  • 22.  RE: LiveUpdate and SEPM server

    Posted Apr 19, 2009 09:08 PM

    This is what our customer has licensed: "SYMC MULTI-TIER PROTECTION 11.0 I/O ESSENTIAL 12 MONTHS"

    When I go on FileConnect, I get the following files offered:
    Symantec_Mail_Security_for_SMTP_501_Linux_English.tgz                                5.0.1
    Symantec_Mail_Security_for_SMTP_501_Solaris_English.tgz                             5.0.1
    Symantec_Mail_Security_for_SMTP_501_Windows_English.zip                         5.0.1
    Symantec_AntiVirus_10.2.1_MAC_CD.English.dmg                                               10.2.1
    Symantec_Endpoint_Protection_11.0.4000_MR4_AllWin_EN_CD1.zip              11.0.4000 MR4
    Symantec_Endpoint_Protection_11.0.4000_MR4_AllWin_EN_CD2.zip              11.0.4000 MR4
    Symantec_Mail_Security_Domino_7.5.6.35_Win32_IN.exe                                   7.5.6
    Information_Foundation_Mail_Security_For_MSE_6.0.8.262_AllWin_EN.exe    6.0.8
    Symantec_Endpoint_Protection_11.0.4014_MR4_MP1_AllWin_EN_CD1.zip   11.0.4014 MR4 MP1
    Symantec_Endpoint_Protection_11.0.4014_MR4_MP1_AllWin_EN_CD2.zip   11.0.4014 MR4 MP1

    I am new to Symantec licensing so that's why I detailed what they have.  My understanding is that they were upgraded from Symantec Antivirus Corporate Edition 10.  If someone buys Symantec Endpoint Protection Small Business Edition 11 and connected to FileConnect, would they see different files from the above?  I ask because I don't want to recommend them changing their license if they would just get the same thing.

    Also, can they cross grade to SEPSBE 11 or better yet 12?

     



  • 23.  RE: LiveUpdate and SEPM server

    Posted Apr 20, 2009 04:21 AM
    Are there any alerts when the LiveUpdate stops? And you also said that it starts every 15 minutes. So I'm assuming that the setting is that the PC updates every startup and tries every 15 minutes if it fails.

    By default, the server gets the updates from Symantec and the clients get the updates from the PC. Check the netstat on the server to see all the active connections during the time the client attempts to download the updates.

    Check your policy/update schedule. Make sure that each client has ample time to download the update. This could mean scheduling them at 1 - 2 times per day and dividing them into groups that get updates at different times of the day.

    I had an experience where the company gets and deploys updates at an hourly interval. Some clients haven't received updates for over 3 months and some get corrupted updates. I haven't got a clue as to the cause of this. I wish there were a way to prioritize the updates, selecting clients with the oldest definitions first. I also want to know how the client queues work when they wait for the updates (or is this another topic?)
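
An added example, not part of the thread: one way to answer the event-log questions in posts 16 and 23 is to pair the Service Control Manager's Event ID 7036 start/stop records for LiveUpdate and compare the start cadence with the configured schedule. The log lines are constructed, and the `timestamp,event_id,message` export layout, the function names and the 4-hour schedule value (the setting reported in post 4) are assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample; the "timestamp,event_id,message" export layout is assumed.
SAMPLE = """\
2009-04-13 09:00:02,7036,The LiveUpdate service entered the running state.
2009-04-13 09:00:09,7036,The LiveUpdate service entered the stopped state.
2009-04-13 09:03:00,7036,The Windows Time service entered the running state.
2009-04-13 09:15:04,7036,The LiveUpdate service entered the running state.
2009-04-13 09:15:10,7036,The LiveUpdate service entered the stopped state.
2009-04-13 09:30:03,7036,The LiveUpdate service entered the running state.
2009-04-13 09:30:11,7036,The LiveUpdate service entered the stopped state.
2009-04-13 09:45:05,7036,The LiveUpdate service entered the running state.
"""
STATE = re.compile(r"^The (.+) service entered the (running|stopped) state\.$")

def service_runs(text, service):
    """Pair each 'running' record with the next 'stopped' record for one service."""
    runs, started = [], None
    for line in text.splitlines():
        parts = line.split(",", 2)
        ok = len(parts) == 3 and parts[1] == "7036"
        m = STATE.match(parts[2].strip()) if ok else None
        if not m or m.group(1) != service:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "running":
            if started is not None:  # earlier start never logged a stop
                runs.append((started, None))
            started = ts
        elif started is not None:
            runs.append((started, ts))
            started = None
    if started is not None:
        runs.append((started, None))
    return runs

def cadence(runs, scheduled, tolerance=timedelta(minutes=2)):
    """Summarise start-to-start gaps and flag a cadence that differs from the schedule."""
    starts = [s for s, _ in runs]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    durations = [e - s for s, e in runs if e is not None]
    typical = median(gaps) if gaps else None
    off = typical is not None and abs(typical - scheduled) > tolerance
    return {"starts": len(starts), "median_gap": typical,
            "longest_run": max(durations) if durations else None, "off_schedule": off}

if __name__ == "__main__":
    print(cadence(service_runs(SAMPLE, "LiveUpdate"), timedelta(hours=4)))
```

A short, regular gap with runs of only a few seconds matches the symptom reported in post 1; the script measures the cadence and does not identify its cause.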


  • 24.  RE: LiveUpdate and SEPM server

    Posted Apr 20, 2009 07:11 AM
    Hi

    I think it is related to the speed of internet. Try to increase the Internet Connection Time Out in Settings.liveupdate in Liveupdate>>C:\Programfiles