Endpoint Protection

Is there a log or something that will show what server a machine recently got updates from?

I have LUA 2.3 installed at a location, it's downloading the updates without issue, the correct LUA policy is applied, the location is set correctly (location set via gateway address) yet for some reason we still have a couple machines that will randomly pull updates from somewhere other than the LUA.

Pic attached shows two machines pulling down way too much over the internet circuit.

Any ideas why they're doing this? The two machines in the pic are done but it will happen randomly at this location.

Hello,

In your case, are these client machines, managed clients OR unmanaged?

If Managed, are the Liveupdate Policies applied to them?

All liveupdate servers are using akamaitechnology..for definition and patch updates..

When you run Liveupdate it goes to

liveupdate.symantecliveupdate.com

or liveupdate.symantec.com

and if these are unreachable, then these site search which is the closest Akamai server in your location and then from those akamai server your definitions get downloaded.

Symantec definitions are hosted on Akamai servers.So that for liveupdate around the world everybody doesn't have to go to US Liveupdate servers.

All virus definition servers of Symantec are akamized so if clients are connecting to akamai means they are connecting to internet to download virus definitions..

Double check you Liveupdate Policy and check under "Use Liveupdate Server" what is specified.

Check this Thread: https://www-secure.symantec.com/connect/forums/akamai-killing-my-bandwidth

Hope that helps!!!

They are managed clients and the LiveUpdate policies are applied. Run LU from the client shows it contacting the LUA that it should be pulling from.

They should not be contacting any server outside of the one listed in the LiveUpdate policy that's being applied but that is not the case.

Hello,

Could you please pull the Log.lue from the SEP client and upload it to us?

Also, check this Article:

Symantec Endpoint Protection 12.1 client is unable to download content from a LiveUpdate Administrator distribution point which uses self-signed SSL certificate.

http://www.symantec.com/docs/TECH183115

Hello,

Could you also please attach screenshots from LU Policies for on-site and off-site locations ?

Regards,

Oykun

3 screen shots from the LU policy and the log from one of the machines in question.

Attachment(s)

Log_11.txt   1.23 MB 1 version

Hello,

Thank you for screens and logs. 

I checked them however both on logs and policies nothing wrong. In the log,client everytime access your LUA server not to internet.

In my opinion, your other location LU policies may point to internet and client doesn't recognize correct location and go to internet for updates.

For detailed analyses i suggest you to create a technical case.

Regards,

Oykun

Hi,

Log the case in symantec & take help from of them

Are there fixed machines which display this behavior ? As, when the liveupdate settings file on the client is corrupted, it would revert to the default setting of connecting to the internet for updates...