LiveUpdate returned a non-critical error. Available content updates may have failed to install.

Created: 06 Aug 2008 • Updated: 21 May 2010 | 29 comments
ADF
This issue has been solved. See solution.

I have SEP Version 11.0.1000.1375 installed on all of my clients.  I recently noticed they all started constantly getting the following error in the event viewer:

Event ID 13: "LiveUpdate returned a non-critical error. Available content updates may have failed to install." 

This error started occurring Monday evening (8/4/08) on all clients and is occurring every hour.  I found the error referenced on this thread.  I tried the first mentioned possible solution and deselected the Decomposer Files and waited a day as Symantec Support Engineer Ted G suggested.  But the errors still persisted and Proactive Threat Defs still have not updated.  I just looked in the log.liveupdate file on a couple of PCs and found the following error started Monday night too:

 

Error: from TempHostEx download directory: C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\SMCLU\CONTENT.ZIP0000\sesmCohData.dis was missing!
8/4/2008, 23:29:16 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 1 updates available, of which 0 were installed and 1 failed to install.  The LiveUpdate session exited with a return code of 1905, LiveUpdate encountered unexpected errors while getting updates. Your Symantec programs were not updated.

 

I was not able to find information on this particular return code.  Can somebody please help me with this?

 

Thanks,

Adrian

ADF

Thanks for the response, Rick.  I saw that article as well.  It's happening on all 37 of my clients though.  I can't imagine Live Update getting corrupted and needing to be reinstalled on every one of them.  Hopefully there's another solution, but if other working solutions are not posted, I will maybe try that.  I am playing with the policy settings to have Live Update look to Symantec vs the Mgmt server as Arthur just suggested in this thread.  It doesn't seem to have worked for me initially, but I need to test further.

 

Adrian

RickJDS

I saw that thread too, but I don't want all of my clients getting their updates from the internet.  We're maxing out our T1 as it is.  It appears to be happening on all of my clients (thought it was just a few).

 

Strangely enough, I'm getting the same error as in that other thread:

 

8/6/2008, 20:06:32 GMT -> Error: from TempHostEx download directory: C:\PROGRAM FILES\SYMANTEC CLIENT SECURITY\SYMANTEC ANTIVIRUS\SMCLU\CONTENT.ZIP0001\sesmCohEng32.dis was missing!
8/6/2008, 20:06:32 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 1 updates available, of which 0 were installed and 1 failed to install.  The LiveUpdate session exited with a return code of 1905, LiveUpdate encountered unexpected errors while getting updates. Your Symantec programs were not updated.

You should try getting updates at a later time.
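
Added example (not part of any post in this thread): a small Python parser that pulls the two failure signatures quoted above, the missing `.dis` file and the failed session with its return code, out of LiveUpdate log text so the same check can be repeated across many clients. The function name is hypothetical and the embedded sample consists of the log lines quoted in the posts.

```python
import re
from collections import Counter

# Log lines copied from the posts in this thread (a sample, not a full log).
SAMPLE_LOG = r"""
Error: from TempHostEx download directory: C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\SMCLU\CONTENT.ZIP0000\sesmCohData.dis was missing!
8/4/2008, 23:29:16 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 1 updates available, of which 0 were installed and 1 failed to install.  The LiveUpdate session exited with a return code of 1905, LiveUpdate encountered unexpected errors while getting updates. Your Symantec programs were not updated.
8/6/2008, 20:06:32 GMT -> Error: from TempHostEx download directory: C:\PROGRAM FILES\SYMANTEC CLIENT SECURITY\SYMANTEC ANTIVIRUS\SMCLU\CONTENT.ZIP0001\sesmCohEng32.dis was missing!
8/6/2008, 20:06:32 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 1 updates available, of which 0 were installed and 1 failed to install.  The LiveUpdate session exited with a return code of 1905, LiveUpdate encountered unexpected errors while getting updates. Your Symantec programs were not updated.
"""

# The timestamp prefix is optional: one line quoted in the thread lacks it.
STAMP = r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4}, \d{2}:\d{2}:\d{2}) GMT -> )?"
MISSING = re.compile(
    STAMP + r"Error: from TempHostEx download directory: (?P<path>.+?) was missing!"
)
FAILED = re.compile(
    STAMP + r"EVENT - SESSION END FAILED EVENT - .*?found (?P<found>\d+) updates available, "
    r"of which (?P<installed>\d+) were installed and (?P<failed>\d+) failed to install"
    r".*?return code of (?P<code>\d+)"
)

def summarize_liveupdate_log(log_text):
    """Hypothetical helper: collect missing-file errors and failed sessions."""
    missing, sessions = [], []
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            # Keep only the file name; the install directory differs per product.
            missing.append(m["path"].rsplit("\\", 1)[-1])
            continue
        m = FAILED.search(line)
        if m:
            sessions.append({
                "time": m["ts"],
                "code": int(m["code"]),
                "found": int(m["found"]),
                "installed": int(m["installed"]),
                "failed": int(m["failed"]),
            })
    return {
        "missing_files": Counter(missing),
        "failed_sessions": sessions,
        "return_codes": Counter(s["code"] for s in sessions),
    }

if __name__ == "__main__":
    print(summarize_liveupdate_log(SAMPLE_LOG))
```

To use it on a client, pass in the text of the log.liveupdate file mentioned in the first post instead of `SAMPLE_LOG`.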

 

spyd3r0x

I have been getting the same errors on all of my clients (about 35) for about a week now.

RickJDS

Just got off the phone, case #311988420.  Went into Policies/Live Update/Live Update Content and edited the Live Update Content Policy.  Click on Security Definitions and deselect Decomposer Signatures.  The tech said this should resolve the problem.  Performed a Live Update on the SEPM server. 

 

I'm not sure what these definitions do (the tech said it was like decompressing the signatures), online help says:

 

These signatures support the Antivirus and Antispyware protection engine, and are used to decompose and read the data that is stored in various formats.

 

So I don't know if we've opened up a vulnerability by doing so (I assume not).  Hope this helps.

Greg B

Same problem here. Opened a case and unchecked decomposer (what does that open me up to?).  Applied policy. 24 hours later, new defs but same event log errors.  Waiting to hear back from tech support.

RickJDS

Crawsym, what kind of update are you looking for?  I posted a solution from Symantec's technical support.  It may not be the best, but it works for me, not for Greg though (20 hours now and no event log errors).

Message Edited by Rick Stark on 08-07-2008 08:57 AM

Crawsym

Rick,

 

I attempted that solution and it did not work for me just like Greg, unfortunately.

RickJDS

In that case, I would suggest you open a case with tech support to get your problem resolved.  The technician I worked with mentioned that with another customer, they had to uninstall/re-install SEPM from the server (I'm glad I didn't have to go to that extreme).

Jason1222

The decomposer engine is supposed to be, when working as intended:

 

Decompress RAR'ed, Zip'ed, and most other common Archiving and Zipping extensions, so that if there is a virus hidden away somewhere in a ZIP that you, most likely, downloaded or were given, it can open it up and scan it for "virus like signatures".

Crawsym

Jason I believe I would want that detection for sure.  I have had SEPM installed for many months and this error did not start until 8/4.  There was an update from Symantec right before the error.

 

Excerpt from log right before error message:

UNZIP_FILE_PROGRESS: Extracting file: "liveupdt.grd"
UNZIP_FILE_PROGRESS: Extracting file: "liveupdt.sig"

 

Seems like an update for Live Update.

dgp1421

I also have SEP 11.0.1000.1375 installed.  In my case the "Decomposer Signatures" option was already off in the LiveUpdate Content policy--it has been for some time since suggested by a Symantec Technician.  The error began on all clients at the time of the auto update at 5:22am on 8-5.  Whatever caused the problem apparently came packaged in the updates released on the 4th.  Actually, I should specify that the error occurs on all clients except the servers and the one client without Proactive and Network Threat Protection installed.

Crawsym

That is precisely when this began happening for me.  I have opened a case and am waiting on an escalation process to an upper-level engineer.  It should be simply a matter of an update through Live Update hopefully.  It occurs on my servers also.

dgp1421

Crawsym,

 

My theory is that the issue is with either Proactive Threat or Network Threat Protection, neither of which is installed on my servers.  Is either of these components installed on your servers?  If not, then there goes my theory...  : \

 

My understanding at the time of install was that Network Threat Protection and Proactive Threat Protection were not supported on server OSes.

Crawsym

That may very well be for the servers.  It is installed on the servers.  However, I have hundreds of clients which are receiving the same exact error, on which Proactive is installed, and which are supported OSs.

fjorq

This is the reply from Symantec's backend support on this issue:

 

The Event ID 13 error is due to a defective patch that went out via LU on August 4, 2008. It was pulled from LU on the 7th, but machines that already downloaded the patch will display these symptoms.

Besides cluttering logs, these errors are not detrimental to system performance or security.

When the new patch to replace the defective one goes out sometime next week, the errors will stop happening.

Jason1222

Anyone get any more feedback from SYM Support?  We are now in next week, and I was wondering if they had an ETA for when they will push out the new signatures and stop the messages from appearing in the Event Log...

 

Thanks.

David-Z

This issue should now be resolved.


Title: 'Event ID 13 with source SescLU in Windows Application Event Log hourly since August 4, 2008'
Document ID: 2008080813283148
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008080813283148?Open&seg=ent

 

Hope that helps!

David Z.

Senior Principal Technical Support Engineer, Symantec Corporation

Enterprise Security, Mobility and Management

SOLUTION
Jason1222

Indeed it seems to have disappeared from all my end-points.  Thank you for that.

 

Now what about putting a nice big green checkmark next to the thread with resolved.

 

Thanks again.

ADF

The solution posted by David Z appears to have worked.  Updated SEPM as the link directs and then reconfig'd my policy back to the original setting - to pull updates from the SEPM server vs Symantec.  Event Viewer and LiveUpdate log are clear so far and also verified that definitions are current on several clients.

 

Thanks,

Adrian

FredrikE

Hi, I have the same problem and the solution didn't work for me; my clients still report the ID 13 error in the Event Viewer.

I'm running the MR2 client and have tried the MR2 MP2 with the same result.

 

/Fredrik

Greg B

I was away on vacation for a week and a half, but followed the solution and all is well again!!

Greg

DEA391

Well,  I have the same problem.

Ended up uninstalling Symantec Endpoint Protection (not Manager, mind you).  Then just reinstall.  It pulls down a new update thread and leaves behind the corrupt one you were connected to by Symantec in the background.

I am doing this under the guidance of SEP Support.  This is not something that I'm doing on my own.  This is their fix.

Agus Bahtiar-ptuip

I have the same problem: the SEP client can't get the updated definitions from the SEP Manager console. Besides that, the SEP Manager console has gotten the updated definitions from LUA.

I have done the solution above, but it still has not solved the problem...

Can anyone help me find the solution to my problem?

Thanks B4

icbl

I also have the same issue, but as far as I can see there is no solution. So many problems with Endpoint. I have many software packages which work in a network environment, but only Endpoint has many problems, and I cannot find proper solutions.