Endpoint Protection

Hi all,

I've updated my SEPM from 11RU7 to 11RU7 MP1 on Saturday 15. Since Sunday 16 at 10h26, SEPM can't download updates anymore :

18 octobre 2011 19:15:19 CEST:  Le cachet de date de la nouvelle tentative dépasse la fenêtre de nouvelle tentative maximale. Passage à la planification régulière.  [Site : Site SrvAV01]  [Serveur : SrvAV01]
18 octobre 2011 19:03:20 CEST:  Echec de la nouvelle tentative d'exécution de LiveUpdate.  Une autre tentative sera effectuée.  [Site : Site SrvAV01]  [Serveur : SrvAV01]
18 octobre 2011 19:03:20 CEST:  Fin de l'exécution de LUALL.EXE.  [Site : Site SrvAV01]  [Serveur : SrvAV01]
18 octobre 2011 19:03:20 CEST:  LiveUpdate a renvoyé une ou plusieurs erreurs. Code de retour = 4.  [Site : Site SrvAV01]  [Serveur : SrvAV01]
18 octobre 2011 19:03:19 CEST:  LUALL.EXE a été lancé.  [Site : Site SrvAV01]  [Serveur : SrvAV01]

I decide to reboot the server. Then I ran Luall.exe from program files directory and it ran well, downloading the latest updates. Then I start SEPM and go to "admin tab", "Servers" and clic "download content", and got the same error than above.

Then I reboot the server, ran luall.exe which ran fine (telling me there's nothing new to download), close luall.exe, wait 10 seconds, ran luall.exe again and see an LU1814 error message !

What happen ? Are someones having the same issue with 11RU7 MP1 ?

Thanks for your suggestions.

We support a number of accounts that run SEP 11 and for some reason a lot of them are experiencing the same type of issue within the last couple of days. Looking at the log.liveupdate file, it appears to be looking to authenticate to a proxy server. For one particular account, a proxy is not being used.

Hi DCourtel,

Check the following articles

http://www.symantec.com/business/support/index?page=content&id=TECH101808&locale=en_US

Hi DCourtel,

If the trouble persists, please examine the log.liveupdate and attach the most recent failed entry to this thread.  Experienced admins may be able to tell straight away from its entries where the problem lies.

Thanks and best regards,

Mick

Hi Hidayet ALTUN, I've try your link, but nothing new. The strange think is that it work fine after rebooting the server.

This is the liveupdate's log when fail :

////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// Start LuComServer
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
19/10/2011, 12:02:46 GMT -> LuComServer version: 3.3.0.107
19/10/2011, 12:02:46 GMT -> LiveUpdate Language: French
19/10/2011, 12:02:46 GMT -> LuComServer Sequence Number: 20110526
19/10/2011, 12:02:46 GMT -> OS: Windows 2003 Standard, Service Pack: 2, Major: 5, Minor: 2, Build: 3790 (32-bit)
19/10/2011, 12:02:46 GMT -> System Language:[0x040C], User Language:[0x040C]
19/10/2011, 12:02:46 GMT -> IE8 support.
19/10/2011, 12:02:46 GMT -> ComCtl32 version: 6.0
19/10/2011, 12:02:46 GMT -> IP Addresses: 10.75.65.9
19/10/2011, 12:02:46 GMT -> Loading C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
19/10/2011, 12:02:46 GMT -> Opened the product inventory at "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
19/10/2011, 12:02:46 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
19/10/2011, 12:02:46 GMT -> LiveUpdate flag value for this run is 0
19/10/2011, 12:02:46 GMT -> ProductRegCom/luGroup(PID=3512/TID=1076): Successfully created an instance of an luGroup object!
19/10/2011, 12:02:46 GMT -> ProductRegCom/luGroup(PID=3512/TID=1076): Path for calling process executable is C:\Program Files\Symantec\LiveUpdate\LUALL.EXE.
19/10/2011, 12:02:46 GMT -> ProductRegCom/luGroup(PID=3512/TID=1076): Destroyed luGroup object.
19/10/2011, 12:02:46 GMT -> Scanning the following file for potentially malicious host entries: C:\WINDOWS\system32\Drivers\etc\hosts
19/10/2011, 12:02:46 GMT -> Scanning the following file for potentially malicious host entries: C:\WINDOWS\system32\Drivers\etc\lmhosts.sam
19/10/2011, 12:02:46 GMT -> LiveUpdate did not find any malicious host entries in any hosts files.
19/10/2011, 12:02:46 GMT -> **** Starting an Interactive Mode LiveUpdate Session ****
19/10/2011, 12:02:46 GMT -> User Type: Administrator.
19/10/2011, 12:02:48 GMT -> ***********************        Start of New LU Session        ***********************
19/10/2011, 12:02:48 GMT -> EVENT - SESSION START EVENT - The LiveUpdate session is running in Interactive Mode.
19/10/2011, 12:02:48 GMT -> Check for updates to:  Product: LiveUpdate, Version: 3.3.0.107, Language: French.  Mini-TRI file name: liveupdate_3.3.0.107_french_livetri.zip
19/10/2011, 12:02:48 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027
19/10/2011, 12:02:48 GMT -> LiveUpdate did not find any new updates for the given products.
19/10/2011, 12:02:48 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Interactive Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1814, LiveUpdate n'a pas pu récupérer le fichier catalogue des différentes mises à jour de produits et de composants Symantec.
19/10/2011, 12:02:49 GMT -> IE8 support.
19/10/2011, 12:02:50 GMT -> ***********************           End of LU Session           ***********************
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// End LuComServer
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
 

Any ideas ?

Try this

http://www.symantec.com/business/support/index?page=content&id=TECH103112

For the below mentioned logs follow this document

http://www.symantec.com/docs/TECH105924

Hello Vikram, I run lucatalog.exe -update as they say in the article but nothing new.

The strange think is that luall.exe work the first time after the reboot of the server and not after !

19/10/2011, 12:02:48 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027

I know this seems odd that it works the first time but not afterwards, but is there a proxy in the environment?

Any other Symantec products on the server, like Mail Security for Exchange, that might also be trying to use or launch LiveUpdate?

sandra

HI sandra.g, there is not other Symantec Application on this server.

We can go out to Internet by a proxy if we want, but on server we don't use proxy. In 'Internet options', connexion tab, the proxy if not indicated. And when I start Internet Explorer there is no identification asking.

Does this server retrieve its definitions from the internet LU servers or from an internal source? 

Sandra is right that the "host selection error" is the root cause - this server cannot reach the palce where it needs to go to get its updates.

HI Scotthen, Have you solve your problem ? Any new suggestions ?

Hi ,

Try the steps mentioned below for this issue.

1.Launch Internet Explorer. Step 2: Select Tools. Step 3: Select “Compatibility View Settings -add localhost to it.

2.disable IE ESC(enhanced security configuration) if enabled.

3.ping the live update sites

http://liveupdate.symantecliveupdate.com

http://liveupdate.symantec.com

ftp://update.symantec.com/opt/content/onramp 

 and check result.Also open the url in IE and check.

4.Ensure there is no block on port 80 and 443.

5.Also i see the log file showing Frenchlivetri.zip .Please check your IE setting if you have been using only english language so far.If not avoid it.

Hi,

 a very similar issue (same error "HOST_SELECTION_ERROR: Error: 0x802A0027" in same position inside Log.LiveUpdate)  has been solved uninstalling and reinstalling LiveUpdate  (same version provided in RU7-MP1)  following article:

- How to Uninstall and Reinstall LiveUpdate When a Symantec Endpoint Protection Manager or Symantec Endpoint Protection Client is Installed

http://www.symantec.com/business/support/index?page=content&id=TECH102609&locale=en_US

If you don't have other Symantec products installed and registered with LiveUpdate than SEPM and SEP client, you might give it a try.

Try to use JDB file to provide updates. Please see reference for the instruction : How to update definitions for Symantec Endpoint Protection Manager using a JDB file - http://www.symantec.com/business/support/index?page=content&id=TECH102607&locale=en_US

I finaly open a case on Symantec support. They ask me to uninstall/reinstall LiveUpdate and it work now.

Thanks all.