Endpoint Protection

Hi,

We have issue with Mac systems. Some of the Mac systems are not updating with latest Defs.. All are managed clients

Example: we have around 1500 client in my office.  In this 1350 systems are updating with latest defs, remaining 150 are not updating.. Some systems are updated up to June 21, 22 and some are updated up to May30th or less. But all clients are in online daily users will login to the systems. Last time changed will be current.

When we ran the symsched -l command from terminal, LU policy is not showing..

Please let me know possible causes issues for above scenarios. and solution for this..

Nothing's going to show under just symsched -l for schedules provided from the SEPM. You have to do that command prefaced with sudo.

• Which version of SEP?
• Do the remaining 150 clients have something in common--same network segment, for example?
• What happens if you try to manually launch LiveUpdate on a client? Does it succeed, or fail with an error message?
• Are they trying to obtain updates from Symantec's servers, or from an LUA server?

LiveUpdate log should be here: /Library/Application Support/Symantec/LiveUpdate/liveupdt.log

sandra

We have rn the command as you mention above.. I forget to mention teh sudo..

we are using 12.1 SEP version

All clients are in same group and segment..

If we launch the LU , update is success..

Obtain updates from Symantec Liveupdate servers.

I'll update the log in few mins

PFA log file.. please the file extension from txt to log

Attachment(s)

liveupdt.txt   11.25 MB 1 version

We didn't change anything from system side or from server side..apart from Defs corruption , is therea ny other chances fro this Issue..

we haev aroung 150 systems havig saem issue.. We will try to run the Intelligent Updater.. for testing..

Double check that their LiveUpdate policy in the SEPM (since you mentioned they're managed) has scheduling enabled and set--under the Mac section of the policy, obviously.

The last successful LiveUpdate run that actually invokes the mdefs processing script is on the 1st of June:

Jun 1, 2012 12:46:07 PM Unzipping completed
Jun 1, 2012 12:46:07 PM Making /private/tmp/liveupdate/1338569164995/1338569167297/mdefs.sh executable ...
Jun 1, 2012 12:46:07 PM Running /private/tmp/liveupdate/1338569164995/1338569167297/mdefs.sh ...
Jun 1, 2012 12:46:08 PM
Jun 1, 2012 12:46:08 PM The Java LiveUpdate session has completed successfully.
Jun 1, 2012 12:46:08 PM Return code = 0
Jun 1, 2012 12:46:08 PM

There are additional entries up until the 4th of June, but nothing after that. Did something change on this system (like an OS update) or the network (or both) around that time?

In case the definitions somehow got corrupted, you might want to try applying the Intelligent Updater to one or two machines and see if they start working again. You can get them here: http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=nmc

sandra

Don't forget to double check the LU policy in the SEPM, that applies to these Macs.

sandra

We have enbale the LU policy for Mac's like.. Use Default Symantec LiveUpdate server. Scheduled every 4hrs..

Please let me know If any thing need to change at LU policy for Mac's

Any update on this?

We are going to change the Mac LU schedule from 4 hrs to 2 hrs. Is there any impact for any thing?

As far as I know, Symantec only updates Mac virus definitions once a day, so changing the schedule won't have much impact if the client checks in with the Symantec LU server and nothing new is available.

If you're doing [sudo symsched -l] in Terminal and you are not seeing a SEPM-set schedule, changing the schedule won't make much of an impact. Is the client still communicating with SEPM to get policy updates?

Has removing and reinstalling one of the affected clients with a managed package made a difference?

I would strongly suggest opening a support case so that a tech can have a deeper detailed look.

sandra

Yes we have , reinstalled the client after that client get updating .. my question is then why we need to schedule LU for every 4 hrs.. as per your above post , client will check once a day..

For example I. As per the LU schedule client connec the symantec liveupdate server @ 8.00 AM , again the client will connect the symantec liveupdate server @ 12.00 PM  or not?

You don't have to schedule it for every four hours. That is the default schedule. Since there is no firm update time for the release of new Mac definitions (though it's usually in the morning, Pacific Time/US), scheduling it every four hours means a better chance you'll catch updates sooner rather than later. If you really want, you can schedule it once a day.

Your example is correct. If there is nothing new to download, nothing happens. The session ends.

sandra