Endpoint Protection

Numerous Mac clients haven't been getting latest definitions from LiveUpdate because liveupdate.conf didn't have proxy information.

Now, we use Apple Remote Desktop to push out liveupdate.conf with proxy information to these computers. However, after few days, these computers STILL don't update.

But, I've noticed if we push Intelligent Updater AFTER pushing liveupdate.conf, then after few days, these computers show the latest definitions.

I am puzzled as to why pushing liveupdate.conf is simply not enough. I know that SEP client would have attempted to pull definitioins from LiveUpdate but failed because it is behind proxy.

Any ideas?

Hi RSASKA,

Are you using an internal LiveUpdate Administrator 2.x server for those SEP for Mac clients, or are they all going out through a proxy to the Internet?

Here is an article that may help:

Proxies and compatibility with Java LiveUpdate and Symantec Endpoint Protection/Symantec AntiVirus for Macintosh
Article: TECH103527 | Created: 2007-01-02 | Updated: 2011-06-16 |
Article URL http://www.symantec.com/docs/TECH103527  

(Several good articles are linked to that one)

It would be helpfult o see the liveupdt.log from an affected SEP fro Mac client to further troubleshoot the issue.  If the advice in the articles above does not solve the download problem, can one be attached to this thread?

Thanks and best regards,

Mick

We added the proxy information to etc/liveupdate.conf using vi editor. Then, we push deploy this file to our Mac clients.

Will get the liveupdate.log of one of these computers.

But, I've noticed if we push Intelligent Updater AFTER pushing liveupdate.conf, then after few days, these computers show the latest definitions.

This puzzles me greatly. There isn't really anything about the Intelligent Updater that should have anything to do with liveupdate.conf, let alone allowing success a few days later. The only thing I can think of is that the Intelligent Updater is repairing definition corruption which allows LiveUpdate to then succeed on the next check or at a later time.

I'm with Mick--we would need to see a liveupdt.log from an affected client to know exactly what's happening.

sandra

So far I'm pushing the config file and when I can actually access the computer, it shows up to date definitions. I'm still looking into this. It may be possible that SEPM isn't reporting the clients as being up-to-date.

Will continue troubleshooting, and will post the necessary logs.

What version of SEP for Mac are you using? Older builds had some issues with reporting. I would try to ensure at least 11.0.6300.

sandra

I definitely agree with Sandra - the only versions of SEP for Mac that I recommend running are those that came with RU6 MP3 or later.  Important changes, improvements and enhancements to the client make these recent versions a "must have."

I pushed liveupdate.conf on a SEP 11 client, and when I remoted in, it shows the definitions are STILL outdated. And, I was prompted to run Live Update (one would think that the clients grabs the new definitions automatically).

I attached the liveupdt.log file, please explain what's happening.

Attachment(s)

liveupdt_1.txt   164 KB 1 version

Here's another log from a computer which I pushed liveupdate.conf, and definitions are two days old

Attachment(s)

liveupdt_2.txt   2.25 MB 1 version

Here's my initial impressions....

>Nov 3, 2011 1:31:37 PM   Symantec Endpoint Protection Client Macintosh, 11.0.6000, English, MacUpdate, 0
>Nov 3, 2011 1:31:37 PM   Symantec Endpoint Protection Client Macintosh, 11.0.6000, English, Update, 0

That client is the very first release of SEP for Mac.  It has many known issues that are fixed in later releases.  The very first thing I would do is upgrade to RU7.

>Nov 3, 2011 1:31:37 PM Connecting to update.symantec.com via FTP ...

How many SEP for Mac clients are in the organization?  If it is more than a handful, it may be best to set up an internal LUA 2.x server to provide defs for them.  Otherwise you are downloading the same exact files over and over again and wasting bandwidth.

Upgrade those clients and I expect they'll update fine.

Hope this helps! &: )

I'm spot checking other Macs and have noticed that when definitions are more than a week old

1. Symantec prompts me to run LiveUpdate

2. When I run LiveUpdate, no progress bar appears.

And I verified that the Mac computer has the updated configuration file with the proxy information.

Mick,

Thanks for the quick response!

We have 10,000+ (and counting) Macs in our environment. It will be a long long time before we upgrade.

it may be best to set up an internal LUA 2.x server to provide defs for them.  Otherwise you are downloading the same exact files over and over againit may be best to set up an internal LUA 2.x server to provide defs for them.  Otherwise you are downloading the same exact files over and over again

How are the definitions from internal LUA 2.x different from the definitions from Symantec's website? Please clarify.

> We have 10,000+ (and counting) Macs in our environment. It will be a long long time before we upgrade.

That's a lot of Macs!  &: )

I definitely recommend using LUA 2.x, then.  Here's a couple of articles:

Using the LiveUpdate Administrator on a PC to download updates for Symantec Endpoint Protection/Symantec AntiVirus 10 for Macintosh clients
Article: TECH103198 | Created: 2007-01-30 | Updated: 2011-05-13 |
Article URL http://www.symantec.com/docs/TECH103198

Symantec Endpoint Protection for Macintosh Fails to Update from LUA 2.x Server after Upgrade to RU6 MP2
Article: TECH147469 | Created: 2011-01-05 | Updated: 2011-03-01 |
Article URL http://www.symantec.com/docs/TECH147469

 > How are the definitions from internal LUA 2.x different from the definitions from Symantec's website? 

The files received and processed are identical- it's a matter of how the files get to each Mac.  Instead of each SEP for Mac client downloading the latest AV definition file from the Interent, the LUA 2.x server downloads it once and then makes it available on a location within your network.  The SEP for Mac clients are directed/configured by their SEPM to retrieve the updates from this internal location rather than the Internet, saving a lot of bandwidth.

Here's a good article that illustrates setting up LUA, in case you have not yet seen it: https://www-secure.symantec.com/connect/articles/installation-and-configuration-lua

Back to this update issue... are all of your 10,000 Macs protected by that 11.0.6000 release, or is it a mix?  Is there any chance you can try to update a few sample machines that are having trouble, just to know if using the SEP 11 RU7  or SEP 12.1 version will resolve the issue?  (There are a couple forum threads here in Connect and also several other companies for which I know it did.....)

All the best,

Mick

If no one is logged into the Mac, LiveUpdate does not run. See:

Symantec AntiVirus Software on Macintosh cannot run LiveUpdate while no user is logged in
http://www.symantec.com/docs/TECH155154

(Don't let the title fool you; this applies to SEP as well.)

Could it be that this is what's occurring?

sandra

Hello,

All the Macs are 11.0.6000.

I'll do my best to get some Macs to test out - they're all in a production environment.

@sandra.g:

I am currently working with Symantec Engineer on this.

It seems that this issue may be due to the fact that user isn't logged on.

How to resolve this? We have 10,000+ macs that are powered on, but outdated because no one is logged on.

Symantec AntiVirus Software on Macintosh cannot run LiveUpdate while no user is logged in
Article: TECH155154 | Created: 2011-03-09 | Updated: 2011-10-18 |
Article URL http://www.symantec.com/docs/TECH155154  
 

> I am currently working with Symantec Engineer on this.

Fell free to PM me the case number and I will have a look at the case / work with the assigned technicail to see if there is anythign that can currently be done.

Hello Mick,

I just sent you a message.