Endpoint Protection

Hi Members!!!!

I am using SEP 11.0.4014 i.e. MR4MP1 in a network of 1500 users connected all across the globe. The GUP has been configured accordingly. Now the problem is that The SEPM has the latest version 20090611-rev.025 which is same as Symantec version, but the clients are showing 20090610- rev.025. When i try to update contents its says policies has been applied, but the result remains same.
Now when i look into C:\Program Files\Common Files\Symantec Shared\Liveupdate\VirusDefs  the 20090611 folder is missing. There is lot of  free space in  my hard drive sections.
When i manually download the updates from SEPM it says it is alreasy there.
Looked into the KB articles, consulted with Techies, Logged into Symantec Partnet  but no resolution.
My windows are patched up.
The problem occure on 12th June 2009 IST.

I have attached two screen shots for the better understanding of the problem.
 

I am NOT interested in upgrading to MP2.

Request all u champs here to comment upon the post.

Hi,

we need more details:
1) What are the settings for the LiveUpdate within the Manager? Every X hours? Daily?
2) What are the communication settings between clients e manager? Pull or push mode? Heartbeat?
3) Did you check the definition version directly on the clients? I saw cases when they were updated but the the Manager was not aware of this due to some delays in the elaboration of the logs.

Regards,

1) What are the settings for the LiveUpdate within the Manager? Every X hours? Daily?
----- Evry X Hrs

2) What are the communication settings between clients e manager? Pull or push mode? Heartbeat?
-----Pull Method
3) Did you check the definition version directly on the clients? I saw cases when they were updated but the the Manager was not aware of this due to some delays in the elaboration of the logs
-----Yes,  i have manually checked them


Any solution??????

Revert back for further info.

Hi

I think the definitions might have go corrupt. Try to manually update using .jdb file

I have tried both the solution On SEPM and client as well but no use.
Something else????

1) What is the value of X?
2) What is the value of the heartbeat?

Well if the definitions are actually corrupt you would need to clear out the old corrupt definitions. Here is the kb article to do that for the client. http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007123111551948 . You can try this out, but I am not convinced that is actually the cause of your problem. Still would like to hear the answers to Giuseppe.Axia's questions. What is your setting (how many x hrs) for the Liveupdate within the manager? Also what is your heart beat interval for pulling out definitions?

Cheers
Grant

X is 4 hrs

I tried with Rex4defs.

@Grant_Hall: I had read the files on the link...and its great...
it says we have to delete certain virus definition folders...

I had read Ajitjha initial problem and he says that the C:\Program Files\Common Files\Symantec Shared\Liveupdate\VirusDefs the 20090611 folder is missing...

If it is corrupt and we have to delete the virus definitions, how would we do it if it is not there?
In addition, he also says that it is the only thing missing...

hope a resolution with Ajitjha issue would be found soon..
I am reading and learning more...

thanks...

We need more details about what the SEPM downloads:
go to admin > server > local site > show liveupdate downloads, post the table of the actual contents. Are 32 and 64 bit AV defs the same?

To analyse your issue, you need to analyse some logs.
The relevant logs are:
1) log.liveupdate in the server (what and when are the definition downloaded?)
2) log.liveupdate on the clients ((what and when are the definition downloaded?)
3) sylink.log (to log the communication between SEP and SEPM)

Some documents are available to analyse them.

I am missing another details: are the definitions blocked at 10/11-06-2009 in SEP and SEPM or they are going forward but always with the gap of 1 day?
I am still missing some details already asked.

I will post the logs very soon

Try this steps

Steps to clean Virus Definitions folders and republish Live Update Product Inventory on Symantec Endpoint Protection Manager:

Delete the content of folder "c:\documents and settings\All users\Application Data\Symantec\LiveUpdate\Downloads\"
Note: Application Data is a hidden folder. Do not delete the folder but only the contents.
Update the LiveUpdate catalog by opening the following link in Internet Explorer:
http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory
After few seconds you will get a confirmation message "Responsecode="0".
Stop the services "Symantec Endpoint Protection Manager" and "Symantec Endpoint Protection"
To stop the services:
Go to Start > Run.
Type the following: Services.msc
Select and stop the above mentioned services.
Delete the numbered or TMP folders inside the paths:
%programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{1CD85...
%programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{C60DC...
%programfiles%\common files\Symantec Shared\SymcData\sesmvirdef32
%programfiles%\common files\Symantec Shared\SymcData\sesmvirdef64
%programfiles%\common files\Symantec Shared\VirusDefs
Launch the process LUALL.EXE from %programfiles%\Symantec\LiveUpdate (May be requested to click on "START")
(LiveUpdate should run for some minutes (5-10 min), if some error messages are displayed, exit and launch again LUALL.exe)
Restart both Symantec Endpoint Protection services when LiveUpdate is complete.
Verify the numbered folders of virus definitions are created in the following paths:
(There might be just 2-3 folders in the beginning, but the default number is 10 folders)
%programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{1CD85...
%programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{C60DC...

Log on to Symantec Endpoint Protection Manager Console and launch a LiveUpdate from Admin > Server > Local Site > Download LiveUpdate content.

Your right the folder would be there if there was a corrupt definition being pushed/pulled out. That is why I thought this was not the cause of his problem. I posted that last response in regards to a previous poster that said "this may be due to corrupt definitions". I am curious to the solution of this issue as well and am waiting for the post with the logs. These really will be the fastest way to get to the root of the problem. Thanks.

Grant-

Dear Kavish

I am very much used to all these troubleshooting. It didn't worked. i have tried this before posting.

thanks for the info...........

very nice!!!!!!

maybe re image the sep ,, thanks for the all information,

I am a SAV user ...
is the live update for SEPM same as that of SAV?
thanks..

Technology is same and the only diference is the SEPM live update can be configured as "Continuously Run" but in SAV this featurewas unavailable

Ghe21
Please elaborate about the re-imaging SEP

Hi She_esteban

Thanks for what????

What is the latest on this issue? How are we coming along with getting those logs?

Cheers
Grant