Outdated Virus Definitions
Created: 17 Oct 2012 | Updated: 22 Oct 2012 | 20 comments
This issue has been solved. See solution.
Trying to troubleshoot an issue I am having with the client virus definitions not updating. SEP is running on a Windows 2008 Standard Server. The Windows Firewall is disabled and I can telnet into port 8014, but when I run the secars test (http://<SEPM_Server_IP_or_Machine_Name:Port>/secar...) I get this error:
You don't have permission to access /secars on this server
The clients do appear to be communicating and it appears the management console is pulling updates.
What would be the next step in trying to find the issue?
Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions
http://www.symantec.com/business/support/index?page=content&id=TECH166923
In this case, check if the clients are connecting to the SEPM properly. Check these articles:
Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting
http://www.symantec.com/docs/TECH160964
Troubleshooting communication problems between the management server and the client
http://www.symantec.com/docs/HOWTO55017
Then troubleshoot the LiveUpdate issue. Check this article:
Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart
http://www.symantec.com/docs/TECH95790
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
What version of SEP? 11.x or 12.1?
Do the clients have the green dot on the icon in the system tray?
Can the clients ping the server and vice versa?
See this:
Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity
https://www.symantec.com/business/support/index?pa...
SEP Knowledge Base
Endpoint SWAT
Please post sylink logs for one of the clients.
Connection tests check out fine. I can ping both ways, can telnet to the server on port 8014, viewed the apache logs and saw the connections, and even redid the secars test and got the OK.
We are using 12.1
How do you generate a sylink log? I followed the instructions for changing the registry, but so far no report. Not sure if it will take some time or not.
Thanks for the replies!
It depends on what your heartbeat is set to.
You can force a check in by right clicking the SEP icon and "Update Policy"
SEP Knowledge Base
Endpoint SWAT
Sylink file attached. Thanks for the help.
Check the System log on your client.
Open the GUI >> View Logs >> Client Management >> View Logs >> System Log
Are there errors in here about content updates failing?
How many clients is this happening on?
SEP Knowledge Base
Endpoint SWAT
The client is downloading the full definitions, around 208 MB.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
There is. Doesn't say much, just: Downloaded new content update from Group Update Provider Failed.
There is also a remote file path listed that is not accessible.
Check your LiveUpdate policy to ensure it's still correct. Make sure the GUP is valid and online. You're using a GUP, right?
SEP Knowledge Base
Endpoint SWAT
That is my understanding, but I am new to this product. Just took over about 2 months ago and I am not too familiar with the interface. I have been looking through SEP Manager to try and understand all of the settings.
To check your LU policy in SEPM go to,
Policies page
Select LiveUpdate
On the right side, select the applicable LU policy for whichever group these clients belong in.
Open it up and select Server Settings
On this tab, right in the middle is the Group Update Provider button, select it.
Your GUP settings are in here. Make sure it is still a valid GUP. You can also set the option to bypass the GUP after "x" amount of time and get updates directly from the SEPM.
You definitely need to validate these settings to make sure they are still relevant.
SEP Knowledge Base
Endpoint SWAT
Okay, we are not using a GUP. Our current LiveUpdate server settings are:
Use the default management server
Use a LiveUpdate Server > Use the default Symantec LiveUpdate server
To answer your previous question this is happening on about 34 clients and the rest are either up to date or offline. This is also happening on a second server at a different location with about 17 users.
As a test, would it be possible to move one of the out of date clients to a group that has the up to date clients in it?
I suspected corrupt definitions but 34 seems a bit high to me.
What happens if you try to update via LiveUpdate?
SEP Knowledge Base
Endpoint SWAT
Looks to be the same issue:
https://www-secure.symantec.com/connect/forums/updating-endpoint-clients#comment-6960041
Try this:
http://www.symantec.com/business/support/index?page=content&id=TECH94322
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
Technically they are all out of date, just some not past the out of date threshold. Which doesn't make much sense to me. They are all also part of the same group.
Running LiveUpdate from the client works just fine.
Currently the Windows Firewall is off, but I did put the rule in place just to make sure. Also tried restarting the services with no luck.
Which service did you restart?
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Adding the GUP settings seems to have fixed the issue. Currently Houston is getting updates and now I will apply the same settings to Austin. Thanks for all the help!
Woot woot..!
Thanks for the share, rBieBer.
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
So Austin is still not working. I have mirrored the settings between the two locations. I did ask someone to manually update (right click > Update Policy) and see what happens. They are still out of date. When I try to do a Secars test I get a 403 error, page cannot be displayed. Running the SEP Support tool produces no errors.