
Proactive Threat Protection Waiting for updates...

Created: 06 Oct 2008 • Updated: 21 May 2010 | 26 comments
This issue has been solved. See solution.

Perhaps I am mistaken, but I thought I read that this was fixed in MR3. 

 

Background:  In a small % of Symantec (MR2) clients, Proactive Threat Protection randomly changes its state to "waiting for updates" and the green dot of goodness on the SEP Task manager shield is replaced by a red slashed circle of unhappiness.  Normally after 2-3 hours the PTP will go back to the definition date and the Shield will be happy/green for a few hours again.  The application event log on the machine shows an Event 74 for Symantec - "TruScan has generated an error: code 14: description: CAL Failure".  Uninstall/reinstall helps for less than a day before it starts alternating between happy and not so happy again.

 

So we loaded up MR3 onto our acceptance env and loaded it on a few machines.  It was an upgrade on the SEP server but a clean install on the clients.  One of the machines lasted only a few hours before experiencing the same PTP issues.  So no warm fuzzy feeling about a quick fix from upgrading...

 

Any insight or help would be appreciated.  Thanks.
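
An added example, not part of the original post and not Symantec tooling: a small triage script that pulls the Event 74 "CAL Failure" entries quoted above out of exported Application-log records and reports, per machine, how often the error recurs and the hours between occurrences. The CSV layout, column names and host names are assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Event ID and message text as quoted in the thread (Application log).
CAL_EVENT_ID = 74
CAL_TEXT = "code 14: description: CAL Failure"

# Constructed sample export. The CSV columns and host names are assumptions,
# not a format produced by SEP or the Windows Event Viewer.
SAMPLE_CSV = """host,time,event_id,message
PC-01,2008-10-14 08:00:00,74,TruScan has generated an error: code 14: description: CAL Failure
PC-01,2008-10-14 09:10:00,1000,Unrelated application event
PC-01,2008-10-14 12:00:00,74,TruScan has generated an error: code 14: description: CAL Failure
PC-01,2008-10-14 15:30:00,74,TruScan has generated an error: code 14: description: CAL Failure
PC-02,2008-10-14 10:15:00,74,TruScan has generated an error: code 14: description: CAL Failure
PC-03,2008-10-14 11:00:00,74,Some other event that happens to share ID 74
"""

def cal_failures(csv_text):
    """Return {host: sorted datetimes} for rows that are Event 74 CAL failures."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Match on both ID and text: other sources can reuse event ID 74.
        if int(row["event_id"]) == CAL_EVENT_ID and CAL_TEXT in row["message"]:
            hits[row["host"]].append(
                datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))
    return {host: sorted(times) for host, times in hits.items()}

def summarize(failures):
    """Per host: failure count, hours between failures, and a recurring flag."""
    report = {}
    for host, times in failures.items():
        gaps = [round((b - a).total_seconds() / 3600, 2)
                for a, b in zip(times, times[1:])]
        report[host] = {"count": len(times), "gap_hours": gaps,
                        "recurring": len(times) > 1}
    return report

if __name__ == "__main__":
    for host, info in sorted(summarize(cal_failures(SAMPLE_CSV)).items()):
        print(host, info)
```

A per-host summary like this is the kind of evidence that can be attached to a support case when the vendor cannot reproduce the problem.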

26 Comments

tsqrd's picture

Still seeing this issue on multiple clients.  Freshly built machines with new installations of SEP11 are still hanging with the "Waiting for Updates" errors, and Tru-scan disabled.  Need a response on this ASAP...

Message Edited by tsqrd on 10-06-2008 10:42 AM

tramp21's picture

Hi,

I too have this issue every day on one XP client with a managed SEP MR3.

After booting I see the green tray icon, 1-2 hours after it is red and some hours later all is ok again.

I tried several complete new installations of this SEP client, new live updates, nothing helped.

 

Lynchman's picture

Experiencing the same issues as everyone else. Posted a thread about it and haven't had a response.

 

Thread Here

 

Ted G.'s picture

Folks, I wanted to remind you. PLEASE NOTE: this is a peer-to-peer discussion forum and not technical support. Usually customers come to the rescue. Other times, when they are available, a Symantec employee will volunteer his/her time to find and help solve issues just like any other member of the community.

 

If this is an urgent matter for you all, I would suggest calling in and talking to Technical Support and starting a support case rather than waiting for a reply in the forums. Unfortunately, we don't always have time to come in and research issues in the forum and provide answers. I'm posting this as a quick reminder on my break.

 

 

CommerceSNI's picture

I have the same issue on a few clients, on some a reboot will resolve the issue but on most I have had to uninstall and reinstall SEP11. These clients are 11.0.2010.25 on XPsp2, I have not had this issue reported on any MR3 clients yet, but we only have a few of those so far.

Message Edited by CommerceSNI on 10-07-2008 01:32 PM

Toast's picture

Yes Ted, we also created a support ticket with Symantec on this issue.  I have found it to be helpful to also get insight from peers on the infrequent times when Symantec support has been less than helpful.  :P This was a preemptive strike to see if one (or many) of my peers had seen the same issue and possibly fixed it.

 

-toast

Toast's picture

CommerceSNI,

 

Are you doing anything special during the install/reinstall?  Deleting directories after the uninstall, using cleanwipe, etc?  I am willing to try anything on a few problem machines. 

 

Thanks in advance

Ted G.'s picture

Sorry Toast, that post was more directed at the few posters in this thread that were expecting a response ASAP. I should have clarified that. :)

CommerceSNI's picture

Nothing special during reinstall that I know of. We have been doing the following process in progression until the green dot comes back:

1. hit the fix button

2. reboot

3. re-install over the top of current install

4. uninstall then reinstall

 

So far one of these has fixed the problems that have been reported. I will have to check with the helpdesk to see if the issue returns or repeats.

Toast's picture

CommerceSNI:

 

Thanks and dang.  We are doing very similar steps without the reinstall over the top.  My personal inclination is there is a shared component either in LiveUpdate or SEP which is unhappy or getting hosed.  I can hope and wish it is something that simple ;)

 

Ted,

No worries.  I completely agree problems should be opened with Symantec by everyone already paying for support so the extent of the problem is known. 

 

 

CommerceSNI's picture

I was actually able to get my machine to briefly have this problem, listed in the logs as "TruScan has generated an error: code 14: description: CAL Failure" and upon doing some digging in this thread and looking at the linked whitelist failure document http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008013109171848 the two issues seem to be related or at least similar.

 

So on my computer, I had just re-installed SEP 11.0.3001.2224 and received the PTP waiting for updates message and while looking for things to try, it cleared itself, I presume it received the updates it was waiting for...

mnytx's picture

I have this on Win XP SP3 computers - SEP 11 M3 & M2 installed - we have uninstalled - reinstalled then reinstalled again. Results in "waiting for updates" on and off every 2 hours or so! We have the unmanaged client installed on the XP computers - with no manager installed - yet. I have not found a solution to this - and wasted many hours trying! Has someone solved this issue - help appreciated - thanks

 

Charlco's picture

I called this issue in on Friday, October 10th.  Received an email today that they are aware that others have this issue and are working on a resolution.

MSDLTHelpdesk's picture

We have these issues, too.  I noticed, however, that it will go away without a reboot.  The machine I use does it after we receive the def file updates.  We have our machines set up with Group-Pull, and they communicate every 4 hours.  In other words, within 4 hours, the problem will go away when it downloads/installs the latest def files.  I don't really see it as an issue, but perhaps it is?

Dr. Watson's picture

I faced a similar issue, but it was resolved after following the steps below.

A process called coh32.exe is responsible for making the Proactive Threat Protection (PTP) feature function.

I looked in the Event Viewer under Application Logs and found that my firewall/compliance software was blocking/restricting coh32.exe from running.

I found this using the Tamper Protection feature, which kept generating events in the Event Viewer indicating a tamper.

The event logs were detailed enough to tell me the ACTOR PROCESS and the TARGET PROCESS, which in turn helped me understand that the ACTOR PROCESS in my case was my compliance software and the TARGET PROCESS was coh32.exe for the SEP PTP feature.

Check if there is any similar issue happening with guys out there... :) Cheers !!

Toast's picture

Uggg.  People please read all the posts before responding.  The PTP def problem appears to cycle from happy to waiting for updates with the update check. I have also noticed that the times when the dot is green that the pc has not received an update from the previous green.  So it makes absolutely no sense to me why it would be waiting for updates for 2-4 hours in between.  For us, Fix button does not work.  Uninstall/reinstall does not work.  A reboot certainly does not work.  Problem is reoccurring and generating help desk calls for my company.  Support ticket with Symantec but no helpful response yet.  Will post more information when I receive it. 

 

Dr. - For me, there are no other errors on the machine in the event logs that relate to the events.  I would caution against having two firewall applications active on a machine.  This is, of course, if you installed all components of SEP on your machines.

 

Toast

Message Edited by Toast on 10-15-2008 04:37 AM
Toast's picture

Update:  With further investigation there is a CAL error in the event log similar to the one described in this post - https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=4200

 

For us, Proactive Threat Protection goes to "Waiting for Updates" at least once a day, sometimes multiple times in a day.  This is happening on many of our machines.  We are on version 11.0.3001.2224 and 11.0.2010.25 (in progress of migrating to MR3).  Each version has its own SEP Server.  Problem occurs on both versions.  All machines are XP SP2 fully patched.

 

Symantec has been contacted and a ticket made.  Response so far was they are aware of the issue, it has not been reported by many clients (we were the third supposedly) and they have not been able to recreate the issue.  We have sent them images of problem machine(s) recently so hopefully that will help.

 

Just a reminder to everyone having the issue, please make a support ticket with Symantec.  In theory, they will throw more resources at it if it is shown to affect more customers.

 

-Toast

Greg Huntzinger's picture

I had this same issue yesterday from my first fresh install of a MR2-MP2 client.  I cleanWiped and reinstalled with the same result.  I finally cleanWiped and tried MR2-MP1 and everything has been fine for almost 12 hours.

 

This is the only MR2-MP2 fresh client install that we have done here so I don't have anything to base it on.  BTW our MR2-MP2 _upgrades_ from MR2-MP1 or MR2 have all gone very well with no issues.

 

Greg

sean 1's picture

I am also experiencing this. I have a clean install of Endpoint Protection Manager MR3 on a brand new server. I am the only client attached to this server at the moment, and I am experiencing this issue. Has anyone managed to resolve it? I have opened a case with support on this as well.

Toast's picture

Well, for those of us that have the event 74 CAL error in the application log when this happens... it appears this is at least on Symantec's radar.

 

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008100612252748

 

Check there periodically to see if there is an official fix listed.  Will update more if I get additional information or a fix.

 

Toast

SOLUTION
Toast's picture

Looks like a new Eraser update (updates during a LiveUpdate session) fixed the issue.  See the above link for more information.

 

Toast

MSDLTHelpdesk's picture

I hadn't even realized it wasn't still doing it.  I checked a few of our clients, and they have the current Eraser version.  I guess I'll have to keep an eye on them and see if they are still giving the red dot.  If not, then I guess this did take care of it.  Thanks for the heads-up update.

CommerceSNI's picture

We actually have been running with TruScan Scanning disabled for the past few months to stop the helpdesk calls.

shogo's picture

Any solution to this problem? I have tried to uninstall/reinstall, but nothing helps.

shogo's picture

I deleted all files in C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
And after a new update the Proactive Threat Protection started to work :)

Optimus Prime's picture

This forum is one of the longest forums I've read so far. I have the same issue, and with all the troubleshooting mentioned above, hope mine will be solved...

;-)