Endpoint Protection

SAV 10 clients not updating

  • 1.  SAV 10 clients not updating

    Posted Apr 13, 2009 12:54 AM
    Hi, we have 2 clients not updating under Symantec Antivirus Corporate Edition. They're part of a different domain from where I am connected so I cannot access them. We have tried reinstallation and restarting the clients. They only update during restart, and they don't do the normal scheduled update. The network and hardware usage seems OK. We can't afford to have them restart daily as they are application servers. We have also tried copying the necessary files from the SAV server to these clients based on the solutions provided on the Symantec website. What information should I look at to troubleshoot this? Thanks.


  • 2.  RE: SAV 10 clients not updating

    Posted Apr 13, 2009 01:07 AM
    Which version of SAV are you using?

    rgrds,
    SAM


  • 3.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 12:13 AM
    The one currently installed on the non-updating clients is 10.1.5.5010


  • 4.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 01:50 AM
    Hi,

    Try copying the GRC.dat file as well as Root Certificate from server to client machine.

    Make sure you stop the services/start services while doing the above activity.

    Rgrds,
    SAM


  • 5.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 02:10 AM
    Hi,

    Please see whether your clients are communicating to server or not,

    Telnet from both sides using port 2967.




  • 6.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 05:02 AM
    Thanks,

    We've already tried the GRC.DAT procedure. There are no firewalls set up in the network (firewalls on all PCs are off). I'll check the certificates and whether the port is open. Thanks, and I'll let you know what happens.


  • 7.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 05:21 AM
    Please also update your installation to 10.1.7 or higher

    SYM08-022 Symantec SPBBCDRV.SYS Device Driver Local Denial of Service





  • 8.  RE: SAV 10 clients not updating

    Posted Apr 14, 2009 05:31 PM
    I think the best way would be to update the product version to 10.1.8, or open a Symantec support case. :)


  • 9.  RE: SAV 10 clients not updating

    Posted Apr 17, 2009 02:16 AM
    Please try this, it will work.

    1. The clients are unable to communicate with the server to get the update using port 2967.
    To check the communication please follow the steps.
    * On the server machine:
    - Open a command prompt.
    - Type telnet <client name> 2967 and press Enter.
    - It should open a blank command prompt window.
    - If it is not working, you need to open port 2967 on the server or firewall or client.
    * On the client machine:
    - Open a command prompt.
    - Type telnet <server name> 2967 and press Enter.
    - It should open a blank command prompt window.
    - If it is not working, you need to open port 2967 on the server or firewall or client.
    - Click on Start and Run.
    - Compare the root certificate on the server (\\<server>\vphome\pki\roots) and the client (c:\program files\Symantec Antivirus\pki\roots).

    2. The old virus definition is corrupted.
    - Stop the Symantec AntiVirus services.
    - Stop the Symantec AntiVirus Definition Watcher.
    - Delete old virus defs (yyyymmdd.xxx) from "C:\Program Files\Common Files\Symantec Shared\VirusDefs".
    - Empty the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads" folder.
    - Delete all <number>.product.inventory and <number>.setting files from the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate" folder.
    - Empty the "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB" folder.
    - Go to "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\" and delete *.vdb or *.xdb files, not folders.
    - Start the Symantec service.
    - Start the Symantec AntiVirus Definition Watcher.
    - Run a LiveUpdate.

    SAMEER
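
The two checks in step 1 of the post above (TCP reachability on port 2967 and a root-certificate comparison), scripted as an added example; it is not part of the original thread and not a Symantec tool. It goes slightly beyond the telnet test by returning the failure reason, and it compares the two roots folders by SHA-256; the certificate file names, the loopback listener and the temporary folders in `demo()` are constructed stand-ins.

```python
import hashlib
import socket
import tempfile
from pathlib import Path

SAV_PORT = 2967  # port named in the post above


def tcp_port_open(host, port=SAV_PORT, timeout=3.0):
    """Scripted form of 'telnet <host> 2967': return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except OSError as exc:  # refused, timed out, unreachable, name not resolved
        return False, f"{type(exc).__name__}: {exc}"


def fingerprint_dir(path):
    """Map lower-cased file name -> SHA-256 of contents for each file in path."""
    return {
        entry.name.lower(): hashlib.sha256(entry.read_bytes()).hexdigest()
        for entry in Path(path).iterdir()
        if entry.is_file()
    }


def compare_roots(server_dir, client_dir):
    """Report root-certificate files that are missing, extra or different."""
    server, client = fingerprint_dir(server_dir), fingerprint_dir(client_dir)
    shared = set(server) & set(client)
    return {
        "missing_on_client": sorted(set(server) - set(client)),
        "extra_on_client": sorted(set(client) - set(server)),
        "content_differs": sorted(n for n in shared if server[n] != client[n]),
    }


def demo():
    """Run both checks against constructed data (loopback listener, temp dirs)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # any free port stands in for 2967
    listener.listen(1)
    port = listener.getsockname()[1]
    reachable = tcp_port_open("127.0.0.1", port, timeout=2.0)
    listener.close()

    with tempfile.TemporaryDirectory() as srv, tempfile.TemporaryDirectory() as cli:
        # Constructed stand-ins for the server and client pki\roots folders.
        (Path(srv) / "group-root.cer").write_bytes(b"constructed cert A")
        (Path(srv) / "second-root.cer").write_bytes(b"constructed cert B")
        (Path(cli) / "group-root.cer").write_bytes(b"constructed cert A (stale)")
        diff = compare_roots(srv, cli)
    return reachable, diff


if __name__ == "__main__":
    reachable, diff = demo()
    print("port check:", reachable)
    for kind, names in diff.items():
        print(f"{kind}: {names or 'none'}")
```

On a real client, `compare_roots` would be pointed at the two folders named in the post, and `tcp_port_open` run once from each side, since the post checks the port in both directions.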


  • 10.  RE: SAV 10 clients not updating

    Posted Apr 18, 2009 04:41 AM
    Another question: what is the client OS, 32-bit or 64-bit?


  • 11.  RE: SAV 10 clients not updating

    Posted Apr 21, 2009 12:41 AM
    The OS are Windows 2000 for the AV server and Windows 2000 Advanced Server for the clients.


  • 12.  RE: SAV 10 clients not updating

    Posted Apr 21, 2009 12:46 AM
    Are you able to communicate between the server and the non-updating clients?


  • 13.  RE: SAV 10 clients not updating

    Posted Apr 22, 2009 11:51 AM
    Please uninstall the client using Cleanwipe or nonav utility, restart the machine and then reinstall the client from SAV directory by accessing the AV server.


  • 14.  RE: SAV 10 clients not updating

    Posted Apr 22, 2009 12:03 PM
    Hi mon, please update to latest version of SAV 10.1.8

    Below is the link for the release notes, many bugs/fixes with regards to network.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006050314483048?Open&seg=ent

    Please also check application and system logs during the update or when restarting a symantec service.



  • 15.  RE: SAV 10 clients not updating

    Posted Apr 22, 2009 12:18 PM
    By the way, why don't you upgrade to SEP 11.0? It has lot more functionalities than 10.


  • 16.  RE: SAV 10 clients not updating

    Posted Apr 23, 2009 03:05 AM
    Communications aren't the problem. They're able to ping the machines. And no firewalls were in use inside the network where the machines are.
    binayak, we did try reinstalling them, we tried restarting after reinstallation, we also did manual updates. Upgrading will come later as it requires permissions from the higher-ups and would probably take a while. They have a schedule to follow. We do have plans to upgrade to 11.

    But the issue is why only these 2 PCs while the others are updating without a problem. BTW, there are other PCs with the same functionalities and installed software as these having no problems updating.


  • 17.  RE: SAV 10 clients not updating

    Posted Apr 23, 2009 12:32 PM
    Hi Mon,

    A few people are wondering if you were able to resolve this issue.  Please update us with the status.

    Best,

    Eric


  • 18.  RE: SAV 10 clients not updating

    Posted Apr 23, 2009 12:39 PM
    Hi mon, do you know the current service packs installed and current windows updates applied?

    Please also try to download and run the latest sevinst.exe file (System event)

    Delete any *.tmp files associated with symantec or temp files that were created during the installation



  • 19.  RE: SAV 10 clients not updating

    Posted Apr 24, 2009 04:16 AM
    Hi all, currently, we've escalated this with Symantec and they're doing a WebEx session to check one of the PCs. I'll keep you all posted on this.

    I forgot what service pack was installed, but I'm sure it's the latest. But not the security updates from MS. Is there an MS update that we need to have just to be able to update?


  • 20.  RE: SAV 10 clients not updating

    Posted Apr 24, 2009 03:57 PM
    Oooops, you posted the Server name... How about the latest sevinst.exe file (System event)? Have you tried this?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1998092408260848



  • 21.  RE: SAV 10 clients not updating

    Posted Apr 26, 2009 11:57 PM
    This is the latest update I have at the moment. I've edited out some confidential info:

    "I was on the phone with Symantec yesterday during the WebEx session and I showed him the current SAV console settings and showed him the current status of the non-updating servers. Basically we were doing the same as the instructions you gave me before to troubleshoot the problem such as doing manual and live update, checking the communication between the SAV server and the clients, and finally restarting all the Symantec services. As before, after the Symantec antivirus service was restarted the attempt was not successful, which resulted in the “stopping” status. With the approval of [boss], the two servers were restarted yesterday afternoon and they now have the updated virus definitions and the services started."

    "Today, I was on the phone again with Symantec for another WebEx session. [...] viewed the settings of the SAV console and the server group settings. We verified that the certificate exists on both the SAV server and the client. We ran the live update and copied the GRC.dat file to where it should be, we browsed the settings of the Virus Definition Manager and then lastly restarted the Symantec Antivirus service as instructed, which still resulted in a “stopping” status. With the approval of [boss], the two servers were restarted this afternoon and the Symantec antivirus service is now running."

    "According to [Symantec], [...] is seeing a communication problem between the SAV server and the SAV clients (...). They will be calling me again tomorrow to further troubleshoot the problem and to check if the issue has been resolved."

    Note: The SAV servers and these 2 non-updating servers are on the same network and don't have any firewall enabled.


  • 22.  RE: SAV 10 clients not updating

    Posted Apr 27, 2009 12:02 AM
    Pauli, what I'm wondering is why only these 2 servers are the ones not getting any updates as there are similar servers like these 2. If there are others also not getting updates then I'd probably get a better idea. But as it is, I'm very much out of options.

    Thanks for the heads-up on the computer names. I hope no black hats saw that.


  • 23.  RE: SAV 10 clients not updating

    Posted Apr 27, 2009 03:12 AM
    From email:
    "I was on the phone again this morning with [Symantec] for another WebEx session. We uninstalled the Symantec software on both servers by running their uninstall and cleanup tools before we re-installed the Symantec software. According to [Symantec], the Symantec software was already corrupted and had to be removed to resolve the problem. He said that the problem should already be resolved by now.

    They'll be calling me back again tomorrow to know if the issue has already been resolved.

    I'll be sending another update regarding this tomorrow.


  • 24.  RE: SAV 10 clients not updating

    Posted Apr 27, 2009 01:16 PM
    How about the latest sevinst.exe file (System event)? Have you tried this?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1998092408260848



  • 25.  RE: SAV 10 clients not updating

    Posted Apr 27, 2009 10:31 PM
    Maybe I'll try that at a later date. Right now, we're having Symantec fix this for us. While that's happening, I'm not touching it.

    And nobody still has any idea what's going on. I've been getting possible solutions without any clue on the source of the problem.


  • 26.  RE: SAV 10 clients not updating

    Posted Apr 28, 2009 12:09 AM
    Upgrade to SEP11, which is far better than what you are using.


  • 27.  RE: SAV 10 clients not updating

    Posted Apr 28, 2009 03:46 AM
    Received from email:

    I was on the phone again this morning for the last day of WebEx session with Symantec. The problem was still unresolved when we checked today.

    [Symantec] checked the current configurations of the antivirus software again and we tried to run a script via Scheduled Task but still the problem was not resolved. We also tried restarting the Symantec Antivirus service again but it still hangs at the stopping status and we had to restart the server again.

    [Symantec] said that he will be escalating this problem to the next level support that they have to work and resolve this problem. He also said that he will be sending me his report & recommendations regarding this problem either today or tomorrow.

    Once I receive his report and recommendations I will be cascading it to [boss] & [big boss] for advice. For now this will be the last actions for this non-updating virus definitions problem on the two servers.



  • 28.  RE: SAV 10 clients not updating

    Posted Apr 28, 2009 03:49 AM
    @Bijay:

    Yes, I'd like them to do that. But at the moment, we're still on the implementation for the other sites. I'm handling over 13k clients here (last I checked), 2 SEP servers + 1 SEP test server and 16 or so SAV servers. So it would take a while to implement, that's why I have to do this. :(


  • 29.  RE: SAV 10 clients not updating

    Posted Apr 28, 2009 01:01 PM
    I'd just like to ask if it's just these 2 servers having update problems? Do you have any servers with the same purpose (services, specs, etc.)?

    Aside from the Symantec update problem, do you have any other issues with these servers? I really can't find a pattern with this problem.


  • 30.  RE: SAV 10 clients not updating

    Posted Apr 28, 2009 08:51 PM
    Yes, these 2 problematic servers are backups of another set of servers. They have the same applications/databases on them but the ones used for production have no problems.


  • 31.  RE: SAV 10 clients not updating

    Posted May 07, 2009 11:42 AM
    Just a recap:
    We have 2 clients not updating. We have done what the Symantec website says about copying files, restarting and reinstalling. We filed a case with Symantec...

    This is the latest news:

    "We resumed the WebEx session today and we have already uninstalled and re-installed the SAV client software and set it to unmanaged. Schedule of Live Update was set to daily at 5am. Server is now under observation."


  • 32.  RE: SAV 10 clients not updating

    Posted May 07, 2009 10:36 PM
    I hope you fix the issue.

    Did Symantec recommend the following?

    1. Update Sym Event
    2. Update/Upgrade to 10.1.8


  • 33.  RE: SAV 10 clients not updating

    Posted May 08, 2009 12:45 PM
    This still doesn't answer my original question. Why only these 2 clients refuse to update properly?
    I'd like to know the reason for them not updating instead of blindly following whatever solution or workaround that comes my way.


  • 34.  RE: SAV 10 clients not updating

    Posted May 11, 2009 03:59 AM
    As you said mon, you have the same case with other servers; we cannot further troubleshoot the problem if we don't have any errors encountered.


  • 35.  RE: SAV 10 clients not updating

    Posted May 11, 2009 04:10 AM
    Check your firewall settings?
    Look if it is on or off?


  • 36.  RE: SAV 10 clients not updating

    Posted May 11, 2009 12:36 PM
    We have 2 clients that do not update. They have server roles. There is no connection problem as these are production servers. All firewalls are disabled in the internal network. These are SAV clients and their version is irrelevant as their other counterparts have the same version and these 2 are the only ones not updating. We have done what the knowledge base suggests, which includes copying the grc.dat, copying the certificates, manual download of updates, rebooting (which worked, but we wouldn't want to restart the servers just to update), and reinstalling. Migration to SEP is still in the planning stage and would have to go to higher management to give the go signal, which would take days - not ideal for definition update issues.


  • 37.  RE: SAV 10 clients not updating

    Posted May 11, 2009 12:40 PM
    "
    Good news!!! I checked the two [company] servers today and their virus definitions got updated automatically through a scheduled Live Update which was set since last Thursday (see attached screenshot [this just shows the SAV client main window having the latest virus definitions in the lower right]).

    The Symantec antivirus software on these servers was uninstalled and re-installed last Thursday and was set to "unmanaged" in order to troubleshoot and isolate the problem. With the "unmanaged" settings, these servers are able to get virus definition updates automatically from the internet instead of getting them from the SAV server.

    I'll be sending another update tomorrow after the WebEx session that is scheduled tomorrow.
    "



  • 38.  RE: SAV 10 clients not updating

    Posted May 11, 2009 09:48 PM
    Good for you Ramon, but with this scenario, we verified that the servers can do LiveUpdate by themselves. But I'm still interested in the problem of why it is not updating when "managed". If you have the time please try my other suggestions in the previous posts.


  • 39.  RE: SAV 10 clients not updating

    Posted May 12, 2009 12:13 PM
    @Pauli: Which one? The one with the link? You sent them twice, btw. I sent them the instructions. I'll wait for the reply. But since Symantec is the one handling the case, I'll let them have a go at it. I might ruin the momentum. ;)


  • 40.  RE: SAV 10 clients not updating

    Posted May 12, 2009 12:22 PM
    WebEx session yesterday did not push through but we had it this morning instead and I was on the phone with [employee] of Symantec for the WebEx troubleshooting session.

    He checked the virus definitions of the two servers and verified that Live Update is working in an "unmanaged" configuration without a problem, and that the virus definitions are updated automatically through a scheduled Live Update. With this latest development on these servers, he said that there is a communication/network problem between [the 2 PCs] and the parent server ([av server]) and he recommends to have it checked by our Network team for a permanent resolution. Attached is his email regarding this case.

    So far, virus definitions on these servers have been updated automatically since last Thursday until today with the "unmanaged" configuration.


  • 41.  RE: SAV 10 clients not updating

    Posted May 12, 2009 12:25 PM
    "
    Initially we had problems with two Windows 2000 servers running Symantec antivirus client version 10.1.5.5010 that were not able to get the updates from the primary server.

    We found through the logs that when Symantec antivirus is installed as a managed client on these machines, it is not able to get the updates from the primary server. We found that the packets are getting lost and liveupdate is not able to receive the virus definitions from the server.

    In order to isolate the problem and to check that Symantec is able to perform automatic liveupdate on these computers, we uninstalled Symantec completely and reinstalled it as an unmanaged client on the same server. They have been configured to get the updates from the internet. Now they are able to get the updates automatically from the internet. Hence it proves that Symantec antivirus is able to get the automatic updates on the same machine without any problem. As we have installed Symantec antivirus as unmanaged clients on these machines, they will not show up on the Symantec System Center. We can understand that this was not the setup you had previously.

    Since there is a problem with the physical network connection, we are currently not configuring them as managed clients to get the liveupdate definitions from the primary server. Once you have fixed the physical network connectivity with the help of your networking team, you can follow the instructions I had given you to convert the computer from unmanaged to managed. I am providing you with a document for your reference.

    Changing a Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x client installation from unmanaged to managed

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005040414260248

    Troubleshooting communication problems with Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005033015282148




    At Symantec, our goal is to provide a quick and accurate solution for your issue, please let me know if there is anything further I can do to exceed your expectations.


    Your response to this email will be added to your current case, and I will be notified.


    Thanks for using Symantec Support Services!


    Sincerely,
    "


  • 42.  RE: SAV 10 clients not updating

    Posted May 12, 2009 10:03 PM
    I guess you need more testing mon; you said before that you have other servers with the same specs/roles, and the AV clients on those servers are communicating well with the parent server.


  • 43.  RE: SAV 10 clients not updating

    Posted May 13, 2009 03:33 AM
    Please check also if those computers have an existing application which is conflicting with the installation of SAV and its LiveUpdate component.


  • 44.  RE: SAV 10 clients not updating

    Posted May 13, 2009 03:35 AM
    I forgot to say that you also have to check the history of that computer. Was there any other AV installed before? Have you removed it completely from the registry or from Program Files?

    Thanks


  • 45.  RE: SAV 10 clients not updating

    Posted May 13, 2009 12:23 PM
    @Gilbert08: The previous AV used was Symantec and then I asked them to do a reinstall. This machine has been using Symantec to my knowledge.


  • 46.  RE: SAV 10 clients not updating

    Posted May 14, 2009 12:59 PM
    4/28/2009, 3:49:20 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.1.0.90_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"
    4/28/2009, 3:49:21 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    4/28/2009, 3:49:21 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.1.0.90_english_livetri.zip", Full Download Path: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\liveupdate_3.1.0.90_english_livetri.zip" HR: 0x802A0026
    4/28/2009, 3:49:21 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND


  • 47.  RE: SAV 10 clients not updating

    Posted May 14, 2009 01:09 PM
    Email I received regarding the use of SymEvent:

    "
    We ran SymEvent before (without parameters) and I sent him the logs but that was before the software was uninstalled and re-installed as unmanaged. We didn't do this after the software was re-installed. Attached are the logs I sent him for your reference.

    May I know how can this help in resolving the communication problem between the server/client and the parent server, and what are the standard procedures to follow in resolving communication issues?
    "


  • 48.  RE: SAV 10 clients not updating

    Posted May 14, 2009 09:41 PM
    You should use the proper parameters when updating Sym Event.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1998092408260848


  • 49.  RE: SAV 10 clients not updating

    Posted May 15, 2009 04:31 PM
    @Paul: I'm pretty sure they did it properly or according to support's recommendations.


  • 50.  RE: SAV 10 clients not updating

    Posted May 18, 2009 02:42 AM
    But as you said in your previous post, "We ran SymEvent before (without parameters)" <--- this should not be. You have to use proper parameters.


  • 51.  RE: SAV 10 clients not updating

    Posted May 18, 2009 12:14 PM
    To clear it up. We didn't use the switches found at the bottom of the page you posted.
    Anyway, the info is in my previous post.


  • 52.  RE: SAV 10 clients not updating
    Best Answer

    Posted May 27, 2009 09:28 PM
    This is probably the last update.

    "
    This is not our usual setup but this will do for now while the communication problem between these servers and the parent server is not yet resolved. I was not able to work on this lately because I was busy with other tasks and I am still busy with SEP issues in [remote site].
    "

    For those who haven't got the time to read the trail:
    SAV10 is not getting any updates from the parent server, we tried all the procedures found in the KB articles, we reinstalled it, and lastly, configured it as stand-alone.

    They finally received updates. :D