Video Screencast Help

SEP 11 and LiveUpdate

Created: 12 Oct 2007 • Updated: 21 May 2010 | 13 comments

I have SEP 11 on two Windows XP SP2 computers. Both have similar behaviour.
LiveUpdate stops and starts once a minute.

Windows Event Viewer is full of these three messages:

  1.    The LiveUpdate service was successfully sent a start control.
  2.    The LiveUpdate service entered the running state.
  3.    The LiveUpdate service entered the stopped state.

Here is few lines from The Log.LiveUpdate.
These lines are logged in every minute,
// Start LuComServer
12.10.2007, 11:03:37 GMT -> LuComServer version:
12.10.2007, 11:03:37 GMT -> LiveUpdate Language: English
12.10.2007, 11:03:37 GMT -> LuComServer Sequence Number: 20070811
12.10.2007, 11:03:37 GMT -> OS: Windows XP Professional, Service Pack: 2, Major: 5, Minor: 1, Build: 2600 (32-bit)
12.10.2007, 11:03:37 GMT -> System Language:[0x040B], User Language:[0x040B]
12.10.2007, 11:03:37 GMT -> IE 6 Support
12.10.2007, 11:03:37 GMT -> ComCtl32 version: 6.0
12.10.2007, 11:03:37 GMT -> IP Addresses: < removed >
12.10.2007, 11:03:37 GMT -> Loading C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
12.10.2007, 11:03:37 GMT -> Opened the product inventory at "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
12.10.2007, 11:03:37 GMT -> Account launching LiveUpdate is not a logged in user's account
12.10.2007, 11:03:37 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
12.10.2007, 11:03:37 GMT -> LiveUpdate flag value for this run is 0
12.10.2007, 11:03:37 GMT -> ProductRegCom/luProductReg(PID=3784/TID=4012): Successfully created an instance of an luProductReg object!
12.10.2007, 11:03:37 GMT -> ProductRegCom/luProductReg(PID=3784/TID=4012): Path for calling process executable is C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe.
12.10.2007, 11:03:37 GMT -> ProductRegCom/luProductReg(PID=3784/TID=4012): Destroyed luProductReg object.
// End LuComServer

Discussion Filed Under:

Comments 13 CommentsJump to latest comment

Oivin's picture
Just for the record, I have seen this behaviour on some of my clients, and would also be interested in a solution. Have you tried to re-install Liveupdate?
SKlassen's picture
I've got this one as well on some client systems.
heikkuri's picture

Thanks for comments!

Yes I have unistalled the SEP 11.0 with LiveUpdate from both computers.
I used SCSCleanSweep to remove what may be left even it does not officially support SEP 11.0
After restart I installed the SEP 11.0  again.
Nothing is changed. SEP 11.0 works just like before. Once a minute the LiveUpdate
gives a notice to Event Viewer.

LiveUpdate Service startup type is manual. Which service or program starts LiveUpdate?

JimBr's picture
This is a characteristic of the way the product integrated the LiveUpdate component. Basically components within the Symantec Endpoint Protection solution are querying LiveUpdate on a frequent basis for status information. That is why you are seeing the LiveUpdate process activity.
Are there problems that this creates?
SKlassen's picture
I would have to disagree.  If this were normal expected behavior, it would be happening on all systems.  For those of us with this issue, it is only happening on a few machines.
As far as impact goes, each time the three processes that make up LU run, it does tend to use up memory and processor clocks, both for these processes themselves and in terms of the massive amount of windows log events it is generating.  On the handful of systems I'm experiencing this on, I would prefer not to lose important event data because every minute I get events logged that LU is starting, running, and stopping.
JimBr's picture
Okay. I understand better. I am not seeing any windows log events via the MS Event Viewer on my managed client. I would hope there is a setting in C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate that would address this. Let me check with the LU team on this.
SKlassen's picture
Great, thanks.  You must be a HumbleDev with Symantec.  Ask them to fix the LU/group policy issue thing too while your at it.  :)  Getting a bit tired of clients not getting policies and logon scripts when they should.
JimBr's picture
Can you provide a link or some more info on the "LU/group policy issue thing"? I am not familar with it. Thanks.
JimBr's picture
Ok, I have more info. Unfortunately, this log event caused by the Service Control Manager itself. As such, LU cannot disable the logging. I did some quick Internet searches and was not able to locate any filters in the MS event logging system. I am sorry to say that I think we might be stuck on this for at least version 11.0 for now ... unless someone else can find a filtering mechanism in the MS event logging system.
SKlassen's picture
Sent you the link and info in a PM HumbleDev.
KTH's picture
This occurs on all my systems where the Communications Setting policy is set for "Push mode". I switched to Pull mode with a Heartbeat of 30 minutes and now it's logged every half hour.
JimBr's picture
I appologize. I am new to this forum and did not receive anything that I can see.
SKlassen's picture
I changed to PULL with a longer heartbeat interval as well.  It works as a temporary workaround.
Seems the root problem is that when using PUSH, on some clients the set heartbeat interval is ignored and the client tries to update every 60 seconds.
Also, resent the PM to you HumbleDev. 

Message Edited by Scott Klassen on 10-25-2007 08:40 AM