Endpoint Protection


SEP 11 Sesclu event id 13 once again

Migration User


  • 1.  SEP 11 Sesclu event id 13 once again

    Posted Nov 16, 2011 06:01 AM

    Hello!

    I have a SEP management server ver. 11.0.6005.562 on Windows 2003 x64. It manages 2 networks - local and remote, connected via a low-bandwidth IPsec tunnel. The local clients' LU policy is set to get virus definitions from the default management server; the other one forces remote clients to take updates directly from the internet due to bandwidth limitations.

    A few days ago I started to get that famous "Sesclu event id 13" error in the system logs. Sometimes clients get updates, sometimes not.

    It seems like I've tried almost everything referring to the KB and this forum - cleared broken definitions, reassigned policies, reinstalled LU and re-registered SEPM with LU, tried to use Intelligent Updater and so on, but I'm still getting this error. After 3 days of trying to get rid of it I'm almost giving up.

    Here are some suspicious strings from the LU log, right at the time when event 13 is registered in the Windows logs:

     

    16.11.2011, 10:54:01 GMT -> LuComServer version: 3.3.0.107
    16.11.2011, 10:54:01 GMT -> LiveUpdate Language: RUSSIAN
    16.11.2011, 10:54:01 GMT -> LuComServer Sequence Number: 20110526
    16.11.2011, 10:54:01 GMT -> OS: Windows 2003 Standard, Service Pack: 2, Major: 5, Minor: 2, Build: 3790 (64-bit)
    16.11.2011, 10:54:01 GMT -> System Language:[0x0419], User Language:[0x0419]
    16.11.2011, 10:54:01 GMT -> IE8 support.
    16.11.2011, 10:54:01 GMT -> ComCtl32 version: 6.0
    16.11.2011, 10:54:01 GMT -> IP Addresses: 192.1.2.2, 192.168.3.100
    16.11.2011, 10:54:01 GMT -> Loading C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    16.11.2011, 10:54:01 GMT -> Opened the product inventory at "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
    16.11.2011, 10:54:01 GMT -> Account launching LiveUpdate is not a logged in user's account
    16.11.2011, 10:54:01 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
    16.11.2011, 10:54:01 GMT -> LiveUpdate flag value for this run is 0
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Successfully created an instance of an luProductReg object!
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Path for calling process executable is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SescLU.exe.
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Setting property for Moniker = {4F889C4A-784D-40de-8539-6A29BAA43139}, PropertyName = LU_SESSION_OPTOUT, Value = YES
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Set property error -- Moniker {4F889C4A-784D-40de-8539-6A29BAA43139} is not found.
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Setting property for Moniker = {6062B9BA-E8F2-4e5c-97B9-8B669A14AFC1}, PropertyName = LU_SESSION_OPTOUT, Value = YES
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Set property error -- Moniker {6062B9BA-E8F2-4e5c-97B9-8B669A14AFC1} is not found.
    16.11.2011, 10:54:01 GMT -> ProductRegCom/luProductReg(PID=5748/TID=8540): Destroyed luProductReg object.

     

     

    16.11.2011, 9:04:44 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server C:\PROGRAM FILES (X86)\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\SMCLU at path C:\PROGRAM%20FILES%20(X86)\SYMANTEC\SYMANTEC%20ENDPOINT%20PROTECTION\SMCLU\CONTENT.ZIP0000 via a LAN connection. The server connection attempt failed with a return code of 1814, Программе LiveUpdate не удалось получить файл каталога доступных обновлений продуктов и компонентов Symantec.

     

    16.11.2011, 9:41:51 GMT -> LuComServer version: 3.3.0.107
    16.11.2011, 9:41:51 GMT -> LiveUpdate Language: RUSSIAN
    16.11.2011, 9:41:51 GMT -> LuComServer Sequence Number: 20110526
    16.11.2011, 9:41:51 GMT -> OS: Windows 2003 Standard, Service Pack: 2, Major: 5, Minor: 2, Build: 3790 (64-bit)
    16.11.2011, 9:41:51 GMT -> System Language:[0x0419], User Language:[0x0419]
    16.11.2011, 9:41:51 GMT -> IE8 support.
    16.11.2011, 9:41:51 GMT -> ComCtl32 version: 6.0
    16.11.2011, 9:41:51 GMT -> IP Addresses: 192.1.2.2, 192.168.3.100
    16.11.2011, 9:41:51 GMT -> Loading C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    16.11.2011, 9:41:51 GMT -> Opened the product inventory at "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
    16.11.2011, 9:41:51 GMT -> Account launching LiveUpdate is not a logged in user's account
    16.11.2011, 9:41:51 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
    16.11.2011, 9:41:51 GMT -> LiveUpdate flag value for this run is 0
    16.11.2011, 9:41:51 GMT -> **** Starting a Silent LiveUpdate Session ****
    16.11.2011, 9:41:51 GMT -> ***********************        Start of New LU Session        ***********************
    16.11.2011, 9:41:51 GMT -> The command line is -S -temphostex "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smclu\content.zip0000" -M{CC40C428-1830-44ef-B8B2-920A0B761793} -updateoptout=yes
    16.11.2011, 9:41:51 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****
    16.11.2011, 9:41:51 GMT -> TempHostEx moniker is {CC40C428-1830-44EF-B8B2-920A0B761793}
    16.11.2011, 9:41:52 GMT -> EVENT - SESSION START EVENT - The LiveUpdate session is running in Silent Mode.
    16.11.2011, 9:41:52 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027
    16.11.2011, 9:41:52 GMT -> LiveUpdate did not find any new updates for the given products.
    16.11.2011, 9:41:52 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1814, Программе LiveUpdate не удалось получить файл каталога доступных обновлений продуктов и компонентов Symantec.
    16.11.2011, 9:41:52 GMT -> IE8 support.
    16.11.2011, 9:41:52 GMT -> ***********************           End of LU Session           ***********************

     

    The folder C:\PROGRAM FILES (X86)\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\SMCLU is empty and does not contain any files.

    I need help with this, thanks in advance.



  • 2.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 16, 2011 01:40 PM

    http://www.symantec.com/docs/TECH91615 - check this article for Sesclu event id 13. PTP will not work on a server OS. If you have PTP installed with the SEP client on the server, then remove the feature by modifying the package.

    I also see the return code 1814 & HOST_SELECTION_ERROR: Error: 0x802A0027 in the log you pasted above.

    IE8 is used, it seems. Disable IE ESC if it's enabled. Check in the host file if the loopback address is listed. Location: C:\windows\system32\drivers\etc\host.

    If possible, upload the full log.live update file.



  • 3.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 16, 2011 11:37 PM

    I checked this article and tried all the solutions with no luck.

    PTP is installed on the server. I know it's not working on a server OS, but support says there is no harm in installing it. I disabled IE ESC today. The loopback address is listed in the hosts file.

    It seems like this error occurs only on the SEP management server; all clients are OK.

    Yesterday I created a new group with the LU policy set to obtain defs from internet servers only and moved the server to it. There has been no "error 13" for almost 10 hours; the host selection error still occurs in the LU logs.

    Complete logs from LU are attached.

    Attachment(s): Log_11.zip (89 KB)


  • 4.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 17, 2011 12:22 AM

    Seems like the server is not getting any updates anymore. If I try to do "Update Content" manually from SEPM, I'm getting the same "event 13" and HOST_SELECTION_ERROR in the LU logs:

    17.11.2011, 4:40:49 GMT -> LuComServer version: 3.3.0.107
    17.11.2011, 4:40:49 GMT -> LiveUpdate Language: RUSSIAN
    17.11.2011, 4:40:49 GMT -> LuComServer Sequence Number: 20110526
    17.11.2011, 4:40:49 GMT -> OS: Windows 2003 Standard, Service Pack: 2, Major: 5, Minor: 2, Build: 3790 (64-bit)
    17.11.2011, 4:40:49 GMT -> System Language:[0x0419], User Language:[0x0419]
    17.11.2011, 4:40:49 GMT -> IE8 support.
    17.11.2011, 4:40:49 GMT -> ComCtl32 version: 6.0
    17.11.2011, 4:40:49 GMT -> IP Addresses: 192.1.2.2, 192.168.3.100
    17.11.2011, 4:40:49 GMT -> Loading C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    17.11.2011, 4:40:49 GMT -> Opened the product inventory at "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
    17.11.2011, 4:40:49 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
    17.11.2011, 4:40:49 GMT -> LiveUpdate flag value for this run is 0
    17.11.2011, 4:40:49 GMT -> **** Starting a Silent LiveUpdate Session ****
    17.11.2011, 4:40:49 GMT -> ***********************        Start of New LU Session        ***********************
    17.11.2011, 4:40:49 GMT -> The command line is -S
    17.11.2011, 4:40:49 GMT -> EVENT - SESSION START EVENT - The LiveUpdate session is running in Silent Mode.
    17.11.2011, 4:40:49 GMT -> Check for updates to:  Product: LiveUpdate, Version: 3.3.0.107, Language: RUSSIAN.  Mini-TRI file name: liveupdate_3.3.0.107_russian_livetri.zip
    17.11.2011, 4:40:49 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027
    17.11.2011, 4:40:49 GMT -> LiveUpdate did not find any new updates for the given products.
    17.11.2011, 4:40:49 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1814, Программе LiveUpdate не удалось получить файл каталога доступных обновлений продуктов и компонентов Symantec.
    17.11.2011, 4:40:49 GMT -> IE8 support.
    17.11.2011, 4:40:49 GMT -> ***********************           End of LU Session           ***********************

     



  • 5.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 17, 2011 12:24 AM

    I also tried to add symantec.com, symantecliveupdate.com and akamai.net to trusted sites, no luck.



  • 6.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 17, 2011 01:29 PM

    PTP won't work on a server OS and doesn't create any harm either. However, the event id 13 may occur when the definitions for PTP are downloaded. So you can modify the package and remove the feature to avoid the error.

    Also, I find the following error in the log.live update file you uploaded.

    17.11.2011, 3:23:21 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    17.11.2011, 3:23:21 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
    17.11.2011, 3:23:21 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x0       , Num Successful: 0
    17.11.2011, 3:23:21 GMT -> HttpSendRequest (status 200): Request succeeded
    17.11.2011, 3:23:21 GMT -> Download complete: Original estimated file size: 5294; Actual bytes downloaded: 5294
    17.11.2011, 3:23:21 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: URL:

     

    However, the live update succeeded at 3:23:21 itself, as it shows "HttpSendRequest (status 200): Request succeeded" and "Download complete: Original estimated file size: 5294; Actual bytes downloaded: 5294".

    So the problem could be your proxy or firewall or any third-party application used to control internet traffic (if you use one).

    Check the above-mentioned possibilities for any blockage and try to give exceptions for *.symantec.com & all the live update sites for Symantec (3 sites).

    You can also try the following article: http://www.symantec.com/docs/TECH140671

     

    Note: the log also has the error: The server connection attempt failed with a return code of 1814, Ïðîãðàììå LiveUpdate íå óäàëîñü ïîëó÷èòü ôàéë êàòàëîãà äîñòóïíûõ îáíîâëåíèé ïðîäóêòîâ è êîìïîíåíòîâ Symantec.

    After the error 1814 the letters are not in English and I am not sure what font it displays.

    But when this kind of information is displayed, the possibility is that the SEPM language you have installed and the language for download selected in the live update policy don't match.

    Go to SEPM - Admin tab - Servers - select Local Host - right-click and edit properties - Live update - check the "Languages to download" section and ensure it's the same as the SEPM type. (E.g. if you have installed SEPM in English, then the live update should also have English and not any other language.)

    This could mostly give you the host selection error, as it reaches the site properly but is not sure which language to download.



  • 7.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 17, 2011 11:40 PM

    Seems like trying to solve this issue was a bad idea.

    Yesterday I decided to create a new client package without PTP defs and removed the old one from the server. After installing the new one I got the SEP client and LU completely not working, with the SEP client's installation running continuously. I removed SEP only after stopping the "windows installer" service.

    After that I've got multiple errors (Event IDs: 7023, 20070, 20151, 20063) in windows logs. I solved this case with http://www.symantec.com/business/support/index?page=content&id=TECH103837 article.

    But now every try of client's installation on this machine ends with roll back. LU is also not working. I also tried to install client as unmanaged - installation still rolls back.

    The next strange thing is that the inner time in SEPM is one hour less than the OS's system time. I think it's due to the summer/winter time shift cancellation in Russia, but I don't know how to fix it.

    //////

    The strings after "The server connection attempt failed with a return code of 1814" are in Russian; they can be translated as "LiveUpdate could not retrieve the catalog file of available Symantec product and component updates".

    As for downloaded languages, I have 2 selected: English and Russian. SEPM is Russian. But in Admin-Servers-LU properties I'm unable to uncheck "English" at all (it is a grayed-out option).

    But it seems like now it is not important cause SEP is not working at all.

    Attachment(s): SEP_INST_41.zip (195 KB)


  • 8.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 18, 2011 07:30 AM

    Well, I've managed to repair LU and the SEP client after reinstalling both of them. But "event 13" still occurs.

    The server is behind a firewall, but during the last 2 hours I made it absolutely transparent in the internet direction on ports 80, 441 and 21. No access errors or anything like that - but still no updates at all and "error 13".



  • 9.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 21, 2011 12:14 AM

    I reinstalled LU and the SEP client, and repaired the SEPM installation. It seems to have worked fine for 3 days, with no errors detected.

    Thanks for help!



  • 10.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 22, 2011 01:15 AM

    Well, it is not working once again.

    Only clients that get defs directly from the internet are updating. Those which use the SEP management server are not taking updates either from the LU servers or from the management server.



  • 11.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 23, 2011 10:26 AM

    Probably you need to create a support ticket with Symantec to check this issue.



  • 12.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 23, 2011 09:03 PM

    Already did that 2 days ago, nothing new so far.



  • 13.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 24, 2011 05:21 AM

    Still trying to troubleshoot this issue on clients. I've got multiple "E_HTTP_NOT_FOUND" errors in Liveupdate.log.

    Maybe somebody knows what this means:

    24.11.2011, 7:00:54 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.0.107_russian_livetri.zip", Estimated Size: 0, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"
    24.11.2011, 7:00:55 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    24.11.2011, 7:00:55 GMT -> The callback proxy executable for product {812CD25E-1049-4086-9DDD-A4FAE649FBDF} is exiting with no errors
    24.11.2011, 7:00:55 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.0.107_russian_livetri.zip", Full Download Path: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\liveupdate_3.3.0.107_russian_livetri.zip" HR: 0x802A0026
    24.11.2011, 7:00:55 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND

     

    24.11.2011, 7:00:55 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/automatic$20liveupdate_3.3.0.107_russian_livetri.zip", Estimated Size: 0, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"
    24.11.2011, 7:00:55 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    24.11.2011, 7:00:55 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://liveupdate.symantecliveupdate.com/automatic$20liveupdate_3.3.0.107_russian_livetri.zip", Full Download Path: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\automatic$20liveupdate_3.3.0.107_russian_livetri.zip" HR: 0x802A0026
    24.11.2011, 7:00:55 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND

     



  • 14.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 24, 2011 06:50 AM

    Upgraded to 11.0.7. Still getting it.

    The strangest thing I found is that LU runs OK only one time after repairing SEPM. The second, third, etc. times it fails with LU1814.

    I've got a mail from support and answered some questions; no response for 2 days.



  • 15.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 25, 2011 01:47 AM

    LU fails with the 1814 error so fast that it seems like it is actually not even trying to connect anywhere. I think that HOST_SELECTION_ERROR in LU.log is the key, but why is it possible for LU to connect 1 time after a repair and fail the other times?

    It's almost 10 days with no solution. I cannot afford to waste any more time. Tomorrow I'm going to completely uninstall SEPM and use cleanwipe. It seems like there is no other option.

    Is there anybody from the support team? Are there any movements on case 415-794-013?



  • 16.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 27, 2011 04:56 PM

    Try to delete legacy proxy settings in registry and reboot the machine.



  • 17.  RE: SEP 11 Sesclu event id 13 once again

    Posted Nov 28, 2011 03:12 PM

    Re-generate the current proxy settings.

    Back up registry
    1. Click Start, and then click Run.
    2. In the Open box, type regedt32, and then click OK.
    3. Locate HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\.
    4. Right-click Connections and, from the menu, click Export.
    5. In the Save in box, select a location in which to save the .reg file, type a file name in the File name box, and then click Save.

    Remove DefaultConnectionSettings & SavedLegacySettings
    1. Delete the following registry keys:
    HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
    HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    2. Reboot the system.

    Note: Windows will detect the keys have been removed and re-generate the keys to the current values.

     

    Also check the link below and ensure you have performed the steps after reinstalling LiveUpdate to re-register SEPM with LiveUpdate.

    http://www.symantec.com/docs/TECH102609
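
Added example, not part of any post above and not Symantec code: a small Python triage script for the LiveUpdate log excerpts quoted in this thread. It groups lines into sessions, records the HOST_SELECTION_ERROR code, the return code and any URL that drew an HTTP 404, and restores the garbled 1814 message from post 6 on the assumption that it is Windows-1251 text displayed as Windows-1252 (consistent with the Cyrillic form of the same message in post 1). The function names and the abridged sample log are constructed for this example.

```python
import re

# Constructed sample: lines abridged from the posts above and grouped into two sessions.
SAMPLE_LOG = r"""
16.11.2011, 9:41:51 GMT -> ***********************        Start of New LU Session        ***********************
16.11.2011, 9:41:51 GMT -> The command line is -S -temphostex "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smclu\content.zip0000" -updateoptout=yes
16.11.2011, 9:41:52 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027
16.11.2011, 9:41:52 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session exited with a return code of 1814, Ïðîãðàììå LiveUpdate íå óäàëîñü ïîëó÷èòü ôàéë êàòàëîãà
16.11.2011, 9:41:52 GMT -> ***********************           End of LU Session           ***********************
24.11.2011, 7:00:54 GMT -> ***********************        Start of New LU Session        ***********************
24.11.2011, 7:00:54 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.0.107_russian_livetri.zip", Estimated Size: 0
24.11.2011, 7:00:55 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
24.11.2011, 7:00:55 GMT -> ***********************           End of LU Session           ***********************
"""

LINE = re.compile(r"^\s*(\d{1,2}\.\d{1,2}\.\d{4}, \d{1,2}:\d{2}:\d{2}) GMT -> (.*)$")
RETURN_CODE = re.compile(r"return code of (\d+)")
HOST_ERROR = re.compile(r"HOST_SELECTION_ERROR: Error: (0x[0-9A-Fa-f]+)")
DL_START = re.compile(r'DOWNLOAD_FILE_START: URL: "([^"]+)"')

def repair_mojibake(text):
    """Undo Windows-1251 text that was rendered as Windows-1252 (assumed damage type)."""
    try:
        fixed = text.encode("cp1252").decode("cp1251")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text  # already real Cyrillic, or not this kind of damage
    return fixed if re.search("[\u0400-\u04FF]", fixed) else text

def summarize_sessions(log_text):
    """Return one dict per LiveUpdate session delimited by the Start/End banners."""
    sessions, cur, last_url = [], None, None
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        stamp, msg = m.group(1), repair_mojibake(m.group(2))
        if "Start of New LU Session" in msg:
            cur = {"start": stamp, "temphostex": False, "host_error": None,
                   "return_code": None, "reason": None, "http_requests": 0, "not_found": []}
            sessions.append(cur)
        elif cur is None:
            continue  # preamble lines logged before a session banner
        elif "End of LU Session" in msg:
            cur = last_url = None
        elif msg.startswith("The command line is"):
            cur["temphostex"] = "-temphostex" in msg.lower()
        elif HOST_ERROR.search(msg):
            cur["host_error"] = HOST_ERROR.search(msg).group(1)
        elif DL_START.search(msg):
            last_url = DL_START.search(msg).group(1)
        elif msg.startswith("HttpSendRequest"):
            cur["http_requests"] += 1
            if "(status 404)" in msg and last_url:
                cur["not_found"].append(last_url)
        elif (rc := RETURN_CODE.search(msg)):
            cur["return_code"] = int(rc.group(1))
            cur["reason"] = msg[rc.end():].lstrip(", ")
    return sessions

def classify(s):
    """Separate 'never issued a request' from 'server answered 404' (the question in post 15)."""
    if s["host_error"] and not s["http_requests"]:
        return "host selection failed before any HTTP request"
    return "HTTP 404 for %d file(s)" % len(s["not_found"]) if s["not_found"] else "no failure recorded"

if __name__ == "__main__":
    print([(s["start"], s["return_code"], classify(s)) for s in summarize_sessions(SAMPLE_LOG)])
```

Run against a full log, the per-session split shows whether a given 1814 exit came from a session that made no HTTP request at all or from one where the update server was reached and returned 404.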