SEP 11.0.7101.1056 clients not receiving definition updates

  • 1.  SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 24, 2011 08:50 AM

    Hi, as the title above states, my SEP clients are not receiving definition updates.

    Here is a rundown of everything I've tried:

    1)  2 weeks ago I upgraded the SEPM from 11.0.6005.562 to 11.0.7101.1056.  The installation was completed with no problems or errors.  Client rollout went through without issues either.  Last week I noticed that clients were not receiving any updates.

    2) Went through multiple suggestions on the Symantec forum but to no avail.

    3) Out of frustration and mental exhaustion I decided to completely uninstall SEPM, delete all related folders and registry entries and start the installation from scratch.

    4) Stupidly I did not back up the sylink.xml or server.xml files or content.  So I continued the installation as a fresh start. Installation went well, created an install package, installed on a test client and yet again updates are not being sent through.

    So now I am back at my original problem but just worse, because I also need to get my clients to see this installation of SEPM without having to go out to +-150 workstations.

    Any help or suggestions will be greatly appreciated.

    Thanks



  • 2.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 24, 2011 08:57 AM

    Further details:  Test client can be seen on SEPM with a green dot.  Policy updates are being passed through to the client. Policy serial numbers match.

    There are no network problems.

    I can telnet to the SEPM successfully. Both with IP and FQDN.

    SEPM is running on WinXP Pro SP3.  I understand the limitations with the number of connections but currently there is only the 1 test client trying to connect which still does not work.

     



  • 3.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 24, 2011 08:59 AM

    Is your SEPM updated?

    admin

    servers

    local site

    Show LiveUpdate downloads; do you see your SEPM with the latest defs?

    Do you use a proxy?

    You can try running LiveUpdate in interactive mode and check if that completes the download. As far as I know it will be your firewall or proxy :)



  • 4.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 24, 2011 01:50 PM

    Steps to start LU in interactive mode:

    1. Open Control Panel - double click on Symantec Liveupdate.

    Select Interactive mode under 'how do you want to use LiveUpdate?'

    Select Error support Level:Enhanced - Apply - Ok.

    2. In Run, type luall.exe, click Next and allow LiveUpdate to run.

     

    Please report if you face any error. Also check the disk space on c: drive.

    You can also use Sylink replacer to replace sylink on clients, so that clients communicate with SEPM.



  • 5.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 24, 2011 02:33 PM

    If you turn off the firewall on your PC with SEPM, do your clients communicate with SEPM and update then?  If so, then ensure you have port 8014 open on your firewall.

    I have found that you manually have to open this port on Server 2008. Not sure if you have to do this manually if you install SEPM on a Windows XP machine, as I have never installed it on there, only on a server.



  • 6.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 01:09 AM

    Hi guys, thanks for the replies.

    @Prem SEPM is fully updated with latest definitions, SEPM is downloading successfully but clients are not receiving updates from SEPM. Firewall is switched off on both SEPM as well as clients.

    @Readycrest Firewalls have been switched off. Still not working.

    @Prachi Have made changes to Liveupdate and receive error LU1834: Update not found.

    This is part of the Log.Liveupdate file:

    ////////////////////////////////////////////////////////////////////////////////
    2011/11/25, 06:01:36 GMT -> LuComServer version: 3.3.0.107
    2011/11/25, 06:01:36 GMT -> LiveUpdate Language: English
    2011/11/25, 06:01:36 GMT -> LuComServer Sequence Number: 20110526
    2011/11/25, 06:01:36 GMT -> OS: Windows 7 Ultimate Edition, Service Pack: 0, Major: 6, Minor: 1, Build: 7600 (64-bit)
    2011/11/25, 06:01:36 GMT -> System Language:[0x1C09], User Language:[0x1C09]
    2011/11/25, 06:01:36 GMT -> IE8 support.
    2011/11/25, 06:01:36 GMT -> ComCtl32 version: 6.16
    2011/11/25, 06:01:36 GMT -> IP Addresses: ::1, 192.168.100.10
    2011/11/25, 06:01:36 GMT -> Loading C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    2011/11/25, 06:01:36 GMT -> Opened the product inventory at "C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
    2011/11/25, 06:01:36 GMT -> Combined Product Inventory Flags 0, Permanent Flags 0, Permanent Flags Filter 0
    2011/11/25, 06:01:36 GMT -> LiveUpdate flag value for this run is 0
    2011/11/25, 06:01:36 GMT -> ProductRegCom/luGroup(PID=12412/TID=12696): Successfully created an instance of an luGroup object!
    2011/11/25, 06:01:36 GMT -> ProductRegCom/luGroup(PID=12412/TID=12696): Path for calling process executable is C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.EXE.
    2011/11/25, 06:01:36 GMT -> ProductRegCom/luGroup(PID=12412/TID=12696): Destroyed luGroup object.
    2011/11/25, 06:01:36 GMT -> Scanning the following file for potentially malicious host entries: C:\Windows\system32\Drivers\etc\hosts
    2011/11/25, 06:01:36 GMT -> Scanning the following file for potentially malicious host entries: C:\Windows\system32\Drivers\etc\lmhosts.sam
    2011/11/25, 06:01:36 GMT -> LiveUpdate did not find any malicious host entries in any hosts files.
    2011/11/25, 06:01:36 GMT -> **** Starting an Interactive Mode LiveUpdate Session ****
    2011/11/25, 06:01:36 GMT -> User Type: Administrator.
    2011/11/25, 06:01:40 GMT -> ***********************        Start of New LU Session        ***********************
    2011/11/25, 06:01:40 GMT -> EVENT - SESSION START EVENT - The LiveUpdate session is running in Interactive Mode.
    2011/11/25, 06:01:40 GMT -> Check for updates to:  Product: LiveUpdate, Version: 3.3.0.107, Language: English.  Mini-TRI file name: liveupdate_3.3.0.107_english_livetri.zip
    2011/11/25, 06:01:40 GMT -> LiveUpdate is about to launch a new callback proxy process for product SESC Virus Definitions Win64 (x64) v11 with moniker {1CD85198-26C6-4bac-8C72-5D34B025DE35}.
    2011/11/25, 06:01:40 GMT -> Starting Callback Proxy Worker thread.
    2011/11/25, 06:01:40 GMT -> The callback proxy for moniker {1CD85198-26C6-4bac-8C72-5D34B025DE35} was successfully registered with LiveUpdate.
    2011/11/25, 06:01:40 GMT -> LiveUpdate successfully launched a new callback proxy process for product SESC Virus Definitions Win64 (x64) v11.
    2011/11/25, 06:01:40 GMT -> LiveUpdate is about to execute a PreSession callback for product SESC Virus Definitions Win64 (x64) v11.
    2011/11/25, 06:01:41 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Successfully created an instance of an luProductReg object!
    2011/11/25, 06:01:41 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Path for calling process executable is C:\Program Files (x86)\Symantec\LiveUpdate\LuCallbackProxy.exe.
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {DFB8BBDD-52DE-427e-9EB3-FB7665893221}, PropertyName = SEQ.HUBDEFS, Value = 110818021
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {DFB8BBDD-52DE-427e-9EB3-FB7665893221}, PropertyName = SEQ.CURDEFS, Value = 110818021
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {1CD85198-26C6-4bac-8C72-5D34B025DE35}, PropertyName = SEQ.CURDEFS, Value = 110818021
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Destroyed luProductReg object.
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Successfully created an instance of an luProductReg object!
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Path for calling process executable is C:\Program Files (x86)\Symantec\LiveUpdate\LuCallbackProxy.exe.
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {DFB8BBDD-52DE-427e-9EB3-FB7665893221}, PropertyName = VERSION, Value = MicroDefsB.Aug
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {DFB8BBDD-52DE-427e-9EB3-FB7665893221}, PropertyName = SEQ.HUBDEFS, Value = 110818021
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Setting property for Moniker = {DFB8BBDD-52DE-427e-9EB3-FB7665893221}, PropertyName = SEQ.CURDEFS, Value = 110818021
    2011/11/25, 06:01:42 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Destroyed luProductReg object.
    2011/11/25, 06:01:42 GMT -> The callback proxy finished executing the callback with a result code of 0x0
    2011/11/25, 06:01:43 GMT -> The PreSession callback for product SESC Virus Definitions Win64 (x64) v11 completed with a result of 0x0       
    2011/11/25, 06:01:43 GMT -> Progress Update: TRYING_HOST: HostName: "symantec" URL: "http://192.168.100.23:8014" HostNumber: 0
    2011/11/25, 06:01:43 GMT -> Progress Update: TRIFILE_DOWNLOAD_START: Number of TRI files: 0    Downloading LiveUpdate catalog file
    2011/11/25, 06:01:43 GMT -> LiveUpdate will download the first Mini-TRI file, liveupdate_3.3.0.107_english_livetri.zip
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 1, Estimated total size: 0
    25/11/2011, 06:01:43 GMT -> Progress Update: PRE_CONNECT: Proxy: "(not-available)" Agent: "Symantec LiveUpdate" AccessType: 0x0       
    25/11/2011, 06:01:43 GMT -> Progress Update: CONNECTED: Proxy: "(not-available)" Agent: "xDIMwL6fz/XNly/lrL1QTsbBxTMQC/PTgAAAAA" AccessType: 0x0       
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://192.168.100.23:8014/liveupdate_3.3.0.107_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
    25/11/2011, 06:01:43 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://192.168.100.23:8014/liveupdate_3.3.0.107_english_livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\liveupdate_3.3.0.107_english_livetri.zip" HR: 0x802A0026
    2011/11/25, 06:01:43 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x0       , Num Successful: 0
    2011/11/25, 06:01:43 GMT -> LiveUpdate will check for Mini-TRI file support on the server since the first Mini-TRI file was not available (liveupdate_3.3.0.107_english_livetri.zip).
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 1, Estimated total size: 0
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://192.168.100.23:8014/minitri.flg", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
    25/11/2011, 06:01:43 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://192.168.100.23:8014/minitri.flg", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\minitri.flg" HR: 0x802A0026
    2011/11/25, 06:01:43 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x0       , Num Successful: 0
    2011/11/25, 06:01:43 GMT -> Progress Update: TRIFILE_DOWNLOAD_END: Number of TRI files: "0"
    2011/11/25, 06:01:43 GMT -> Progress Update: TRIFILE_DOWNLOAD_START: Number of TRI files: 1    Downloading LiveUpdate catalog file
    2011/11/25, 06:01:43 GMT -> LiveUpdate could not find the MiniTri.flg file on the server.  LiveUpdate is entering legacy mode and will attempt to download the full LiveUpdate Catalog file.
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 1, Estimated total size: 0
    25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://192.168.100.23:8014/livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
    25/11/2011, 06:01:43 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://192.168.100.23:8014/livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\livetri.zip" HR: 0x802A0026
    2011/11/25, 06:01:43 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
    2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x0       , Num Successful: 0
    2011/11/25, 06:01:43 GMT -> Progress Update: TRIFILE_DOWNLOAD_END: Number of TRI files: "1"
    2011/11/25, 06:01:43 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server 192.168.100.23 at path  via a HTTP connection. The server connection attempt failed with a return code of 1834, LiveUpdate could not find this update file on the server.
    2011/11/25, 06:01:43 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0026
    2011/11/25, 06:01:43 GMT -> LiveUpdate did not find any new updates for the given products.
    2011/11/25, 06:01:43 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Interactive Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1834, LiveUpdate could not find this update file on the server.
    2011/11/25, 06:01:43 GMT -> IE8 support.
    2011/11/25, 06:01:47 GMT -> LiveUpdate is about to execute a PostSession callback for product SESC Virus Definitions Win64 (x64) v11.
    2011/11/25, 06:01:48 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Successfully created an instance of an luProductReg object!
    2011/11/25, 06:01:48 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Path for calling process executable is C:\Program Files (x86)\Symantec\LiveUpdate\LuCallbackProxy.exe.
    2011/11/25, 06:01:48 GMT -> ProductRegCom/luProductReg(PID=12876/TID=9488): Destroyed luProductReg object.
    2011/11/25, 06:01:48 GMT -> The callback proxy finished executing the callback with a result code of 0x0
    2011/11/25, 06:01:48 GMT -> The PostSession callback for product SESC Virus Definitions Win64 (x64) v11 completed with a result of 0x0       
    2011/11/25, 06:01:48 GMT -> Successfully released callback {855BA5F4-6588-4F09-AE61-847E59D08CB0}
    2011/11/25, 06:01:48 GMT -> LiveUpdate has called the last callback for product SESC Virus Definitions Win64 (x64) v11, so LiveUpdate is informing the callback proxy that it can exit.
    2011/11/25, 06:01:48 GMT -> The callback proxy executable for product {1CD85198-26C6-4bac-8C72-5D34B025DE35} is exiting with no errors
    2011/11/25, 06:01:48 GMT -> ***********************           End of LU Session           ***********************
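
Added example, not part of the original posts: a small Python triage script for a Log.LiveUpdate file like the one above. It pairs each DOWNLOAD_FILE_START with its HTTP status and HR code, handling both timestamp layouts that appear in the log; the function names are made up for this example, and the sample input is an excerpt of the log lines posted above.

```python
import re
from datetime import datetime

# Excerpt of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r'''25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://192.168.100.23:8014/minitri.flg", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
25/11/2011, 06:01:43 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://192.168.100.23:8014/minitri.flg", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\minitri.flg" HR: 0x802A0026
2011/11/25, 06:01:43 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
25/11/2011, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://192.168.100.23:8014/livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
25/11/2011, 06:01:43 GMT -> HttpSendRequest (status 404): Request failed - File does not exist on the server.
2011/11/25, 06:01:43 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://192.168.100.23:8014/livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\livetri.zip" HR: 0x802A0026
2011/11/25, 06:01:43 GMT -> HR 0x802A0026 DECODE: E_HTTP_NOT_FOUND
2011/11/25, 06:01:43 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Interactive Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1834, LiveUpdate could not find this update file on the server.
'''

LINE = re.compile(r'^\s*(\d{2,4}/\d{2}/\d{2,4}), (\d{2}:\d{2}:\d{2}) GMT -> (.*)$')
START = re.compile(r'DOWNLOAD_FILE_START: URL: "([^"]+)"')
STATUS = re.compile(r'HttpSendRequest \(status (\d{3})\)')
FINISH = re.compile(r'DOWNLOAD_FILE_FINISH: .*?URL: "([^"]+)".*HR: (0x[0-9A-Fa-f]+)')
DECODE = re.compile(r'HR (0x[0-9A-Fa-f]+) DECODE: (\w+)')
RETURN = re.compile(r'SESSION END FAILED EVENT.*return code of (\d+)')

def parse_ts(date, clock):
    # The log mixes YYYY/MM/DD and DD/MM/YYYY; a 4-digit first field means year-first.
    fmt = '%Y/%m/%d' if len(date.split('/')[0]) == 4 else '%d/%m/%Y'
    return datetime.strptime(f'{date} {clock}', f'{fmt} %H:%M:%S')

def summarize(text):
    """Return (downloads, session_return_code) parsed from a LiveUpdate log."""
    downloads, current, hr_names, rc = [], None, {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip separators and anything without a timestamp
        ts, msg = parse_ts(m[1], m[2]), m[3]
        if (s := START.search(msg)):
            current = {'url': s[1], 'time': ts, 'http': None, 'hr': None}
            downloads.append(current)
        elif (s := STATUS.search(msg)) and current:
            current['http'] = int(s[1])
        elif (s := FINISH.search(msg)) and current and current['url'] == s[1]:
            current['hr'], current = s[2], None
        elif (s := DECODE.search(msg)):
            hr_names[s[1]] = s[2]
        elif (s := RETURN.search(msg)):
            rc = int(s[1])
    for d in downloads:
        d['hr_name'] = hr_names.get(d['hr'])
    return downloads, rc

def server_answered(downloads):
    # An HTTP status means the request reached a web server, so a blocked
    # port is not the cause; look at what the server serves at that URL.
    return any(d['http'] is not None for d in downloads)

if __name__ == '__main__':
    dl, rc = summarize(SAMPLE_LOG)
    for d in dl:
        print(d['time'], d['url'], d['http'], d['hr'], d['hr_name'])
    print('return code', rc, '| server answered:', server_answered(dl))
```
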
     



  • 7.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 01:14 AM

    The sylink file has been replaced and users can get policy updates but still not virus definition updates.



  • 8.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Broadcom Employee
    Posted Nov 25, 2011 01:21 AM

    EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server 192.168.100.23 at path  via a HTTP connection. The server connection attempt failed with a return code of 1834, LiveUpdate could not find this update file on the server.
     

    It's not able to connect to the internal LiveUpdate server. Check the IIS settings.



  • 9.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 01:32 AM

    Hi Pete

    Regarding IIS settings, I have not changed any IIS settings and everything should still be default from being created by the SEPM installation.

    Are there any specific settings that I need to look out for?



  • 10.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Broadcom Employee
    Posted Nov 25, 2011 01:47 AM

    From the IE browser on 192.168.100.10, can you open the internal LUA server and see all the definitions?



  • 11.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 02:03 AM

    I am using SEPM as the internal server, not LUA.

    But I can access <serverIP>:8014 from the client browser successfully, if that is what you have requested.



  • 12.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Broadcom Employee
    Posted Nov 25, 2011 02:19 AM

    The client is unable to communicate with 192.168.100.23 (SEPM). Have you checked the communication troubleshooting steps between these?



  • 13.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 02:31 AM

    I have followed the steps provided in the link below:

    http://www.symantec.com/business/support/index?page=content&id=TECH105894

    All results have been positive.

    But when it comes to the IIS logs, the latest entries are only from yesterday and I am only seeing GET entries to /secars/secars.dll 404 and there are no POST entries.

     

    Thanks for the input.



  • 14.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 02:57 AM

    I followed the steps in the following docs: TECH102681 and TECH105894.

    All results came back positive, except for the IIS logs, which contain only logs from yesterday, nothing from today, and only GET /secars/secars.dll 404 and no POST entries.



  • 15.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 02:59 AM

    As suggested by Prachi... did you follow those steps? Once you follow those steps it will give you an error number, and on the basis of that we have to troubleshoot.



  • 16.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 04:52 AM

    LU1834 is the error number that comes up.



  • 17.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Broadcom Employee
    Posted Nov 25, 2011 05:26 AM

    can you post the sylink log from one client?



  • 18.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 06:03 AM

    Here is the sylink file from the test client.

    Attachment(s)

    xml
    SyLink_2.xml   1 KB 1 version


  • 19.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 25, 2011 06:19 AM

    Sorry, just realised that you weren't asking for the sylink.xml file.

    I will post the log file asap.



  • 20.  RE: SEP 11.0.7101.1056 clients not receiving definition updates
    Best Answer

    Posted Nov 28, 2011 03:34 AM

    Hi all

    So, I have managed to fix my problem.  The issue was with the IIS settings.  These are the steps that got things working again:

    Open IIS administrator --> expand to Symantec Web Server --> right-click secars and click properties --> Select virtual directory tab --> Application Settings --> Configuration --> Mappings --> Edit --> Select "All Verbs" --> Ok all the way out.

    Thanks for all the help and suggestions guys.

    Much appreciated.



  • 21.  RE: SEP 11.0.7101.1056 clients not receiving definition updates

    Posted Nov 29, 2011 04:13 AM

    Hope this is what you are requesting.

    Attachment(s)

    txt
    sylink-log1.txt   23 KB 1 version
    txt
    sylink-log.txt   23 KB 1 version