Endpoint Protection


SEP 11.x AV Def update - where is it coming from?

  • 1.  SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 07:25 PM

    Hi

    I was wondering where in the logs I can get the information about where a client is getting the AV definition updates from?

    I can see the logs where it says which definition version and the time, but does not state which server the definitions came from. Is this possible?

     

    Thanks

    David



  • 2.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 07:55 PM

    The definitions are downloaded from the Liveupdate server via your SEPM liveupdate.

    Like running Windows updates to make sure that your OS is up to date and patches have been applied properly.



  • 3.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 08:27 PM

    By default, the clients will get their definitions from the SEPM server. Unless you specified that they get it from liveupdate.symantec by enabling the liveupdate option.



  • 4.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 10:15 PM

    We have some laptops that have been relocated to a new site.

    These laptops can be in two locations. Online and offline. If in Online mode, it gets its AV updates from the management server. However, if it is offline, it can get its update from Symantec website.

    Is there a way to check from the logs, to see where the clients are getting their updates from? Whether it is from the internet or from the management server?

    Thanks, David.



  • 5.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 10:26 PM

    Yes, you can check the logs to know from where the client is downloading the virus defs.

    Open the client GUI

    Click on View logs and check the System Logs.

     

    Check the screen shot.

     

      

    Attachment(s)

    doc
    Doc1_11.doc   123 KB 1 version


  • 6.  RE: SEP 11.x AV Def update - where is it coming from?

    Broadcom Employee
    Posted Feb 22, 2012 10:30 PM

    When not connected to SEPM, it will get the updates from the internet as per your configuration. If you are looking for it in the logs, the sylink logs and liveupdate logs on the client will help.



  • 7.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 22, 2012 11:32 PM

    I am on version 11.0.6300.803.

    I have already looked at System Logs, and I don't see any info about definition updates.

    If I look at the system logs from "Antivirus and Antispyware Protection", then it does show me the list of updated AV defs, but there is no info on where the updates came from.

     

    Dave



  • 8.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 23, 2012 12:45 AM

     

    Monitors > Logs > System > Client Activity in SEPM to know the logs and the download activity.


  • 9.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 23, 2012 04:04 AM

    I agree with Sir Simpson, you can check where the AV defs came from on the client side, whether from LUA, GUP or SEPM.

    Also you can visit your LIVEUPDATE policy and see how many groups are connected to your policy. From there you can ensure that those groups are using the policy; then they are updating from SEPM (based on the LU policy).



  • 10.  RE: SEP 11.x AV Def update - where is it coming from?
    Best Answer

    Posted Feb 23, 2012 06:22 AM

    "Thumbs up" to the advice above.

    You may also be able to see what server files are downloaded from in the log.liveupdate.  If the downloads have come from an Internet or internal LiveUpdate server, you will see the servername or IP under the SERVER SELECTION line in the log.

    If the "server" is a directory on the SEP client itself, then the downloads came from a SEPM or GUP on your network.

    Please do update this thread with any additional questions, or mark it "solved" for the benefit of future admins!  &: )
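
The check described in the reply above, as an added example that is not part of any post in this thread: it looks at the lines under each SERVER SELECTION marker and reports whether a server name/IP or a client-side directory appears there. The exact layout of log.liveupdate is an assumption, and the sample lines, host name, IP and directory are constructed for illustration.

```python
import ipaddress
import re

MARKER = re.compile(r"server selection", re.IGNORECASE)
URL_HOST = re.compile(r"(?:https?|ftp)://([^/\s\"':]+)", re.IGNORECASE)
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
LOCAL_DIR = re.compile(r'(?<![A-Za-z])[A-Za-z]:\\[^"\r\n]*')

# Constructed samples; the real log line layout is assumed, not copied from a client.
SAMPLE_NETWORK = (
    '2/23/2012, 06:01:10 GMT -> SERVER SELECTION\n'
    '2/23/2012, 06:01:11 GMT -> Server: "http://liveupdate.example.com"\n'
    '2/23/2012, 06:01:12 GMT -> Fallback server: "http://192.0.2.10/"\n'
)
SAMPLE_LOCAL = (
    '2/23/2012, 10:15:02 GMT -> SERVER SELECTION\n'
    r'2/23/2012, 10:15:02 GMT -> Server: "C:\ExampleDir\Downloads"' '\n'
)

def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def update_sources(log_text, lookahead=5):
    """Return ordered, de-duplicated (kind, value) pairs seen under each marker line."""
    lines = log_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if not MARKER.search(line):
            continue
        for entry in lines[i + 1 : i + 1 + lookahead]:
            if MARKER.search(entry):
                break  # the next session's marker ends this window
            hits = [("network", h.lower()) for h in URL_HOST.findall(entry)]
            hits += [("network", ip) for ip in IPV4.findall(entry) if _valid_ip(ip)]
            hits += [("local", p.rstrip()) for p in LOCAL_DIR.findall(entry)]
            for hit in hits:
                if hit not in found:
                    found.append(hit)
    return found

if __name__ == "__main__":
    # "network" = Internet or internal LiveUpdate server; "local" = SEPM or GUP.
    for name, text in (("network", SAMPLE_NETWORK), ("local", SAMPLE_LOCAL)):
        print(name, update_sources(text))
```
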



  • 11.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 23, 2012 11:33 AM

    As said, the system > client activity logs will give you this information. But it is only with RU7 & later versions, it will not work with earlier versions.

    As Mick said, you can check the log.liveupdate (C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate) only if it is getting the updates from an internal LU server.



  • 12.  RE: SEP 11.x AV Def update - where is it coming from?

    Posted Feb 23, 2012 06:36 PM

    Thanks guys.

    For some reason, the only suggestion that works for me is looking into the log.liveupdate.

    Thanks again.


    Dave