
SEP 12.1 RU1 MP1 not updating

Created: 17 Oct 2012 | 10 comments

Hey guys.

I work for a small company. We are providing IT services to small business customers in Ireland.

At the moment I have about 25 customers using endpoint, on average 10 client PCs each.

The problem I have is developing across the board, where clients will stop getting updates from SEP manager.

SEP manager has the latest update (same date and revision as the update available from Symantec); clients, however, are staying over a week behind.

It is starting to consume so much of my time to keep up with multiple sites with the update problem.

What I noticed is that old folders in C:\program files\symantec\symantec endpoint protection manager\inetpub\content\{XXXXXXXXX...} are not being deleted and only the content of the 3 oldest folders is extracted to folder "FULL". I assume that is the reason why clients are not getting updates.

If I delete all old folders except for the last (newest) one and restart the endpoint manager service, clients will update soon, but after a week or so I will start getting emails from the manager about outdated clients and updates are stuck again.

I had a case opened with Symantec, but every time they did something (to collect logs etc.) they were changing something and updates started working for a week or so... Symantec support was not patient enough, cases got closed and I still have the problem.

I will appreciate any help with this.

Thanks
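The state described in the post above (revision folders piling up under the content folder while the newest one is never extracted) can be checked for without deleting anything. The following is an added example, not part of the original thread and not Symantec tooling; the function name `Get-SepmContentBacklog`, the `<ContentRoot>\{GUID}\<revision>\Full` layout and the sample tree are assumptions made for illustration.

```powershell
# Added example: read-only check for the stale-content state described in this thread.
# Assumed layout: <ContentRoot>\{GUID}\<revision>\Full ("Full" folder name taken from the post).
function Get-SepmContentBacklog {
    param(
        [Parameter(Mandatory)] [string] $ContentRoot,
        [int] $KeepRevisions = 3   # the value the poster says the manager is set to keep
    )
    foreach ($type in Get-ChildItem -LiteralPath $ContentRoot -Directory) {
        # Revision folders of one content type, oldest first.
        $revs = @(Get-ChildItem -LiteralPath $type.FullName -Directory | Sort-Object LastWriteTime)
        if ($revs.Count -eq 0) { continue }
        $newest  = $revs[-1]
        $hasFull = Test-Path -LiteralPath (Join-Path $newest.FullName 'Full') -PathType Container
        [pscustomobject]@{
            ContentType     = $type.Name
            Revisions       = $revs.Count
            Excess          = [Math]::Max(0, $revs.Count - $KeepRevisions)
            NewestRevision  = $newest.Name
            NewestExtracted = $hasFull
            NewestAgeDays   = [int]((Get-Date) - $newest.LastWriteTime).TotalDays
            # More folders than the retention setting AND newest one not extracted.
            Stuck           = ($revs.Count -gt $KeepRevisions) -and (-not $hasFull)
        }
    }
}

# Constructed sample tree (not real SEPM data): five revisions, only the three oldest extracted.
$root = Join-Path ([IO.Path]::GetTempPath()) ("sepm-demo-" + [guid]::NewGuid())
$type = Join-Path $root '{00000000-0000-0000-0000-000000000000}'
1..5 | ForEach-Object {
    $rev = New-Item -ItemType Directory -Path (Join-Path $type ("rev{0:d3}" -f $_)) -Force
    if ($_ -le 3) { New-Item -ItemType Directory -Path (Join-Path $rev.FullName 'Full') | Out-Null }
    $rev.LastWriteTime = (Get-Date).AddDays($_ - 10)   # set last, after the child folder is created
}

Get-SepmContentBacklog -ContentRoot $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Run on a schedule against the real content folder, rows with `Stuck` set to true would flag a server before its clients fall a week behind on definitions.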


Ashish-Sharma's picture

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions

http://www.symantec.com/business/support/index?page=content&id=TECH166923

How to clear out corrupted definitions for a Symantec Endpoint Protection client manually

http://www.symantec.com/business/support/index?page=content&id=TECH103176

In this case, check if the clients are connecting to the SEPM properly, check these Articles:

Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

http://www.symantec.com/docs/TECH160964

Troubleshooting communication problems between the management server and the client

http://www.symantec.com/docs/HOWTO55017

Then, Troubleshoot the Liveupdate Issue, check this Article:

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

http://www.symantec.com/docs/TECH95790

Thanks In Advance

Ashish Sharma

.Brian's picture

Do the clients have the green dot on the icon in the system tray?

Can the clients ping the server and vice versa?

See this:

Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

https://www.symantec.com/business/support/index?pa...

Can you post the sylink log from one of the clients?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

What version of SEP 12.1 are you running?

What OS is installed on SEPM server?

Did you try updating the SEPM using the .jdb file? http://www.symantec.com/docs/TECH102607

I would recommend you to please PM me your case #.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pete_4u2002's picture

If the SEPM is unable to process the definition, collect the log at that time.

computershop's picture

Read my 1st post.

Clients are connecting fine, and if I delete old content from the inetpub folder they will update fine.

The problem is that old content is not being deleted automatically even though the manager is set to keep 3 revisions; therefore new content is not being extracted and the update is not passed to clients.

When it goes wrong, clients don't have the green dot; they have a yellow clock-like dot (waiting for updates).

The problem with sylink is that in order to enable it (and I can do it only on the server, as all my customers are remote from me and I can't disturb them, but I have access to the servers) I have to do tricks in the registry and restart the whole thing, and then it works for another 2 weeks or so before it breaks again, and nobody wants to wait for a log that long.

Mick2009's picture

Hi computershop,

"manager is set to keep 3 revisions,"

That is a very low number - basically that means that if the SEP clients of that SEPM are more than one day out of date, they will need to download a full set of definitions from the SEPM (very large package, instead of the very small direct deltas).

I recommend setting SEPMs to retain at least 10 past revisions.  It will consume more hard drive space on the SEPM, but will really save a lot of network bandwidth.  Can you increase that to 10 and see if the clients receive their updates in a reliable fashion?

With thanks and best regards,

Mick

Mithun Sanghavi's picture

Hello,

I completely agree with Mick's comment.

Disk Space Management procedures for the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH96214

Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH92225

Also, check these Articles: 

When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

http://www.symantec.com/docs/TECH131528

Symantec Endpoint Protection clients download full definitions from Group Update Provider or from Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH122612

With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates

http://www.symantec.com/docs/TECH94916

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

computershop's picture

I don't mind them downloading the full package. I have very small sites (10 clients on average) all working in a local network, mainly 1Gb/s, so a bit of traffic is not an issue.

My problem is: old updates are stuck in the manager and not being deleted regardless of how many I set in the manager. And I have the same problem with many of my customers, so it must be a bug of some sort. I have a good mix of sites with embedded db, sql db, fresh installs on brand new servers and some of them upgraded from version 11.x, so I can rule those variations out.

Thank You

P.S. If 3 revisions to keep is not a good idea, then WHY is that the default setting in the manager?

Mick2009's picture

Hi computershop,

If it's a potential bug, I do recommend getting in touch with Tech Support and presenting them with your situation and research.  They can collect some logs and get to the bottom of it. 

I believe the default is set so low so that SEPM "out of the box" won't consume a huge amount of space.  There's a very good sizing and scalability document which then provides advice on what settings should be used to tune it for a customer's unique network.

Symantec Endpoint Protection (SEP) Sizing and Scalability recommendations
Article: TECH123242 | Created: 2010-01-16 | Updated: 2011-12-08
Article URL: http://www.symantec.com/docs/TECH123242

Hope this helps!  &: )

With thanks and best regards,

Mick

computershop's picture

I had a case with support, but we were getting nowhere. Once they logged in to the server and set up collecting sylink, they had to restart everything and SEPM started to work, so no faulty data was collected. When the server stopped updating again my case was closed already and they couldn't reopen it. As I have much more in life to take care of than a never-ending problem with Symantec, I can't be sitting and troubleshooting it any more than I do. So it ends with me just deleting content manually, restarting SEPM, and it's fine for another few days.

There is a sylink from one of my sites: http://www.mediafire.com/?jfesahxbulc2bkf

And an image of the content folder:

I had another thought... Would it be possible for me to move current licences to the new Cloud version? I think this should sort out my problems.

Thanks