
SEP clients not able to get virus definition update from SEPM

Created: 05 Apr 2011 | 43 comments

hi guys,

we are currently having an issue getting the latest virus definitions from the SEPM. On the SEPM the LiveUpdate status shows that the virus definitions have been updated to the latest, but the clients are not getting them. Need advice on this, thanks for the help.

w-d:

Check that the clients communicate correctly with the SEPM (do they have green dots?).

You can enable Sylink debugging for 15-20 minutes and upload the log file here:

http://www.symantec.com/business/support/index?pag...

(In order to be sure you collect all the necessary data, after doing step 8b please right-click the SEP icon on the client and select Update Policy.)

zomwalk:

hi w-d,

we have made the changes to the client registry but are not able to get the sylink.log file, and yes, all the clients have a green dot. Any idea on this? Thank you.

pete_4u2002:

after the change in the registry entry, you need to stop and start the smc service.

w-d:

In step 7 of the procedure you need to specify the location (path) for the file:

7. In the Value data field, specify the location and name desired for the log file. (I.E. C:\Sylink.log) Then click OK.

Did you create that? If yes, search for Sylink.log on the C: drive.

zomwalk:

hi w-d,

we created the entry in regedit which points to d:\sylink.log and did not create a sylink.log on the D drive. Do we need to physically create the sylink.log file on the D drive? Will it not be created automatically? Thanks

Rafeeq:

it will be created automatically

try stopping and starting the client:

Start > Run

smc -stop

smc -start

then click on Update Policy... wait for 1 min, you should get the log within 1 min

w-d:

It should be created automatically. If it does not, please download the SylinkMonitor tool:

http://www.symantec.com/business/support/index?pag...

and make these changes:
- Set registry key: HKLM\Software\Symantec\Symantec Endpoint Protection\SMC - smc_debuglog_on = 1
- Stop SMC: START > RUN > smc -stop
- Start SMC: START > RUN > smc -start
- Right-click the SEP interface and select Update Policy
- Run SylinkMonitor

Then after 15-20 minutes stop the tool, save the log, and change the settings back:

- Set registry key: HKLM\Software\Symantec\Symantec Endpoint Protection\SMC - smc_debuglog_on = 0
- Stop SMC: START > RUN > smc -stop
- Start SMC: START > RUN > smc -start
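The capture procedure above scripted in PowerShell, as an added example that is not part of the thread or of Symantec's tooling. It assumes smc.exe is on the PATH (the thread runs it from Start > Run) and that the SMC registry key exists on the client; the only registry value it touches is the smc_debuglog_on value named above. The finally block turns debug logging back off even if an earlier step throws, so a client is not left logging indefinitely.

```powershell
# Added example (not from the thread): script the Sylink debug-capture steps.
# Assumes smc.exe is on PATH and the SMC key below exists on the SEP client.
$smcKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$captureMinutes = 15

function Restart-Smc {
    # smc -stop / smc -start are the commands the thread uses;
    # give the service a moment to settle between them.
    & smc -stop
    Start-Sleep -Seconds 10
    & smc -start
    Start-Sleep -Seconds 10
}

function Set-SmcDebugLogging {
    param([ValidateSet(0, 1)][int]$Enabled)
    # smc_debuglog_on is the value named in the thread: 1 enables, 0 disables.
    Set-ItemProperty -Path $smcKey -Name 'smc_debuglog_on' -Value $Enabled -Type DWord
    Restart-Smc
}

try {
    Set-SmcDebugLogging -Enabled 1
    Write-Host 'Debug logging on. Right-click the SEP tray icon, choose Update Policy, then start SylinkMonitor.'
    Write-Host "Capturing for $captureMinutes minutes..."
    Start-Sleep -Seconds ($captureMinutes * 60)
}
finally {
    # Always restore the original setting, even if a step above failed.
    Set-SmcDebugLogging -Enabled 0
    Write-Host 'Debug logging off. Save the SylinkMonitor log before closing the tool.'
}
```

Run it from an elevated PowerShell prompt on the affected client; the SylinkMonitor tool itself is still started and saved by hand, as in the steps above.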

zomwalk:

Hi w-d,

we were able to get the log from the SylinkMonitor tool; attached is the log file, kindly advise. Thank you.

Attachment: symantec-update.txt (81.88 KB)

w-d:

Could you upload Log.LiveUpdate from the same machine as well? The default location is:

C:\Documents and Settings\All users\Application Data\Symantec\LiveUpdate

I see you are using GUPs. Does this machine update correctly?

Chetan Savade:

Hi,

First, check whether the GUP is updated or not.

After that, check client and GUP connectivity.

You can check connectivity with the following commands:

telnet (your GUP IP) 2967

ping (your GUP IP)

Also check whether there is any proxy between the SEP client & GUP.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
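The telnet/ping check above done in PowerShell, as an added example that is not part of the thread. It tests the two ports this thread turns on: 8014, the default port on which clients talk to the SEPM, and 2967, the port on which clients fetch content from a GUP (the Sylink log later in the thread shows a content download URL on 2967, which is why a GUP that is also the SEPM must have 2967 open too). The host names are placeholders; the TcpClient approach is used because Test-NetConnection is not available on Windows 2008 R2.

```powershell
# Added example (not from the thread): check reachability of the SEPM and GUP
# ports named in the thread. Host names are placeholders; replace with yours.
$targets = @(
    @{ Name = 'SEPM (client communication)'; Server = 'sepm.example.internal'; Port = 8014 },
    @{ Name = 'GUP (content download)';      Server = 'gup.example.internal';  Port = 2967 }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; works on PowerShell 2.0 (Windows 2008 R2).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($t in $targets) {
    # ICMP first (the thread's "ping"), then the TCP port (the thread's "telnet").
    $icmp = Test-Connection -ComputerName $t.Server -Count 1 -Quiet
    $tcp  = Test-TcpPort -ComputerName $t.Server -Port $t.Port
    $verdict = if ($tcp) { 'OK' }
               elseif ($icmp) { 'host answers ping but port is blocked: check firewall/proxy' }
               else { 'host unreachable' }
    '{0,-30} {1}:{2,-5} ICMP={3,-5} TCP={4,-5} {5}' -f $t.Name, $t.Server, $t.Port, $icmp, $tcp, $verdict
}
```

A host that answers ping but refuses the TCP port points at a firewall or proxy between client and server, which is the case the thread ends up suspecting for the DMZ machines.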

zomwalk:

hi guys,

thanks for the assist, but we do not use a GUP to update our clients and it's not configured in the policy; the clients connect to the SEPM to get the latest virus definitions. Thanks

w-d:

I supposed there is a GUP because the client is trying to download the content on port 2967 (which is used by the GUP):

http://10.199.11.27:2967/content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/110405037/Full.zip

 

If there is no GUP, please test on one client group:

1. Create a fresh LiveUpdate policy and assign it to this group

2. Right-click that group and select Run a command on the group -> Update Content

3. Then verify whether any client got the update

Rafeeq:

yeah, he said it right

 

http://10.199.11.27:2967/content/{1CD85198-26C6-4bac-8C72-5D34B025DE35}/110405037/Full.zip

is in the log. Open the SEPM:

Policies

LiveUpdate

Set the first option for all groups to use the management server; that should fix the issue.

zomwalk:

hi guys,

sorry, I had overlooked the settings. Yes, we had configured the GUP in the policy, but the GUP was in fact also the SEPM server, so does this have any impact? Or are there any changes that need to be done? Currently our environment has 3 DMZ zones, and all the clients connect back to this SEPM/GUP server. Thanks guys.

zomwalk:

hi guys,

we have solved the GUP issue and the client is able to download now, but I would like to ask an ad hoc question: since we have DMZ servers that are not able to connect back to the SEPM/GUP, can we manually update those servers with the full.zip? Which folder does the full.zip go to? Thanks

pete_4u2002:

do you mean update on the GUP?

full.zip is provided by the SEPM to the GUP. It is not generated unless clients contact the SEPM to deliver the content through the GUP.

John Harkins:

Wow what's that man ?

/* Please vote for good post */

John Harkins
IT Professional
Facebook: http://www.facebook.com/profile.php?id=100000958800056

zomwalk:

hi Pete,

no, what I mean is getting full.zip and manually updating the DMZ SEP clients, since they are not able to connect back to the GUP to get the update. I would like to know if it is possible and how to do it. Thank you.

pete_4u2002:

hi,

You can use the jdb file to update the clients in the DMZ. The steps to do that are mentioned in the URL below.

http://www.symantec.com/business/support/index?page=content&id=TECH104363&locale=en_US

Note this will update only the AV/AS definitions.

zomwalk:

thanks for the info Pete. What about the IPS and TruScan definitions? Is it not possible? thanks

pete_4u2002:

IPS signatures are not updated using the jdb file.

 

Also, if the client is not able to reach the SEPM, convert the client to unmanaged, so that the unmanaged client can connect to Symantec LiveUpdate (internet) for updates.

zomwalk:

Hi Pete, we just checked; we did not find any inbox directory on the client. By the way, the clients are running Windows 2008 R2 64-bit. Is there anything else to check? thanks

zomwalk:

hi Pete, that will not be possible, as in the DMZ there are no external connections for the clients, which is why the only way to do it is to update them manually. Thanks

pete_4u2002:

Hi,

To have the inbox created, the SEP client needs to contact the SEPM, because the client contacts the SEPM to have the inbox folder created.

Via the Symantec Endpoint Protection Manager:

  1. Go to "Clients"
  2. Open the group in which the clients that need to be updated manually can be found
  3. Edit the LiveUpdate Settings policy
  4. In the LiveUpdate policy, open the tab "Server Settings"
  5. On the "Server Settings" tab, enable the option "Enable third party content management"

As said, if the client does not talk to the SEPM, then have it converted to unmanaged mode.

Rafeeq:

from the updated client, go to C:\Program Files\Common Files\Symantec Shared\VirusDefs

you will see a dated folder which has the latest definitions; copy the contents of that folder (it will be named something like 201104003)

create a folder called incoming on the machine you want to update the defs on:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming

paste the contents of the 201104003 folder inside the incoming folder

wait for a minute; it should be updated
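Rafeeq's manual copy scripted in PowerShell, as an added example that is not part of the thread. It picks the newest dated definition folder on the machine it runs on and copies its contents into the incoming folder on a target reachable over the C$ admin share. The target host name is a placeholder, and the VirusDefs path is the one given in the thread (on a 64-bit host with a 32-bit client it may sit under Program Files (x86) instead). As the thread notes, this covers the virus definitions folder only, not IPS or TruScan content.

```powershell
# Added example (not from the thread): push the newest virus definition set
# from this (up-to-date) client into another client's VirusDefs\incoming folder.
# Assumes the thread's default path on both machines and a reachable C$ share.
$sourceDefs = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs'
$targetHost = 'dmz-server-01'   # placeholder; replace with the machine to update
$targetIncoming = "\\$targetHost\C`$\Program Files\Common Files\Symantec Shared\VirusDefs\incoming"

# Dated definition folders have numeric names (the thread's example is 201104003);
# the highest name is the newest set. PSIsContainer keeps this PowerShell 2.0 compatible.
$latest = Get-ChildItem -Path $sourceDefs |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+)?$' } |
    Sort-Object Name -Descending |
    Select-Object -First 1
if (-not $latest) { throw "No dated definition folder found under $sourceDefs" }
Write-Host "Newest definitions on this machine: $($latest.Name)"

if (-not (Test-Path $targetIncoming)) {
    New-Item -Path $targetIncoming -ItemType Directory | Out-Null
}

# Copy the contents of the dated folder (not the folder itself) into incoming,
# which is what the thread describes as the trigger for the client to pick them up.
Copy-Item -Path (Join-Path $latest.FullName '*') -Destination $targetIncoming -Recurse -Force
Write-Host "Copied $($latest.Name) to $targetIncoming; the client should apply it within about a minute."
```

Confirm the result afterwards by checking that a new dated folder appears under VirusDefs on the target and that the definition date shown in the client UI has moved.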

 

zomwalk:

Hi Rafeeq,

we are actually trying to update all 3 definitions (AV, TruScan, IPS) and would need advice on that. thanks

hi Pete,

when you mention the client needs to contact the SEPM in order to get the inbox directory created: we are actually able to see the host in the SEPM Clients tab, so does that mean the client does talk with the SEPM?

pete_4u2002:

Has it contacted, or is it still communicating?

Does it show a green dot on the SEPM console?

Does the client take policy changes? If yes, then you can have the LiveUpdate policy on the client take the updates from the SEPM.

zomwalk:

hi Pete,

yes, it does show a green dot in SEPM, but because those machines are in the DMZ they are not able to connect back to the SEPM due to network restrictions, or port 2976 is not open, etc., hence the manual update. Hope you get the meaning. Thank you.

pete_4u2002:

The SEPM and SEP clients talk on the configured web server port (default 8014).

SEP talks to the GUP on port 2967.

zomwalk:

in our case the SEPM and GUP are the same server; hence, SEP will talk to the server on port 2967 (I suspect that the port is not open), while SEP talks to the SEPM through port 8014. Thanks

pete_4u2002:

I might be wrong on your requirement, since I feel that having the GUP on the SEPM does not make sense. The reason is that if the client communicates with the SEPM, and the SEPM is the content provider to clients, having a GUP on the SEPM is not needed.

zomwalk:

so we still need help on how to manually update the AV, TruScan and IPS definitions for those DMZ machines; need advice from Symantec. Thanks.

Rafeeq:

that would update all the components. Install LiveUpdate Administrator on a computer in the DMZ which has internet access and configure it to download all the defs.

for a computer which is managed by SEP, make it get updates from LiveUpdate Administrator, no matter if it's not communicating with LUAdmin

once you have configured this in SEPM, the client gets a modified liveupdate.settings file; this will have the LUAdmin info.

you need to replace this settings file on all the computers which are in the DMZ; they will get the updates from LUAdmin.

check this link and its sublinks for more info

http://www.symantec.com/business/support/index?page=content&id=TECH103198

zomwalk:

Hi Rafeeq,

thanks for your advice, but the issue is that in all 3 DMZ zones there is no internet connectivity, as none of them is exposed to the internet, hence we are not able to set up a LiveUpdate manager there. If the manual copy of full.zip works we are actually thinking of creating a batch file which copies the full.zip from the SEPM/GUP server to the machines in the DMZ to update their definitions manually. Is there such a path where we are able to place the full.zip, or another file from which the SEP client will update? Thanks

Rafeeq:

for the client to know where to update from, it's stored in settings.liveupdate.

we won't be able to make any change because these are not communicating with the SEPM

for all the defs to update, we need internet connectivity

you can try the UNC path; I never tried that. Look in the help topics:

http://www.symantec.com/business/support/index?page=content&id=TECH95244&key=54619&actp=LIST

once you make this change, you need to distribute the settings.liveupdate file to the clients.

zomwalk:

we will post the Sylink logs from the DMZ machine, just to confirm whether it is able to communicate with the SEPM, as in the SEPM the machines all have green dots. Thanks

John Harkins:

ok, how about reinstalling the client using CleanWipe and then installing the latest client, SEP 11.06 MR6 MP3?

/* Please vote for good post */

John Harkins
IT Professional
Facebook: http://www.facebook.com/profile.php?id=100000958800056

point-blanc:

I went through a similar issue where clients had problems getting updates when the SEPM server was configured as a GUP. I removed the GUP configuration and let the clients get updates from the SEPM directly, which resolved the issue. Make sure incoming and outgoing traffic on port 8014 is not getting blocked. This actually resolved the issue. You may try the same.

If that doesn't work, create a new test group and let the clients report there.

zomwalk:

hi Guys,

we have got the logs from a DMZ machine and from a problem machine which is not in the DMZ but is not able to update the definitions; need advice on it. Appreciate it, thanks.

Attachments: DMZ1.txt (65.09 KB), problem machine1.txt (124.77 KB)

pete_4u2002:

the DMZ machine is contacting the SEPM

http://10.199.11.27:8014

however there are errors:

Throw Internet Exception, Error Code=4294967287;Internet Session Timeout

RECH:

Hello.

 

I had the same issue with my clients not updating. It turns out that one of my policies was corrupted.

 

What I had to do was restore the SEPM database to a day before the last day on which the good client updates occurred. It all started working, but then I had to find the policy that was corrupted. Once I found it, I created a new one from the policy section on the SEPM and assigned it from there to the affected groups; once that was done, I removed the 'bad' policy from the system.

 

Hope that this helps.