
SEP Clients stuck with old Virus Definition update. Please help.

Created: 16 Apr 2012 | 28 comments

The majority of our SEP clients are stuck with an old virus definition update, Feb 20, 2011.

We are running out of solutions on this; please help. Our SEPM is v11, clients are XP and Windows 7, servers are 2003 and 2008 (x86 and x64).

70% of our clients are not updating; we have roughly 200 users in the network.

Appreciate your response. Thank you.

-roger


roger2011:

Does the client show a green dot? No, it's a yellow circle with an exclamation mark.

pete_4u2002:

Can you post the sylink log from one of the machines?

I also suggest checking the link below for troubleshooting communication issues.

http://www.symantec.com/docs/TECH95789

roger2011:

Communication with the SEPM server is not an issue; this was verified with http://www.symantec.com/business/support/index?page=content&id=TECH102682

Attached to this response is Sylink.log. I saved it in Doc format as Sylink.doc.

Attachment: Sylink.doc (121 KB)

greg12:

Can you send your scm-server-0.log file as well? It can be found under <SEPM folder>:\tomcat\logs.

dgh:

Do your clients update directly from the SEPM(s), via a GUP, or via LiveUpdate? Is the SEPM healthy (e.g. disk not full)?

Use the Support Tool (on any client: Help & Support, Download Support Tool) on a client which is updating and compare it with one which is not.

roger2011:

@greg12, the attached file is scm-server-0.log; I named it scm-server-0.log.txt.

@dgh, all of our clients are updating through the SEPM server. I tried to use LiveUpdate (Internet) as their update server, but to no avail; the same issue occurs.

I reinstalled my SEP client on my system; now I have the old definition file dated 20 Feb 2012 for Antivirus and Antispyware Protection, Proactive Threat Protection, and Network Threat Protection.

To mention, our SEPM server has an outdated definition file as well, 26 March 2012.

Appreciate your help.

Attachment: scm-server-1.log_.txt (91.27 KB)

Simpson Homer:

FileNotFoundException: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\temp\indexM.html (The system cannot find the file specified)

Cause

Symantec Endpoint Protection Manager (SEPM) is unable to access a remote resource. The "...\tomcat\temp\index[X].html (The system cannot find the file specified)" messages generally indicate that the SEPM is not able to access current Symantec threat information over an Internet connection.

In another instance, the SEPM points to an internal LiveUpdate Administrator 2.x (LUA 2.x) server to download the definitions, and the index file is never cleared on the SEPM.

Solution

If there is no Internet connection from the SEPM (i.e. a secure environment), the errors are expected and by design.
To verify, try browsing to "http://securityresponse.symantec.com/avcenter/venc/auto/index/indexA.html" and check for the return of any text.
Check if there is a proxy in the environment.
To check the settings, open Internet Explorer:
1. Click "Tools"
2. Click "Internet options"
3. Click "Connections"
4. Click on the button "LAN settings"
5. Verify the "Proxy Server" settings section. It should be blank and the check box unchecked if there is no proxy present.

Verify the settings on the Symantec Endpoint Protection Manager:
1. Click on "Admin"
2. Click on the "Servers" bar.
3. Right-click on the name of the server that is being checked and select "Edit Properties".
4. Click on the "Proxy Server" tab.
Verify that the settings match those of IE and then click on the "OK" button.

roger2011:

Dear Simpson,

The SEPM server has an Internet connection, and yes, we have a firewall/proxy in place in our network, Forefront TMG. Everything seemed well before; we have been using this SEP for almost a year. Later we noticed that only a few clients are updating their definition files and the majority are on the Feb 20 update. Does this update need to be cleared on the SEPM server? I reinstalled my SEP client on my system a few minutes ago and allowed it to update through the SEPM server, but the old definition file was applied, Feb 20.

I was able to access http://securityresponse.symantec.com/avcenter/venc/auto/index/indexA.html through the SEPM server; please see the attached file.

Attachment: Sample2.jpg

pete_4u2002:

I looked into the sylink logs; it shows the SEPM itself has not been updated since 20/Feb/2012 rev 1. Update the SEPM using the JDB file.

How to update definitions for Symantec Endpoint Protection Manager using a JDB file
http://symantec.com/docs/TECH102607

roger2011:

Hi Pete, that sylink log was generated on my system, not on the SEPM server. Do I need to do the same on the SEPM server? As I recall, you asked me to get the sylink log from one of the machines; I assumed this meant a client machine. Appreciate your response.

roger2011:

I didn't update the definition file yet using the JDB file.

I just want to mention that, based on the attached snapshot (Symantec Virus Distribution), it is clearly shown that the majority of our clients have the Feb 20, 2012 def file. How can we resolve this? I believe Symantec has faced this issue before, as I've seen numerous posts on the Internet with the same issue.

Attachment: SymVirDistr.jpg

nia:

Hello Roger,

A few questions:

1) Does the SEPM server have the latest updates?

2) Have you tried to run LiveUpdate on a client (if there is Internet access) to see if the client gets updated?

3) Do you have only one LiveUpdate policy for all machines (to download definitions from the default management server)?

4) Are all clients on the same VLAN? Since sometimes there are firewall rules, try to move the client (physically) to a location where clients do get updates.

Do the following and let us know:

1) From the client side, open the client console, go to Logs, Client Management Control Log, and check if there is any error from LiveUpdate.

2) Reboot the SEPM server and run Update Content on the clients (from the SEPM console).

Regards,

Nikos

Nikos Apostolou Systems Engineer

roger2011:

Hi Nikos,

You asked:

1) Does the SEPM server have the latest updates? No. March 26, 2012.

2) Have you tried to run LiveUpdate on a client (if there is Internet access) to see if the client gets updated?

I tried these (all clients have Internet access):

- Run luall.exe from a client that has an updated def file > result: successful

- Run luall.exe from a client that has an outdated def file (Feb 20, 2012) > result: failed (see snapshot1)

3) Do you have only one LiveUpdate policy for all machines (to download definitions from the default management server)? Yes, only one update policy for all the machines, and yes, clients are downloading updates from the SEPM server.

4) Are all clients on the same VLAN? Since sometimes there are firewall rules, try to move the client (physically) to a location where clients do get updates. No, clients are on different VLANs. There is no pattern in the VLANs; what I mean is, some clients on different VLANs have the latest updates.

Do the following and let us know:

1) From the client side, open the client console, go to Logs, Client Management Control Log, and check if there is any error from LiveUpdate. The Client Management Control Log is blank (no logs generated). I captured the System Log for your reference on the SEPM client connection (snapshot 2).

2) Reboot the SEPM server and run Update Content on the clients (from the SEPM console): same issue after rebooting the SEPM server.

-Roger

Attachments: snapshot1.jpg, snapshot2.jpg

greg12:

As Pete wrote, the clients are indicating in sylink.log that the SEPM has content definitions from 02/20/2012. You write that the SEPM content is from 03/26/2012.

Please send a screenshot of the "Show LiveUpdate Downloads" form (Admin > Servers > Local Site > Show LiveUpdate Downloads).

nia:

Hello Roger,

Interesting results.

First of all, you need to update the SEPM by running LiveUpdate from the console.
Second, regarding the manual update of the clients:

a) Running LiveUpdate, the definitions are downloaded from the Internet, as you can see.

b) The client that is not updated does not have access to the Symantec LiveUpdate server, or has another issue with LiveUpdate.

I propose the following:

1) Update the SEPM server.

2) Check the LiveUpdate troubleshooter as described at the following link:

http://www.symantec.com/business/support/index?page=content&id=TECH95790

3) From the screenshots you have sent (system log), I cannot see any logs from LiveUpdate. That means that either you have to change the view (more days) or your LiveUpdate policy downloads definitions more rarely (the default is to push every 4 hours).

My feeling is that this is a problem either with corrupted definitions on clients from a failed LiveUpdate, or a proxy issue (ISA usually interferes with internal traffic as well; you could ask the network team to check the traffic).

Let us know about the findings.

Regards,

Nikos

Nikos Apostolou Systems Engineer

roger2011:

@greg, please see the attached file, a screenshot of "Show LiveUpdate Downloads". The majority of our clients have the 20Feb2012 def update; only 15% run the latest update. Our SEPM server is on the 26Mar2012 update.

@Nikos, updating the SEPM server from the console gives this error (snapshot3). The link you gave is about how to clear the def file from the client system; does the corrupted def file reside on the client, or on the SEPM server that gives out the corrupted definition?

Appreciate your help.

Attachments: ShowLiveUpdateDownloads.jpg, snapshot3.jpg

roger2011:

How can we delete/clear the old def file (20Feb2012) from the SEPM server?

nia:

Hello Roger,

In the provided URL, there is also a communication check with Symantec sites:

  • Troubleshoot Communication issue:
      1. Make sure that you are able to browse to the web sites below:
        1. Liveupdate.symantecliveupdate.com
        2. Liveupdate.symantec.com
        3. Symantec.com
      2. Make sure that the perimeter firewall has exceptions for the web sites above

For the SEPM server, I suppose you have to find the definition files (I do not remember where) and, after stopping the services, delete them.

A better way is to change LiveUpdate on the server to keep only the last definition and not the last 3 or 4, which is the default.

I still bet on a proxy or networking issue.

Let us know.

Regards,

Nikos

Nikos Apostolou Systems Engineer
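
The proxy and reachability checks that Simpson Homer and Nikos describe above (IE "LAN settings", browsing to indexA.html, and reaching the three LiveUpdate hosts) are easy to run by hand once, but when 70% of a fleet is stuck it helps to run the same checks the same way on the SEPM and on a good and a bad client and compare the output. The PowerShell script below is an added example written for this thread; it is not Symantec code and not part of any post. The hostnames and the indexA.html URL are the ones quoted in the thread. Everything else is an assumption on my part: the function names, the timeouts, and the use of the standard per-user WinINET registry values (ProxyEnable, ProxyServer, ProxyOverride) that Internet Explorer's LAN settings dialog reads and writes. It uses only .NET classes available on PowerShell 2.0 so it can also run on the Windows 2003 server mentioned in the thread.

```powershell
# Added example for this thread (not Symantec's code): compares the WinINET proxy
# settings with what the machine can actually reach, direct and through the proxy.
# Hostnames/URL are quoted from the thread; function names and timeouts are assumptions.
$hosts = @('liveupdate.symantecliveupdate.com', 'liveupdate.symantec.com', 'symantec.com')
$indexUrl = 'http://securityresponse.symantec.com/avcenter/venc/auto/index/indexA.html'

function Get-WinInetProxy {
    # Per-user IE/WinINET proxy settings; the SEPM console's "Proxy Server" tab should match these.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnabled = ($p.ProxyEnable -eq 1)
        ProxyServer  = $p.ProxyServer
        Bypass       = $p.ProxyOverride
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port = 80, [int]$TimeoutMs = 5000)
    # Direct TCP connect, bypassing any proxy. A failure here is normal when a proxy is
    # mandatory at the perimeter; a failure here with no proxy configured points at the firewall.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-HttpFetch {
    param([string]$Url, [int]$TimeoutMs = 15000)
    # HTTP GET through the system (WinINET) proxy with the current user's credentials,
    # i.e. the same path IE and the SEPM's LiveUpdate take. Returns the status code or the error text.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
        $sysProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $req.Proxy = $sysProxy
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return $status
    } catch {
        return $_.Exception.Message
    }
}

$proxy = Get-WinInetProxy
Write-Host ("Proxy enabled: {0}  server: {1}  bypass: {2}" -f $proxy.ProxyEnabled, $proxy.ProxyServer, $proxy.Bypass)

foreach ($h in $hosts) {
    $direct = Test-TcpPort -HostName $h
    $http   = Test-HttpFetch -Url ("http://{0}/" -f $h)
    Write-Host ("{0,-40} direct TCP/80: {1,-5}  HTTP via proxy: {2}" -f $h, $direct, $http)
}
Write-Host ("indexA.html fetch: {0}" -f (Test-HttpFetch -Url $indexUrl))
```

Run it in the same user context the SEPM service and the SEP client use, since the WinINET values are per-user: a proxy that is configured for the logged-on administrator but not for the service account is exactly the kind of mismatch the "Verify that the settings match those of IE" step above is meant to catch. A host that answers on a direct TCP connect but fails through the proxy points at the proxy (TMG/ISA rules or authentication); the reverse points at the perimeter firewall.
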

roger2011:

Hi Nikos,

Everything was going well before; we have clients without an Internet connection, but they were able to update their definitions through the SEPM server.

The URLs you gave to test the connection open successfully from the SEPM server and from clients that have an Internet connection.

  1. Liveupdate.symantecliveupdate.com
  2. Liveupdate.symantec.com
  3. Symantec.com

One question: does LUALL.EXE get updates directly from the Internet or from the SEPM server?

Maybe this is another issue of a corrupted def file on the SEPM server; is there any way to delete this file?

nia:

Hello Roger,

So, clients with Internet access are downloading updates, if I understand correctly.

Running LiveUpdate from the client (luall.exe or LiveUpdate from the GUI) downloads the definitions from the Internet, not from the SEPM.

Check the following (old) thread for the deletion of old definitions from the SEPM. ALWAYS BACK UP BEFORE.

https://www-secure.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm

or:

http://www.symantec.com/business/support/index?page=content&id=TECH104721

For client deletions:

http://www.symantec.com/business/support/index?page=content&id=TECH103176

Hope that helps.

Regards,

Nikos

Nikos Apostolou Systems Engineer

roger2011:

Hi Nikos, is this a well-known issue with Symantec?

Your first link, https://www-secure.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm, is for 32-bit OSes; our server is 64-bit Windows 2003. I came across the links you gave before, but I was afraid to proceed, as I was not sure this would resolve our issue; I stopped there and posted our issue here in this forum hoping that the Symantec tech support team could help us. Anyway, I'll give it a try. I'll keep you posted.

nia:

Hello Roger,

I think the second link fits your case better.

I have seen this issue at a couple of our customers, but the problem was usually a proxy or networking issue.

More often, we came across corrupted definitions on the client side. Since some of your clients download definitions correctly (make sure it is from the SEPM/GUP and not the Internet), the SEPM definitions should be OK.

On my client, you can see the attached log. It appears clearly that the definitions were downloaded with LiveUpdate, but I cannot see any similar log in your screenshots.

I propose to see if it works, and if none of the above solutions work, then open a case with Symantec Support.

In any case, let us know what was the fix.

Regards,

Nikos

Attachment: systemlog.PNG

Nikos Apostolou Systems Engineer

ajhay.siingh:

Hi Roger,

Thanks for all the posts by forum members to solve the issue.

Please also check the following things to clean up LiveUpdate content from the SEPM:

  • Uninstall LiveUpdate from Add/Remove Programs and delete the instance from the machine:
    C:\ProgramData\Symantec\LiveUpdate
  • Then reinstall LiveUpdate and register it with Symantec Endpoint Protection Manager, and with the client as well if it's installed.
  • To register the SEPM with LiveUpdate:
      1. Click Start, then Run.
      2. Type cmd, then click OK. This will bring up a command prompt.
      3. At the command prompt, type cd and the path to lucatalog.exe. By default the command would be:

         cd C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

      4. Type lucatalog.exe -cleanup
      5. Type lucatalog.exe -update (in the case of SEPM 12.1, type -forceupdate).

Remember, if you have to re-register the SEPM's LiveUpdate, follow the above steps; if you have to re-register the SEPM's SEP client LiveUpdate, go to Add/Remove Programs, select Symantec Endpoint Protection, click Change and repair it. You should also do this step.

Then try to run luall from the command prompt. It will download all definitions from the Symantec LiveUpdate server to the SEPM.

Then check the SEPM's current definition status. If the SEPM shows the current definition as the current date or a day before, the clients will start updating automatically.

I'm afraid that in your case you will have to check the LiveUpdate server option on the SEPM:

Go to Policies > LiveUpdate > Server Settings and uncheck the "Use a LiveUpdate server" option if it is checked.

If it is checked, all clients will try to connect to the Symantec LiveUpdate server or your internal LiveUpdate server to update, in case they are not updating from the SEPM.

Also please check the SEPM proxy settings. If a proxy is configured to update through the Internet, please give all permissions to this server's IP, because I have cross-checked proxied update downloads to the SEPM and it gives an error; all permissions should be assigned to the SEPM IP or the proxy user ID, including FTP download permission.

Please cross-check; maybe your problem will be sorted out.

Regards,

Ajay Kumar Singh (Consultant, Information Security)

AravindKM:

Are you still facing this issue?

If yes, try clearing the virus defs as per this KB:

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.

Please don't forget to mark your thread solved with whatever answer helped you :) Thanks & Regards, Aravind