Endpoint Protection


SEP definition update problem


  • 1.  SEP definition update problem

    Posted Dec 21, 2014 09:15 PM

    Hi,

    I created a policy for PC to update definition with Symantec Live update server.

    I found that some PCs haven't updated since last week. They are still keeping the 17/12 r4 definitions.

    In the System Log, I found that the update ran successfully but there was no new update on 22/12 at 2:30 am. No update was found in the Virus and Spyware Protection Logs either.

    If I run LiveUpdate manually in SEP, there is a definition to update.

    Please advise.


    Thanks



  • 2.  RE: SEP definition update problem

    Posted Dec 21, 2014 09:18 PM

    You need to enable sylink debugging to show what is going on. There is nothing to see in the logs you posted. There may also be a lue.log file.

    Did you apply the policy correctly? Did the client pick it up?

    This is usually because the policy isn't set up correctly.

    For reading:

    Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart



  • 3.  RE: SEP definition update problem

    Posted Dec 22, 2014 02:15 AM

    Hello William,

    Clear the definitions and run LiveUpdate on the client:

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59193



  • 4.  RE: SEP definition update problem

    Posted Dec 22, 2014 02:47 AM

    The policy is correct. I have run it for a long time; it just suddenly failed to update.

    The client also succeeded in picking up the policy.

    How do I get the log for investigation?

    Thanks



  • 5.  RE: SEP definition update problem

    Posted Dec 22, 2014 06:24 AM

    If it's just one machine, follow this...

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually


  • 6.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:19 AM

    Sooooo if these clients are updating directly with Symantec, then you want to look in the log.lue file for any errors and for more details on what the client is doing:

    http://www.symantec.com/docs/TECH106034

    A common situation I've encountered when people try to update their clients directly from Symantec, is that they route the client through a proxy server that happens to offer caching.  If this is the case, then it is recommended to disable caching for the Symantec LiveUpdate addresses.



  • 7.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:01 PM

    LiveUpdate can update the definitions manually; are the definitions still corrupted?



  • 8.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:02 PM

    No



  • 9.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:05 PM

    Attached for reference.

    Thanks

    Attachment: Log_27.zip (22 KB)


  • 10.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:11 PM

    Are you absolutely certain the policy is configured correctly and the client has picked it up?

    You can attach your LU policy if you wish so I can review.



  • 11.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:29 PM

    Attached FYI




  • 12.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:43 PM

    The policy looks fine.

    Can you bypass your proxy on one of your affected clients?



  • 13.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:45 PM

    What should I add to the proxy to bypass it?



  • 14.  RE: SEP definition update problem

    Posted Dec 22, 2014 07:51 PM

    Probably something you need to discuss with your admin who oversees your proxy. The client needs to be allowed to go out directly...



  • 15.  RE: SEP definition update problem

    Posted Dec 22, 2014 08:37 PM

    - How do I bypass the proxy connection in SEP? Or will it use the browser proxy setting?

    - Otherwise, if it connects through the proxy, why can a manual update update the definitions?

    Thanks



  • 16.  RE: SEP definition update problem

    Posted Dec 22, 2014 08:40 PM

    It uses the browser setting. Otherwise you can configure it manually.




  • 17.  RE: SEP definition update problem

    Posted Dec 23, 2014 04:39 AM

    Definitely a proxy issue.  All the attempts to connect at 2:30AM fail to connect to the http version of the Symantec LiveUpdate site and switch to the FTP one instead as below:

      Server selection failed for server HTTP://liveupdate.symantecliveupdate.com/ on port 80.
      Proxy (10.10.208.118:8080) is configured for server (liveupdate.symantecliveupdate.com). Won't go for explicit DNS query.
      Server selection complete. Server is FTP://update.symantec.com/opt/content/onramp on port 21.
      Connected using proxy: (10.10.208.118:8080).

    Whereas the attempts made manually during the day (about 10:27) do successfully connect via http and subsequently succeed:

      Server selection complete. Server is HTTP://liveupdate.symantecliveupdate.com/ on port 80.
      Connected using proxy: (10.10.208.118:8080).

    The logs are a bit sparse on the reasons why, though.  I'd recommend checking out your proxy server's logs for failed auth/connection attempts.  Either that or just allow everyone (unauthenticated) out to HTTP://liveupdate.symantecliveupdate.com/ along with making sure caching is disabled as I mentioned before...

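    The two log.lue sessions quoted in the reply above, run through a small classifier that flags the HTTP-to-FTP fallback and records the proxy used. This is an added example, not code from the thread or from Symantec; the line format is assumed from the quoted excerpts, and the grouping of lines into sessions is constructed.

```python
import re
from typing import Dict, List, Optional

# Patterns assumed from the log.lue lines quoted in the thread.
FAILED_RE = re.compile(r"Server selection failed for server (\S+) on port (\d+)")
COMPLETE_RE = re.compile(r"Server selection complete\. Server is (\S+) on port (\d+)")
PROXY_RE = re.compile(r"Connected using proxy: \(([\d.]+:\d+)\)")


def summarize_session(lines: List[str]) -> Dict[str, object]:
    """Summarize one LiveUpdate session: which servers failed selection, which
    server was finally chosen, the proxy used, and whether the session fell
    back from HTTP to FTP (the signature of the proxy blocking port 80 above)."""
    failed: List[str] = []
    selected: Optional[str] = None
    proxy: Optional[str] = None
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed.append(f"{m.group(1)}:{m.group(2)}")
            continue
        m = COMPLETE_RE.search(line)
        if m:
            selected = f"{m.group(1)}:{m.group(2)}"
            continue
        m = PROXY_RE.search(line)
        if m:
            proxy = m.group(1)
    http_failed = any(s.upper().startswith("HTTP://") for s in failed)
    ftp_fallback = http_failed and selected is not None and selected.upper().startswith("FTP://")
    return {"failed": failed, "selected": selected, "proxy": proxy, "ftp_fallback": ftp_fallback}


# Constructed sessions built from the lines quoted in the thread.
SCHEDULED_0230 = [
    "Server selection failed for server HTTP://liveupdate.symantecliveupdate.com/ on port 80.",
    "Proxy (10.10.208.118:8080) is configured for server (liveupdate.symantecliveupdate.com). Won't go for explicit DNS query.",
    "Server selection complete. Server is FTP://update.symantec.com/opt/content/onramp on port 21.",
    "Connected using proxy: (10.10.208.118:8080).",
]
MANUAL_1027 = [
    "Server selection complete. Server is HTTP://liveupdate.symantecliveupdate.com/ on port 80.",
    "Connected using proxy: (10.10.208.118:8080).",
]

if __name__ == "__main__":
    for name, session in (("scheduled 02:30", SCHEDULED_0230), ("manual 10:27", MANUAL_1027)):
        print(name, summarize_session(session))
```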


  • 18.  RE: SEP definition update problem

    Posted Dec 23, 2014 07:35 PM

    Hi,

    With the same network settings, why does the scheduled update fail but the manual update succeed?

    Otherwise, why does the scheduled update fail to connect to HTTP and then change to FTP, but the manual update succeed over HTTP?

    Furthermore, with the same settings on another PC, I couldn't find the same file. But this PC succeeded in its scheduled update.

    Thanks



  • 19.  RE: SEP definition update problem

    Posted Dec 24, 2014 12:50 AM

    Attached log from the PC which succeeded in its scheduled update.

    Attachment: Log_4.7z (8 KB)


  • 20.  RE: SEP definition update problem

    Posted Dec 24, 2014 03:53 AM

    As I mentioned, there's nothing in the log to suggest why it's failing.  Therefore you're going to need to look at the logs on your proxy to investigate.

    Like I said, you might consider just allowing everyone out to Symantec LiveUpdate unauthenticated if you want (and security policy allows).



  • 21.  RE: SEP definition update problem

    Posted Dec 24, 2014 07:43 AM

    BTW, that latest log you posted seems to show the client going direct to Symantec LiveUpdate; it appears to circumvent your proxy entirely, suggesting the ports are already open.

    The logs themselves are generally quite easy to read, I'd suggest having a rummage through them!