Endpoint Protection


SEP not updating using LiveUpdate

  • 1.  SEP not updating using LiveUpdate

    Posted Oct 12, 2009 03:36 PM
    I posted a problem regarding Symantec Antivirus not updating and was told in another thread that I had to update to the latest version.  (Here is the link to the original the post:  https://www-secure.symantec.com/connect/forums/virus-definitions-updates-not-applied-corporate-edition-81)

    I updated to SEP version 11 and I am still not able to update.  When I used LiveUpdate the first time, the program connected to Symantec's servers and seemed to download something.  However, the date reported on the user interface stayed at 9/17/2009.   The next time I used LiveUpdate, I received the following error message:  LU1803 LiveUpdate failed to get updates. 

    I tried to manually install them using the instructions located here:  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030710560348.  I was unable to complete the operation because the "inbox" folder does not exist.

    Thanks in advance for any suggestions.

    Tim Banyas


  • 2.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 03:45 PM

    Can you check the virus definition date on the server? For this you can go to Admin tab → Servers → Local Site; under this you can see the available LiveUpdate downloads and see what the date of the definitions is.

     


  • 3.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 03:51 PM

    This is the doc you should look at for 3rd party deployment:
     http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008092509280648


    Are your clients communicating with SEPM?
    If yes, then you can directly update SEPM and it will update the clients.

    If these clients are unmanaged, then either there is corruption in LiveUpdate, SEP 11 is not installed properly,
    or you have a proxy in your network that needs to be configured.



  • 4.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 03:52 PM
    For troubleshooting information please view the
    Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009082702000348

    Thomas


  • 5.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 04:20 PM
    Did you try the steps in this document?  (The link you provided does not work, so I could not confirm if it was the same one.)

    Title: 'LiveUpdate fails with an Error: LU1803'
    Document ID: 2009081803143348
    > Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009081803143348

    It too addresses proxy settings, so if you find that the SEPM itself is not updating (if you have a SEPM), or if all computers are not updating, this may be the cause of what you're experiencing.

    The LU troubleshooting guide is good, too.

    Thanks,
    sandra


  • 6.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 04:38 PM
    I followed the following steps:


    1. Open the Symantec Endpoint Protection Manager
    2. Click on the Admin Tab
    3. Click on Servers
    4. Click on Local Site
    5. Click Show Liveupdate Downloads
    6. Make sure that the date for 32 bit and 64 Definitions for ‘Virus & Spyware Definitions’ is up-to-date
    The SEPM is reporting updates on 2009-09-10; however, the updates are not reported on the client, which in this case happens to be the same machine that the SEPM is running on.


  • 7.  RE: SEP not updating using LiveUpdate

    Posted Oct 12, 2009 05:53 PM
    As I am not sure which country you are in, is that 9 October, or 10 September?  If the latter, that is (obviously) very out of date.

    Do your SEP clients all have green dots indicating communication?

    sandra


  • 8.  RE: SEP not updating using LiveUpdate

    Posted Oct 13, 2009 08:32 AM
    It is October 9th.  However, the SEP client (which in this case is the same computer that has the SEPM installed) is reporting September 17th. 

    The only computer with SEP client installed right now is our server and it also has the SEP Manager installed.  Instead of green dot, it has a red "no" symbol (red circle with a diagonal line).


  • 9.  RE: SEP not updating using LiveUpdate

    Posted Oct 13, 2009 08:34 AM
    The article that Tim referenced can be found here:

    How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file

    (The A HREF included a trailing . which prevented it from opening:  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030710560348.  )

    It would probably be best to examine the log.liveupdate for this case: that log contains details on exactly where LU is attempting to connect to, by what means, what it finds and what happens when it tries to download content. 

    There are different logs, as well, that are specific to the SEP client.  Materials downloaded by the SEPM's LU to the SEPM's directories are not immediately, automatically shared by a SEP client installed on the same server.  The content needs to be processed and distributed.  By default, that happens on a periodic schedule. 

    Thanks and best regards,

    Mick


  • 10.  RE: SEP not updating using LiveUpdate

    Posted Oct 13, 2009 08:36 AM
    Cycletech, sandra.g,

    Thank you for the information.  I am working through the steps in links you posted right now and I will let you know what the results are. 




  • 11.  RE: SEP not updating using LiveUpdate

    Posted Oct 13, 2009 09:01 AM
    1. Open and log into the Symantec Endpoint Protection Manager
    2. Click Admin in the left-hand pane
    3. Click Servers
    4. Highlight Local Site
    5. Click Show LiveUpdate Downloads under Tasks
    If it is not working, then try the steps on the following site:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009081803143348?Open&seg=ent




  • 12.  RE: SEP not updating using LiveUpdate

    Posted Oct 14, 2009 12:52 PM
    I followed the steps in the article recommended by cycletech:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009082702000348

    I was able to establish communication between the client and SEPM and the client received the latest update (October 10, 2009).

    However, the SEPM is still not downloading updates using LiveUpdate. 

    I tried to follow the instructions in the article recommended by sandra.g:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009081803143348?Open&seg=ent

    I was unable to uninstall LiveUpdate because the uninstaller said LuComServer is still running.  I went to the service manager and did not see a service called LuComServer.  I tried to stop a service called LiveUpdate.  When I tried to stop it, I received an error message stating that Windows could not stop the service.

    I also checked the processes running using Task Manager and found one called LUCOMS~1.exe.   When I tried to end the process, I got an error message stating that the action could not be completed because access was denied.

    Any suggestions?


  • 13.  RE: SEP not updating using LiveUpdate

    Posted Oct 14, 2009 05:32 PM
    Tamper protection may be disallowing you from stopping the LUCOMS~1 process (which is the LuComServer.exe process).  Any process beginning with LU could be stopped prior to uninstalling LiveUpdate.

    sandra


  • 14.  RE: SEP not updating using LiveUpdate

    Posted Oct 14, 2009 05:38 PM
    Turn off Tamper Protection on the client and try to kill the process. If it still gives access denied, reboot the computer, then try uninstalling LiveUpdate.


  • 15.  RE: SEP not updating using LiveUpdate

    Posted Oct 14, 2009 08:13 PM
    Try to repair your SEP clients from Add/Remove Programs, then run Intelligent Updater. Make sure the SEP clients are connected to SEPM, then monitor whether the client is able to update from the manager.


  • 16.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 12:07 AM
    File lucoms~1.exe is located in a subfolder of "C:\Program Files". The file size on Windows XP is 2,975,352 bytes.
    The service can be started or stopped from Services in the Control Panel or by other programs. The program has no visible window. lucoms~1.exe is a Verisign signed file. The file is digitally signed. The program is not active. File is hidden. It is not a Windows system file
    LUCOMS~1.exe. located in c:\windows or c:\windows\system32 folder


  • 17.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 10:58 AM
    Sandra, Vikram Kumar,

    Thanks for the tip, it allowed me to uninstall and reinstall LiveUpdate.  Unfortunately, reinstalling it did not fix the problem; LiveUpdate still fails.  Here is what the log is telling me:

    October 15, 2009 10:43:07 AM EDT:  LiveUpdate failed.  [Site: My Site]  [Server: server]
    October 15, 2009 10:43:07 AM EDT:  LUALL.EXE finished running.  [Site: My Site]  [Server: server]
    October 15, 2009 10:43:07 AM EDT:  LiveUpdate encountered one or more errors. Return code = 4.  [Site: My Site]  [Server: server]
    October 15, 2009 10:40:18 AM EDT:  LUALL.EXE has been launched.  [Site: My Site]  [Server: server]
    October 15, 2009 10:40:18 AM EDT:  Download started.  [Site: My Site]  [Server: server]

    I searched for Return code 4 and found this thread:

    https://www-secure.symantec.com/connect/forums/sepm-liveupdate-return-code-4

    The basic conclusion there is to reinstall LiveUpdate, which I have already done.

    Any other suggestions?




  • 18.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 12:28 PM
    Have you registered lucatalog.exe after reinstalling LiveUpdate?
    Also add http://liveupdate.symantecliveupdate.com and http://liveupdate.symantec.com to Trusted Sites in IE.


  • 19.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 04:31 PM
    I did not register lucatalog.exe because step 9 states that registering is only necessary if you did not back up and restore Product.Inventory.LiveUpdate.

    I will try to register it and will let you know if that corrects the problem.


  • 20.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 04:47 PM
    I registered lucatalog and added the LiveUpdate sites to the trusted sites and LiveUpdate still fails.


  • 21.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 04:49 PM
    Run LiveUpdate from Start - Run - luall
    and check: are you still getting 1803?


  • 22.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 05:21 PM
    Proxies can cause this error message (and 1803) to occur, as can IE Enhanced Security and hardware firewalls...

    Title: '"Error: LiveUpdate encountered one or more errors. Return code = 4" in LiveUpdate status in Symantec Endpoint Protection Manager'
    Document ID: 2007121710290448
    > Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121710290448

    There is probably more information in the LiveUpdate log (default location: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate), but that file can be very large, and I don't recommend trying to paste the entire thing in here.

    sandra


  • 23.  RE: SEP not updating using LiveUpdate

    Posted Oct 15, 2009 05:24 PM
    Sorry, I only just saw this -- I'm not getting forum notifications, and I'm not sure why :P 

    In the SEP client, under Help and Support > Troubleshooting, is it correctly identifying its SEPM (i.e. itself)?

    sandra


  • 24.  RE: SEP not updating using LiveUpdate

    Posted Oct 16, 2009 09:24 AM
    I followed both sets of instructions below for setting the proxy settings.  I used the same settings for IE, which is capable of browsing the LiveUpdate sites.  Should the proxy settings be different for LiveUpdate than for IE?

    2) Configure the Proxy to have the Liveupdate
    • To Configure the Proxy server from Symantec Endpoint Protection Manager.
    1. Click on Admin
    2. Click on Servers
    3. In the "view servers pane" select the name of the manager under local site
    4. After selecting your server, in the tasks pane, click on Edit Server Properties, a dialog box will open up
    5. Click on Proxy Server
    6. Fill out your appropriate settings and credentials for HTTP and FTP as required for access.

    • To Configure the Proxy server from Liveupdate Application.
    1. Click on Start
    2. Click on Settings and Go to Control Panel
    3. Click on Symantec Liveupdate
    4. Go to the HTTP Tab
    5. Select the right Configuration as per your Requirement.
    This snippet from Log.LiveUpdate suggests that I do need authentication.

    10/15/2009, 20:57:04 GMT -> Progress Update: PRE_CONNECT: Proxy: "http=xxx.xxx.xxx.xxx:8080" Agent: "Symantec LiveUpdate" AccessType: 0x3      
    10/15/2009, 20:57:04 GMT -> Progress Update: CONNECTED: Proxy: "http=xxx.xxx.xxx.xxx:8080" Agent: "uQF7FS/Kf7j7i+RCk+DGNUbCmRo7IvXSgAAAAA" AccessType: 0x3      
    10/15/2009, 20:57:04 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.0.92_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"
    10/15/2009, 20:57:05 GMT -> HttpSendRequest (status 407): Request failed - Proxy Authentication required
    10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: NTLM
    10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: Kerberos
    10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: Negotiate
    10/15/2009, 20:57:05 GMT -> Attempting proxy authentication.
    10/15/2009, 20:57:05 GMT -> Abort proxy authentication attempt because authentication information is missing from the Settings file.
    10/15/2009, 20:57:05 GMT -> LiveUpdate failed in all its attempts to authenticate against this server.
    10/15/2009, 21:01:02 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1819, The proxy server requires a user name and password to connect to the Internet and LiveUpdate is not configured to provide this information.

    I will change the settings and see if  that fixes the problem.
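
An added example (not part of the original thread, and not Symantec code): a small Python triage for Log.LiveUpdate excerpts like the one in post 24. It pulls out the proxy, HTTP status, offered authentication schemes and return code, and splits on timestamps so that entries run together on one line are still read separately. The sample log is constructed and abridged; the function names and dict keys are this example's own.

```python
import re

# Constructed sample, abridged from the kind of entries quoted in this thread.
# The last two entries are fused on one line to exercise the splitter.
SAMPLE_LOG = (
    '10/15/2009, 20:57:04 GMT -> Progress Update: PRE_CONNECT: Proxy: "http=xxx.xxx.xxx.xxx:8080" Agent: "Symantec LiveUpdate" AccessType: 0x3\n'
    "10/15/2009, 20:57:05 GMT -> HttpSendRequest (status 407): Request failed - Proxy Authentication required\n"
    "10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: NTLM\n"
    "10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: Kerberos\n"
    "10/15/2009, 20:57:05 GMT -> Server supports authentication scheme: Negotiate\n"
    "10/15/2009, 20:57:05 GMT -> Abort proxy authentication attempt because authentication information is missing from the Settings file.\n"
    "10/15/2009, 20:57:05 GMT -> LiveUpdate failed in all its attempts to authenticate against this server."
    "10/15/2009, 21:01:02 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session exited with a return code of 1819\n"
)

STAMP = re.compile(r"(\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2}) GMT -> ")

def split_entries(text):
    """Return (timestamp, message) pairs, splitting on timestamps rather than newlines."""
    parts = STAMP.split(text)  # ['', ts1, msg1, ts2, msg2, ...]
    return [(ts, msg.strip()) for ts, msg in zip(parts[1::2], parts[2::2])]

def triage(text):
    """Collect the fields that matter for a proxy-authentication failure."""
    s = {"proxy": None, "http_status": [], "schemes": [],
         "creds_missing": False, "return_code": None}
    for _, msg in split_entries(text):
        if m := re.search(r'Proxy: "([^"]+)"', msg):
            s["proxy"] = m.group(1)
        if m := re.search(r"HttpSendRequest \(status (\d{3})\)", msg):
            s["http_status"].append(int(m.group(1)))
        if m := re.search(r"authentication scheme: (\w+)", msg):
            s["schemes"].append(m.group(1))
        if "authentication information is missing" in msg:
            s["creds_missing"] = True
        if m := re.search(r"return code of (\d+)", msg):
            s["return_code"] = int(m.group(1))
    return s

def diagnose(s):
    if 407 in s["http_status"] and s["creds_missing"]:
        return f"proxy {s['proxy']} requires auth ({'/'.join(s['schemes'])}) but no credentials are configured"
    if 407 in s["http_status"]:
        return f"proxy {s['proxy']} challenged for auth; check whether a later request succeeded"
    return "no proxy authentication failure found"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```
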





  • 25.  RE: SEP not updating using LiveUpdate

    Posted Oct 16, 2009 09:26 AM
    I tried your suggestion and LiveUpdate appears to be downloading a large amount of data.  I will let you know the results once it has finished.


  • 26.  RE: SEP not updating using LiveUpdate
    Best Answer

    Posted Oct 16, 2009 10:19 AM
     Proxy Authentication is not passing

    when you define your proxy server settings in SEPM
    for username give Domain\Username

    and retype the password just to make sure there's no typo

    ""

    Use Windows Authentication

    Enables or disables Windows Authentication. If you use Windows Authentication, type <user>@<domain> or domain\user for the user name format.""



  • 27.  RE: SEP not updating using LiveUpdate

    Posted Oct 16, 2009 01:44 PM
    Once I added the authentication information, LiveUpdate worked fine.

    Thank you all for your efforts to help me resolve this issue.


  • 28.  RE: SEP not updating using LiveUpdate

    Posted Oct 16, 2009 02:37 PM
    So I used the .jdb file, and on the workstation it created an Invalid folder, had like 3 files in it and one showing the updates that were in the file and viruses and the works... What am I supposed to gather from this?

    Also, how do I update the Management server with the .jdb file? I do not have an inbox on that computer, as it is self managed...


  • 29.  RE: SEP not updating using LiveUpdate