Endpoint Protection


SEP11 Definitions Out of Date BUT Only Some Machines

  • 1.  SEP11 Definitions Out of Date BUT Only Some Machines

    Posted May 27, 2011 04:17 PM

    Hello everyone,

    As of May the 13th (that'd be a Friday the 13th for the superstitious) some of our machines have decided not to update any more.  I have tried upgrading from 11.0.6200 to 11.0.6300 (latest revision), which did not help at all.  I have also tried repair installing and also reinstalling the SEPM server software, all to no avail.  I have also tried installing the virus definitions manually using the .jdb files in the incoming folder, still to no avail.  At this point, all of our GUP servers have the old version of virus definitions installed on the clients (not necessarily the oldest for the GUP share...they seem to be updating).  Also, even the SEPM server has an out-of-date client.  I have tried uninstalling SEPM completely and even running the Norton Removal Tool, but I receive a Visual C++ runtime error when I run the NRT.  I have since enabled SyLink logging and have the log files for viewing on one of the machines having problems.

    Any assistance would be greatly appreciated!

    ~Ryan

    Attachment(s): Sylink.zip (89 KB)


  • 2.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted May 28, 2011 12:10 AM

    Follow this document;

    then install the JDB file;

    restart the Symantec Manager service.



  • 3.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted May 28, 2011 02:36 AM

    05/27 15:05:27 [872] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {1CD85198-26C6-4bac-8C72-5D34B025DE35} Seq:110513002
    05/27 15:05:27 [872] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
    05/27 15:05:27 [872] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
    05/27 15:05:27 [872] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {42B17E5E-4E9D-4157-88CB-966FB4985928} Seq:110512001
    05/27 15:05:27 [872] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
    05/27 15:05:27 [872] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=0

    Seen from your log that when LiveUpdate is initiated, the Moniker file, which updates the definition info of the client to the manager, is unable to do the same. This could be due to corrupted definitions on the client.

    Follow this article for clearing the corrupted virus definitions

    http://www.symantec.com/docs/TECH98276

    Then use the .jdb file to update the definitions

    http://www.symantec.com/docs/TECH104363

    This should fix the issue. Once fixed, please monitor for a day to see if the next definition is updated.



  • 4.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Trusted Advisor
    Posted May 30, 2011 12:52 PM

    Hello,

    After looking at the logs, we found:

    05/27 16:07:31 [872] 16:7:31=>Send HTTP REQUEST
    05/27 16:07:31 [872] 16:7:31=>HTTP REQUEST sent
    05/27 16:07:31 [872] <SendUrlAndReceiveResponse:>SMS return=400
    05/27 16:07:31 [872] <ParseHTTPStatusCode:>400=>400 Bad Request
    05/27 16:07:31 [872] Removing LU download from queue since SEPM can't have the LU Info..  Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Target Seq:110512001
    05/27 16:07:31 [872] <mfn_PrepareLUContent:>Requesting LU Info for :  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:110513002

    ...

    05/27 16:07:31 [872] 16:7:31=>Send HTTP REQUEST
    05/27 16:07:31 [872] 16:7:31=>HTTP REQUEST sent
    05/27 16:07:31 [872] <SendUrlAndReceiveResponse:>SMS return=400
    05/27 16:07:31 [872] <ParseHTTPStatusCode:>400=>400 Bad Request
    05/27 16:07:31 [872] Removing LU download from queue since SEPM can't have the LU Info..  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:110513002
    05/27 16:07:31 [872] <PostEvent>going to post event=EVENT_SERVER_ONLINE

    Follow these Symantec articles:

    1) HTTP 400 - Bad Request communication error for Symantec Endpoint Protection Manager (SEPM) 11.x

    2) Troubleshooting for Symantec Endpoint Protection Manager (SEPM) 11.x error "HTTP 400 - bad request"

    3) Symantec Endpoint Protection clients do not communicate with their Manager: 400 - Bad Request in Sylink log
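    The Sylink log excerpts quoted in replies 3 and 4 carry three distinct signatures (EVENT_LU_REQUIRE_STATUS returning ERROR_SYSTEM_UNKNOWN, HTTP 400 from the SEPM on the LU-info request, and the resulting "Removing LU download from queue"), and the same excerpt shows EVENT_SERVER_ONLINE being posted right after the 400s, which is why a client can report "online" in Troubleshooting and still never receive content. The script below is an added example (my code, not a Symantec tool and not code from this thread) that pulls those signatures out of a Sylink log so they can be compared across the working and non-working machines. The sample lines are constructed to mirror the quoted ones, with the moniker GUIDs and sequence numbers copied from the replies; the YYMMDDrrr reading of sequence numbers is an assumption that happens to line up with the dates in the thread.

```python
"""Sylink log triage for the failure signatures quoted in this thread.

Added example, not a Symantec tool and not code from the thread. The sample
lines are constructed to mirror the ones quoted in replies 3 and 4; moniker
GUIDs and sequence numbers are copied from those quotes.
"""
import re
from collections import Counter, defaultdict

SAMPLE_SYLINK_LOG = """\
05/27 15:05:27 [872] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {1CD85198-26C6-4bac-8C72-5D34B025DE35} Seq:110513002
05/27 15:05:27 [872] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
05/27 15:05:27 [872] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
05/27 16:07:31 [872] 16:7:31=>Send HTTP REQUEST
05/27 16:07:31 [872] <SendUrlAndReceiveResponse:>SMS return=400
05/27 16:07:31 [872] <ParseHTTPStatusCode:>400=>400 Bad Request
05/27 16:07:31 [872] Removing LU download from queue since SEPM can't have the LU Info..  Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Target Seq:110512001
05/27 16:07:31 [872] <mfn_PrepareLUContent:>Requesting LU Info for :  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:110513002
05/27 16:07:31 [872] <SendUrlAndReceiveResponse:>SMS return=400
05/27 16:07:31 [872] Removing LU download from queue since SEPM can't have the LU Info..  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:110513002
05/27 16:07:31 [872] <PostEvent>going to post event=EVENT_SERVER_ONLINE
"""

# Patterns taken from the line shapes quoted in the thread.
HTTP_STATUS = re.compile(r"SMS return=(\d{3})")
LU_DROPPED = re.compile(
    r"Removing LU download from queue.*Moniker: (\{[0-9A-Fa-f-]+\}) Target Seq:(\d+)")
LU_STATUS_ERR = re.compile(
    r"EVENT_LU_REQUIRE_STATUS returned (\w+).*Moniker: (\{[0-9A-Fa-f-]+\}) Seq:(\d+)")


def seq_to_text(seq):
    """Render a content sequence number as date and revision.
    Assumption: sequence numbers read as YYMMDDrrr, so 110513002 is
    13 May 2011, revision 2 (the day the poster's clients stopped updating)."""
    return f"20{seq[0:2]}-{seq[2:4]}-{seq[4:6]} r{int(seq[6:])}"


def triage(log_text):
    """Summarise one client's Sylink log: HTTP status codes seen, content
    monikers dropped from the download queue (with the revision the client
    was trying to reach), LU status errors, and whether the client still
    reported the server as online afterwards."""
    http = Counter()
    dropped = {}                 # moniker -> target sequence never received
    lu_errors = defaultdict(list)  # error code -> monikers it was raised for
    server_online = False
    for line in log_text.splitlines():
        m = HTTP_STATUS.search(line)
        if m:
            http[int(m.group(1))] += 1
        m = LU_DROPPED.search(line)
        if m:
            dropped[m.group(1)] = m.group(2)
        m = LU_STATUS_ERR.search(line)
        if m:
            lu_errors[m.group(1)].append(m.group(2))
        if "EVENT_SERVER_ONLINE" in line:
            server_online = True

    signatures = []
    if http[400]:
        signatures.append("http_400_from_sepm")
    if dropped:
        signatures.append("lu_content_dropped")
    if lu_errors:
        signatures.append("lu_require_status_error")
    # The quoted log posts EVENT_SERVER_ONLINE after the 400s: "online" in
    # Troubleshooting does not mean content is being delivered.
    if server_online and signatures:
        signatures.append("online_but_not_updating")

    return {
        "http_status": dict(http),
        "dropped_monikers": dropped,
        "lu_status_errors": dict(lu_errors),
        "server_online": server_online,
        "signatures": signatures,
        "newest_missing_seq": max(dropped.values(), default=None),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SYLINK_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["newest_missing_seq"]:
        print("client is stuck below", seq_to_text(result["newest_missing_seq"]))
```

    Run it against the Sylink log from a machine that updates and one that does not: if only the broken machines show `http_400_from_sepm`, the problem is in how those clients talk to the manager (group, policy, Sylink.xml) rather than in their local definitions, which is the distinction the poster was trying to make in reply 5.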


  • 5.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted May 31, 2011 01:38 PM

    Hello,

    I have tried purging the bad virus definitions and the workstations never get new virus definitions after I do this.

    I also went through the suggestion of SEPM being corrupted.  However, I find this very hard to believe since some workstations function correctly.

    I noticed that if I go on the client while the client is listed in specific groups, they will say "Offline" when you go to "Help and Support" and click "Troubleshooting."  However, they quickly start working again when I place them back into their old temporary group that works (they say online with the server name listed under Troubleshooting).  From there, it seems like they are trying to work but still can't.

    I should also mention that last Friday I created a new group and imported current policies into this group.  I update the policy individually, but when I go to Details under the client "tab," it says "Policy Serial Number" and that number is blank.  All of the systems under this group are unable to communicate with the SEPM.  When I go on the client, it says Server Offline.  However, when I move the clients out of that group and into a known working group, they can at least communicate with the server, but we're still having the virus definitions issue.

    I tried going through and purging the virus definitions on the server and following the instructions from Article: TECH98276. I then went and hit manual "LiveUpdate" where LiveUpdate Express came up and downloaded the definitions from the internet.  It took a while but eventually everything was "installed" and I saw that files popped back up under the LiveUpdate/Downloads folder and later into the VirusDefs folder.  However, the client still says warning like the virus definitions are still out of date.

    I also recently found out that all the GUPs are not properly updating themselves.  The last update was from the 27th when I ran a manual JDB file insert into the incoming folder on the SEPM server.

    I spoke with our hosted services provider about LiveUpdate being blocked from our firewall, but they said that they have Symantec's servers whitelisted (liveupdate.symatecliveupdate.com).

    I'm not completely convinced that reinstalling the server is going to resolve this issue since it's only for certain machines.  I have, however, already tried a repair install of the SEPM server software to no avail.



  • 6.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted May 31, 2011 06:31 PM

    For the clients having issues, run the SEP Support Tool. It will help identify exactly what is wrong with the clients.

    https://www-secure.symantec.com/connect/downloads/sep-support-tool



  • 7.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 01, 2011 03:38 PM

    1) Make sure your WINDOWS FIREWALL is not enabled; this will not allow it to communicate with the SEPM - - it's something NEW with MP3

    2)  When you installed the client - - did you allow the LIVEUPDATE to process the entire way through??? I didn't and caused myself some issues

    3)  Have someone from Symantec Tech Support help you do a LUCATALOG cleanup and rebuild  - - this allowed my LIVEUPDATE to start to work again and I could move on ...  I had a SYMANTEC TECH SUPPORT person on a WEBEX session help me with it ((actually - I wouldn't have done it - but they recommended it and he watched my every move - - - it worked great ))

    Just things that helped me with 11.0.6300 to communicate with the SEP Clients from SEPM and to get LIVEUPDATE to work correctly - - BEST OF LUCK

    Mike



  • 8.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 01, 2011 11:53 PM

    Hi.

    Do you have any more details on the LUCATALOG cleanup process?

    • What did you have to do?
    • What did it fix?
    • Is there a KB article available?


  • 9.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 02, 2011 03:18 PM

    As I stated in my last post - - I had a Symantec TECH SUPPORT person on the phone helping me 'step by step' with this process and I would suggest you do the same...

    What it did for me?  I could not do LIVEUPDATE at all and it cleaned out all of the LIVEUPDATE files, and once that was done the TECH SUPPORT person helped me with the next step and then we ran a LIVEUPDATE - - now this LIVEUPDATE took a loooong time, because it had to rebuild from scratch, BUT it worked great and I even got back some disk space from it - - not a lot - but some.

    Here are a couple of articles I found on LUCATALOG:

    http://www.symantec.com/business/support/index?page=content&id=TECH139361&actp=search&viewlocale=en_US&searchid=1307042018712

    THIS IS THE PROBLEM I HAD BELOW :

    http://www.symantec.com/business/support/index?page=content&id=TECH93563&actp=search&viewlocale=en_US&searchid=1307042018712



  • 10.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 03, 2011 01:31 PM

    I have found that if I add/remove programs and remove Symantec Endpoint, then reinstall it - then the client will not update its pattern files.   I'm using version 11.0.6300 and just came off of 11.0.6200.

    This has happened to me several times now.   What I have discovered is that I have to remove SEP, remove Live Update, reboot, then run the Symantec CleanWipe utility two times.  After that I can reinstall Symantec Endpoint Protection and it will begin updating and be fine.

    In my case it is a client issue, as I have 600 other PCs working just fine.   I have tried clearing the clients local copy of the updates, but this does not fix the problem.  If I manually update the pattern files using the 2011xxxx.exe updates on this site, then the client will update to that version however it will never automatically update to newer versions.   The logs show LUALL working just fine, and it shows downloading content from the GUP and it shows applying it. No errors.  However the real time pattern files never actually update.   



  • 11.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 06, 2011 12:44 PM

    I typically run the Symantec Removal Tool when I do an uninstall of SEP because of the issues that PrimeInc mentioned.  However, I will say that on a couple of the machines with issues, they would all say Visual C++ Runtime Error and wouldn't let me load the SymNRT.exe file (that's compressed inside the Symantec Removal Tool).

    At this point, I have pretty much given up all hope on figuring out what's wrong with the server and have done a fresh install of the OS.  I'm actually right about to reinstall SEPM then try and dump the Key Password and whatever else needs to be in the system to make it find the old clients.  I would hate to have to go through all of that again...

    I will keep everyone posted on what I find or if I run into any hurdles.  By the way, I did actually completely clean out the LiveUpdate Catalog using the TECH98276 article (How to clear out corrupted definitions for a Symantec Protection Center and Symantec Endpoint Protection Client manually).



  • 12.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 06, 2011 01:17 PM

    Is this a Windows Server and if so, what version ??

    Best of luck my friend - please let us know what works for you

    Mike



  • 13.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 06, 2011 02:10 PM

    This is a Windows Server with version 2003 R2 (32-bit).



  • 14.  RE: SEP11 Definitions Out of Date BUT Only Some Machines

    Posted Jun 07, 2011 01:58 PM

    Do you have the Windows Firewall turned on - - on the SEPM Server ?

    Did you open any of the ports to allow traffic to be sent thru  (( on the SEPM Server and SEP Client )) ??

    see this forum entry : https://www-secure.symantec.com/connect/forums/sepm-1106-mp3-communications-ports-allow-clients-talk-sepm

    it's one I started and seemed to help me out ..... not sure it will help you out at this point, but might open up some discussion with a SYMANTEC TECH SUPPORT person - - just trying to give you some suggestions - I am by NO MEANS a SEPM expert - - rather a novice who has had some bumps to get over along the way and learned from them .... just trying to give you some ideas



  • 15.  RE: SEP11 Definitions Out of Date BUT Only Some Machines
    Best Answer

    Posted Jun 08, 2011 10:59 AM

    Hi,

    I actually tried disabling the Windows Firewall and later disabled the entire service so it wouldn't even have a chance to start, to no avail.  I ended up scrapping the entire install and reinstalling the OS along with SEPM.  I spoke with Tech Support and they provided me a very nice tool [SyLink Replacer] (since I didn't have to write one myself!), which automatically replaced the Sylink.xml file on all the current systems in the network.  I ran that yesterday and almost all machines are not only showing up correctly but also updating virus definitions.  The only thing I can think of is that the system became corrupted somehow.  I also find it interesting how this happened at the same time that our firewall vendor made some changes (same day and approximately the same timeframe).  However, they deny it had anything to do with it.

    But, the good news is that everything is back up and running.  I have my work cut out for me redoing all the groups and settings...but I still have the old box in a virtualized environment that I can boot to pull settings from.

    I wanted to say thank you very much for your help and time trying to help.  I know exactly what you mean about learning from experience and sometimes experiencing it is the best way to learn and understand.  I will keep your settings in mind for the firewall on workstations should I run into trouble with individual ones again.

    Thanks to everyone else who chimed in and provided your assistance as well; it is always humbling to a fellow technology professional that we still like helping one another :).
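    The fix in the accepted answer was a fleet-wide replacement of Sylink.xml after the SEPM was rebuilt. What a practitioner wants afterwards is a way to confirm that every client's Sylink.xml now names the new manager and to find the stragglers ("almost all machines"). The script below is an added example (my code, not the SyLink Replacer tool from Tech Support and not Symantec code). The XML it reads is a constructed, simplified stand-in for Sylink.xml: the audit depends only on `<Server>` elements carrying `Address`/`HttpPort`/`HttpsPort` attributes inside `<ServerPriorityBlock>` blocks, the hostnames are invented, and the truncated "ws-lab-09" entry is there to exercise the damaged-file case.

```python
"""Fleet audit: compare each client's Sylink.xml management-server list with
the one exported from the rebuilt SEPM and flag hosts still pointing at the
old manager.

Added example, not the SyLink Replacer tool and not Symantec code. The
documents below are constructed stand-ins for Sylink.xml (simplified
layout, invented hostnames).
"""
import xml.etree.ElementTree as ET


def sylink(*priority_blocks):
    """Build a constructed Sylink-style document. Each argument is one
    priority block, given as a list of (address, http_port, https_port)."""
    blocks = []
    for block in priority_blocks:
        entries = "".join(
            f'<Server Address="{a}" HttpPort="{h}" HttpsPort="{s}"/>'
            for a, h, s in block)
        blocks.append(f"<ServerPriorityBlock>{entries}</ServerPriorityBlock>")
    return ('<ServerSettings><ServerList Name="Default Management Server List">'
            + "".join(blocks) + "</ServerList></ServerSettings>")


# Golden copy: what the rebuilt SEPM hands out (constructed).
GOLDEN_SYLINK = sylink([("sepm-new.corp.example", "8014", "443")])

# Copies collected from clients (constructed): one correct, one still on the
# old manager, one with both managers listed, one truncated on disk.
CLIENT_SYLINKS = {
    "ws-accounting-01": sylink([("sepm-new.corp.example", "8014", "443")]),
    "ws-lab-07": sylink([("sepm-old.corp.example", "8014", "443")]),
    "ws-lab-08": sylink([("sepm-old.corp.example", "8014", "443")],
                        [("sepm-new.corp.example", "8014", "443")]),
    "ws-lab-09": "<ServerSettings><ServerList>",
}


def server_list(xml_text):
    """Return (priority, address, http_port, https_port) for every server
    entry, in document order. Raises ET.ParseError on a damaged file."""
    root = ET.fromstring(xml_text)
    out = []
    for prio, block in enumerate(root.iter("ServerPriorityBlock"), start=1):
        for s in block.findall("Server"):
            out.append((prio, s.get("Address"), s.get("HttpPort"), s.get("HttpsPort")))
    return out


def audit(golden_xml, client_xmls):
    """Classify each client as ok / mixed / stale / empty / unparseable
    against the golden server list, reporting the foreign endpoints."""
    golden = {(a, h) for _, a, h, _ in server_list(golden_xml)}
    report = {}
    for host, xml_text in client_xmls.items():
        try:
            endpoints = {(a, h) for _, a, h, _ in server_list(xml_text)}
        except ET.ParseError as exc:
            report[host] = ("unparseable", str(exc))
            continue
        if endpoints == golden:
            status = "ok"
        elif endpoints & golden:
            status = "mixed"      # knows the new manager but still lists another
        elif not endpoints:
            status = "empty"      # well-formed file with no servers at all
        else:
            status = "stale"      # only the old manager: needs replacement
        report[host] = (status, sorted(endpoints - golden))
    return report


if __name__ == "__main__":
    for host, (status, detail) in audit(GOLDEN_SYLINK, CLIENT_SYLINKS).items():
        print(f"{host:18} {status:12} {detail}")
```

    Feed `audit()` the Sylink.xml text collected from each host by whatever means your fleet tooling provides; hosts reported as `stale`, `empty` or `unparseable` are the ones to push the new file to, and `mixed` hosts are worth a second look because the client may still try the old manager first. A real Sylink.xml carries more than the server list, so this audit only tells you which hosts still point at the old manager, not whether the rest of the file is right.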