
SEPM 12.1 Clients not updating virus defs.

Created: 17 Sep 2012 • Updated: 17 Sep 2012 | 24 comments
Macht Schnell's picture

Hi,

I have an SEPM 12.1 server that stopped receiving a/v definitions after removal of Backup Exec.  After re-registering SEPM with Liveupdate, the server is able to receive updates, but they are not being pushed out to clients.  System tray icon is showing a green dot on client machines.  If I modify the policy to allow manual operation of Liveupdate, clients download the latest defs from liveupdate.symantecliveupdate.com fine.

While the SEPM license did expire 9 days ago, according to this FAQ:

https://www-secure.symantec.com/connect/articles/sep-121-and-license-concept

Clients should still be receiving definitions as we are running the enterprise version of SEPM.  As such, I'm not sure if the issue is due to license expiration or a problem with the server.  Renewal of the licenses is on the agenda, but the defs are a week old at this point and I need to get them updated asap.

Sylog attached, any input would be greatly appreciated.

Thanks..


Ashish-Sharma's picture

Please try these steps and check

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions

http://www.symantec.com/business/support/index?page=content&id=TECH166923

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

Thanks for the reply...I should have detailed the troubleshoot steps I've taken so far...

The article you sent was one of the first I tried, it didn't seem to do anything (live update via SEPM's Admin>servers>Local Site>Download LiveUpdate Content) failed with an Error=4.

I also:

Uninstalled/re-installed (from the installation package) LU on the server, was able to download 32/64 bit defs via SEPM's Admin>servers>Local Site>Download LiveUpdate Content, not being pushed out to clients.  Local server client not updating unless I run LU manually (gets defs directly from symantec).

Uninstalled/re-installed (from the installation package) LU on a client, all communication seems OK, not getting updates from management server.  Local client not updating unless I run LU manually (gets defs directly from symantec).

Ran Secars test from client, received status "OK".

Downloaded latest JDB file, placed in "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming" - files picked up by system and numbered folders appear in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758} which contain full.zip files.

I'm probably forgetting something, but will update the thread as I remember.

Ashish-Sharma's picture

Hi,

How is the client communication push/pull? If pull what is the heartbeat?

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

See attached...I also ran a repair install of SEPM as part of the troubleshooting a day or two ago.  I'm using 3 different client groups (server/private/public), but the communications settings are identical for all three.

communications_settings.jpg
pete_4u2002's picture

The SEPM is updated till 2012/09/03 rev003, the agent is updated with the same definition. You first need to update SEPM. Use a JDB file for updating the AV definition.

How to update definitions for Symantec Endpoint Protection Manager using a JDB file
http://symantec.com/docs/TECH102607
 

Macht Schnell's picture

Thanks for the reply...I forgot to list the troubleshooting steps that I had performed...the JDB file I downloaded was vd3a6202.jdb, downloaded and installed today around 3pm EST.

Are you seeing the SEPM server updated till 2012/09/03 rev003 via the sylog?  The SEPM interface is showing 2012/09/17 r2.  

See attached screenshots just taken now (around 11pm EST).

Current_Defs_on_SEPM.jpg Current_Defs_on_Server_SEP.jpg LU_Status.jpg
Ashish-Sharma's picture

Hi,

Try to create one test group and move one or two clients.

Also check whether the SEP client policy serial no. and the SEPM group policy no. are the same or not.

Can you post the sylink logs?

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

Checked policy numbers prior to TEST group creation, policy #'s match.

Created a new TEST group, left all settings as default.  Moved client, client's system tray icon's green dot disappeared and troubleshooting tool shows the client as disconnected.  (See screenshots).

Thanks very much for your input on this Ashish, I really appreciate it.  The sylink log is attached to my first post.

Policy_Number.jpg Connect_status.jpg
Macht Schnell's picture

Also, the SEPM console is showing the client that was moved to the TEST group as being online, even though from the client end it says it's disconnected.

Ashish-Sharma's picture

Hi,

Are you able to telnet to 80, 8014?

Please disable Windows firewall and UAC.

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

Server is Server 2003, client is XP so no UAC.

Strangely, the secar test that succeeded before now fails w/ a 403 error.  Using URL:

http://192.168.9.8:8014/secars?hello,secars 

On 80 I get:

C:\>telnet egrn-ws 80

Connecting To egrn-ws...Could not open connection to the host, on port 80: Connect failed
 
8014 seems to connect fine, the cmd window switches to a blank telnet window.  Random character entry followed by <Enter> produced the following:
 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>sdsa to / not supported.<br />
</p>
</body></html>
                                      f 
Macht Schnell's picture

Disregard comment about secar failure..was using the wrong URL string...:

http://192.168.9.8:8014/secars/secars.dll?hello,se...

Produces a status "OK".

Also, firewall on the server was already disabled.

Ashish-Sharma's picture

You can say you are not able to telnet to port 80.

Please check and open the port.

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

From what I'm seeing here:

http://www.symantec.com/business/support/index?page=content&id=TECH163787

Port 80 was used prior to SEPM 11.x MR3, and changed to 8014 in later  builds...since we're on 12.1, should port 80 even be responding?  Like I said, the server firewall is disabled and SEPM is using Apache (not IIS) for web services.

Thanks again...

Ashish-Sharma's picture

Check SEP 12.1 Communication Troubleshooting

Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

http://www.symantec.com/business/support/index?page=content&id=TECH160964

Troubleshooting Symantec Endpoint Protection

 
 
Troubleshooting communication problems between the management server and the client
 

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

Thanks for the links, Ashish...I'm seeing some troubleshooting steps in them that I haven't tried yet.

Getting late here, so I'm going to try those out in the morning and I'll report back. 

pete_4u2002's picture

Though the dashboard seems to be showing the latest def, the logs tell a different story. I strongly suggest following the link

http://www.symantec.com/business/support/index?page=content&id=TECH166923

Macht Schnell's picture

I ran through the steps in that link, manual run of LUALL.exe in step 4 downloaded and installed 4 items successfully (2 of which were 32/64 bit definitions, don't recall the other 2).

Fired up SEPM and ran a Liveupdate from Admin > Server > Local Site > Download LiveUpdate content.

Status of SEPM LU download, screenshot shows installed downloads:

September 18, 2012 1:05:31 AM EDT:  LiveUpdate succeeded.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:31 AM EDT:  LUALL.EXE finished running.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:30 AM EDT:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:28 AM EDT:  No updates found for Symantec Endpoint Protection Win64 12.1 (English).  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:28 AM EDT:  No updates found for Symantec Endpoint Protection Win32 12.1 (English).  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for Centralized Reputation Settings 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for SONAR scan engine Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for AP Portal List 12.1 RU2.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for TruScan proactive threat scan commercial application list Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for SONAR scan whitelist Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for Virus and Spyware definitions Win32 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for Intrusion Prevention signatures Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for Client Intrusion Detection System signatures 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for Revocation Data.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for SONAR scan engine Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for Submission Control signatures 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for Submission Control signatures 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for SONAR scan data 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:26 AM EDT:  No updates found for Symantec Whitelist 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR Heuristics engine 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR scan whitelist Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for TruScan proactive threat scan commercial application list Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for SEPM LiveUpdate Database 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR scan commercial application engine 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for Extended File Attributes and Signatures 12.1 RU2.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for Virus and Spyware definitions Win64 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for Intrusion Prevention signatures Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:04:34 AM EDT:  LUALL.EXE has been launched.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:04:33 AM EDT:  Download started.  [Site: My Site]  [Server: egrn-ws]
LU_Downloads.jpg
Macht Schnell's picture

Homepage of SEPM showing installed updates as 09/17/2012 r16, clients still showing 09/03/2012 r3.
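
The comparison made in the two posts above (SEPM LiveUpdate reports success while clients stay on 09/03/2012 r3), as an added Python example that is not part of the original thread: it parses status lines in the pasted format and measures how far client definitions lag the server. The function names and the 3-day tolerance are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import date

# Status lines copied from the post above (subset of one LiveUpdate session).
SAMPLE_LOG = """\
September 18, 2012 1:05:31 AM EDT:  LiveUpdate succeeded.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:30 AM EDT:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:27 AM EDT:  No updates found for Virus and Spyware definitions Win32 12.1.  [Site: My Site]  [Server: egrn-ws]
September 18, 2012 1:05:25 AM EDT:  No updates found for Virus and Spyware definitions Win64 12.1.  [Site: My Site]  [Server: egrn-ws]
"""

LINE = re.compile(r"^.+? [AP]M [A-Z]{3}:\s+(?P<msg>.*?)\s+\[Site: [^\]]*\]\s+\[Server: (?P<server>[^\]]*)\]$")
# Accepts both revision spellings used in the thread: "2012/09/03 rev003" and "09/17/2012 r16".
REV = re.compile(r"(\d{1,4})/(\d{1,2})/(\d{1,4})\s+r(?:ev)?0*(\d+)")

def parse_status(log):
    """Summarise a LiveUpdate session: overall result, LUALL return code, unchanged content."""
    out = {"succeeded": False, "return_code": None, "no_updates": []}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a status line
        msg = m["msg"]
        if msg.startswith("LiveUpdate succeeded"):
            out["succeeded"] = True
        rc = re.search(r"Return code = (\d+)", msg)
        if rc:
            out["return_code"] = int(rc[1])
        nu = re.match(r"No updates found for (.+)\.$", msg)
        if nu:
            out["no_updates"].append(nu[1])
    return out

def parse_rev(text):
    """Return (date, sequence) for a definition revision string."""
    a, b, c, seq = REV.search(text).groups()
    y, m, d = (a, b, c) if len(a) == 4 else (c, a, b)
    return date(int(y), int(m), int(d)), int(seq)

def diagnose(log, server_rev, client_rev, max_lag_days=3):
    """Classify the situation; max_lag_days is an assumed tolerance, not a Symantec value."""
    status = parse_status(log)
    lag = (parse_rev(server_rev)[0] - parse_rev(client_rev)[0]).days
    if not status["succeeded"] or status["return_code"] != 0:
        return "server-download-failure", lag
    if lag > max_lag_days:
        return "server-current-clients-stale", lag
    return "in-sync", lag
```

With the values reported in the thread, `diagnose(SAMPLE_LOG, "09/17/2012 r16", "09/03/2012 r3")` classifies the case as a distribution problem rather than a download problem, which is why a green client icon or an "online" console status is not evidence that content is being delivered.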

Ashish-Sharma's picture

Please clear out definitions

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

Please follow these steps again

http://www.symantec.com/business/support/index?page=content&id=TECH166923

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

OK, I did this on a client machine...after re-downloading all defs to the SEPM server, all folders in the client's "\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions" received definitions from the server except for the "HIDefs" and "VirusDefs" folders which only contained an empty "newdefs-trigger" folder.

I tried updating the server via JDB file again, same result.  Seems that server communication isn't the issue, given the ability to download the other def types.

After doing this, the client's SEP interface said that there were no virus definitions loaded, so I fully uninstalled SEP from the client and re-installed from a freshly created installer package.  Same result, all defs update except for the virus defs.  The client now shows virus defs from 9/2011, around the time that the server was originally deployed.  All other def time stamps are from Aug/Sept 2012.

Def_Dates.jpg
Ashish-Sharma's picture

Hi,

Please follow these steps again

http://www.symantec.com/business/support/index?page=content&id=TECH166923

or

Please create a new installation package, install it at least on a SEP client, and check whether the virus definitions are updated or not.

Thanks In Advance

Ashish Sharma

Macht Schnell's picture

In my previous post, after removing the virus defs from the client manually I cleared and redownloaded defs to the SEPM server according to:

http://www.symantec.com/business/support/index?page=content&id=TECH166923

The client downloaded all defs except for the a/v defs...I then reinstalled defs to the SEPM server via JDB file.  Client still wouldn't download the a/v defs.

I then uninstalled SEP from the client and reinstalled using a freshly created installer....again, all defs updated except for the a/v defs which are showing a date around 9/2011...approximately when the SEPM server was deployed.

Ashish-Sharma's picture

Hi,

We have tried everything but we couldn't find a solution.

You can raise a support ticket.

Contact Symantec Customer Care on 

http://www.symantec.com/support/assistance_care.jsp

OR 

Technical Support

http://www.symantec.com/business/support/contact_techsupp_static.jsp

Please contact Symantec Technical Support via the support phone numbers listed below

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
India: Toll-Free 000 800 4401 456 directly

Thanks In Advance

Ashish Sharma