
SEPM 12RU3 not updating with latest definitions

Created: 05 Sep 2013 • Updated: 11 Sep 2013 | 24 comments
ThaveshinP's picture
This issue has been solved. See solution.

Since 2 days ago, the SEPMs have not updated with the current definitions. Yet, when you run luall.exe, everything is fine. Under the Admin tab - Servers >> the LiveUpdate is launched, the download starts and finishes without any updates. I have tried the following:

1. Restarting the SEPM services, the SEPM servers and SQL database server.

2. Ran a repair on the SEPM and everything is connecting and ports are connecting.

3. Checked that the SEPM has internet access and ran the luall.exe successfully.

4. Downloaded the JDB file and the logs show that the rapid response content installed successfully but still no updates added to the SEPM.

What else can I do or check to get the SEPM updated with the latest definitions?

Please help..

Running SEP 12 RU3, separate SQL 2012 database server...

 

 


ThaveshinP's picture

Where would I find the liveupdate log?

Ambesh_444's picture

Hi,

 

Please check this article.

https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-reset-client-communication#comment-8511141

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please don't forget to mark the thread as solved."

SebastianZ's picture

How many definition revisions are you keeping on the SEPM? Check on the side of SQL database if the FG_CONTENT table did not reach its maximum value - if this happens SEPM won't be able to process any downloaded definitions.

Could not allocate space for object 'dbo.BINARY_FILE' in database 'SEM5' because the 'FG_CONTENT' filegroup is full.

Article:TECH106075  |  Created: 2008-01-30  |  Updated: 2013-04-01  |  Article URL http://www.symantec.com/docs/TECH106075

 

ThaveshinP's picture

DBA has set it to unlimited. Restarted the SQL server and still the same issue.

ThaveshinP's picture

We have about 80 revisions...have asked the SQL dba to check this out and will let you know.

Thanks.

Mick2009's picture

80 revisions is extremely high - most companies need 35-40, maximum. I recommend setting this lower!!

With thanks and best regards,

Mick

ThaveshinP's picture

Ok, will set it to 40 and will monitor. The recommendations to set to 80 were from Business Critical support.

We have been running it like this for almost 1 yr now.

Mick2009's picture

There are usually 15-17 releases of certified definitions per week for SEP.  If a SEPM keeps 35 past revisions, that means that even a SEP client managed by that SEPM will be able to connect in and get a delta rather than the full monthly set, even after being offline for two weeks.  Keeping 70 to 80 revisions pushes that date back to a full month.

I doubt that such a number would really be worthwhile: those oldest deltas would be about the size of a full.zip anyway, and how often would a SEP client machine be offline for more than two weeks?  Only in very, very large organizations would there be enough clients doing that frequently enough to justify the additional costs in resources on the SEPM.

See how you get on with 40.  That really should do a fine job of keeping all clients up-to-date with deltas.  &: )

With thanks and best regards,

Mick

SameerU's picture

hi

Please follow the document given by SebastianZ

Regards

 

admin shrinivas's picture

hi,

Please let me know what the SQL version is: is it Express edition, Standard or Enterprise?

admin shrinivas's picture

If the SQL version is Standard or Enterprise,

then go ahead with the following steps:

1) Stop the SEPM manager services

2) Delete the contents of the folders {535CB6A4-441F-4e8a-A897-804CD859100E} and {07B590B3-9282-482f-BBAA-6D515D385869} (note: do not delete these folders, only delete what is inside them)

3) Clean LuCatalog

    • From the Start menu select Run

    • Enter the following command including the quotes:

      "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -cleanup

    • From the Start menu select Run

    • Enter the following command including the quotes:

      "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -update

4) Start the SEPM services

5) Wait for 20 min, then run luall from Run.

If your SQL is Express edition, then check the database size; SQL Express supports only a 10 GB database limit.

SameerU's picture

Hi

Reinstall the liveupdate

Regards

 

 

ThaveshinP's picture

SQL 2012 Enterprise, reinstalled liveupdate and will check...

ThaveshinP's picture

Hi All,

Still having the same issue; done all that was recommended and still nothing.

What other fields or tables can the SQL DBA check for the definitions not getting updated? When I run the LiveUpdate, it goes through and updates everything and is successful, but yet no updates.

Please help.....

ThaveshinP's picture

Anyone know why this error comes up in the log:

09/07 15:14:54 [1368:24b8] ERROR      spcVirDef64 ProductUtil Initialize Tomcat server xml file failed.
at ProductUtil.cpp[1046]
09/07 15:14:54 [1368:24b8] INFO(Med)  spcVirDef64 SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&ClientMoniker={07B590B3-9282-482f-BBAA-6D515D385869}&FilePath=C:\ProgramData\Symantec\Definitions\SymcData\spcVirDef64\20130906.017&Hash=400A86C15F2FE8C9EB66122268EA054F&Language=SymAllLanguages&Product=SEPM%20Virus%20Definitions%20Win64%20(x64)%2012.1%20RU2%20H&SequenceNum=130906017&SequenceTag=CurDefs&ServerMoniker={307D2C61-0AB4-F6D4-00BE-15391E224ABA}&SrcSequenceNum=130905033&Version=MicroDefsB.CurDefs&action=UploadLuContent
09/07 15:14:55 [1368:24b8] ERROR      spcVirDef64 SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/07 15:14:55 [1368:24b8] ERROR      spcVirDef64 SesmLu Failed to notify SESM servlet of new LiveUpdate package.at SesmLu.cpp[1465]
09/07 15:14:55 [1368:24b8] INFO(Med)  spcVirDef64 SesmLu Notified server about new LiveUpdate content
09/07 15:14:55 [1368:24b8] ERROR      spcVirDef64 SesmLu Failed to notify servlet of new content.at SesmLu.cpp[1307]
ThaveshinP's picture

and this:

09/07 15:14:58 [1368:24b8] ERROR      sepmludbosinfo SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/07 15:14:58 [1368:24b8] ERROR      sepmludbosinfo SesmLu Failed to notify server of up-to-date content.at SesmLu.cpp[1465]
ThaveshinP's picture

Another:

09/09 07:32:13 [2508:2e3c] ERROR      spcIronWl SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/09 07:32:13 [2508:2e3c] ERROR      spcIronWl SesmLu Failed to notify SESM servlet of new LiveUpdate package.at SesmLu.cpp[1465]
09/09 07:32:13 [2508:2e3c] INFO(Med)  spcIronWl SesmLu Notified server about new LiveUpdate content
09/09 07:32:13 [2508:2e3c] ERROR      spcIronWl SesmLu Failed to notify servlet of new content.at SesmLu.cpp[1307]
ThaveshinP's picture
09/09 07:39:04 [2968:25fc] ERROR       SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/09 07:39:04 [2968:25fc] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1465]
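
The log excerpts posted above, triaged per content type, as an added example that is not part of the original thread: it separates "content downloaded" from "hand-off to the SEPM servlet failed" and flags the INFO "Notified server" line that is logged even after the notification errors. The sample lines are abridged from the ones above (URL shortened), and the `(none)` label for lines without a content type is chosen here for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: abridged from the lines posted above, URL shortened.
SAMPLE = """\
09/07 15:14:54 [1368:24b8] INFO(Med)  spcVirDef64 SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&Product=SEPM%20Virus%20Definitions%20Win64&SequenceNum=130906017&action=UploadLuContent
09/07 15:14:55 [1368:24b8] ERROR      spcVirDef64 SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/07 15:14:55 [1368:24b8] ERROR      spcVirDef64 SesmLu Failed to notify SESM servlet of new LiveUpdate package.at SesmLu.cpp[1465]
09/07 15:14:55 [1368:24b8] INFO(Med)  spcVirDef64 SesmLu Notified server about new LiveUpdate content
09/07 15:14:58 [1368:24b8] ERROR      sepmludbosinfo SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
09/09 07:39:04 [2968:25fc] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1465]
"""

# timestamp, [pid:tid], level, optional content type, module SesmLu, message
LINE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d \[[0-9a-f]+:[0-9a-f]+\] "
                  r"(ERROR|INFO\(\w+\))\s+(?:(\S+)\s+)?SesmLu\s+(.*)$")
SRC = re.compile(r"\.?at \w+\.cpp\[\d+\]$")  # fused "at File.cpp[line]" suffix


def triage(text):
    """Group SesmLu results per content type and flag failed SEPM hand-offs."""
    report = defaultdict(lambda: {"sequence": None, "action": None,
                                  "errors": [], "misleading_info": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and other modules are skipped
        level, component, msg = m.groups()
        entry = report[component or "(none)"]
        if msg.startswith("http"):  # the servlet call LiveUpdate is about to make
            query = parse_qs(urlsplit(msg).query)
            entry["sequence"] = query.get("SequenceNum", [None])[0]
            entry["action"] = query.get("action", [None])[0]
        elif level == "ERROR":
            entry["errors"].append(SRC.sub("", msg))
        elif msg.startswith("Notified server") and entry["errors"]:
            # INFO "Notified server" logged after a failure is not a success marker
            entry["misleading_info"] = True
    return dict(report)


if __name__ == "__main__":
    for name, e in triage(SAMPLE).items():
        print(name, e["sequence"], e["action"], e["errors"], e["misleading_info"])
```
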
ThaveshinP's picture

Is it possible to reset the FG_Content field (delete all contents) and then start the database...anyone know what will happen? The SQL DBA's have confirmed enough space available for table and server.

pete_4u2002's picture

fg_content: if it's full, it will be seen in the scm-server log. Do not delete the content unless it is required.

Check the scm-server-0.log for any error related to the DB.

 

SebastianZ's picture

Have you tried already the most basic step - reinstall of LU on the SEPM?:

http://www.symantec.com/docs/TECH102609

 

1. Remove LiveUpdate from "Add/Remove Programs"
2. Reboot the machine
3. In Windows Explorer, if they are present, delete the following folders, without saving the existing content:
- C:\ProgramData\Symantec\LiveUpdate
- C:\ProgramData\Application Data\Symantec\LiveUpdate
- C:\Program Files (x86)\Symantec\LiveUpdate
4. Install LU using lusetup.exe (execute with local admin rights - built-in administrator)
5. In C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin:
- Type lucatalog -cleanup and press Enter.
- Type lucatalog -forcedupdate and press Enter.
6. In C:\Program Files (x86)\Symantec\LiveUpdate start luall.exe (execute with local admin rights)
7. Please let the LiveUpdate express session run till the end and check if any errors are occurring
8. If the session was successful, check the path: "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" to see if there is any content downloaded - you should see here several folders

ThaveshinP's picture

Hi all ,

Thanks for all the feedback and suggestions. We have tried this fix and will let you all know.

Symantec Endpoint Protection Manager 12.1 is not updating 32-bit or 64-bit virus definitions due to corrupt content

http://www.symantec.com/business/support/index?page=content&id=TECH166923

 

SOLUTION
Tony K.'s picture

The only issue is now that even though the DBA has now made that change - it does not change the fact that if it was not set before, the data in the FG_Content table is already corrupt.

 

That being said, at this stage - your only choice now is to dump ALL the revisions from the database and start loading definitions.

The way you do that is to set the content revisions to keep down to one (this will purge everything but the last set [which is more than likely corrupted]), drop a JDB file into the SEPM then let that install - once that is installed you may restore 80 revisions [although I would recommend that you set that to 40 at most]. 

Here is the major downside though - this will cause massive traffic between the SEPM and the clients. One thing you may want to consider is to help spread out the damage and that would be to implement GUPs throughout the organization -- the more the better (I would designate every machine that is a server OS as one temporarily).

 

Either that - perhaps create a backup of the DB and open a ticket with tech and see if the backline teams will take the DB and analyse the DB itself, perform repairs and send it back (hopefully they can keep most of the content).