Endpoint Protection

  • 1.  SEPM definitions stop updating, SEPM 12.1.6 Windows 10 Pro

    Posted Feb 24, 2016 05:19 PM

    New Windows 10 Pro install (version 1511, build 10586.71), running SEPM 12.1.6 MP1 (12.1.6306.6100). Everything works fine for a few days, then the virus definitions stop updating.

    Management console shows correct "Latest from Symantec", but "Latest on Server" remains stuck on older version. Once the problem occurs, running LiveUpdate from the management console gives only:

    February 24, 2016 7:37:13 AM CST:  LiveUpdate succeeded.  [Site: My Site]  [Server: <server name>]
    February 24, 2016 7:37:13 AM CST:  LUALL.EXE finished running.  [Site: My Site]  [Server: <server name>]
    February 24, 2016 7:37:13 AM CST:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: My Site]  [Server: <server name>]
    February 24, 2016 7:37:12 AM CST:  LUALL.EXE has been launched.  [Site: My Site]  [Server: <server name>]
    February 24, 2016 7:37:12 AM CST:  Download started.  [Site: My Site]  [Server: <server name>]

    When I then look in Log.Liveupdate, the last entry is for the last time it actually downloaded files, in today’s case almost six hours before. There are errors at the end of that run "PRODUCT UPDATE FAILED EVENT", "aborted because LiveUpdate was unable to launch its callback helper process." and "A callback proxy process was still running at the end of the LiveUpdate session." (end snippet of Log.Liveupdate attached).  The SesmLu.log also has no entries after the last time LiveUpdate actually downloaded files (end snippet of SesmLu.log attached).

    The only error messages in the Windows log are reminders that we have however many days left on our trial license (currently 17).

    I have tried stopping the Symantec processes:
    Symantec Embedded Database
    Symantec Endpoint Protection
    Symantec Endpoint Protection Launcher
    Symantec Endpoint Protection Manager
    Symantec Endpoint Protection Manager Webserver
    and then restarting them, but the problem continues.

    The only solution I have found is to reboot the machine, after which SQL Anywhere Network Server (32 bit), Symantec Install Component (32 bit), and Symantec Service Framework (32 bit) do a lot of work for over 30 minutes, spiking to 30% CPU, 50% disk I/O (10-20 MB/s) for long periods. Then everything goes back to normal for a few days, until the problem occurs again.

    And, yes, I did try reinstalling LiveUpdate when this first happened. That seemed to "fix" it, but it was really the reboot at the end of the install. Problem occurred again after a few days.

    Also, I set up a notification to trigger when the virus definitions were more than two days out of date, but this doesn’t trigger until after the reboot, even when the virus definitions are much older.

    Does anybody have any ideas where I should go from here?

    Thanks.

     

    Attachment(s):
    snip Log.LiveUpdate.txt (191 KB)
    snip SesmLu.txt (1.84 MB)


  • 2.  RE: SEPM definitions stop updating, SEPM 12.1.6 Windows 10 Pro

    Posted Feb 25, 2016 11:23 AM

    Please run the symhelp tool on it to do further error checking:

    Troubleshooting computer issues with the Symantec Help support tool



  • 3.  RE: SEPM definitions stop updating, SEPM 12.1.6 Windows 10 Pro

    Posted Feb 26, 2016 03:01 PM

    Thanks. I ran SymDiag on the system last night.

    One odd thing: The "data collection for support" twice popped up a window titled "dbisqlc" with the message "Error at line 1. Invalid user ID or password." This was in "Endpoint Protection Manager: Detailed data for support. 14 of 83 data sets. Collecting additional information from SEPM Database." Clicking on the Continue button each time allowed the data collection to run to completion.

    Here are SEPM complaints from the self-help reporting:

    1. One or more of the Network adapters with IPv4 are using DHCP.

    Comment: True, but it has a reserved DHCP address. Per our policy.

    2. System does not meet the recommendations for Symantec Endpoint Protection Manager 12.1
        Warning    UAC is enabled
        Missing data    Unable to retrieve User Account Control (UAC) Information.
        Warning    SQL Server or client is not installed on this machine. You can ignore this test if you are using embedded database

    Comment: OK, I'll ignore the SQL message. UAC being enabled is bad?

    3. The installed version of Endpoint Protection Manager is not the latest.
        Warning    Installed version: Endpoint Protection Manager 12.1.6306.6100
        Information    Latest version: Endpoint Protection Manager 12.1.6608.6300

    Comment: We could update to 12.1.6608.6300 this weekend, although I don't see anything in the release notes that applies to our problem. Of course, the required reboot would correct the problem for several days. And we have only 14 days left on our trial.

    I'm tempted to do a clean install of 12.1.6608.6300 this weekend.

    Any other suggestions?

     



  • 4.  RE: SEPM definitions stop updating, SEPM 12.1.6 Windows 10 Pro

    Posted Feb 29, 2016 09:52 AM

    Additional information from this weekend:

    1. Attempting to update the definitions by downloading the .jdb file results in no update and the creation of the .jdb.err file.

    2. Attempting to start the LiveUpdate service from the services console instantly gives the error:

    Windows could not start the LiveUpdate Service on Local Computer.
    Error 1053: The service did not respond to the start or control request in a timely fashion.

    3. Taking a deeper look at the logs, I discovered errors in the System log. Correlating the logs, the sequence of IDs looks like the following sample:

    Source:        SEPM
    Date:          2/24/2016 7:18:44 AM
    Event ID:      7210
    Level:         Information
    Scheduled LiveUpdate session started.

    Source:        Microsoft-Windows-DistributedCOM
    Date:          2/24/2016 7:18:44 AM
    Event ID:      10005
    Level:         Error
    DCOM got error "1053" attempting to start the service LiveUpdate with arguments "Unavailable" in order to run the server:
    {03E0E6C2-363B-11D3-B536-00902771A435}

    Source:        Service Control Manager
    Date:          2/24/2016 7:18:44 AM
    Event ID:      7000
    Level:         Error
    The LiveUpdate service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.

    Source:        Service Control Manager
    Date:          2/24/2016 7:18:44 AM
    Event ID:      7009
    Level:         Error
    A timeout was reached (30000 milliseconds) while waiting for the LiveUpdate service to connect.

    Source:        SEPM
    Date:          2/24/2016 7:18:45 AM
    Event ID:      7211
    Level:         Information
    LiveUpdate session completed. Total time elapsed: 1 seconds.

    Source:        SEPM
    Date:          2/24/2016 7:18:45 AM
    Event ID:      7201
    Level:         Warning
    Content download to the server failed.

    After the problem starts, the system may generate multiple 10005, 7000, and 7009 events, sometimes several sets within a minute. The 7201 events do not always occur (I missed them the first time), sometimes there are multiples, with gaps of a few minutes between. Sometimes the system will generate a 7210 and 7211 pair alone, but the elapsed time is always 0 or 1 second.

    I did not reinstall SEPM this weekend, since the problem appears to be in LiveUpdate, which I have already uninstalled/reinstalled once since this problem occurred.

    I also found out that the notification I set to trigger when the virus definitions were more than two days out of date only triggers when the client's definitions are more than two days out of date from the server. Since it's the server that isn't updating here, that's no help. I couldn't find any way to monitor server vs. Symantec definition dates.
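
Added example, not part of the original thread: a small Python correlator for the event sequence quoted in post 4, flagging LiveUpdate sessions (7210 to 7211) that end within the 0 or 1 second the poster observed and recording the 10005/7000/7009 service errors and any following 7201. The pipe-separated input format, the function names and the healthy session in the sample are assumptions made for this illustration.

```python
from datetime import datetime

# One event per line: time|source|id|message. The first six lines restate the
# post 4 sequence (messages shortened); the last two are a constructed healthy session.
SAMPLE = """\
2/24/2016 7:18:44 AM|SEPM|7210|Scheduled LiveUpdate session started.
2/24/2016 7:18:44 AM|Microsoft-Windows-DistributedCOM|10005|DCOM got error 1053 attempting to start the service LiveUpdate
2/24/2016 7:18:44 AM|Service Control Manager|7000|The LiveUpdate service failed to start
2/24/2016 7:18:44 AM|Service Control Manager|7009|A timeout was reached while waiting for the LiveUpdate service to connect.
2/24/2016 7:18:45 AM|SEPM|7211|LiveUpdate session completed.
2/24/2016 7:18:45 AM|SEPM|7201|Content download to the server failed.
2/25/2016 1:40:02 AM|SEPM|7210|Scheduled LiveUpdate session started.
2/25/2016 1:52:10 AM|SEPM|7211|LiveUpdate session completed.
"""

SERVICE_ERRORS = {10005, 7000, 7009}  # DCOM / Service Control Manager failures

def parse(text):
    """Turn the pipe-separated lines into (time, source, id, message) tuples."""
    events = []
    for line in text.strip().splitlines():
        when, source, event_id, message = line.split("|", 3)
        stamp = datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p")
        events.append((stamp, source, int(event_id), message))
    return events

def suspect_sessions(events, max_seconds=1):
    """Flag 7210..7211 sessions that end within max_seconds of starting."""
    findings, start, errors, last = [], None, [], None
    for when, source, event_id, message in events:
        if source == "SEPM" and event_id == 7210:
            start, errors = when, []
        elif start and event_id in SERVICE_ERRORS and "LiveUpdate" in message:
            errors.append(event_id)  # service-start failure inside the session
        elif start and source == "SEPM" and event_id == 7211:
            elapsed = (when - start).total_seconds()
            last = None  # a healthy session clears the 7201 attribution target
            if elapsed <= max_seconds:
                last = {"started": start, "elapsed": elapsed,
                        "service_errors": errors, "download_failed": False}
                findings.append(last)
            start = None
        elif last and source == "SEPM" and event_id == 7201:
            last["download_failed"] = True  # 7201 may trail the session
    return findings

if __name__ == "__main__":
    for finding in suspect_sessions(parse(SAMPLE)):
        print(finding)
```

Run on a schedule against exported events, a non-empty result gives a server-side signal that does not depend on the client-versus-server definition age notification described above.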