
SEPM - LiveUpdate - Return code = 4

Created: 03 Dec 2007 • Updated: 02 Mar 2009 | 37 comments

Hi,

 

I’m having trouble getting definition updates via the Symantec Endpoint Protection Manager.  When I go to the “Admin” tab,
click local site and do the “Download LiveUpdate Content” task, I get the “LiveUpdate encountered one or more errors.
Return code = 4;  [Site: XXX] [Server: YYY]” error.  It worked OK a few times right after I installed it, then started giving the
“…Return code = 4…” error.

 

I tried the download task while watching my proxy and firewall logs.  The firewall is allowing all connections to *.symantec.com
and *.symantecliveupdate.com OK.  The proxy shows me a lot of “304 Not Modified” and “404 Not Found” status codes.  I also
get a couple of “200 OK” codes.  But, about half way through the update I start getting sporadic “500 Internal Server Error”,
“503 Service Unavailable” and “504 Gateway Timeout” codes.  Right before I get the “…Return code = 4…” I get a series of 404’s
for url requests that look like “GET http://liveupdate.symantecliveupdate.com/F0%5E$d3$11$1e7$a2$28$b1$ea$22$ad$7dQ$b1$e8$b3f_
F1%5E$8b$e8$f1$c2$3c$40k$81_F2%5Eo$b9R$28m$cd$3b$08$1f$bc3$b1$a7X$c0$b9$22$ad$7dQ$b1$e8$b3f_F3%5E$ab$88$d9
$ff$b0$1fM$1e_F4%5E$17c$01W$c7$12$1c$e9_F5%5E$17c$01W$c7$12$1c$e9_F6%5E1RFtrFcYc+Otylzz/DU4PgdYBwoBTZURwAAAAA
”.

 

I’ve tried running LUALL.EXE (version 3.3.0.61) manually.  It returns errors indicating I need a new version of LiveUpdate.  I can download
virus definitions via the web, but I would prefer that the scheduled update on SEPM do it.

 

Any light anyone could shed on this situation would be greatly appreciated.

 

Thanks.


packet pusher's picture

OK,

I think I found the solution a few days ago.  

I tried to uninstall the SEP client from my SEPM server.  This had no results, so I uninstalled and reinstalled SEPM starting from scratch  (new database, etc.).  In both instances neither the SEPM console nor running LUALL.EXE updated my definitions and, I kept getting the same errors.

While running LUALL.EXE, I kept noticing three error codes, LU1871, LU1825 and LU1806.  After looking these three codes up it dawned on me (I'm a little slow on the uptake sometimes), the problem is in the LiveUpdate engine (which I never thought to uninstall or disturb in any other way).

As a desperation shot I decided to uninstall LiveUpdate, reboot the server in question a couple of times then reinstall LiveUpdate from the cdrom (<cd-rom>:\SEPM\LUSETUP.EXE).

It's been four days now and my scheduled LiveUpdate is running on schedule, automatically grabbing new definitions and getting them out to my clients.

Hope this helps...

Jason Grusnick's picture
I'm having a similar problem.  I can't get LiveUpdate to download successfully.  I keep getting the "LiveUpdate encountered one or more errors.  Return code = 4." 
 
Does anyone know what "Return code = 4" is?  I haven't been able to find anything on this.
 
I tried doing the uninstall/reinstall of LiveUpdate and I can't seem to do that either.  When I go to Add/Remove Programs and try to remove it, I get an error saying "LuComServer is currently running.  Please wait until it completes and run Setup again."  Is there a service that I need to stop in order to uninstall LiveUpdate?
packet pusher's picture
Jason,
 
I don't remember having to stop a service to do the uninstall. 
 
That being said, one of the things I did during my troubleshooting of this problem was watch the running processes and the services console while doing the "Download LiveUpdate Content" under "Admin > Servers > Local Site (x)".  There is a service that starts called "Live Update" and maps to "C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.exe".  The service comes on, then hangs around for a while after the "Return code = " message appears.
 
You may need to manually stop that service right before doing the uninstall.
 
Hope this helps...
 
 
Stephen Whitaker's picture
Wow Thank you so much packet pusher!
I was getting the same error code for my LiveUpdate on SEPM. So I went to Add/Remove Programs and removed LiveUpdate like you said. It had a warning, but I said OK anyway. Then I rebooted the server only one time. Got back in, installed the LiveUpdate EXE from the SEP CD under the SEPM directory just to make sure if there were any differences. Went back into SEPM and told it to download new updates and sure enough, it worked the first time around with no errors.
 
Thanks so much!
 
I think I was receiving this error code because I uninstalled the SEP client from my SEPM server and kept SEPM on it just because SEP is messing up my servers, so I went back to 10.0 SAV.
 
But now I have the newest LiveUpdate, SEPM and SAV 10.0 CE working just fine together.
 
 
Borodov's picture
Hello, I had the same problem "Return code = 4". So I uninstalled LiveUpdate (the original from the CD) and reinstalled it with the latest version from the Symantec web site. Now the LiveUpdate procedure goes well. But LiveUpdate is unable to handle the antivirus and antispyware defs. I always get the message: "Antivirus and antispyware definitions Win32 11.0 MicroDefsB.CurDefs failed to update." So now I have to download this manually from the web. Any ideas?
 
When I download the *.jdb file from the web it is saved with a *.zip extension and I have to rename it. Could it be the same problem?
 
Thanks 
Jan van Setten's picture
We had the same problem ................ it indicates corrupted virus defs (in my case the 32bit defs)
 
I have solved this problem by removing all files from the subdirectory "sesmvirdef32" and re-running LiveUpdate.
 
Regards
Jan

 

DeepSky's picture

Hey Packet Pusher.  I just wanted to say thanks for the solution, it worked great!

However, I am confused as to how this incident happened in my environment because it was a fresh install of SEPM (so I assume a fresh simultaneous install of LiveUpdate).

I'm concerned that this might just be a temporary fix.  Can anyone who has done this fix a while ago confirm that LiveUpdate won't revert back to its previous unfunctional state?

packet pusher's picture
Hey DeepSky,
 
I haven't had this specific issue since I last posted.  I have had corrupt definitions a few times; it acts a little different.  There have been other problems with LiveUpdate.  I got through them by looking through this board and finding information that way. 
 
Since my last post, I updated to MR1.  That seemed to fix a lot of issues.
 
One stray thought involving LiveUpdate.  Every day I check the SEPM console and take note of any client computers with two-day-old (arbitrarily picked age) virus def's.  If any clients come up that way, I check their hard drives in the C:\Program Files\Common Files\Symantec Shared\VirusDefs directory and delete any tmp*.tmp directories therein.  That seems to unclog the client's LiveUpdate.  (I found that solution here on this board.)
 
Hope this Helps...
DeepSky's picture

Thanks for the reply, I was hoping you still occasionally visited these boards.  I'll keep your advice in the back of my head if I run into problems in the future.


On a side note how can I tell if I am running MR1?



Message Edited by DeepSky on 02-22-2008 07:33 AM

reza akhlaghy's picture
Hi,
 
Uninstalling LiveUpdate is not a wise option if you use other Symantec products on the same machine.
After some investigation I found out another way that sometimes works without harming other
Symantec applications:
 
1) go to Document and settings\all users\application data\symantec\liveupdate
2) you should see a downloads directory; empty its content (do not delete the directory itself)
3) delete log.liveupdate and settings.liveupdate and all other x.settings.liveupdate files
4) run luall.exe (from Program files\symantec\liveupdate)
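
The four steps in the post above as a script, added here as an example and not written by the poster or by Symantec. It moves the files into a backup folder instead of deleting them, so the old Log.LiveUpdate stays available for review; the C: drive letter and the backup location are assumptions.

```python
import fnmatch
import shutil
import subprocess
import time
from pathlib import Path

# Paths as given in the post; the C: drive letter is an assumption.
LU_DATA = Path(r"C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate")
LUALL = Path(r"C:\Program Files\Symantec\LiveUpdate\LUALL.EXE")
BACKUP_ROOT = Path(r"C:\LiveUpdate-backup")  # hypothetical location

# Step 3: log.liveupdate, settings.liveupdate and every x.settings.liveupdate.
STATE_PATTERNS = ("log.liveupdate", "settings.liveupdate", "*.settings.liveupdate")


def reset_liveupdate_state(data_dir, backup_root):
    """Empty Downloads (keeping the directory) and move the state files aside.

    Returns (backup_dir, sorted list of relative names that were moved).
    """
    data_dir = Path(data_dir)
    backup = Path(backup_root) / time.strftime("liveupdate-%Y%m%d-%H%M%S")
    backup.mkdir(parents=True)
    moved = []
    for entry in list(data_dir.iterdir()):
        name = entry.name.lower()  # Windows names are case-insensitive
        if entry.is_dir() and name == "downloads":
            # Step 2: move the contents only; the directory itself stays.
            dest = backup / entry.name
            dest.mkdir()
            for child in list(entry.iterdir()):
                shutil.move(str(child), str(dest / child.name))
                moved.append(f"{entry.name}/{child.name}")
        elif entry.is_file() and any(fnmatch.fnmatchcase(name, p) for p in STATE_PATTERNS):
            shutil.move(str(entry), str(backup / entry.name))
            moved.append(entry.name)
    return backup, sorted(moved)


def run_luall(luall=LUALL):
    """Step 4: start LiveUpdate and hand back its exit code."""
    return subprocess.run([str(luall)], check=False).returncode


if __name__ == "__main__":
    backup_dir, names = reset_liveupdate_state(LU_DATA, BACKUP_ROOT)
    print(f"moved {len(names)} item(s) to {backup_dir}")
    print("LUALL exit code:", run_luall())
```
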
 
 
packet pusher's picture
DeepSky,
 
The only way I know to tell if you're running MR1 is to look at the version of SEP client you're running.  Either open SEP on the client computer, hit the "Help and Support" button and select "About..."  The version number should be 11.0.1000.1375.  I don't remember what the old version was, but the third number was less than 1000 (something like 780).
 
When I was updating the clients, I used the monitor tab in SEPM and under logs did a "Computer Status" log.  Under the advanced options I searched by Product Version on a regular basis to check on the client update progress.
 
Hope this helps...
jiska78's picture

I had a vanilla install on a brand new server and had the same problem.

Uninstalling LiveUpdate, rebooting and reinstalling from the CD worked a treat for me.

Thank you.

Mike Stone's picture
The reboot after the uninstall of LU is critical, without that, it retains whatever corruption there is.  Thanks for the posts guys.
Sandeep Cheema's picture
This is a related thread :
 
 
What i would suggest is that, do only the database deletion part.
Then goto "%Program Files%\Symantec\Symantec Endpoint Protection Manager\Bin"  and type "lucatalog -cleanup" and then the next command as  "lucatalog -upudate"
Try running LiveUpdate from the console again.
 
If it doesn't succeed, go for the registry cleanup as well, but of course, needless to say, you are gonna take a backup beforehand.
 
 

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

rauneh's picture

Hello. I tried to go through your procedure, but it still fails.

Could you please have a look at the log here:



Looks like many of the features are updated, but not all of it.

kjh's picture


Sandeep_Cheema wrote:

Then goto "%Program Files%\Symantec\Symantec Endpoint Protection Manager\Bin"  and type "lucatalog -cleanup" and then the next command as  "lucatalog -update"
Try running the Liveudpate from the console again.


I just wanted to add a positive data point. This worked for me (at least so far). My issue was that LiveUpdate would sometimes work and then stop. I did find that deleting the (possibly) corrupted virusdefs worked as well, but definitely not as elegant or as quick as running the above commands. BTW, I'm reasonably sure there was a typo in the flag in the 2nd command. It should be "update", not "upudate".

It remains to be seen whether this is somewhat of a permanent fix; I'll find out over the next few days.
Hope this helps.

_KJH

kjh's picture

Oh well. It appears that that was only a one-time fix. So I've thrown in the towel for now and written a batch file that simply runs those lucatalog commands periodically. I don't have time to troubleshoot any more, but would be interested in trying any suggestions and/or potential solutions and reporting back.

kjh's picture

Bad news update.

This method (using the lucatalog.exe tasks) only worked twice. Since then, I've been forced to update the Win32 virus definitions manually by downloading the .jdb file and letting SEPM unpack and install. Others in this thread have had the same experience.

The somewhat good news is that downloading the .jdb definitions file has been working consistently. The bad news on that is that it's not a long-term solution.

SYMC folks - I'd be somewhat content just to know that you're working on this.
Thx.

bozman's picture
I also was getting the error 4.
 
I found that someone had changed the proxy options to point to a server which required manual authentication.
 
Basically this meant that the server was not able to get out onto the internet to get the updates.
 
Once I corrected this and pointed the server to a proxy which did not require authentication I was able to get updates again.
 
 
J Penrose's picture

I came in this morning to the same error code 4 failure message for LU. After trying a couple of things while monitoring my ISA firewall logs I configured the Proxy Server tab for the server (found in the server properties page under the admin tab). I manually launched LU from the Local Site (My Site) node using the Download LiveUpdate Content link and the command completed successfully.

 

I can't understand why it failed since it appears to have been working fine without having the proxy config entered. I also noticed that the anon rule I setup in the ISA server was getting ignored in favor of a different rule I have setup for Windows Update (WSUS).

 

Pretty goofy if you ask me but for those out there having LU issues and error code 4 you might try the proxy settings. ISA does not permit unauthenticated connections so the proxy config takes care of that.
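
The proxy-log observations in the opening post and the authenticating-proxy cause reported in the two posts above can be checked with a short script. This is an added example, not part of any poster's message or of Symantec's tooling; it assumes Squid's native access.log layout (the thread names no log format), and the sample lines, file names and the 10% threshold are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Host suffixes the posters in this thread allow through firewall/ISA rules.
LIVEUPDATE_SUFFIXES = (".symantec.com", ".symantecliveupdate.com")

# Assumed Squid native layout: time elapsed client action/status bytes method url ...
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+/(?P<status>\d{3})\s+\d+\s+\S+\s+(?P<url>\S+)"
)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
1196700001.100    210 192.0.2.10 TCP_MISS/200 5120 GET http://liveupdate.symantecliveupdate.com/sample_a.zip - DIRECT/198.51.100.7 application/zip
1196700002.200     35 192.0.2.10 TCP_MISS/304 310 GET http://liveupdate.symantecliveupdate.com/sample_b.zip - DIRECT/198.51.100.7 -
1196700003.300     40 192.0.2.10 TCP_MISS/404 420 GET http://liveupdate.symantecliveupdate.com/sample_c.x86 - DIRECT/198.51.100.7 text/html
1196700004.400  30010 192.0.2.10 TCP_MISS/504 1500 GET http://liveupdate.symantecliveupdate.com/sample_d.zip - DIRECT/198.51.100.7 text/html
1196700005.500     12 192.0.2.10 TCP_DENIED/407 1700 GET http://liveupdate.symantec.com/sample_e.zip - NONE/- text/html
1196700006.600     50 192.0.2.10 TCP_MISS/200 900 GET http://www.example.org/index.html - DIRECT/203.0.113.9 text/html
"""


def classify(status):
    """Bucket an HTTP status the way the thread discusses them."""
    if status == 407:
        return "proxy_auth_required"
    if status in (500, 502, 503, 504):
        return "upstream_or_proxy_error"
    if status == 404:
        return "not_found"
    if status in (200, 304):
        return "ok"
    return "other"


def triage(lines):
    """Count status buckets for requests to LiveUpdate hosts only."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host.endswith(LIVEUPDATE_SUFFIXES):
            counts[classify(int(m["status"]))] += 1
    return counts


def diagnose(counts, gateway_ratio=0.10):
    """Return finding codes; the 10% gateway-error threshold is an assumption."""
    findings = []
    total = sum(counts.values())
    if counts["proxy_auth_required"]:
        findings.append("proxy_auth")      # proxy wants credentials SEPM is not sending
    if total and counts["upstream_or_proxy_error"] / total >= gateway_ratio:
        findings.append("gateway_errors")  # sporadic 5xx between proxy and upstream
    return findings
```

A `proxy_auth` finding points at the Proxy Server tab in the SEPM server properties, or at a proxy rule that lets the SEPM host through unauthenticated, as the posters describe.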

SEPUser's picture

What about those of us not using a proxy and still experiencing the same issue?  Very frustrating and time consuming.  Still no good working solution.

SEPUser's picture

Sandeep_Cheema wrote:

This is a related thread :
 
 
What i would suggest is that, do only the database deletion part.
Then goto "%Program Files%\Symantec\Symantec Endpoint Protection Manager\Bin"  and type "lucatalog -cleanup" and then the next command as  "lucatalog -upudate"
Try running the liveudpate from the console again.
 
If it doesnt succeed, go for the registry cleanup as well but of course needless to say, you are gonna take a backup before hand.
 
 

The above corrected my LiveUpdate issue.  

 

Thanks

kjh's picture

Update.

I've found a pseudo-fix about a week ago. I uninstalled the SEP client that was running on the SEPM server and voila, my 32-bit virus definitions are being updated without issue on the server. Now my LiveUpdate sessions work every time; no more "Return Code = 4" messages.

 

Of course, this is not a real fix. I need the SEP client back on that box. I've got a ticket open with SYMC and am waiting for their next suggestion. 

MF's picture

Had the same problem. I haven't fixed it but I have a workaround.

 

Go to your LiveUpdate (i.e. c:\program files\symantec\liveupdate) directory on SEPM and find a 1.Settings.Host.LiveUpdate file, open it up and make sure it has either your liveupdate details in it (e.g. internal liveupdate settings). Copy it to another directory; if it has a 1, 2, 3 etc. at the start, rename the file without the number (e.g. 1.). Create a scheduled task which runs a script to copy your host file back into the c:\program files\symantec\liveupdate directory, then run luall.exe -s. SEP seems to forget the settings applied to SEPM. This works for me but it is annoying; running SEP in a corporate environment has become a full-time job.

kjh's picture

kjh wrote:

Update.

I've found a pseudo-fix about a week ago. I uninstalled the SEP client that was running on the SEPM server and voila, my 32-bit virus definitions are being updated without issue on the server. Now my LiveUpdate sessions work every time; no more "Return Code = 4" messages. 

Update: Success:

Reinstalled SEP client on the SEPM box.  This time, instead of doing a client push, we created a Client Install Package (based on the Feature Sets, Settings, etc. that I had already set up) and then used that exe package to install the SEP client.

 

I've now had LiveUpdates running successfully on the SEPM box for at least a week now.

swade's picture

That's how I installed the client in the first place. All installations were not PUSH, I created a package and every machine is installed from that package.

 

I'm still having the same problem.  Can't get updates after install of client on the server...

 

 

kjh's picture

swade wrote:

That's how I installed the client in the first place. All installations were not PUSH, I created a package and every machine is installed from that package.

 

I'm still having the same problem.  Can't get updates after install of client on the server...

 

Assuming you've followed the other suggestions in this thread, I'd try doing a clean uninstall of the client (including diving into the registry and purging anything that remains). There's a page in the Symantec KB somewhere that explains how to do this step by step.  G'luck!

 

BTW, my install has been humming along without issue for about 5 weeks.

 

_KJH 

RichardB's picture

Packet Pusher - I searched on my error LU1871 and found your post which worked great. I uninstalled LU, rebooted twice and ran LUSETUP.EXE. Now LU updates SEP w/o error. Many thanks.

Message Edited by RichardB on 09-03-2008 02:21 PM
Message Edited by RichardB on 09-03-2008 02:22 PM

Eng.Rimawi's picture

Hi to all,

If you use a proxy on your system, try checking the following:

The following steps explain how to setup the Symantec Endpoint Protection Manager to use a proxy server to download content via LiveUpdate.

  1. Click on Admin
  2. Click on Servers
  3. In the "view servers pane" select the name of the manager under local site
  4. After selecting your server, in the tasks pane, click on Edit Server Properties, a dialog box will open up
  5. Click on Proxy Server
  6. Fill out your appropriate settings and credentials for HTTP and FTP as required for access.

It works.

tbaylis's picture

If you have ISA running on your network, Liveupdate will work perfectly if you allow access to all users (best to specify from the SEPM Server) to *.liveupdate.symantec.com

 

It works perfectly

 

Regards,

 

Tony Baylis

Anibal Bravo HN's picture

Hi - I had the same problem ... if you have a proxy, that is probably the problem. Go to Start - Run - cmd; in the command prompt go to c:\prog Files\symantec\symantec endpoint protection manager\bin\ and run this command:

LUCATALOG -UPDATE

This command registers LiveUpdate with SEPM.

If the problem continues

go to Control Panel

Symantec Live Update

in the FTP & HTTP tab use the second option - I want to customize my FTP Setting for LiveUpdate

and enter your proxy address & port and apply the changes

then

go to SEPM console

Admin

local Site(server)

Download LiveUpdate Content

The definitions should be downloaded.

 

I hope this helps you.

Regards

 

 

Fadi T's picture

So I'm also getting the return code 4.  I uninstalled LiveUpdate, reinstalled it, re-registered it, and did everything in this thread.  But nothing.  My proxy settings are right.

 

Here are 2 things I need to verify:

1: I originally installed SEP on the D drive.  After i re-installed LU, i noticed it did not give me the option to reinstall on D, and the program folder for it is on C now.  Will this cause an issue?

 

2: Did anyone have to open up a port for the firewall for this to work?

jim1292's picture

Hi,

I've downloaded vd*.jdb and copied it to the \program file\symantec\symantec endpoint protection manager\data\inbox\content\incoming folder. The folder seems to be processing and the CPU is running at high utilization, but I waited for 20-30 minutes and it was not showing anything. Did I take the right steps to update SEPM manually?

Please advise.

meraj2k's picture

Hi,
I have the following question related to SEP.
In the Symantec Endpoint Protection status bar we have options available on the right side of the screen. We want to grey out those option buttons, as users can disable antivirus & antispyware, disable proactive threat protection and network threat protection, etc.

Please can you help us sort out this problem.

Thanks & best regards,
Meraj

Aleksandr Karlin's picture

Try "chkdsk c: /f" in a command prompt and reboot the server.
This will fix errors in the file system.
Then the definitions updated correctly.
Works fine for me.

Symanticus's picture

I'm also facing the same problem, guys, with SEP Mgr. MR5.

URL: http://service1.symantec.com/SUPPORT/ent-security....

I wonder if this can or should be run with a batch script weekly?

Note: To re-register the manager without reinstalling the software, follow the steps below:

  1. Open a command prompt and browse to:
    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin
  2. Type lucatalog -update and press Enter.
  3. Run LiveUpdate to verify that there are no errors.

/* Infrastructure Support Engineer */

Symanticus's picture

Any update on this problem, please?

/* Infrastructure Support Engineer */