SEPM - LiveUpdate - Return code = 4
Hi,
I’m having trouble getting definition updates via the Symantec Endpoint Protection Manager. When I go to the “Admin” tab,
click local site and do the “Download LiveUpdate Content” task, I get the “LiveUpdate encountered one or more errors.
Return code = 4; [Site: XXX] [Server: YYY]”. It worked OK a few times right after I installed it, then started to give the
“…Return code = 4…” error.
I tried the download task while watching my proxy and firewall logs. The firewall is allowing all connections to *.symantec.com
and *.symantecliveupdate.com OK. The proxy shows me a lot of “304 Not Modified” and “404 Not Found” status codes. I also
get a couple of “200 OK” codes. But, about half way through the update I start getting sporadic “500 Internal Server Error”,
“503 Service Unavailable” and “504 Gateway Timeout” codes. Right before I get the “…Return code = 4…” I get a series of 404’s
for url requests that look like “GET http://liveupdate.symantecliveupdate.com/F0%5E$d3$11$1e7$a2$28$b1$ea$22$ad$7dQ$b1$e8$b3f_
F1%5E$8b$e8$f1$c2$3c$40k$81_F2%5Eo$b9R$28m$cd$3b$08$1f$bc3$b1$a7X$c0$b9$22$ad$7dQ$b1$e8$b3f_F3%5E$ab$88$d9
$ff$b0$1fM$1e_F4%5E$17c$01W$c7$12$1c$e9_F5%5E$17c$01W$c7$12$1c$e9_F6%5E1RFtrFcYc+Otylzz/DU4PgdYBwoBTZURwAAAAA”.
I’ve tried running LUALL.EXE (version 3.3.0.61) manually. It returns errors indicating I need a new version of LiveUpdate. I can download
virus definitions via the web but, I would prefer the scheduled update on SEPM would do it.
Any light anyone could shed on this situation would be greatly appreciated.
Thanks.
Comments
OK,
I think I found the solution a few days ago.
I tried to uninstall the SEP client from my SEPM server. This had no results, so I uninstalled and reinstalled SEPM starting from scratch (new database, etc.). In both instances neither the SEPM console nor running LUALL.EXE updated my definitions and, I kept getting the same errors.
While running LUALL.EXE, I kept noticing three error codes, LU1871, LU1825 and LU1806. After looking these three codes up it dawned on me (I'm a little slow on the uptake sometimes), the problem is in the LiveUpdate engine (which I never thought to uninstall or disturb in any other way).
As a desperation shot I decided to uninstall LiveUpdate, reboot the server in question a couple of times then reinstall LiveUpdate from the cdrom (<cd-rom>:\SEPM\LUSETUP.EXE).
It's been four days now and my scheduled LiveUpdate is running on schedule, automatically grabbing new definitions and getting them out to my clients.
Hope this helps...
Hey Packet Pusher. I just wanted to say thanks for the solution, it worked great!
However, I am confused as to how this incident happened in my environment because it was a fresh install of SEPM (so I assume a fresh simultaneous install of LiveUpdate).
I'm concerned that this might just be a temporary fix. Can anyone who has done this fix a while ago confirm that LiveUpdate won't revert back to its previous unfunctional state?
Thanks for the reply, I was hoping you still occasionally visited these boards. I'll keep your advice in the back of my head if I run into problems in the future.
On a side note how can I tell if I am running MR1?
Message Edited by DeepSky on 02-22-2008 07:33 AM
I had a vanilla install on a brand new server and had the same problem.
Uninstalling LiveUpdate, rebooting and reinstalling from the CD worked a treat for me.
Thank you.
De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey! I found a virus! Look at me! I'm soooo goooood!"
Hello. I tried to go through your procedure, but it still fails.

Could you please have a look at the log here:
Looks like many of the features are updated, but not all of it.
I just wanted to add a positive data point. This worked for me (at least so far). My issue was that LiveUpdate would sometimes work and then stop. I did find that deleting the (possibly) corrupted virusdefs worked as well, but definitely not as elegant or as quick as running the above commands. BTW, I'm reasonably sure there was a typo in the flag in the 2nd command. It should be "update", not "upudate".
It remains to be seen whether this is somewhat of a permanent fix; I'll find out over the next few days.
Hope this helps.
_KJH
Whoever Has the Most Toys Wins!
Oh well. It appears that that was only a one-time fix. So I've thrown in the towel for now and written a batch file that simply runs those lucatalog commands periodically. I don't have time to troubleshoot any more, but would be interested in trying any suggestions and/or potential solutions and reporting back.
Whoever Has the Most Toys Wins!
Bad news update.
This method (using the lucatalog.exe tasks) only worked twice. Since then, I've been forced to update the Win32 virus definitions manually by downloading the .jdb file and letting SEPM unpack and install. Others in this thread have had the same experience.
The somewhat good news is that downloading the .jdb definitions file has been working consistently. The bad news on that is that it's not a long-term solution.
SYMC folks - I'd be somewhat content just to know that you're working on this.
Thx.
Whoever Has the Most Toys Wins!
I came in this morning to the same error code 4 failure message for LU. After trying a couple of things while monitoring my ISA firewall logs I configured the Proxy Server tab for the server (found in the server properties page under the admin tab). I manually launched LU from the Local Site (My Site) node using the Download LiveUpdate Content link and the command completed successfully.
I can't understand why it failed since it appears to have been working fine without having the proxy config entered. I also noticed that the anon rule I setup in the ISA server was getting ignored in favor of a different rule I have setup for Windows Update (WSUS).
Pretty goofy if you ask me but for those out there having LU issues and error code 4 you might try the proxy settings. ISA does not permit unauthenticated connections so the proxy config takes care of that.
What about us not using a proxy and still experience the same issue? Very frustrating and time consuming. Still no good working solution.
The above corrected my LiveUpdate issue.
Thanks
Update.
I've found a pseudo-fix about a week ago. I uninstalled the SEP client that was running on the SEPM server and voila, my 32-bit virus definitions are being updated without issue on the server. Now my LiveUpdate sessions work every time; no more "Return Code = 4" messages.
Of course, this is not a real fix. I need the SEP client back on that box. I've got a ticket open with SYMC and am waiting for their next suggestion.
Whoever Has the Most Toys Wins!
Had the same problem. I haven't fixed it but I have a workaround.
Go to your LiveUpdate (i.e. c:\program files\symantec\liveupdate) directory on SEPM and find a 1.Settings.Host.LiveUpdate file. Open it up and make sure it has either your liveupdate details in it (e.g. internal liveupdate settings). Copy it to another directory; if it has a 1, 2, 3 etc. at the start, rename the file without the number (e.g. 1.). Create a scheduled task which runs a script to copy your host file back into the c:\program files\symantec\liveupdate directory, then run luall.exe -s. SEP seems to forget the settings applied to SEPM. This works for me but it is annoying; running SEP in a corporate environment has become a full-time job.
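The workaround in the post above (copy the saved settings file back, then run `luall.exe -s`) could be scripted as below. This is an added example, not the poster's script: the backup and log paths and the LUALL.EXE location are assumptions, and the hash comparison is an addition that records when the live settings file has changed from the saved copy, since that file decides where the server fetches updates from.

```powershell
# Added example; not from the thread. The LiveUpdate directory, the settings
# file name and "luall.exe -s" come from the post above; other paths are assumed.
$LiveUpdateDir = 'C:\Program Files\Symantec\LiveUpdate'
$Target        = Join-Path $LiveUpdateDir 'Settings.Host.LiveUpdate'
$KnownGood     = 'D:\LUBackup\Settings.Host.LiveUpdate'   # hypothetical backup copy
$LogFile       = 'D:\LUBackup\restore-lu-settings.log'    # hypothetical log file
$Luall         = Join-Path $LiveUpdateDir 'LUALL.EXE'     # assumed location

function Write-Log([string]$Message) {
    Add-Content -LiteralPath $LogFile -Value ('{0} {1}' -f (Get-Date -Format 's'), $Message)
}

if (-not (Test-Path -LiteralPath $KnownGood)) {
    Write-Log "ERROR known-good settings file not found: $KnownGood"
    exit 2
}
$goodHash = (Get-FileHash -LiteralPath $KnownGood -Algorithm SHA256).Hash

# Decide whether the live file has drifted from the known-good copy.
if (Test-Path -LiteralPath $Target) {
    $liveHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    $drifted  = $liveHash -ne $goodHash
} else {
    $liveHash = '<missing>'
    $drifted  = $true
}

if ($drifted) {
    # Record what was replaced so a changed update source is visible afterwards.
    Write-Log "DRIFT live=$liveHash expected=$goodHash; restoring $Target"
    Copy-Item -LiteralPath $KnownGood -Destination $Target -Force
} else {
    Write-Log "OK settings file matches known-good copy"
}

# Run LiveUpdate with the -s switch, as in the post, and keep its exit code.
$proc = Start-Process -FilePath $Luall -ArgumentList '-s' -Wait -PassThru
Write-Log "LUALL exit code $($proc.ExitCode)"
exit $proc.ExitCode
```

Repeated DRIFT entries in the log show how often the settings are being overwritten, which is worth including in a support ticket.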
Update: Success:
Reinstalled SEP client on the SEPM box. This time, instead of doing a client push, we created a Client Install Package (based on the Feature Sets, Settings, etc. that I had already set up) and then used that exe package to install the SEP client.
I've now had LiveUpdates running successfully on the SEPM box for at least a week now.
Whoever Has the Most Toys Wins!
That's how I installed the client in the first place. All installations were not PUSH, I created a package and every machine is installed from that package.
I'm still having the same problem. Can't get updates after install of client on the server...
Assuming you've followed the other suggestions in this thread, I'd try doing a clean uninstall of the client (including diving into the registry and purging anything that remains). There's a page in the Symantec KB somewhere that explains how to do this step by step. G'luck!
BTW, my install has been humming along without issue for about 5 weeks.
_KJH
Whoever Has the Most Toys Wins!
Packet Pusher - I searched on my error LU1871 and found your post which worked great. I uninstalled LU, rebooted twice and ran LUSETUP.EXE. Now LU updates SEP w/o error. Many thanks.
hi to all
if you use proxy on your system try to check:
The following steps explain how to setup the Symantec Endpoint Protection Manager to use a proxy server to download content via LiveUpdate.
It works.
If you have ISA running on your network, Liveupdate will work perfectly if you allow access to all users (best to specify from the SEPM Server) to *.liveupdate.symantec.com
It works perfectly
Regards,
Tony Baylis
Hi - I had the same problem ... if you have a proxy, that is probably the problem. Go to Start - Run - cmd. In the command prompt go to c:\prog Files\symantec\symantec endpoint protection manager\bin\ and run this command:
LUCATALOG -UPDATE
This command registers LiveUpdate with SEPM.
If the problem continues:
go to Control Panel
Symantec Live Update
in the FTP & HTTP tab use the second option - I want to customize my FTP Setting for LiveUpdate
and enter your proxy address & port and apply the changes
then
go to the SEPM console
Admin
Local Site (server)
Download LiveUpdate Content
Definitions must be downloaded.
I hope this helps you.
Regards
So I'm also getting the return code 4. I uninstalled LiveUpdate, reinstalled it, re-registered it, and did everything in this thread. But nothing. My proxy settings are right.
Here are 2 things I need to verify:
1: I originally installed SEP on the D drive. After I re-installed LU, I noticed it did not give me the option to reinstall on D, and the program folder for it is on C now. Will this cause an issue?
2: Did anyone have to open up a port for the firewall for this to work?
jdb update
Hi,
I've downloaded vd*.jdb and copied it to the \program file\symantec\symantec endpoint protection manager\data\inbox\content\incoming folder. The folder seems to be processing and the CPU is running at high utilization, but I waited for 20-30 minutes and it was not showing anything. Did I take the right steps to update SEPM manually?
Please advise.
user options settings
Hi,
I have the following question related to SEP.
In the Symantec Endpoint Protection status bar we have options available on the right side of the screen. We want to grey out those option buttons, as users can disable antivirus & antispyware, disable proactive threat protection and network threat protection, etc.
Please can you help us sort out this problem.
Thanks & best regards,
Meraj
Try "chkdsk c: /f" in command prompt and reboot server.
This will fix errors in file system.
Then definitions updated correctly.
Works fine for me.
Can we automate this command?
I'm also facing the same problem guys with SEP Mgr. MR5
URL: http://service1.symantec.com/SUPPORT/ent-security....
I wonder if this can or should be run with a batch script weekly?
Note: To re-register the manager without reinstalling the software, follow the steps below:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin
/* Infrastructure Support Engineer */
LiveUpdate encountered one or more errors. Return code = 4.
Any update on this problem, please?
/* Infrastructure Support Engineer */