
SEPM not updating virus/spyware defs

Created: 05 Sep 2012 | 26 comments

LU runs fine; however, I get messages that no new updates were found, up to date, etc.

LU shows the last virus and spyware defs came in on August 29, 2012 at a bit after 7pm CDT

The servers themselves, and clients do not show anything past this date - the defs are all 8/29/2012 r18 (too bad this sort doesn't work properly, mixing up years, etc.)
Here is what's on the SEPM servers -


Makes sense if the last LU for virus defs is from that evening.
Clients all show the same as well:

And my own computer, here's the log - shows nothing new coming in since that time...

So.... LU runs, it finds and retrieves the later defs and other patterns, but NOT for the virus/spyware part. The SEPM servers are stuck at 8/29 r18, clients are stuck at 8/29 r18, and I can't get the SEPM server or any clients to update.

Another puzzle - why THIS? ->

Wow, 303 clients up to date? Hardly. That many are stuck in last week defs. Out of date only 3? Again, wrong..... and why does the SEPM show the latest from Symantec is 09/04 as if it knows, and yet says we are up to date on defs?  (by the way, it took like 5 refreshes to get it to the point of even showing this for defs)

All clients update from the SEPM servers unless they can't make contact, then LU is enabled. With a network outage last week, a few that could not contact the SEPM servers did update the virus defs - and guess what - they are CURRENT. So, why, if these FEW computers lost contact with the SEPM servers once last week for a couple of hours would they have kept up since then, while the other computers, most of them, still be stuck?
Why does LU not show any new virus defs coming in or being downloaded since that date last week?

My log shows no new content from the SEPM servers as far as virus/spyware - as if there is no content on the SEPMs.

This is the strangest combination I've ever seen.
Thoughts? Hopefully solutions? **Clients are now a full week behind**


pete_4u2002:

Can you check if this helps:

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.
Article: TECH166923 | Created: 2011-08-11 | Updated: 2012-02-06
Article URL: http://www.symantec.com/docs/TECH166923

ShadowsPapa:

They need to fix the document, sorry - there is no such path on W7 OR Server 2008 R2 as "documents and settings\all users" as quoted here:

1. Delete the content of folder "C:\Documents and Settings\All users\Application Data\Symantec\LiveUpdate\Downloads\"
Note: Application Data is a hidden folder. Delete the content of the Downloads folder, but not the folder itself.

So, where on the server would one really go to delete what is being referred to?

Ever since Vista, Windows no longer has a "Documents and Settings" folder, and no longer has an "All Users" folder. LOL - sort of surprised support hadn't noticed ;-)

There is c:\users, and under that there is "public"; however, there is no place on a server for liveupdate\downloads under any user profile.

.Brian:

How much free space do you have on C: on your SEPM?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002:

The document seems to be already updated:

Note 1: In Server 2008, the Downloads folder in step 1 is located at %programdata%\Symantec\LiveUpdate\Downloads
Note 2: In 64 bit operating systems the "Symantec\Symantec Endpoint Protection Manager\inetpub\content" folder will be located in C:\Program Files (x86) and not C:\Program Files
Note 3: For Windows Server 2008 or similar systems the location of the %commonprogramfiles%\Symantec Shared\SymcData\ will be following: C:\ProgramData\Symantec\Definitions\SymcData\

ShadowsPapa:

Ah, hidden in a note down below. I see.

I think I'll sit and rewrite this so it makes sense, and break it down according to server OS instead of having to jump back and forth, up and down to determine which lines apply where.

ShadowsPapa:

It was quite confusing following that thing as it makes you jump all around - at each next step one must find a note - OK, where is that REALLY?

How about "if you have server 2008R2, do this" and then "if you have a 32 bit server, do this" ?

Free space? Well, DATA is redirected to a D drive as it takes so bloody much space, out of the DATA drive, which is 60 gig, I've got 20 gig free.

On the C drive which is supposed to be programs only, but I see Symantec still sticks downloads and defs there instead, it's 22 gig free out of 100 gig.

I think I'll make a suggestion - when I tell the SEPM install to use D as the data drive, do not use C for ANYTHING data, don't download to C, don't store 50 gig of LU content on C! Yikes.

I had to go the D route as SEPMs were killing the servers by filling 60 gig application drives with data and temp files.

So, plenty of space, not even close to full.

ShadowsPapa:

OK, followed that, launched a LU session after getting to the last step and enabling the manager again. It's been running for 20 minutes - still no sign of virus/spyware defs!

After all that work, it just keeps saying there's nothing new. It's not even TRYING the virus defs - there's no indication at all it's even made that attempt, while I DO see it's been checking all the other stuff. I keep getting "revocation data" messages, success, whatever the heck revocation data is.........

This thing is broken really good.

ShadowsPapa:

I've tried this now 3 times on each of the two SEPM servers, no joy, still very broken. Keeps saying there's no new content - no updates found; however, it's not even looking for virus/spyware defs.

I ran it according to the document - BEFORE restarting the manager service on the SEPM servers, and it appeared to be doing something, but the console STILL says this ->

Windows Definitions  
Latest from Symantec: 09/05/2012 r2
Latest on Manager: 08/29/2012 r18

So why no change? I've deleted everything it says to in that little document that's hard to follow, multiple times, both servers, but not a change! It's stuck on 8/29 r18 defs; even deleting all those files made no difference - the console STILL says it's a week behind. Odd, how does it know about the 8/29 defs if I deleted all that stuff, eh?

This is it - this is the extent of the log in SEPM console ->

September 5, 2012 2:10:44 PM CDT:  No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1.  [Site: SEP01]  [Server: sepm1]
September 5, 2012 2:10:44 PM CDT:  No updates found for Windows Host Integrity templates 12.1.  [Site: SEP01]  [Server: sepm1]
September 5, 2012 2:10:44 PM CDT:  No updates found for Intrusion Prevention signatures Win32 11.0.  [Site: SEP01]  [Server: sepm1]
September 5, 2012 2:08:22 PM CDT:  LUALL.EXE has been launched.  [Site: IVRS-SEP01]  [Server: sepm1]
September 5, 2012 2:08:21 PM CDT:  Download started.  [Site: IVRS-SEP01]  [Server: sepm1]

Rafeeq:

lucatalog.exe -cleanup

and lucatalog.exe -update

Liveupdate not working on SEPM installed on 2008 Server

http://www.symantec.com/business/support/index?page=content&id=TECH138384

ShadowsPapa:

>>Symptoms:
When trying to open Symantec Liveupdate from the control Panel you get an error.<<

Well, I get no such error messages, in fact, it's acting just like all is normal but it doesn't update the defs. I guess nothing to lose now - it's now 8-9 days we are behind and we can't afford that. If this doesn't help, I'll have to open a case and make it a priority 1 as I'm gone tomorrow and next week would mean TWO weeks with no definitions updates! Bad, very bad, but this seems to be a common theme with SEP. I've seen us have issues before, but NEVER like this. This is severe, bad.
Thanks for the link - it's worth a shot since no one else has been able to help.

I am now seeing these messages (posted below) in the server activity logs - but what baffles me is that we have TWO SEPM servers, TWO of them, clients can connect with either. They are the exact same thing other than name and IP address.

Don't both servers run LU independently of each other - SEPM1 runs LU, AND SEPM2 runs LU? Or does it not work that way - and if not, why not? Why would just 1 if you have 2 - what if the one failed?

OK, now why does one column say "antivirus and antispyware Win64 11.0" and the other say "intrusion detection system signatures 12.1"?
Isn't this a contradiction? The same log entry refers to AV defs Win64 11.0 - then contradicts that by saying "intrusion detection 12.1".
Then still another line says "Win64 11.0 microdefs" while in another column it says "Win32 12.1".
What's up with that?
???????????????????????????????


09/06/2012 05:15:02 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 vrdsmsepm1 Warning Symantec Endpoint Protection Manager could not update Client Intrusion Detection System signatures 12.1.  
09/05/2012 18:45:14 LiveUpdate failed IVRS-SEP01 VRDSMSEPM2 Error LiveUpdate failed. LiveUpdate failed.
09/05/2012 18:45:14 LiveUpdate All process failed to launch IVRS-SEP01 VRDSMSEPM2 Warning LiveUpdate encountered one or more errors. Return code = 4.  
09/05/2012 18:45:11 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 VRDSMSEPM2 Warning Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win32 12.1.  
09/05/2012 18:45:10 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 VRDSMSEPM2 Warning Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win64 12.1.

Does this mean the same exact issue took place on BOTH servers at the exact same time on the same day?

Or, does it mean that Symantec had an issue when we received the updates, an issue they quickly fixed, but it was too late for us?

I have real issues with trying to believe that two SEPM servers running LU would both get stuck on the same day, same time, same defs download, and both be stuck on the same exact defs level, and both have the exact same symptoms. I believe that something changed on the Symantec LU servers, and we got caught in the middle.
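
As an added example (not from the thread or from Symantec), the server activity log lines quoted above parsed into objects so the failures can be grouped per server and checked against the "both servers at the same time" question. The sample lines are constructed copies of the posted entries, and the column order (date and time, event, site, server, severity, message) is assumed from them.

```powershell
# Added example, not from the thread: parse SEPM server activity log lines and
# group the failures per server. Sample lines are constructed copies of the
# entries posted above; the column order is assumed from them.
$sampleLog = @'
09/06/2012 05:15:02 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 vrdsmsepm1 Warning Symantec Endpoint Protection Manager could not update Client Intrusion Detection System signatures 12.1.
09/05/2012 18:45:14 LiveUpdate failed IVRS-SEP01 VRDSMSEPM2 Error LiveUpdate failed. LiveUpdate failed.
09/05/2012 18:45:14 LiveUpdate All process failed to launch IVRS-SEP01 VRDSMSEPM2 Warning LiveUpdate encountered one or more errors. Return code = 4.
09/05/2012 18:45:11 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 VRDSMSEPM2 Warning Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win32 12.1.
09/05/2012 18:45:10 Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update IVRS-SEP01 VRDSMSEPM2 Warning Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win64 12.1.
'@

function ConvertFrom-SepmActivityLog {
    param([string[]]$Lines)
    # Site and server are single tokens and severity is a fixed keyword, so they
    # anchor the split between the free-text event column and the message column.
    $pattern = '^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.+?) (\S+) (\S+) (Warning|Error|Information) (.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time     = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy HH:mm:ss', $null)
                Event    = $Matches[2]
                Site     = $Matches[3]
                Server   = $Matches[4].ToUpperInvariant()  # names differ only in case
                Severity = $Matches[5]
                Message  = $Matches[6]
            }
        }
    }
}

$events = @(ConvertFrom-SepmActivityLog -Lines ($sampleLog -split "`r?`n"))

# Failures per server and the time span they cover.
foreach ($group in $events | Group-Object Server) {
    $sorted = @($group.Group | Sort-Object Time)
    '{0}: {1} entries from {2:u} to {3:u}' -f $group.Name, $group.Count, $sorted[0].Time, $sorted[-1].Time
}

# Did both servers fail inside the same five-minute window? (In these lines they
# did not: SEPM2 failed on the evening of 09/05, SEPM1 the next morning.)
$first = ($events | Sort-Object Time)[0]
$window = $events | Where-Object { ($_.Time - $first.Time) -le (New-TimeSpan -Minutes 5) } |
    Select-Object -ExpandProperty Server -Unique
'Servers failing within 5 minutes of the first entry: {0}' -f ($window -join ', ')

# Which content each server could not update, taken from the message text.
foreach ($e in $events) {
    if ($e.Message -match 'could not update (.+?)\.$') { '{0}: {1}' -f $e.Server, $Matches[1] }
}
```

Point the parser at a real export (Get-Content on the saved log) in place of the constructed here-string to run the same grouping over a full day of entries.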

Mithun Sanghavi:

Hello,

Could you follow this Article:

Only 32 Bit Antivirus / Antispyware Definitions are not updating on the 32 Bit / 64 Bit Operating System.

If the above steps do not resolve the issue, uninstall and re-install Symantec Endpoint Protection Manager.

The following articles will help should this be necessary:

About uninstalling Symantec Endpoint Protection Manager

Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian:

Had the same issue awhile back. Recommendation was to uninstall/reinstall, but no way I was doing that. So Symantec had me set the number of updates kept to 3 and remove all LU content. Finally, it kicked in and downloaded and updated. Still don't know what caused it, but doing that fixed it.

ShadowsPapa:

Mithun - no offense, but prior messages show that I've already done that. I know you are trying to be helpful.... In one thread I describe where I've done it multiple times - on both SEPM servers. I deleted all those files (the document is also a bit of a mess to follow), and it changed nothing.

I am also not going to AGAIN remove and reinstall the SEPM servers - I just spent my whole summer removing, reinstalling, deleting database, recreating, killing ALL SEPM servers and reinstalling from scratch, including database, etc. - I've been since December of last year doing nothing but killing and recreating SEPM servers and I've got to say "enough".
The first time I removed and reinstalled the SEPMs was because Symantec tech support said we had a corrupt database, so after days of following their documents, I learned we never did have a corrupt database and all that work was for nothing (that still bugs me as that was a major effort taking a lot of hours). I've got other duties here, and to have to baby sit a fragile definitions structure is becoming a big problem. If I can't get my other things done, and spend so much time on this - and it still doesn't work, I know what the next questions will be "so is this becoming too much of a problem......." and so on..........

Brian, I have been told by Symantec people (right to my face, in person) - engineers, sales engineers, etc. that we really need to keep something like 42 revs of the updates. I have also read it online. So I've slowly moved us up to that point - because "Symantec said to" that it was best for performance, and for cases where computers may be off several days. At a user group meeting recently, a fellow very well versed in SEP said "keep xx revisions for best performance". I heard it earlier from another Symantec person - so I was doing just that. Defs updates went pretty quickly.... until now, and Brian's statement is the second time I've read that we should only keep a few. Engineers tell us "keep a lot" while support says no, keep just a few.
It is getting to the point that it is really hard to decide who and what to believe - it appears that perhaps no one inside Symantec knows?
LOL - imagine if you were buying a car, and each salesperson told you a different story on the engine - one says it's got a V8, another says, no, it's a 6 and you need premium fuel, still another says, naw, don't need gas at all, it's electric. Who would you believe? They all work for the same dealer - but they all say different things about the same product.
That's what I'm starting to hear about SEP - engineers say keep 40+ revs, support says no, keep 3. I replaced the batteries in my calculator and did a little math - it tells me that's a difference of.... FORTY!
Can someone settle that part please? - should we be keeping 40+ revs, or just 3? And what about computers that are shut off for say a week, then VPN in on what's probably a slow connection? I feel like as a customer, we're sort of stuck in the middle not knowing who to believe.

 I've already followed all of the suggested documents (except the one Rafeeq suggests, that's next).  I'll back the revs down to 3 and the folks on slow connections will just have to grin and bear it when they turn on their computers and get 100 meg of defs updates......

Sorry to all those who I know are only trying to help - but I'm quite frustrated. I've been through too much work and pain this year with support, so I'm not reinstalling the SEPM servers - tech support has had me do that and blow out the database - to try to solve several other issues, and to no avail. I guess my frustration is showing a bit....

.Brian:

Sorry, should've mentioned I did kick it back up to 30 once everything was working again.

ShadowsPapa:

Cool. That does sort of help me understand what you did, the process and why. Funny how just a single sentence can sort of change things. ;-)

I've sort of followed your posts in general - appears you also learned the trial by fire method - school of hard knocks. Those are things you typically don't forget easily.

.Brian:

I still don't understand how what I did fixed it, but it did. The support guy that helped knew what he was doing but never really gave me a good explanation. I was just happy it was working again.

I rarely make a support call. I'd rather just figure it out on my own. Probably not a smart thing to do, but I've made it this far ;-)

Luckily, Connect is loaded with tons of good info and support too, so I usually get things solved quicker than making the call.

thromada:

Sorry ShadowsPapa I don't have a different suggestion than what's already been posted.  But I wanted to ask Brian81 -- what's the reason for keeping even more than 1 content revision?

SEPM Console > Admin > Servers > Local Site > Edit Site Properties > LiveUpdate tab > Disk Space Management for Downloads.  Mine is currently set to the default of 3.  They had you fiddle with yours and it started working.  But you bumped it back up to 30.  Is the reason having even more than 1 for some type of recovery?  Thanks.

.Brian:

My understanding is that by only keeping 3 or less, that's only really 1 day worth of updates so clients that have been off the network for 2 days or more will download a full update. By keeping more content revisions, it will allow clients that have been off the network for a few days to only download deltas, saving on bandwidth.

thromada:

That makes sense and is a great reason.  I'll check my space available and adjust the content number accordingly.  Thanks.

.Brian:

Definitely make sure you have enough space if you make the change.

Mithun Sanghavi:

Hello,

I understand your frustration. However, if you had opened the article, you would have seen it's not the same article which you have followed. This is more in reference to registry changes.

I read your posts whenever I could. I know you for a long time now as one of the oldest members on forums.

In case you have faced any issues in reference to Support, you could simply PM me your support case # and I would check into it.

Secondly, I agree with Brian, disk space could be one reason.

Hope that helps!!

ShadowsPapa:

Mithun - suggestion - I think this article needs to be pulled - or rewritten. It's confusing and hard to follow (and somewhat outdated, I feel). It also seems to be somewhat redundant, as other documents also include modified versions of those steps.

 - this is what your link above resolves to - and there are no registry entries referenced in it at all ->
http://www.symantec.com/business/support/index?page=content&id=TECH166923

I have a printed copy in front of me. It's the same document, just at a different path.

 This is what you had posted:
------------------------

Hello,

Could you follow this Article:

Only 32 Bit Antivirus / Antispyware Definitions are not updating on the 32 Bit / 64 Bit Operating System.

----------------------------------------------------------------

I did - and it was the same article referenced in the first reply - from pete.

Here is a screen shot showing what it resolved to, the same 166923 when I hover over the link ->

I followed that on both SEPM servers multiple times. If there is another or a different document, I can give something one more try - then I've got to launch an official case and make it TOP priority as spending a whole week on a single issue is going to get me and the product in deep hot water otherwise.

After taking a much needed break, being on "vacation" Friday, I return today, Monday, to find that not only did nothing I did last week work, it's actually WORSE now and my inbox is full of "LiveUpdate failed" messages from both SEPM servers.

I had uninstalled and reinstalled LU, did everything it said to do in TECH103112 but now not only are we sitting at old defs, LU won't even work properly. So following that document 103112 literally broke LU. At least it used to update everything BUT the AV defs, now it won't do anything.

I've got several other open cases, and I've totally removed and reinstalled the SEPM servers multiple times. I followed the disaster recovery steps RECOMMENDED BY SYMANTEC only to find out later it was not at all necessary as they had "made a mistake" (one that was rather expensive time-wise on this end)

Disk space is certainly not a reason on this end for this case -
On SEPM2 - C: 69 gig free out of 100 gig / D: 52 gig free out of 60 gig. D is SEPM data, but LU ignores that and uses C anyway.

On SEPM1 - C: 64 gig free out of 100 gig / D: 4.8 gig free out of 25 gig

ShadowsPapa:

See if this makes it easier to follow than the original TECH166923  (I don't typically start a process then jump to the end to see if there are notes that change what I should be doing, so the fact there are "notes" at the end of the original don't help a bit as you get part way down and realize, it's not matching up. Shouldn't have to search a document to find corrections or changes, they should be in the flow or stream of the process.)

Problem

Symantec Endpoint Protection (SEP) clients do not update virus definitions.

- Symantec Endpoint Protection Manager (SEPM) shows old virus definitions in "Admin > Server > Local Site > Show LiveUpdate Downloads".

Environment

SEPM 12.1
Windows 2003 SP2 32-bit
Windows Server 2008 R2 64-bit
SEP clients: Windows XP, Windows 7

Cause

Old or corrupted virus definitions present on the SEPM prevent the SEPM from updating the SEP clients with new virus definitions.

Solution

For Server 2003 and 32-bit OS

1. Delete the content of folder "C:\Documents and Settings\All users\Application Data\Symantec\LiveUpdate\Downloads\".
Note: Application Data is a hidden folder. Delete the content of the Downloads folder, but not the folder itself.

2. Stop the service "Symantec Endpoint Protection Manager".
To stop this service:
   1. Go to Start > Run.
   2. Type the following: Services.msc
   3. Select and stop the above-mentioned service.

3. Delete the numbered or TMP folders inside the paths:
- %programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{535CB6A4-...
- %programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{07B590B3-...
- %commonprogramfiles%\Symantec Shared\SymcData\spcVirDef32
- %commonprogramfiles%\Symantec Shared\SymcData\spcVirDef64

For Server 2008/2008 R2 64-bit

1. Delete the content of folder "%programdata%\Symantec\LiveUpdate\Downloads".
Note: Delete the content of the Downloads folder, but not the folder itself.

2. Stop the service "Symantec Endpoint Protection Manager".
To stop this service:
   1. Go to Start > Run.
   2. Type the following: Services.msc
   3. Select and stop the above-mentioned service.

3. Delete the numbered or TMP folders inside the paths:
- %Program Files(x86)%\symantec\symantec endpoint protection manager\inetpub\content\{535CB6A4-...
- %Program Files(x86)%\symantec\symantec endpoint protection manager\inetpub\content\{07B590B3-...
- %ProgramData%\Symantec\Definitions\SymcData\spcVirDef32
- %ProgramData%\Symantec\Definitions\SymcData\spcVirDef64

4. Launch the process LUALL.EXE.

5. Restart the Symantec Endpoint Protection Manager service when LiveUpdate is complete.

1.    Log on to the Symantec Endpoint Protection Manager console and launch a LiveUpdate from Admin > Server > Local Site > Download LiveUpdate content.

2.    Verify the correct download/usage of new virus definitions from "Admin > Server > Local Site>Show LiveUpdate Downloads".
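
As an added example that is not part of the thread or of Symantec's article, here is the Server 2008/2008 R2 64-bit branch of that procedure scripted in PowerShell. The LUALL.EXE location and the reading of "numbered or TMP folders" as subfolders named with digits only or containing "tmp" are my assumptions, and the two content GUIDs (only their prefixes appear on the page) are matched by wildcard.

```powershell
<#
  Added example, not from the thread or from Symantec's article: the
  "Server 2008/2008 R2 64-bit" branch of the steps above as one script.
  Assumptions (not stated on the page): LUALL.EXE lives under
  %ProgramFiles(x86)%\Symantec\LiveUpdate, and "numbered or TMP folders"
  means subfolders whose name is all digits or contains "tmp".
  Run elevated; run with -WhatIf first to preview every deletion.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$LuallPath = (Join-Path ${env:ProgramFiles(x86)} 'Symantec\LiveUpdate\LUALL.EXE'),
    [string]$ServiceDisplayName = 'Symantec Endpoint Protection Manager'
)
$ErrorActionPreference = 'Stop'

# Step 1: empty %programdata%\Symantec\LiveUpdate\Downloads, keeping the folder itself.
$downloads = Join-Path $env:ProgramData 'Symantec\LiveUpdate\Downloads'
if (Test-Path -LiteralPath $downloads) {
    foreach ($item in Get-ChildItem -LiteralPath $downloads -Force) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete LiveUpdate download')) {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force
        }
    }
}

# Step 2: stop the manager service before touching its content folders.
$svc = Get-Service -DisplayName $ServiceDisplayName
if ($PSCmdlet.ShouldProcess($ServiceDisplayName, 'Stop service')) {
    $svc | Stop-Service
}

# Step 3: delete the numbered or TMP folders inside the four content paths.
# The content GUIDs are only given by their prefixes on the page, so match by wildcard.
$content = Join-Path ${env:ProgramFiles(x86)} 'Symantec\Symantec Endpoint Protection Manager\inetpub\content'
$symc    = Join-Path $env:ProgramData 'Symantec\Definitions\SymcData'
$parents = @(
    Get-ChildItem -LiteralPath $content -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Name -like '{535CB6A4-*' -or $_.Name -like '{07B590B3-*') }
    Get-Item -LiteralPath (Join-Path $symc 'spcVirDef32') -ErrorAction SilentlyContinue
    Get-Item -LiteralPath (Join-Path $symc 'spcVirDef64') -ErrorAction SilentlyContinue
)
foreach ($parent in $parents) {
    $stale = Get-ChildItem -LiteralPath $parent.FullName -Force |
        Where-Object { $_.PSIsContainer -and ($_.Name -match '^\d+$' -or $_.Name -match 'tmp') }
    foreach ($dir in $stale) {
        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Delete definition folder')) {
            Remove-Item -LiteralPath $dir.FullName -Recurse -Force
        }
    }
}

# Step 4: run LiveUpdate and wait for it to finish.
if ($PSCmdlet.ShouldProcess($LuallPath, 'Run LiveUpdate')) {
    Start-Process -FilePath $LuallPath -Wait
}

# Step 5: start the manager again. The console steps (Download LiveUpdate
# content, then Show LiveUpdate Downloads to verify) are still done by hand.
if ($PSCmdlet.ShouldProcess($ServiceDisplayName, 'Start service')) {
    $svc | Start-Service
}
```

Running it with -WhatIf lists every folder it would remove without touching anything, which is the check to do before the real run on a production manager.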

ShadowsPapa:

Can someone please take a look at the attached files - LU logs, etc. and see if SEPM2 may now be closer to normal?

SEPM1 hadn't changed the liveupdate log since the 6th! It in fact was really messed up so I totally removed LU from SEPM1 and am following document 171060 which I ran across by accident as it seems to be the very best tech doc regarding SEPM12.x and LU out there. So many of the others apply mostly to 11.x and simply have some changes to make them compatible with 12.x where this doc seems to have been written from the ground up for SEPM 12.x and Server 2008R2.

Due to the many other issues, and multiple open cases with SEPM and SEP, I sort of received an ultimatum regarding SEP this AM, so this must be repaired before end of day today.......

Thanks.

Attachments (name, size):
SEPM2_Log-LiveUpdate_9-10-2012-b.txt (4.89 MB)
SEPM2_ShowLUStatus_9-10-2012-am.txt (7.33 KB)
SEPM1_Log-LiveUpdate_9-10-2012-from-9-6-2012.txt (2.5 MB)

jcritzer:

Was this ever resolved? This concerns public safety machines so I'd really like to get this fixed...

I'm currently encountering the same issue but with "Latest on Manager: 10/24/2012 r18" and "Latest from Symantec: 11/20/2012 r3." Also, out of 633 total endpoints, 454 are "up-to-date" which I know is NOT the case, with 176 being offline which is conceivable given the holiday week.

I've followed all of the same steps it appears you followed but to no avail.  And I hate calling Symantec because I normally get someone reading a script.

Any feedback appreciated!  I really don't want to reload this server if I can avoid it.