Endpoint Protection


SEPM unable to update Win32 defs


  • 1.  SEPM unable to update Win32 defs

    Posted Mar 31, 2015 02:54 PM

    About a week ago, we came across some boxes which had old defs. I thought nothing of it, sometimes it happens, and resolves automatically on next update cycle.

    Fast forward to today, the issue persists. The defs for Win32 are the only thing that isn't updating. They're stuck at [Virus and Spyware definitions Win32 12.1 RU5    03/15/2015 r22    March 17, 2015 12:01:21 AM PDT].

    What's going on with the Win32 defs? We haven't changed anything, and all other defs are succeeding in download/update process.

     

    March 31, 2015 11:46:33 AM PDT:  LiveUpdate succeeded.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:33 AM PDT:  LUALL.EXE finished running.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:33 AM PDT:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SPC AntiVirus Client Mac 11.0 (English).  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Symantec Endpoint Protection Win64 12.1 (English).  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Symantec Endpoint Protection Win32 12.1 (English).  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Centralized Reputation Settings 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan engine Win32 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for AP Portal List 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for TruScan proactive threat scan commercial application list Win32 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan whitelist Win64 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win32 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Intrusion Prevention signatures Win64 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Client Intrusion Detection System signatures 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Revocation Data 12.1 RU5 .  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan engine Win64 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Submission Control signatures 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Submission Control signatures 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan data 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Symantec Whitelist 12.1 RU5 .  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR Heuristics engine 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan whitelist Win32 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for TruScan proactive threat scan commercial application list Win64 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for SONAR scan commercial application engine 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Extended File Attributes and Signatures 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Mac Host Integrity content 12.1.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Power Eraser Definitions 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Client Intrusion Detection System signatures Mac 12.1 RU4.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Virus and Spyware definitions Win64 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Windows Host Integrity content 12.1 RU2.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:31 AM PDT:  No updates found for Intrusion Prevention signatures Win32 11.0.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:23 AM PDT:  LUALL.EXE has been launched.  [Site: Corp]  [Server: SEP_SERVER]
    March 31, 2015 11:46:23 AM PDT:  Download started.  [Site: Corp]  [Server: SEP_SERVER]

     



  • 2.  RE: SEPM unable to update Win32 defs

    Posted Mar 31, 2015 04:46 PM

    Run the symhelp tool to check for errors and whether or not that particular set of definitions may be bad:

    Troubleshooting computer issues with the Symantec Help support tool

    http://www.symantec.com/docs/HOWTO80839

    Have you tried using the JDB file to manually update to see what the result is?

    Download .jdb files to update definitions for Endpoint Protection Manager



  • 3.  RE: SEPM unable to update Win32 defs

    Posted Mar 31, 2015 05:34 PM

    Running the SymHelp tool, nothing came up in regards to bad defs.

     

    Importing the JDB file yielded action but no results. Drag & Drop into the appropriate folder, SEP processes it (extracts to folder). Folder disappears, file is renamed to "vd44fe02.jdb.err".

     

    Looking at the LiveUpdate content in SEPM, everything is still at the same version as previous.

     

    Running luall, I managed to capture this:

     

    .......

    Total Download 20930.8 KB 

    Downloading SEPM Virus Definitions Win32 12.1 RU5 (1 of 1), complete.

    Installing SEPM Virus Definitions Win32 12.1 RU5 (1 of 1), complete.

    LiveUpdate session is complete.

     

     

    However, Win32 defs remain at the same version.



  • 4.  RE: SEPM unable to update Win32 defs

    Posted Mar 31, 2015 08:34 PM

    SEPM is able to download defs but not able to insert them into the DB. 3 things to check.

    1) Need to check your sesmlu.log; please update us with the same. You can find it at SEPM/TOMCAT/SESMLU.LOG

    2) If you are using a SQL DB, make sure it's set to auto growth, or sized as per this document:

    http://www.symantec.com/business/support/index?page=content&id=TECH184770

    3) Port 9090 should be used by Symantec; if any other application is using it, then it won't update.



  • 5.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 11:28 AM

    Here are a few lines from sesmlu.log I found:

    04/01 04:38:07 [0694:07c8] INFO(Low)  spcVirDef32 DefaultDefUtilsContentHandler CDefUtils::PreMicroDefUpdateInternal (HubDir:C:\ProgramData\Symantec\Definitions\SymcData\spcVirDef32\tmp703a.tmp, DirectDir: C:\ProgramData\Symantec\Definitions\SymcData\spcVirDef32\tmp1fa6.tmp, Version: MicroDefsB.Error, HubIsOk: false) - returning DU_S_OK (File = update.cpp, Line = 1217

    04/01 04:38:07 [0694:07c8] INFO(Med)  spcVirDef32 AbstractLuContentHandler LASTPATCH.STATUS: 'FAIL'.

    04/01 04:38:07 [0694:07c8] ERROR      spcVirDef32 AbstractLuContentHandler Moniker:{B6453A57-0AB4-F6D4-00BE-1539CD2A614D},Set Version = MicroDefsB.Error : Failed.at AbstractLuContentHandler.cpp[596]

    04/01 04:38:07 [0694:07c8] INFO(Med)  spcVirDef32 SesmLu PreProcessing... finished. Result: 0x802a0015


    On a side note, our SQL DB has 1.5GB free space remaining - certainly not an issue. Port 9090 is in use by SEPM on the server by process semsvc.exe, and is listening.
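
    A way to triage sesmlu.log lines like the ones quoted in the post above, per content type. This is an added example, not part of any post in the thread and not Symantec's tooling; the field layout is an assumption inferred from the quoted lines, and the final spcVirDef64 line is constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the lines quoted in the thread (assumption):
# MM/DD HH:MM:SS [pid:tid] LEVEL  content-type source message
LINE = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[([0-9a-fA-F]+):([0-9a-fA-F]+)\] "
                  r"(\S+)\s+(\S+) (\S+) (.*)$")
STATUS = re.compile(r"LASTPATCH\.STATUS: '(\w+)'")
RESULT = re.compile(r"Result: (0x[0-9a-fA-F]+)")

# First four lines come from the post above (the first is abbreviated with "...").
# The last line is constructed, to show a content type that processed cleanly.
SAMPLE = r"""
04/01 04:38:07 [0694:07c8] INFO(Low)  spcVirDef32 DefaultDefUtilsContentHandler CDefUtils::PreMicroDefUpdateInternal (... Version: MicroDefsB.Error, HubIsOk: false) - returning DU_S_OK
04/01 04:38:07 [0694:07c8] INFO(Med)  spcVirDef32 AbstractLuContentHandler LASTPATCH.STATUS: 'FAIL'.
04/01 04:38:07 [0694:07c8] ERROR      spcVirDef32 AbstractLuContentHandler Moniker:{B6453A57-0AB4-F6D4-00BE-1539CD2A614D},Set Version = MicroDefsB.Error : Failed.at AbstractLuContentHandler.cpp[596]
04/01 04:38:07 [0694:07c8] INFO(Med)  spcVirDef32 SesmLu PreProcessing... finished. Result: 0x802a0015
04/01 04:38:09 [0694:07c8] INFO(Med)  spcVirDef64 SesmLu PreProcessing... finished. Result: 0x00000000
"""

def triage(lines):
    """Group ERROR lines, last patch status and result code by content type."""
    report = defaultdict(lambda: {"errors": [], "last_patch": None, "result": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        ts, _pid, _tid, level, content, source, msg = m.groups()
        entry = report[content]
        if level == "ERROR":
            entry["errors"].append((ts, source, msg))
        if (s := STATUS.search(msg)):
            entry["last_patch"] = s.group(1)
        if (r := RESULT.search(msg)):
            entry["result"] = int(r.group(1), 16)
    return dict(report)

def failed_content(report):
    """Content types with an ERROR line or a failed last patch."""
    return sorted(name for name, e in report.items()
                  if e["errors"] or e["last_patch"] == "FAIL")

if __name__ == "__main__":
    rep = triage(SAMPLE.splitlines())
    for name in failed_content(rep):
        print(name, hex(rep[name]["result"]), rep[name]["errors"][0][2])
```

    Run against the full SesmLu.log, this narrows a large file down to the content types whose definitions are not being applied, which is the condition that leaves clients on stale signatures.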



  • 6.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 12:52 PM

    1.5 GB is still less, I would say. It's stuck on 3/15 and would certainly load more than that. How many content revisions do you have stored in SEPM?

    In the SEPM Console, go to Admin>Servers>Local Site>Edit Site Properties

    On the LiveUpdate tab, change the number of revisions to keep to 3.   The SEPM will chug away for the next hour or so, getting rid of the old revisions.  You can monitor the progress by watching the folders below.

    Drive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{535CB6A4-441F-4e8a-A897-804CD859100E}

    Drive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{07B590B3-9282-482f-BBAA-6D515D385869

    Once purged, check the space on SQL and run LiveUpdate again; it should update fine.

    https://www-secure.symantec.com/connect/forums/sepm-not-updating-content-latest-def-10-jan-2014



  • 7.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 02:45 PM

    This seems to be progressing in the right direction as this message no longer appears during LiveUpdate in SEPM; 

    March 31, 2015 11:46:31 AM PDT:  Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win32 12.1 RU5.  [Site: Corp]  [Server: SEP_SERVER]

    I have attached the spcVirDef32 section of SesmLu.log, as it's too long to paste in here.

     

    Attachment(s): sesmlu.txt (69 KB)


  • 8.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 03:32 PM
    That's OK. Definitions updated now?


  • 9.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 04:09 PM

    Unfortunately, no.

    Tried downloading the defs a couple times, noticed that the Win32 line was omitted a few times. Finally, the original message still reappears.

    April 1, 2015 1:07:40 PM PDT:  Symantec Endpoint Protection Manager could not update Virus and Spyware definitions Win32 12.1 RU5.  [Site: Corp]  [Server: SEP_Server]



  • 10.  RE: SEPM unable to update Win32 defs

    Posted Apr 01, 2015 05:34 PM

    Attempted to use the Intelligent Update exe, gives same results:

     

    Wed Apr 01 14:31:41 2015 : PROCESSING ENTRY: VIRSCAN.zip - Virus Definitions
    Wed Apr 01 14:31:41 2015 : Entry details:
    Wed Apr 01 14:31:41 2015 :     Update-File:             VIRSCAN.zip
    Wed Apr 01 14:31:41 2015 :     Update-Desc:             Virus Definitions
    Wed Apr 01 14:31:41 2015 :     Auth DLL Name:             SSEIUAuth
    Wed Apr 01 14:31:41 2015 :     Auth DLL Location:         local
    Wed Apr 01 14:31:41 2015 :     Auth Content-Type:         virus definitions x32
    Wed Apr 01 14:31:41 2015 :     Deploy Content-Type:         virus definitions x32
    Wed Apr 01 14:31:41 2015 :     Deploy DLL Name:         SSEIUDeploy
    Wed Apr 01 14:31:41 2015 :     Deploy DLL Location:         local
    Wed Apr 01 14:31:41 2015 : AUTH DLL LOCATION: IU will read the DLL location from registry - SSEIUAuth
    Wed Apr 01 14:31:41 2015 : REG SUCCESS: Success while opening key 
    Wed Apr 01 14:31:41 2015 : REG FAILURE: Failed while fetching the path from registry.
    Wed Apr 01 14:31:41 2015 : DEPLOY DLL LOCATION: IU will read the DLL location from registry - SSEIUDeploy
    Wed Apr 01 14:31:41 2015 : REG SUCCESS: Success while opening key 
    Wed Apr 01 14:31:41 2015 : REG FAILURE: Failed while fetching the path from registry.
    Wed Apr 01 14:31:41 2015 : IGNORE ENTRY: Ignoring entry for VIRSCAN.zip because of registry read failure. Error occurred while reading the path for the Authorization DLL from the registry.
    Wed Apr 01 14:31:41 2015 : The product corresponding to this entry in iuconfig.xml is not installed on the system.



  • 11.  RE: SEPM unable to update Win32 defs

    Posted Apr 02, 2015 01:40 PM

    Checked the log; it's still failing at: spcVirDef32 SesmLu Failed to notify SESM servlet of new LiveUpdate package.at SesmLu.cpp[1480]

    Can you repair SEPM from Add/Remove Programs?



  • 12.  RE: SEPM unable to update Win32 defs

    Posted Apr 02, 2015 01:42 PM

    Are you sure that no other process is listening at 9090?

    Open a cmd prompt:

    netstat -ano | find "9090"

    What process do you see?

     

    http://www.symantec.com/business/support/index?page=content&id=TECH208803



  • 13.  RE: SEPM unable to update Win32 defs

    Posted Apr 02, 2015 05:56 PM

    There are multiple connections on 9090; only one process owns it - SemSvc.exe
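
    The port check from the two posts above, done as an exact match on the local port instead of a substring search. This is an added example, not part of any post in the thread; the `netstat -ano` output below is constructed (addresses and PIDs are made up), and only TCP rows are handled.

```python
# Constructed `netstat -ano` output; PID 2244 stands in for the SEPM service.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       2244
  TCP    0.0.0.0:49090          0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:9090         127.0.0.1:51514        ESTABLISHED     2244
  TCP    127.0.0.1:51514        127.0.0.1:9090         ESTABLISHED     2244
  TCP    10.0.0.5:445           10.0.0.9:50211         ESTABLISHED     9090
  TCP    [::]:9090              [::]:0                 LISTENING       2244
"""

def tcp_rows(output):
    """Yield parsed TCP rows; header and UDP rows (no State column) are skipped."""
    for line in output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield {"local_port": int(f[1].rsplit(":", 1)[1]),
                   "state": f[3], "pid": int(f[4])}

def listening_pids(output, port):
    """PIDs that own a LISTENING socket on exactly this local port."""
    return {r["pid"] for r in tcp_rows(output)
            if r["state"] == "LISTENING" and r["local_port"] == port}

def substring_matches(output, needle):
    """What `find "9090"` would print: any line containing the text."""
    return [l for l in output.splitlines() if needle in l]

def single_owner(output, port):
    """True when exactly one process listens on the port."""
    return len(listening_pids(output, port)) == 1

if __name__ == "__main__":
    print("lines matched by substring:", len(substring_matches(NETSTAT, "9090")))
    print("listening PIDs on 9090:", listening_pids(NETSTAT, 9090))
    print("single owner:", single_owner(NETSTAT, 9090))
```

    The substring search also matches port 49090 and a connection whose PID happens to be 9090, and it mixes LISTENING rows with ESTABLISHED ones; `tasklist /FI "PID eq <pid>"` maps the resulting PID to a process name.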



  • 14.  RE: SEPM unable to update Win32 defs

    Posted Apr 02, 2015 08:13 PM

    Could you please check the ConfigServer-0 or ConfigServer-1 logs and check if you see this entry:

    LoadDefInfo Returned:- 2113667073



  • 15.  RE: SEPM unable to update Win32 defs

    Posted Apr 03, 2015 02:28 AM

    I always saw only one instance of 9090. Can you do a reboot and try the LiveUpdate?



  • 16.  RE: SEPM unable to update Win32 defs
    Best Answer

    Posted Apr 08, 2015 03:02 PM

    What I ended up doing was wiping SEPM off the server and deleting the SQL DB. Performed the DR process, recreated the DB, and now all works fine.