Endpoint Protection

Hello Guys!

I need help with this issue in my environment...

I have 2 SEPM servers, like active x active, the priority in the server list is server X and after, server Y..

The SQL server is running in the same network of server X, because the servers in site X is my production ok?

I noticed some problems with updates. I have a schedule update, running at night (dawn) this dawn, the definitions did not update, and I checked the log (I have a syslog server and SEPM send the log to it) and I saw that server Y is who is starting the liveupdate... Both servers, X and Y have internet connection to download and both can talk to SQL server, ok?

Log:

Aug 20 02:22:24 SymantecServer X: Site: COMPANY,Server: Y,LiveUpdate started.
Aug 20 02:22:26 SymantecServer X: Site: COMPANY,Server: Y,LUALL.EXE has been launched.
Aug 20 02:25:25 SymantecServer X: Site: COMPANY,Server: Y,Cleaned up 1 LiveUpdate downloaded content
Aug 20 02:25:40 SymantecServer X: Site: COMPANY,Server: Y,Successfully downloaded the Intrusion Prevention signatures Win32 11.0 security definitions from
LiveUpdate. The security definitions are now available for deployment.
Aug 20 02:59:37 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Power Eraser Definitions 12.1 RU5.
Aug 20 02:59:38 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Extended File Attributes and Signatures 12.1 RU2.
Aug 20 02:59:38 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SONAR scan commercial application engine 11.0.
Aug 20 02:59:38 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SEPM LiveUpdate Database 12.1.
Aug 20 03:03:27 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1 RU2.
Aug 20 03:07:15 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SONAR Heuristics engine 12.1 RU2.
Aug 20 03:11:04 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SONAR scan data 11.0.
Aug 20 03:11:04 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Submission Control signatures 12.1 RU2.
Aug 20 03:11:04 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Submission Control signatures 11.0.
Aug 20 03:11:04 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SONAR scan engine Win64 11.0.
Aug 20 03:34:20 SymantecServer X: Site: COMPANY,Server: Y,No updates found for AP Portal List 12.1 RU2.
Aug 20 03:34:20 SymantecServer X: Site: COMPANY,Server: Y,No updates found for SONAR scan engine Win32 11.0.
Aug 20 03:34:20 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Centralized Reputation Settings 12.1 RU2.
Aug 20 03:34:21 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Symantec Endpoint Protection Win32 12.1 (English).
Aug 20 03:34:22 SymantecServer X: Site: COMPANY,Server: Y,No updates found for Symantec Endpoint Protection Win64 12.1 (English).
Aug 20 03:34:27 SymantecServer X: Site: COMPANY,Server: Y,LUALL.EXE successfully updated the content. Return code = 0.
Aug 20 03:34:27 SymantecServer X: Site: COMPANY,Server: Y,"LiveUpdate will start next on Quinta-feira, 21 de Agosto de 2014 1h0min21s BRT on Y."
Aug 20 03:34:27 SymantecServer X: Site: COMPANY,Server: Y,LUALL.EXE finished running.
Aug 20 03:34:27 SymantecServer X: Site: COMPANY,Server: Y,LiveUpdate succeeded.

I am with the old definition... But, why SEPM is running the liveupdate using server Y and not server X? How can we set it, or, how SEPM defines the server... and, why I can not update?

I am sure that I had updates to do, because I was monitoring it... I should at least running with definitions from day 19. Take a look in the attach!

Thanks!

Run the symhelp tool on the SEPM, see what it returns error-wise.

Hello Brian, Just a ERROR about disk space... (10gb remaining) I fixed it and now I have around 30Gb.

But the same space I had in both servers (10gb remaining) I do not know if the server Y can not update definitions... I guess it can... but why it should that did not have any update? but it did...

Any other suggestion?

Thanks!!

Diego

I will try it tonight:

http://www.symantec.com/business/support/index?page=content&id=TECH166923

The weird situation is when I start the liveupdate mannually it runs fine.. like this issue below:

https://www-secure.symantec.com/connect/forums/sepm-12ru3-not-updating-latest-definitions

and scheduled it is not.

Are you going to attempt to clear out the content defs?

Yes, clear this folder:

C:\ProgramData\Symantec\LiveUpdate\Downloads\*

C:\ProgramData\Symantec\Definitions\SymcData\spcVirDef32 and 64

and other likes the KB suggests

bad idea?

I was hoping the symhelp tool would tell yuo if defs are corrupt, it should have that ability now. But sounds like that isn't the case...

I changed the schedule and it ran normally.... But my GUPs is not updated yet...... The update ran 09:00 pm (yesterday) and now, 10:45 am I have 170 gups waiting for updates... When manager receives a new update, it should be sent to GUPs almost that immediately, right?

Nope, the GUP needs to check in so it's based on heartbeat

oh yeah, sure.... my HB is 15 minutes... so after that... the GUP should be updated... right

Hi,

I tried many things... no success...

So, I tried lucatalog -cleanup and -forcedupdate, no way...

I tried .jdb... I received a file with .err

So, I uninstalled the liveupdate, restarted the server, installed the liveupdate again (I used the update from the last version of SEPM) and it is the version 3.3.100.15, the same version of the liveupdate of the other sepm server..., so, no problems.

I ran the -cleanup and -forcedupdate and it is now working...

After I checked the control panel --> LiveUpdate and the default config is trying "Express Mode"while the other server is Interactive Mode, so, what option should I use?  Any suggestion? No other options is marked in the Express Mode, ok?

And what value in the cache size?

Run it in interactive mode and see what happens, interactive mode will show you the progress and detail.