Endpoint Protection

This is an issue I've been working on for a while now, both on my own and with a Symantec support technician.

Problem

• There are about 20 clients, out of about 2500, with out of date Virus and Spyware Protection definitions in our network

Details

• The out of date clients are in the same group
• The clients are scattered location-wise and not using the same GUP
• The clients that have this issue are keeping their Proactive Threat Protection and Network Threat Protection definitions up to date.
• The SEPM is version 12.1.4104.4130
• The Clients are version 12.1.4112.4156

Steps taken (each step an individual attempt at a fix, not tried all at once)

• Tried clicking the fix button in the client
• Verified the clients are communicating with the server
• Tried uninstalling and reinstalling through Windows control panel
• Tried the Repair option through Windows control panel
• Tried manually removing virus definitions in the registry as detailed here: http://www.symantec.com/docs/HOWTO59193
• Tried uninstalling via Clean Wipe and reinstalling with a fresh installation package from SEPM
• Verified GUPs maximum disk cache size matches Best Practices detailed here http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH228043
•  Tried running Rapid Release
• Created a test group with its own policy composed of half healthy clients, half unhealthy clients.  Designated a healthy client inside the test group as GUP for the test group.

Results

• After an uninstall via Clean Wipe and reinstallation, the clients fell out of date again after a couple days
• Rapid release will update the client definitions, but the client will not pull more updates itself.
• Manually removing the virus definitions in the registry did not cause the client to start updating
• Unhealthy clients in the test group still not updating; healthy clients continue receiving updates from the new GUP.

What else can I try to resolve this issue?

Can you enable sylink debugging and let it run thru a few heartbeats?

Have you run the symhelp tool to check for errors?

Troubleshooting computer issues with the Symantec Help support tool

http://www.symantec.com/docs/HOWTO80839

Enable sylink debugging for Endpoint Protection clients

http://www.symantec.com/docs/TECH104758

Brian,

Here are the requested files.  The sylink log and the screenshot of the Sym Help tool are from the same client.

Attachment(s)

Sylink_15.txt   6.98 MB 1 version

Do you have different cache sizes configured on the GUPs? Default is 500MB. But it looks like the client is trying to pull down a 650MB file. The GUP may not have enough space allocated to keep a file that size.

.

From the log it says that its using Multple GUP.

[Content]<LUThreadProc---->Retrived GUP for content download.. GUP type: Multiple Group Update Providers last GUP type: Multiple Group Update Providers
03/23 13:55:03.473 [3416] <CHttpFileDownload::CHttpFileDownload()>

But I see only one selection 172.21.22.250

Can you make it to get from Single GUP and update the policy, the problem seems to be with GUP selection , I belive you have also selected the option not to bypass GUP and get from SEPM.

I have the same exact problem. Did you fix the GUP error from the Symhelp? Or is that not necessary to fix?

I made another group and set them all to use a specific GUP and the majority of the group became up to date over the weekend.  I will try Rapid Release on the few that did not update and see if they stay that way.

I did not fix the error the Sym Help indicated.  AutoRun doesn't seem related to the issue.

The GUPs are set to a 2GB cache.

Somehow the issue was in GUP selection not sure if you have mutliple GUPs listed... Intelligent updater will fix those who did  not update. So all good now?

Yes, we had multiple GUPs listed.  We will be segregating the clients by location and designating a single GUP per location in the future.This looks like it is solved. Thank you!