Endpoint Protection


Some SEP 12.1 clients not getting Virus Definition updates

  • 1.  Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:04 PM

    I've been bashing my head over this one.  My company has about 400 SEP clients in a main site and spread across 13 remote sites which are all defined as groups in SEPM. Each remote site has a server that acts as a GUP.

     

    At one site, I have 2 clients that are not getting virus definition updates.  The other 15 at this location have been getting them.  All clients are Windows 7 x64.

    All clients have been running SEP version 12.1.4100.4126. Today I've had access to one of these problem computers to run some troubleshooting.

     

    From SEPM, I send the command to update content, and although the command status monitor says it completes, the virus defs. do not get updated on this computer.

     

    I have uninstalled SEP, rebooted.  Then I ran the CleanWipe utility and rebooted.  I checked C:\Programdata , C:\Program Files , and C:\Program Files (x86), and all of the symantec folders were gone.

    Then I installed version 12.1.5337.5000.  The installation was done from a package I exported from SEPM that was configured as a managed client.

     

    After rebooting, the client connects to the central SEPM and updates its policy.  The Proactive Threat Protection and Network Threat Protection definitions did get updated.  Just not the Virus and Spyware definitions.

    Something strange though: I tried running SEPLiveUpdate.exe from a command prompt, and I was returned the following error: "LiveUpdate has been disabled. Please contact your System Administrator for more Information."

     

    The policy for this group in SEPM appears to have "Allow the user to manually launch LiveUpdate" CHECKED.

    On the client management settings on the client itself however, the LiveUpdate settings tab shows the following box UNCHECKED: "Enable automatic updates".

    I tried moving it into a different group and updating the policy.  It still won't update the Virus & spyware definitions.

     

    I downloaded SymHelp.exe and ran a scan. There were no issues.  When trying to open a case with SymHelp on this computer, SymHelp crashes towards the end of collecting data.

     

    Can anyone provide any guidance? This is driving me nuts.

     

     

    EDIT:  I've also modified the registry:

    \\HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\    ---->  AllowManualLiveUpdate  changed from 0 to 1



  • 2.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:07 PM

    Is there anything in the log.lue file?

    You can also enable sylink logging to see comms between client/SEPM



  • 3.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:08 PM

    Can you post the sylink.log?



  • 4.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:24 PM

    I'm unable to find a sylink.log or a lue.log on the drive of the client machine. (ran a search on C:\Programdata\Symantec\*.log)

     

    The only logfiles found are:

    JobMgr.dat.log
    01142015.log
    ShdSettg.dat.log
    SPSettg.dat.log
    ProfileManagement.dat.log
    LueDyn.dat.log  (<----- I get an error that this is being used by another process when trying to open it)
    Volatile.dat.log
    SET_CUR.dat.log
    processlog.log
    rawlog.log
    seclog.log
    syslog.log
    ccSettings_12.1.5337.5000.dat.log
    tralog.log
    SIS_INST.LOG
    AtpiMan.log
    AVMan.log
    BashMan.log
    CidsMan.log
    CommonMan.log
    DevMan.log
    GUP.log
    LocalRep.log
    LUMan.log   (<------ 0 bytes)
    NacMan.log
    NetSecMan.log
    RebootMgrMan.log
    RepMgtMan.log
    SfMan.log
    SubmissionsMan.log
    SISCustomActoinExe-0x0EE8.log
    EFASIInst-0x0448.log



  • 5.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:26 PM

    Located here:

    On Windows XP and Windows Server 2003:
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs

    On Windows Vista, Windows 7, and Windows Server 2008:
    C:\Program Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs



  • 6.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:26 PM

    You need to enable it, 

    check this document

    http://www.symantec.com/business/support/index?page=content&id=TECH104758



  • 7.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:32 PM

    In C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Lue\

    there is only a LueDyn.dat file and a LueDyn.dat.log file.

    No subdirectories.



  • 8.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 12:55 PM

    Thanks!  I've attached it.

    Attachment: Sylink_23.zip (13 KB)


  • 9.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:27 PM

    Bigger version after running for a while...

    Attachment: Sylink_24.zip (109 KB)


  • 10.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:39 PM

    How is your client configured for LiveUpdate?

    From the log, the client is trying to reach GUP (I believe the content is not available in GUP).

    Can you check the setting on your SEPM LU policy where it says connect to SEPM after XX? What is the XX configured to?

    Can you configure the client to get the update from SEPM and not from GUP?



  • 11.  RE: Some SEP 12.1 clients not getting Virus Definition updates
    Best Answer

    Posted Jan 14, 2015 03:48 PM

    Another thing: from the log the client is requesting 579739672 bytes, which is around 552 MB; however, the default cache size of GUP is 500 MB. I believe the GUP is flushing itself before sending the full update and it's all stuck in a loop. Update it from SEPM as of now; the next delta will be less than 500 and should be updated easily.



  • 12.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:49 PM

    We have all of our site policies set to never connect to SEPM after GUP.  We only have T1 lines connecting our remote sites to our central site, so whenever a client tries to download from the SEPM, it hogs their bandwidth.



  • 13.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:50 PM

    Overall content size has grown to 550MB or so. You need to increase your GUP cache size.



  • 14.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:52 PM

    Good find!  Thanks, I'll let you know what happens.



  • 15.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 14, 2015 03:56 PM

    It's pulling around 550 MB, no wonder it's stalling your network. For the time being,

    update these machines with Intelligent Updater for today and monitor the status; for tomorrow it should be updating from GUP. Here is the link to update them using IU:

    http://www.symantec.com/business/support/index?page=content&id=TECH102391



  • 16.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 15, 2015 09:48 AM

    So I changed the cache size to 700 MB last night.  I was relieved to see that one of the 2 problem computers finally updated the definitions overnight!

     

    Unfortunately, the one that I had been working on all day yesterday still is not updated.  I will be robocopying the manual update over to that computer today and we'll see how it behaves after that.

     

    Thanks for all of your help!



  • 17.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 15, 2015 09:51 AM

    You may want to consider going higher than 700MB. With the rate defs are growing, you'll see this again.



  • 18.  RE: Some SEP 12.1 clients not getting Virus Definition updates

    Posted Jan 15, 2015 10:24 AM

    Thanks Brian.  Good thinking.