Good Morning\Afternoon,

I have installed SEP 12.1 across our production fleet, everything is going well........apart from a dozen machines. I get a report saying that I have 13 machines that have out of date content for Sonar. I logon to those machines and open the SEP Client, the client shows a green tick saying that all definitions are up to date, yet the SONAR content is showing 2nd May 2013 instead of 21st May 2013 as all my other clients are. I have had issues in the past where the client recognises that it is out of date and I have had to do the whole BASH Defs update, stop\start smc service etc.

All configuration is correct, machines in the same domain are configured exactly the same way and had the same client pushed. Sylink file is correct and up to date. All other definitions, anti virus etc are current, so the client is talking to the management server.

What I am not sure about is the fact that the client is showing no problems, when it is obvious that is using an old SONAR def.

Is the resetting of the BASH Defs method the best way of cleaning this up, or is there another way? I would really like a solution that doesn't require a reboot, these are 24\7 production servers.

As always all information or guidance from the community is greatly appreciated.

You can clean the virus defintion one system and check wheter it help or not

https://www-secure.symantec.com/connect/forums/sonar-definitions-do-not-get-updated#comment-7420971

If work then try on all pending system

SONAR Definitions are not updated on SEP 12.1 Clients.

does the client gets the update from SEPM or Symantec LU?

have you lloked into the logs?

These machine are having connectivity with Server?

What is the status of AVS defintion of these systems?

Try to clean the defintion

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually
http://www.symantec.com/docs/HOWTO59193

Symantec Endpoint Protection 12.1: How to roll back the BASH definitions to a known good version
http://www.symantec.com/docs/HOWTO53366

whats the sonar definition on your SEPM? you can view that under sepm-servers-liveupdate tab

is your sepm getting updates from Luadmin or from internet, if from Luadmin check if you have select SONAR.

Hi,

Could you please confirm SEPM version details.

There was a known issue.

SONAR definitions display as "out of date"
Fix ID: 2522692
Symptom: When SONAR definitions are up-to-date, they display as “out-of-date” on the SEPM server.
Solution: The SONAR definition version was not formatted correctly in the database. The formatting was resolved to prevent this issue

Reference: New fixes and features in Symantec Endpoint Protection 12.1 Release Update 1

http://www.symantec.com/docs/TECH174565 

#virus012 -: Thanks I have fixed SONAR using this method before. Problem is production machines and I just can't reboot.

#Pete4u2002 -: Getting updates from the Management Console, not live update

#Ambesh_444 -: Yes all other definitions are getting updated, only SONAR is not updating correctly.

#Sumit G -: Thanks but unfortunately I cannot reboot.

#Rafeeq -: I installed the updated client to approximately 300 machines only 13 have not received the correct SONAR Defs.

#Chetan Savade -: Version 12.1, I don't think that what you highlighted is my problem.

Is there a way I can fix this without a reboot??????

is it possible to post the sylink log?

There has been a new SONAR update released and all my machines now have the correct content and my site is green........Happy days. Makes me wonder why they would not pick up the correct definition when the client was installed. All good now though with no need to intervene or reboot. Thanks to all.

Hi,

That's a good news.

SEP 12.1 does automatically cleanup of corruption definitions if there are any.

Hi Matt,

Great your issue issue resolved.

What is the exact version you are running in 12.1 ?

#sumit G -: We are running 12.1.2015.2015

when you get a chance upgrade to 12.1.3

Virus definitions don't update

Fix ID: 3075004

Symptom: The virus definitions do not update, but this issue does not appear to be related to a specific update. Restarting the computer may resolve this issue.

Solution: Changed a pre-cleanup process to prevent potential deadlocks.

http://www.symantec.com/business/support/index?page=content&id=TECH206828

Hi

Please upgrade to SEP 12.1.3

Regards

Hello,

There was a known issue about this - have a look at this article:

SONAR Definitions are not updated on SEP 12.1 Clients.

http://www.symantec.com/docs/TECH178125

I would suggest you to Migrate the SEPM and SEP clients to the Latest version of SEP 12.1 RU3 as 

SONAR and IPS Intelligent updater (IU) are now available on :

http://www.symantec.com/security_response/definitions.jsp

NOTE: These SONAR and IPS Intelligent updater are only for SEP 12.1 RU3.

Hope that helps!!