Endpoint Protection

In Symantec Endpoint Protection, the Proactive Threat Protection is shown as disabled because it is waiting for updates.  

However when I run LiveUpdate Express, the update fails as follows:

Installing Submission Control signatures (1 of 1), failed.
LU1812: A program that was part of this update failed when it ran.  This update was not applied.  

Checking the logs (Log.LiveUpdate file), I notice these related errors:

2010/1/4, 23:02:31 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\1257995028jtun_the_scd.zip.full.zip", Dest Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100"
2010/1/4, 23:02:31 GMT -> 1257995028jtun_the_scd.zip.full.zip is in RAR format.
2010/1/4, 23:02:31 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\1257995028jtun_the_scd.zip.full.zip", Dest Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100", HR: 0x0      
2010/1/4, 23:02:31 GMT -> Added package to cache...
2010/1/4, 23:02:31 GMT -> Before expansion, the commandLine is [SavSubmissionEngineData]\scd.xml
2010/1/4, 23:02:31 GMT -> After expansion, the commandLine is C:\Documents and Settings\All Users\Application Data\Symantec\SAVSUB~1\\scd.xml
2010/1/4, 23:02:31 GMT ->     DIS - UPDATE("C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\scd.xml", "C:\Documents and Settings\All Users\Application Data\Symantec\SAVSUB~1\") <BEGIN>
2010/1/4, 23:02:31 GMT ->     DIS - UPDATE(0x0) <END>
2010/1/4, 23:02:31 GMT ->     DIS - LAUNCHEX2("C:\Program Files\Common Files\Symantec Shared\SAVSubmissionEngine\", "subupdt.exe", "C:\Documents and Settings\All Users\Application Data\Symantec\SAVSUB~1\\scd.xml", 0) <BEGIN>
2010/1/4, 23:02:31 GMT ->         Launching commandline C:\Program Files\Common Files\SYMANT~1\SAVSUB~1\subupdt.exe C:\Documents and Settings\All Users\Application Data\Symantec\SAVSUB~1\\scd.xml.
2010/1/4, 23:02:32 GMT ->         Executable returned error code -2147024773.
2010/1/4, 23:02:32 GMT ->     DIS - LAUNCHEX(0x802A0023) <END>
2010/1/4, 23:02:32 GMT -> Progress Update: PATCH_ERROR: Patch File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\1257995028jtun_the_scd.zip.full.zip", Script File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\SavScd.dis", HR: 0x802A0023
2010/1/4, 23:02:32 GMT -> HR 0x802A0023 DECODE: E_DIS_LAUNCHEX_FAILED_PROCESS_EXIT_CODE
2010/1/4, 23:02:32 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\1257995028jtun_the_scd.zip.full.zip", Script File: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt100\SavScd.dis", HR: 0x802A0023
2010/1/4, 23:02:32 GMT -> HR 0x802A0023 DECODE: E_DIS_LAUNCHEX_FAILED_PROCESS_EXIT_CODE
2010/1/4, 23:02:32 GMT -> EVENT - PRODUCT UPDATE FAILED EVENT - Update available for Submission Control signatures - 11.0 - SymAllLanguages. Update for Submission Control Data takes product from update 0 to 91111048. Server name - liveupdate.symantecliveupdate.com, Update file - 1257995028jtun_the_scd.zip, Signer - cn=Symantec Corporation,ou=Usage - Prod02SigningToken,ou=Locality - Arizona,ou=Product Group - LiveUpdate,ou=SymSignature,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1812, => The install script for this update was unable to launch a file it needed.  LiveUpdate aborted the update install.

All the files referenced are present (scd.xml is there, and of course, the executable subupdt.exe is there too)

So somehow the subupdt.exe application is failing to run properly.  However, I have no idea how to fix it.  Any suggestions would be appreciated thanks!

Hi,

You need to remove the definitions from SEPM, using the following KB:

https://www-secure.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm#new

Then uninstall liveupdate from the server.

Install liveupdate again.

go to command prompt and to the following location:

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\

type the command " lucatalog -update " -> It will re-register the liveupdate catalog with SEPM.

If you have a SEP client installed on the server, perform a repair install on the client to make it re-register with liveupdate component.

Now you can run the liveupdate again from SEPM.

Let us know if the issue persists.

Cheers,
Aniket

Is your Antvirus defintions updated???

Title: 'The date of the definitions in Symantec Endpoint Protection clients and Symantec Endpoint Protection Manager remain at Dec 31 2009'
Document ID: 2010010308571348
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010010308571348?Open&seg=ent

Thanks for your replies!

I only have access to SEP on my machines.  SEP is provided by my university for use, so I am not able to access SEPM, if they have SEPM servers running.  Are there any analogous instructions for a fix on my client machine with SEP installed?  Incidentally, I have another machine on which LiveUpdate with SEP appears to be working correctly (I receive no errors and the PTP is shown as enabled).  

Also, I do appear to have the latest virus definitions on both the broken and working machines (December 31, 2009 r114). 

I started experiencing this problem after portions of the filesystem on my machine were reshuffled.  I reinstalled SEP and was presented with this issue.  I have also tried uninstalling SEP and LiveUpdate, and reinstalling to no avail.  

Is there a place on the client machine where some corrupt files or registry keys may still exist?  

Hi Ashyu could you please tell us since when are you expreicing this issue ?

Hi,

Having the definitions of 31'st Dec. is a known issue and symantec is working on it.

Please check the following link:

https://www-secure.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

You dont need to worry. It will be taken care of automatically when the issue will be resolved, the definitions will update automatically.

About the issue with the submission control, you need to contact the university and check if the definitions on their SEPM are updated for Submission Control.

Aniket

In how many computer you are facing this problem?
Only in one then try this
Go to add remove programs
Remove SEP client
delete following folders if exist
C:\Program Files\Symantec
C:\Program Files\Symantec AntiVirus
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec
Install SEP client once again
Before doing thi spls assure that your problem is not this
Security Content for Symantec Endpoint Protection clients and Symantec Endpoint Protection Managers are dated Dec 31 2009 even when using the latest definitions 
OFFICIAL STATUS: SEPM Definitions stay at 31-12-2009 (LAST UPDATED: 04-JAN-2010)

Hi Prachand,

I started experiencing this issue after reshuffling some of my filesystem.  My guess is that the DOS 8.3 filename for my Program Files directory has been either removed or changed, as at that time I had noticed that one or more Symantec products had created a directory "PROGRA~1" beside my "Program Files" directory, which then contained a new "Common Files" directory along with some other Symantec directories.  

At that point I tried to reinstall SEP to try to correct this.  It appeared to work in the sense that the Symantec products are no longer updating files in the incorrect "PROGRA~1" directory, but in the "Program Files" directory. 

However since then, the Submission Control updates have continually failed. 

I have tried uninstalling SEP and LiveUpdate, followed by deleting any residual Symantec files in:

C:\Program Files\Common Files\Symantec
C:\Program Files\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec

In addition, I searched for Symantec in the registry and deleting any matching keys. 

Upon reinstallation, however, the problem persists. 

From the logs it appears that the sbupdt.exe is failing.  Does this application depend on any other Windows components that maybe I can check if they are broken for some reason?  

Thanks again for your help

I am only experiencing this problem on one computer. 

What kind of problem should I look for in regards to the definition dates staying at Dec 31 2009?  My antivirus definitions are dated as Dec 31 2009, but have revision markers as indicated by the links you provided.  Is that not the expected behaviour for the mean time while Symantec works out the issue of not allowing for dates pas Dec 31 2009?  

know issue, symantec working on it.
date will remain the same
revision update is done as of now, that should take care.

I think that something is wrong with my Proactive Threat Prevention portion of SEP. 

Whether it was a good idea or not, I tried copying the All Users' Symantec directory from the machine where SEP is fully working over the All Users' Symantec directory on the machine where SEP is not fully working (PTP is disabled).  

After doing this, the PTP still shows as off, waiting for updates.  However when I run LiveUpdate, it says that everything is up to date.  My assumption was that by copying the All Users' Symantec directory that I would pull over the definitions onto the machine, which was unable to install the updates itself.  It appears that this has worked, in that LiveUpdate no longer tries to download anything more?  But on the other hand, PTP is still broken. 

I do not think that this is a problem related to the dates not going past Dec 31?  The SEP should still work regardless of the dates?  (And my other machine is working correctly)

Thanks for everyone's help.  I'm not sure what has happened, but the problem seems to have resolved itself now. 

I'm not entirely what happened - perhaps the definitions I copied over from my other machine were finally picked up?  The interface reports that PTP is now on.  

The question still remains what will happen the next time I need to update the PTP definitions.  I don't know if LiveUpdate will still fail at the Submission Control portion.  

If PTP is not having the updates it will show as waiting for the updates.Normally PTP will not have any updates by the time of installation and it will show as waiting for the updates.This will get changed automatically while getting the updates.
Another possibility is there was a bug which is fixed in MR4MP2
Proactive Threat Protection displays the status "Waiting for Update" after a client migration
Fix ID: 1456698
Symptom: Proactive Threat Protection displays the status "Waiting for Update" after a client migration.
Solution: After migration, Proactive Threat Protection should be "on" and should display the latest version.

ref:Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x