Endpoint Protection


Symantec Endpoint Protection Defs out of date on client.

  • 1.  Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 08:45 AM

    Needing some help here. Virus defs are 14 days out of date on close to 75% of the clients in my domain; SEP Manager and GUP SEP clients are up to date on defs. SEPM is on 12.1.5 and most of the 90% clients are on 12.1.4112.4156. I've been on 12.1.5 with no issues for about a month or more, so I don't think there is an issue there.

     

    All of the defs seem to be stuck on 11-27/2014 r17, and from what I have seen in the system logs, the machines that are out of date are still communicating with the server.



  • 2.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 08:49 AM

    Please post the sylink log.

    Try clearing the old virus definitions; corrupt virus definitions may be the cause.

    Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH104539



  • 3.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 08:55 AM

    Run the symhelp tool on one affected client to see what errors come up:

    Troubleshooting computer issues with the Symantec Help support tool

    http://www.symantec.com/docs/HOWTO80839

    Have any changes been made to the GUP policy-wise? Sounds like clients are not grabbing the defs from them.


    You can also enable sylink logging on one client to see the communication.



  • 4.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 09:15 AM

    The SymHelp tool gives me an error about turning the autorun feature off (which I need to look into, but it's not the issue).

    Also, SONAR is not optimally configured, and 12.1.5 is the latest version.

    Going to reinstall the client on this machine to see if that will fix the issue for one machine. Clearing the virus defs on every machine, unless there is an automated way to do so via SCCM or something, is not going to be a feasible option for over 5000 machines. Working on turning debugging on to get the sylink log, but it's giving me trouble too.



  • 5.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 09:19 AM

    This sounds more policy related than anything. Let's check out the sylink logs first.



  • 6.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 09:26 AM

    I'm with Brian on this one, but I think it would be far faster to look at the LiveUpdate Content policies on your SEPM, than waiting for sylink logs.

    Sooooo, do you have any LiveUpdate Content policies set to this specific def revision?  These can be found under POLICIES -> LiveUpdate -> LiveUpdate Content tab...



  • 7.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 09:32 AM

    Under the LiveUpdate Content tab I have the LiveUpdate Content policy, and within that I have Windows/Mac security definitions with everything check-marked and set to "use latest available".



  • 8.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 10:36 AM

    Test this...

    Change the LU policy in any one group so that the clients will contact the SEPM for updates, not the GUPs.

    Check if the defs are getting updated.

    The sylink log would definitely help a lot in this case.



  • 9.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 12:49 PM

    I can see in the system log that the clients are getting whitelist updates from the GUP, so I don't think communication is the problem, and having the clients pull from the SEPM would kill our network; I can't make that change currently. I did download today's updates from Symantec's website and installed them on a few machines, and that worked just fine. May just have to roll that out to the clients and see if they will update going forward.



  • 10.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 01:28 PM

    I can tell from the system log that the clients are communicating with the GUPs and getting whitelist updates, so I don't think the communication is the issue. I did download today's defs from Symantec and installed them manually with no issue. It's like the GUPs have lost their mind and don't have the defs to update, but the antivirus software on the GUPs is up to date.

    I agree that using SEPM to distribute the definitions might fix the issue, but that would kill my network, as the GUP servers are not at the same physical site.



  • 11.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 11, 2014 02:29 PM

    Can you verify on the GUP itself that it's still acting as a GUP? It should show in the System log; sometimes they act funny and quit acting as a GUP.



  • 12.  RE: Symantec Endpoint Protection Defs out of date on client.

    Posted Dec 12, 2014 03:34 AM

    As the others have mentioned, Sylink logs please!

    These should ideally come from the GUP and from one of the problem clients (so we can see both sides of the conversation).