
Updating defs on clients and remote admin problems

Updated: 22 May 2010 | 14 comments
NED CIPOLLINI

Good afternoon,

I seem to be having 2 problems. The server is getting the latest updates, but not distributing them to the clients. If I manually invoke an update process, the definitions are downloaded and installed on the clients. There are no errors with LiveUpdate on the server, and looking at the LiveUpdate logs, it logs in every 4 hours as it's set to do. The clients are set to download from the management server (default); should I select the LiveUpdate server instead and schedule the clients to check every x hours? What is the update schedule when set to get updates from the management server? The time setting is greyed out.

Secondly, when I try and remotely administer the server from another PC, I get as far as the Endpoint Protection Manager login page, but it never accepts my login information. I get a "failed to connect to the server" error. I am using default ports (8443) and I've tried with Network Threat Protection off on both client and server with the same results. I am able to install the Java application from http://svr-septest:9090, so I'm not sure what I'm missing.

Thank you,
Ned Cipollini

Comments

NED CIPOLLINI, 06 Nov 2007

Some more information: there is no proxy. If I use a Rapid Release download and manually update, the clients get updated, but otherwise the server shows that the W32 antivirus defs are current with 11/1/2007 as the signature date. LiveUpdate says it's working correctly. Is there any way to reset the LiveUpdate settings?
Carsten Hoffmann, 07 Nov 2007

Hi Ned

Signature Updates:
AMOSS described a fix for this in this thread and it seems to have worked for others as well: https://forums.symantec.com/syment/board/message?board.id=endpointcust&thread.id=1885

Remote Console:
I have seen this behavior when a wrong Java version is installed on the client. Since you downloaded and installed the Java version from your management server you should have the correct version. Did you update your Java version after you downloaded the engine from the management server? Can you access the remote console from your management server?

Carsten
NED CIPOLLINI, 07 Nov 2007

The remote management problem was due to the Java version. I uninstalled Java 1.6 and it works fine. I was part of the thread AMOSS wrote and tried his solution, but the signatures still don't update from the server unless I install them from the Rapid Release download. LiveUpdate runs and completes saying everything is up to date, but if I look at the LiveUpdate content, the downloads are from the last Rapid Release file I manually downloaded. I can post some log information if that would help. I just need to know which log to post. There seem to be many of them.

Thank you for the reply.
Carsten Hoffmann, 07 Nov 2007

Hi Ned,

OK, so we fixed the first problem. Can you do me a favor and try the following to isolate problem number 2:

Go to Policies - LiveUpdate
Select the LiveUpdate Settings Policy
Click the Edit the Policy link in the Task list
Make some change to the policy (e.g. enable Third Party Management on the Server Settings tab)
Click OK
Edit again and undo the change you made.
Click OK

At the bottom of the screen in the Recent Changes window you should now have two entries "Updated shared policies ..."

The management server will now rebuild the policy file and push it to the clients. You can verify that the new policy is downloaded and applied in the System - Client Activity Log on the Monitors page. If the signatures of the client are not up to date you should see an entry "Definition File downloaded" a few minutes after the "New Policy applied" event.

Please let me know if this changed the behaviour. Please also open a support case if you haven't done so.

Thank you

Carsten
NED CIPOLLINI, 08 Nov 2007

I changed the settings as you instructed. The problem isn't that the clients don't upgrade from the server, it's that the server doesn't download the latest updates. It is set to check every 4 hours, and I know for instance right now http://definitions.symantec.com/defs/rapidrelease/vd26d009.jdb (Nov. 8) is available on the Rapid Response page, but my server logs:
 
November 8, 2007 6:24:55 AM EST:  LiveUpdate succeeded.  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:55 AM EST:  LUALL.EXE finished running.  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:55 AM EST:  LiveUpdate will start next at Thursday, November 8, 2007 10:24:55 AM EST on svr-septest  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:55 AM EST:  LUALL.EXE successfully updated the content. Return code = 0;  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:47 AM EST:  Symantec Network Access Control Win64 11.0 (English) is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:46 AM EST:  Symantec Network Access Control Win32 11.0 (English) is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:45 AM EST:  Symantec Endpoint Protection Win64 11.0 (English) is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:45 AM EST:  Symantec Endpoint Protection Win32 11.0 (English) is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:45 AM EST:  Proactive Threat Scan engine Win32 11.0 is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:44 AM EST:  Proactive Threat Scan commercial application list Win32 11.0 is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest] 
 
It looks like it's not even checking for AV updates. I have gone and checked the LiveUpdate settings under Admin > Local Site > Edit Site Properties, and everything is checked along with English, and Default source servers.
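A quick audit of the server-side LiveUpdate log quoted above, added here as an illustration (not code from the thread or from Symantec): it parses the lines, sorts them oldest-first, lists which content items the run reported as up-to-date, and flags a run that returned code 0 without ever mentioning a definitions content item. The sample lines are copied from the post; the `definitions` keyword used to recognise the AV content name is an assumption, not a Symantec identifier.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the SEPM server LiveUpdate log lines from the post (newest first).
SAMPLE_LOG = """\
November 8, 2007 6:24:55 AM EST:  LiveUpdate succeeded.  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:55 AM EST:  LUALL.EXE successfully updated the content. Return code = 0;  [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:45 AM EST:  Symantec Endpoint Protection Win32 11.0 (English) is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
November 8, 2007 6:24:45 AM EST:  Proactive Threat Scan engine Win32 11.0 is up-to-date.    [Site: Legere SEP Test]  [Server: svr-septest]
"""

# One log line: "<timestamp> <tz>:  <message>  [Site: ...]  [Server: ...]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \w+:\s+"
    r"(?P<msg>.*?)\s+\[Site: (?P<site>[^\]]+)\]\s+\[Server: (?P<server>[^\]]+)\]\s*$"
)
UP_TO_DATE_RE = re.compile(r"^(?P<content>.+?) is up-to-date\.$")
RETURN_CODE_RE = re.compile(r"Return code = (?P<rc>-?\d+)")


def parse_log(text):
    """Parse server log lines into dicts and return them oldest-first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-matching line
        ts = datetime.strptime(m.group("ts"), "%B %d, %Y %I:%M:%S %p")
        entries.append({"ts": ts, "msg": m.group("msg"),
                        "site": m.group("site"), "server": m.group("server")})
    entries.sort(key=lambda e: e["ts"])
    return entries


def audit_liveupdate(text, required_keyword="definitions"):
    """Summarise one LiveUpdate run. 'required_keyword' is an assumed substring
    of the AV definitions content name; the run is flagged (definitions_checked
    False) when no 'is up-to-date' line names it, even if LUALL returned 0."""
    entries = parse_log(text)
    checked = [m.group("content") for e in entries
               for m in [UP_TO_DATE_RE.match(e["msg"])] if m]
    rc = next((int(m.group("rc")) for e in entries
               for m in [RETURN_CODE_RE.search(e["msg"])] if m), None)
    succeeded = any(e["msg"].startswith("LiveUpdate succeeded") for e in entries)
    defs_seen = any(required_keyword.lower() in c.lower() for c in checked)
    return {"succeeded": succeeded, "return_code": rc,
            "content_checked": checked, "definitions_checked": defs_seen}


if __name__ == "__main__":
    print(audit_liveupdate(SAMPLE_LOG))
```

On the sample the run reports success with return code 0, yet `definitions_checked` is False, which is exactly the symptom described in the post.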
AMoss, 08 Nov 2007

Ned -

What are the current defs on your server? (Nov 7th, r18?)

The Symantec guys can correct me if I'm wrong...

I'm guessing that they probably are 11/7 r18, and here's the reason why you're not seeing them update to Nov 8.

Rapid Release definitions are the most currently available defs...they are streamlined through the 'system' to allow for immediate mitigation of 'new' threats...however, their QA process isn't quite as 'rigorous' as the process that 'normal' LU defs go through.

It's not recommended, or appropriate in my opinion, to use Rapid Release on a consistent basis. Generally speaking the defs are of good quality; however, I'm sure others will tell you stories of how RR defs had issues that caused them problems.

If I recall correctly, there are generally only 1 or 2 updates to LU defs per day...so you really don't need to configure your server to check every four hours. Best practice is just to have defs update once per day. I generally will schedule the LU updates to occur sometime between midnight and 3 AM so there's some time for the defs to deploy to systems that are powered on prior to the morning rush.

Hope some of this is helpful....

Message Edited by AMoss on 11-08-2007 09:27 AM

NED CIPOLLINI, 08 Nov 2007

You are correct. I know our production 10.1 server checks once per day, and that's fine. The only reason I have the 11/7 r18 definitions is Rapid Release. Before that I had 11/5. I would assume that the 11/8 release would be installed by tomorrow, 11/9. I won't touch it until tomorrow morning if that's the case, and I changed it to update at 3:00am daily as well.

Is there a way of checking what definition is the current def through SEPM other than the SEPM home page? That information doesn't seem to update reliably. I've seen it say that my PC client has no definition installed, and where the installed def is newer than the latest Symantec def.

SEP is a little wacky IMHO.

Thanks for the reply.
AMoss, 08 Nov 2007

I'm not sure if I understand the question completely...but let me give it a shot and maybe I'll get it somewhere :)

It's important to remember that the SEP client installed on the SEPM server OS is a client to the SEPM server...with that in mind....

On the console, you can see the latest defs downloaded via LU by selecting 'Admin', then 'Servers', then 'Local Site', then 'Show LiveUpdate Downloads'.

While still on the 'Admin', 'Servers' page, select a specific server and you'll see when it last updated, but it doesn't tell you with what version here....just when it checked in and processed defs/content/etc.

The first time I was trying to find which client was the one slice in that definition pie chart that wasn't updating...I got a little frustrated. Then I remembered '...go to the logs...' If you've never used SAV Reporter, you won't exactly know what I'm talking about...but you'll soon become familiar. The home page and reports are GREAT for high-level information, but they're not going to give you the detail you need when you run into an issue. Remember, reports are for trending and exposing a potential issue...the logs are where you actually trace them down.

To find defs on individual clients (including server clients)...
In the SEPM console, select 'Monitors', then the 'Logs' tab. Under 'Log Type', select 'Computer Status'. If you select 'Advanced', you'll see many options for narrowing your search (so..you could search for clients whose defs were older than 30 days, as opposed to seeing all clients and having to sort through them). Then click on 'View Log'. Now you'll see all your machines and their individual def dates.

We can go deeper into the system logs...but I'm hoping this answers your question...

Message Edited by AMoss on 11-08-2007 12:16 PM

NED CIPOLLINI, 08 Nov 2007

Thank you for the information. I am concerned about the server being updated from Symantec. The clients, including the server, get updates, when they are available, from the SEPM server. That isn't the problem.

I wanted to know how to determine what should be the current definition so I can determine if the server is up to date. The logs I have seen show that the definitions are up to date, but when I installed the server on 11/1, the definitions would not update from 11/1 until I manually updated them from Rapid Release on 11/5. On 11/7, I ran a manual update from SEPM > Admin > Servers > Local Site > Download LiveUpdate Content and it downloaded the current defs, 11/7 r18. The server was set to automatically check every 4 hours, and it never downloaded those definitions.
NED CIPOLLINI, 08 Nov 2007

I see now that 11/8 r16 is the latest according to the SEPM home screen. I have set the server to update overnight at 3am. I will check the logs in the morning to see if it downloaded the new defs.
AMoss, 08 Nov 2007

Gotcha, now I think we're on the same page....let's hope your server updates tonight!

You can quickly find which 'regular' defs are the most recent and available from Symantec by clicking on the 'Definitions' link next to the ThreatCon logo/bar in the Security Response section...if you're not trusting the information under the Virus Defs section (mine was just out of sync, but now I see it's updated).

NED CIPOLLINI, 08 Nov 2007

That is what I was looking for and it was staring me in the face the whole time. How embarrassing. Hopefully the server updates tonight.

Thanks!
NED CIPOLLINI, 09 Nov 2007

The definitions updated correctly and were distributed to the clients. Great! Let the testing continue.

Thank you for your help, AMoss.

Ned
NED CIPOLLINI, 13 Nov 2007

Apparently the W32 defs don't want to update during the scheduled 3am update. I manually had to run a LiveUpdate this AM. I hope this is a one-time occurrence.