Endpoint Protection


Users get "Old Virus Definition File" message

  • 1.  Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 05:00 PM
    Lately, users get this message whenever they turn the machines on after being off 2 days for the weekend.  It should not be appearing until the machines are 4 days out of date.
    Regardless, the message stays for hours unless the user opens the GUI and clicks on FIX.
    We also get this message when a new machine is built and Endpoint installed through Group Policy for the first time.  It will not update definitions in a timely manner unless we take manual steps to make it update.

    I want the client software to just automatically update and not pop up a message unless communication with both our internal update server and Live Update is failing.

    There is no reason to make the users manually open the interface and request definition updates if the software already knows it needs updates and has access to updates.
    This is stupid and just increases calls to the help desk.
    SEPM and clients are both MR4 MP1.

    Is there some way to change this behavior?


  • 2.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 05:15 PM
    There has been an issue with this that has been reported to Symantec Tech Support. You should call in and open a case and they will provide you with a workaround. If anyone else has experienced this issue, please post in case this issue ends up being different than the one that was submitted before.

    Thanks,

    Grant


  • 3.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 05:24 PM
    I just tried changing communication settings to "Push Method" instead of Pull Method and the machines updated within a minute, but I'm concerned that the Push method will add too much network traffic if we leave that on 24/7.
    Tech Support has a different workaround?


  • 4.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 05:35 PM
    Well, tech support has a workaround for your listed error message. That error message might be caused by a bug in the console. I am not sure if it is your same problem, however, but I thought you might want to give it a try. How many clients are you planning to push out definitions to?


  • 5.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 05:57 PM
    There are about 400 clients in the office and many of those are laptops or desktops that are powered off, or go into sleep mode over the weekend.
    Monday morning when they log in, the users are greeted with this warning box and a need to update manually to get the definitions caught up.

    When we build a new machine the definitions installed are out of date and they do not update unless we do it manually by opening the client and clicking on FIX.
    I tried just right clicking on the Endpoint shield and selecting Update Policy, but it doesn't update the definitions.


  • 6.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 06:17 PM
    What was your heartbeat interval for pull mode? Also do you have a firewall on your server?

    My thought thus far is that your network might be slow, so the first 200 clients or so are still obtaining their definitions from the weekend and the other 400 are still in the queue saying "my definitions are out of date". This is most likely the case since over the weekend you would have to push out a full definition set. According to another in our support staff, for this many clients it would be over 2 gigs of information, so it would take a while before all 600 clients would be fully updated.

    Another thought is that maybe your heartbeat intervals are not catching up on Monday morning when you are trying to update. For instance, if you have your heartbeat set to every 30 min, then your clients are not getting those definitions until 30 min after startup (although this does not make sense, because the first thing that the machine should do on startup is talk to the SEPM).

    My last thought which could be the case since Push works better than Pull is that you have a firewall on your server that is restricting your client updates. If you do have a firewall on the server please post and we can look into what we need to do to resolve this issue.

    Thanks,
    Grant


  • 7.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 06:30 PM

    I have changed it to Push today, but the Pull interval was every 4 hours.  I would think that when the machine is brought out of sleep mode on Monday, it should then update immediately since much more than 4 hours had passed since the last communication with the server on Friday.
    All of the clients do not go into sleep mode, many are workstations and servers that stay powered up all the time, so maybe 200 are brought out of standby on Monday morning and those are the ones that have the problem (besides newly created machines).

    There is no firewall on the SEPM server.



  • 8.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 06:35 PM
    No, you are exactly right, it should update immediately when it comes out of sleep mode. One thing to consider, if it really is just a network load of 200+ machines updating at once, is to randomize the time of your updates. You can set this up to 8 hrs. So instead of all the machines updating right when they wake up, they would update randomly over those next 8 hrs. If the network load is the case then I think this would help dramatically.

    Grant


  • 9.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 06:41 PM
    Please review your LiveUpdate settings; please check the link below:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2008032011064948?Open&dtype=corp&src=&seg=&om=1&om_out=prod

    Btw, is this happening on all clients?



  • 10.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 10:05 PM
    I don't think it's network load because this is a new problem and all the machines are not turned on simultaneously at the exact same instant.  People come in in the morning and wake up their PC at different times and the updates are already set to randomize 5 minutes.  When I set it to Push Mode today, the machine I was looking at updated right away and if it was network traffic, that wouldn't have worked because Push Mode probably causes even more network traffic.
    If we randomize it to 8 hours, then that means the users would be looking at that error message for up to 8 hours on Monday and calling the help desk asking about it.

    The virus definition out of date criterion was changed from 4 days to 2 days several weeks ago and we started getting the warning message, so I changed it back to 4 days, but the warning message after 2 days never went away.

    There are 2 problems:

    First problem:  PCs take a very long time to update definitions after waking up from sleep mode.
    Second problem:  "Old Virus Definition File" message pops up on users' desktops even though it should not until 4 days.  These machines have 2-3 day old Friday definitions on Monday morning and should not be displaying this virus definition warning until at least Tuesday.


  • 11.  RE: Users get "Old Virus Definition File" message

    Posted Apr 27, 2009 11:00 PM
    You could set it to keep trying for 4 hours; setting randomization intervals could work if set between 1 and 2 hours.
    And maybe change the frequency. I've observed that if set to check for updates every hour, some machines do get left out. Maybe make it 4.

    I think the update of settings, if in push mode, doesn't reach all the clients, the same way your definitions haven't.

    Have you thought of setting up a 2nd server for update purposes? It would only contain the definition files and maybe share the load of the primary server. The OS could also dictate the maximum number of connections per unit time.


  • 12.  RE: Users get "Old Virus Definition File" message

    Posted Apr 28, 2009 01:14 PM
    Mon might have an idea, setting up a separate LU or GUP. How many clients are we talking about here?


  • 13.  RE: Users get "Old Virus Definition File" message

    Posted Apr 28, 2009 03:54 PM
    Just wondering how things were coming, NetUser. Also, to answer Paul's question, he has about 400 clients, some of which get shut off or put into sleep mode over the weekend.

    Grant-


  • 14.  RE: Users get "Old Virus Definition File" message

    Posted Apr 28, 2009 09:55 PM
    Are these clients in the same building? There could be problems if they are in a different location. Bandwidth could be an issue.


  • 15.  RE: Users get "Old Virus Definition File" message

    Posted Apr 29, 2009 01:30 PM
    Hi Grant, thanks for the reply. For 400 users I think there's no need for GUP if it's only in the same building or office. Best thing to do would be to check your LiveUpdate settings, check if these policies are applied to the clients. Make sure that you assign them properly.

    What is the status of the clients? Do they have a green dot on the SEP icon in the system tray?


  • 16.  RE: Users get "Old Virus Definition File" message

    Posted Apr 29, 2009 04:11 PM
    I changed the setting of "Display a warning message when definitions are outdated" from 4 days to 5 days and I will see what happens next Monday.
    Maybe machines that received updates on Thursday and didn't get a definition update during the day on Friday are reporting out of date definitions on Monday morning.
    Maybe with a 5 day leeway, that will be enough to prevent the warning message from popping up on Monday.
    I won't know if this works until next Monday.

    On the other hand, even if this works to prevent the warning message pop up, I'm not sure I would be satisfied with a 5 day leeway.  It is not 5 days between Friday and Monday and 4-5 days old definitions may not be adequate protection.
    I would think that there should be little reason for all 400 machines that are online during working hours on Friday to not have Friday definitions before the end of the day on Friday.  The server checks for updates every 4 hours and I have set the clients to pull mode with a 20 minute heartbeat interval.



  • 17.  RE: Users get "Old Virus Definition File" message

    Posted Apr 29, 2009 04:16 PM
    Hi NetUser, you could also check the System Log, under Client Management. Check when the updates are being loaded; you might get an idea of when to schedule the updates.


  • 18.  RE: Users get "Old Virus Definition File" message

    Posted May 04, 2009 01:19 PM
    @Paul: "For 400 users I think there's no need for GUP if it's only in the same building or office". I think that would depend on how the network was implemented.

    @NetUser: What is the current schedule and leeways set for the update?


  • 19.  RE: Users get "Old Virus Definition File" message

    Posted May 06, 2009 11:32 AM
    I changed the notification to wait for the definitions to be 5 days old before warning and that cured the problem of the pop up notifications on Monday mornings, but it seems like more of a workaround than a fix, because there are not even 3 days between Friday afternoon and Monday morning.
    4 days should have been enough even to account for occasional 3 day weekends.


  • 20.  RE: Users get "Old Virus Definition File" message

    Posted May 06, 2009 02:11 PM
    Have you monitored the network traffic during Mondays? Check also the reports to get a statistic on the virus definitions during Tuesday or Wednesday to see if there is a trend in the frequency of updates for certain workstations. We do find that some workstations in our office are updated at least every hour while the others are a few days old.


  • 21.  RE: Users get "Old Virus Definition File" message

    Posted May 10, 2009 10:13 AM
    Please review your LiveUpdate settings; please check the link below:

    http://service1.symantec.com/SUPPORT/ent-security....


