Endpoint Protection


What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

  • 1.  What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 09:27 AM

    It was brought to my attention a short time back that several of our workstations are communicating directly with http://liveupdate.symantecliveupdate.com/. Per our LiveUpdate Policy configuration this should not occur. If a SEP client requires an update it will only attempt to connect to our GUP or the SEPMs. In reviewing our Web Filter logs I was able to identify what exactly they were requesting to download. My problem now is what are these items that some of these machines are attempting to download? Below is an example of one of the file paths I found. Note how ridiculously long the path is. Does anyone know what it's doing?

     

    http://liveupdate.symantecliveupdate.com/F200%5E$ab$88$d9$ff$b0$1fM$1e_F201%5E$ab$88$d9$ff$b0$1fM$1e_F202%5E$f43$60$d1$60$f2$f9$ad_F203%5E$9b$acv$83$d1$06$1b$f9$04$e7$95z$ea$af$d1$e1_F204%5E$9ey$e5TGM1t$a4$e0T$94$d48f$9b$90lx$89$b7$8b$a2$d81$e6$cd$b0$5bW$a7$0d4$fe$03K_$81$9f$9dL$12$f7o$8c$87%5E$01$22$ad$7dQ$b1$e8$b3f_F205%5Ea4kPqwZLZB+Wfbif9u2tcPWa/xYedoIUQAAAAA_F206%5E$10$9f$bb$00$14$93$c24



  • 2.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 09:31 AM

    In your LU policy, did you uncheck "Use a LiveUpdate server"?



  • 3.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 09:33 AM


  • 4.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 10:30 AM

    What version of SEP are you using? This has been known to happen on some of the older versions (i.e. use LiveUpdate even when it's not meant to):

    http://www.symantec.com/docs/TECH95946



  • 5.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 11:50 AM

    Brian -

    "Use a LiveUpdate Server" is unchecked.  The only fields checked are GUP and Use Default Management Server.  And within the GUP settings only Use a Single GUP Provider is checked.

    Aashish -

    According to the SEPM and the SEP Client the machines in question do have the most up to date Policy applied to them.  So they should not be making any attempts to LiveUpdate Servers.

    SMLatCST -

    We're currently running 12.1 RU2 on all SEPMs and GUPs.  The machines currently exhibiting this issue are running primarily 11 RU6 MP2



  • 6.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 12:11 PM

    Have you tried recreating the LU Policy for this client? It looks as if it was corrupted somehow, or clients were not able to properly process it.



  • 7.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Broadcom Employee
    Posted Feb 01, 2013 12:29 PM
    Also check if there is any location awareness set.


  • 8.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 01, 2013 12:30 PM

    It is down to the way the clients process the policy, so upgrading the client should (hopefully) do the trick!  The version of the SEPM or GUP would have no bearing on how the v11 client chooses to (mis)behave



  • 9.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 03, 2013 10:17 PM

    Roughly how many clients affected?

     

    Your settings sound good... might be a bug/issue with the LU policy at the client end...



  • 10.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 03, 2013 10:51 PM

    Hi,

     

    Kindly check the below step

    http://www.symantec.com/business/support/index?page=content&id=TECH96419&locale=en_US

     

    Maximum time that clients try to download updates from a Group Update Provider before trying the default management server

    This option lets clients bypass a Group Update Provider if they try and fail to connect to the Group Update Provider. You can specify a length of time after which clients can bypass the Group Update Provider. When clients bypass the Group Update Provider, they get content updates from the default server.

    Select one of the following options:
    • Check Never if clients only get updates from the Group Update Provider and never from the server. For example, you might use this option if you do not want client traffic to run over a wide area connection to the server.
    • Check After to specify the time after which clients must bypass the Group Update Provider. Specify the time in minutes, hours, or days. 

     

     



  • 11.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 03, 2013 11:54 PM
    Hi, you might have used RU1 before RU2. Was the problem there with RU1 also? Because if you have gone through all the above comments, I don't think there is any setting issue in your case. Try to recreate the package and reinstall; otherwise it could be a bug. Thanks, Zafar


  • 12.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Posted Feb 04, 2013 08:31 AM

    After reviewing the link provided I believe this is exactly what I'm experiencing.  It appears that since we're primarily running SEP 11 RU6 MP2 we're experiencing the bug associated with these previous versions.  It sounds like once we move to 12.1 RU2 this will be eliminated.

    Thank you for your help.



  • 13.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?
    Best Answer

    Posted Feb 05, 2013 05:04 AM

    Hi there,

    Below is an example of one of the file paths I found. Note how ridiculously long the path is. Does anyone know what it's doing?

    http://liveupdate.symantecliveupdate.com/F200%5E$ab$88$d9$ff$b0$1fM$1e_F201%5E$ab$88$d9$ff$b0$1fM$1e_F202%5E$f43$60$d1$60$f2$f9$ad_F203%5E$9b$acv$83$d1$06$1b$f9$04$e7$95z$ea$af$d1$e1_F204%5E$9ey$e5TGM1t$a4$e0T$94$d48f$9b$90lx$89$b7$8b$a2$d81$e6$cd$b0$5bW$a7$0d4$fe$03K_$81$9f$9dL$12$f7o$8c$87%5E$01$22$ad$7dQ$b1$e8$b3f_F205%5Ea4kPqwZLZB+Wfbif9u2tcPWa/xYedoIUQAAAAA_F206%5E$10$9f$bb$00$14$93$c24
     

    That is anonymous telemetry data rather than a request for a file.  These can safely be ignored. This article has some more information:

    LiveUpdate Administrator 2.x Distribution Center logs contain "400 - URL" or "404 0 3" Entries
    http://www.symantec.com/docs/TECH171531 
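
For triaging web filter logs like the ones described in this thread, the following added example (not from the thread or from Symantec) counts, per client, requests shaped like the telemetry URL above versus any other request to the LiveUpdate host. The field layout is an assumption inferred from the posted URL; the log format, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

LIVEUPDATE_HOST = "liveupdate.symantecliveupdate.com"  # host named in the thread
# Assumption inferred from the posted URL: a telemetry path is a run of
# "F<3 digits>^<value>" fields joined by "_" ("%5E" is a URL-encoded "^").
FIELD_START = re.compile(r"F\d{3}\^")
FIELD_BOUNDARY = re.compile(r"_(?=F\d{3}\^)")

def telemetry_fields(url):
    """Return {tag: raw value} if the path has the telemetry shape, else None."""
    path = unquote(urlsplit(url).path).lstrip("/")
    if not FIELD_START.match(path):
        return None
    fields = {}
    # Values can contain "_" and "^" themselves, so split only where "_" is
    # followed by the next field tag and cut each field at its first "^".
    for chunk in FIELD_BOUNDARY.split(path):
        tag, _, value = chunk.partition("^")
        fields[tag] = value
    return fields

def triage(log_lines):
    """Count telemetry-shaped vs. other LiveUpdate requests per client."""
    counts = defaultdict(lambda: {"telemetry": 0, "other": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:          # constructed format: time, client, URL
            continue
        _time, client, url = parts
        if urlsplit(url).hostname != LIVEUPDATE_HOST:
            continue
        kind = "telemetry" if telemetry_fields(url) is not None else "other"
        counts[client][kind] += 1
    return dict(counts)

# Constructed sample lines; the telemetry paths imitate the shape of the
# URL in the thread and are not real captured values.
BASE = "http://" + LIVEUPDATE_HOST
SAMPLE_LOG = [
    "2013-02-01T09:01:12 10.0.0.21 " + BASE + "/F200%5E$ab$88_F204%5E$03K_$81$87%5E$01_F206%5E$10$9f",
    "2013-02-01T09:01:40 10.0.0.21 " + BASE + "/constructed-content-file.zip",
    "2013-02-01T09:02:03 10.0.0.34 " + BASE + "/F200%5E$ab$88_F201%5E$ab$88",
    "2013-02-01T09:02:30 10.0.0.34 http://intranet.example/index.html",
]
if __name__ == "__main__":
    for client, c in sorted(triage(SAMPLE_LOG).items()):
        print(client, c)
```

Clients with a non-zero "other" count are the ones worth checking against the LiveUpdate policy, since those requests are not telemetry-shaped.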
     

     



  • 14.  RE: What are my SEP Clients downloading from liveupdate.symantecliveupdate.com?

    Broadcom Employee
    Posted Feb 05, 2013 06:38 AM
    Awesome for making this point, Mick :-). Thumbs up!