Endpoint Protection


Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

  • 1.  Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 26, 2013 01:18 PM

    I need assistance on trying to figure out why my machines are attempting to reach out to the following location. Our current LiveUpdate policy states that no machines should go to the Internet to pull updates. They are only supposed to hit the SEPM or GUPs. Can someone explain what these requests are and what portion of the policy configuration directs these requests? The list of requests I see repeatedly is below.

    http://liveupdate.symantecliveupdate.com/sepc$20behavior$20and$20security$20heuristics$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20cids$20signatures$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20extended$20file$20attributes$20and$20signatures$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20iron$20revocation$20list$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20iron$20settings$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20srtsp$20settings_12.1$20ru2_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20submission$20control$20data_12.1$20ru2_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20virus$20definitions$20win32$2012.1$20ru2$20h_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20virus$20definitions$20win32$2012.1$20ru2$20h_microdefsb.error_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru2$20h_microdefsb.curdefs_symalllanguages_livetri.zip

    http://liveupdate.symantecliveupdate.com/sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru2$20h_microdefsb.error_symalllanguages_livetri.zip



  • 2.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 26, 2013 01:34 PM

    It looks to be downloading definitions for the various components.



  • 3.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 26, 2013 01:56 PM

    Bummer....so I'm not sure why it would be doing this. 

    I've found that the majority of the machines making these requests are on the AnyConnect VPN.  If the machine is on the AnyConnect VPN it should be hitting the VPN location policies which just directs them back to the SEPM to pull their updates.  Although instead of them currently hitting this policy they're hitting the Default location group.  What's interesting about this is that the Default location group has the same LiveUpdate Policy applied to it which states only pull VirusDefs from our SEPMs.



  • 4.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 27, 2013 07:08 AM

    Seems to be an issue with clients applying the correct location when being connected to the VPN - which results in wrong LU policies being assigned and requests to Symantec servers. Double check the conditions for location change when VPN is being used and try to reproduce it - how long does it take for the client to switch location - or maybe for some clients it does not work at all.



  • 5.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 27, 2013 12:08 PM

    Hi

    Open the case with Symantec Support for the same

    Support number is 0008004401457

    Regards

     



  • 6.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Broadcom Employee
    Posted Apr 27, 2013 02:07 PM

    Check the location of the client and the LU policy applied.



  • 7.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 27, 2013 02:50 PM

     

    Wow! What a great response SameerU. 

    Unfortunately I've found Symantec support to be less than effective when resolving issues. Luckily there have been several EXTREMELY helpful people who repeatedly assist on the forums (Brian81, SebastianZ, pete4_u2002). I do appreciate their assistance.



  • 8.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 27, 2013 02:57 PM

    So some additional information to this question.  Something that I noticed yesterday while looking into the VPN location was that machines were defaulting to the Default Location which has no conditions applied to it.  Although it is at the bottom of my location list.  I'm wondering 2 things.  

    1. If you have a machine that does not meet any of the criteria in any of the locations created does it not go to the [Default] location or the one that is configured to be the "Choose this location in case of a conflict"? I assumed that would be the case but now I'm starting to wonder if that might be my problem. So for instance, say I have a 10.10.10.0/24 range configured for one location and it's set as the [Default] also. If I have a machine with a 10.10.20.1 IP address does it not default to the [Default] location? I'm thinking this is my issue and I'm currently modifying the criteria for all the groups that currently are experiencing issues.

    2. Does the order of locations top down actually apply to the process of locating a group that fits the machine's criteria?



  • 9.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?
    Best Answer

    Trusted Advisor
    Posted Apr 27, 2013 03:00 PM

    Hello,

    Could you please check that the Location LiveUpdate Policy is properly configured?

    Secondly, check if the policy serial number on the SEPM group is the same as the one applied to the SEP client.

    There are several ways you could perform this depending on what the end results are that you desire.

    When users VPN into the network clients should be able to communicate with the SEPM server. This means they should be able to download updates from the SEPM. The drawback here is that as you have seen if they are not connected to the SEPM at all they won't update. Once they do connect if it has been several days since they last updated they will need to download a full definitions package. Full definitions packages can be quite large and thus have a negative impact on your network.

    The following document will provide you with the simplest location switching configuration to allow users to run LiveUpdate when they are not connected to the SEPM server, however this may not completely meet your desires. As such I would recommend to review the other documentation that I have provided below related to location awareness. There is also a good amount of information in the Administrator Guide included with the downloaded installation files.

    Check these Articles: 

    How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console

    http://www.symantec.com/business/support/index?pag...

    Understanding the Default location setting and creating unambiguous location switching criteria

    http://www.symantec.com/business/support/index?pag...

    Best Practices for Symantec Endpoint Protection Location Awareness

    http://www.symantec.com/docs/TECH98211

    Location Awareness Logic 

    http://www.symantec.com/docs/TECH97097

    More about Location Awareness in Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH97369

     Hope this helps!!!



  • 10.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 27, 2013 10:23 PM

    1. Yes, it will go to the default location. As you mentioned, it sounds like you just didn't set up a condition for it to know where to go. Not sure what you currently use but going by subnet might be easiest, at least just for testing purposes.

    2. I believe it will just check the list in whatever order it is set up, usually goes alphabetically. If it can't find the right location, it will go to the default location.



  • 11.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted Apr 28, 2013 05:39 AM

    Exactly as indicated above by Brian as well:

    - "Choose this location in case of a conflict" - if there is a conflict between locations the preferred location - the one with the checkmark here is being taken

    - but when there is no conflict and the location conditions do not cover the current state of the SEP client - it will switch back to the default one

     



  • 12.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted May 01, 2013 01:56 PM

    So at the moment I'm going to attribute the issue to corrupt policies on the SEP machines.  After modifying the SEP policies to encompass all machines I was still experiencing issues with a handful of machines.  I have attempted to run a CleanWipe and reinstall on these machines and it appears to have resolved the issue with them reaching directly out to the liveupdate.symantecliveupdate.com

    Thanks as always for all of the good suggestions.



  • 13.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted May 29, 2013 09:56 AM

    So as another update to this issue. It actually appears that working with Symantec we were finally able to identify the actual issue. While some machines were on the local network it seems that they would momentarily flip to our "Off Network" location which allows them directly to symantecliveupdate.com. As soon as this attempt occurs then it repeatedly attempts to reach symantecliveupdate.com until it times out (due to the block on our web filter) then by that point it is back to the proper location and is attempting to establish communication with the local Management Server or GUPs. I have not been able to determine the deciding factor on why this is occurring just yet but I'm continuing to troubleshoot why this location flip occurs.



  • 14.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted May 29, 2013 12:32 PM

    I am also seeing this problem and the flipping of locations I feel is also the cause. Seems to be happening mostly to my laptops though.



  • 15.  RE: Why is SEP 12.1 RU2 making requests to symantecliveupdate.com?

    Posted May 29, 2013 12:54 PM

    So I actually disabled "Enable LiveUpdate Scheduling" in my "Off Network" location which did resolve the issue but obviously this makes it so machines do not automatically receive LiveUpdates when not on the network.

    What I found interesting though was that the issue per the debug logs appears to only happen at random times for a split second and then revert back to the proper location. I figured if this was due to connectivity issues while on the LAN I could eliminate this by changing my Location Awareness check period from every 4 seconds to say every 180 seconds. This way if there is a really quick blip on my network it should not change location in that short of time. Unfortunately this did not help. Which now makes me wonder if this is not actually related to a network connectivity issue but actually some bug in the software.

    In general most people would never even know this is occurring on their network unless they have a block in place to symantecliveupdate.com and actually review their logs for blocked requests to symantecliveupdate.com

    If you figure it out please let me know.
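
Added example, not part of any post in this thread: a Python sketch of the log review described in the last posts, which finds clients that contacted liveupdate.symantecliveupdate.com directly and groups their requests into bursts whose timestamps can be compared with location switches in the SEP debug logs. The log layout, the sample lines, the host `sepm.example.internal`, and the reading of `$xx` in the file names as hex escapes (inferred from the URLs in the first post) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LU_HOST = "liveupdate.symantecliveupdate.com"

# Constructed sample; the "time client action url" layout is an assumption.
SAMPLE_LOG = """\
2013-05-29T09:41:02 10.10.10.21 BLOCKED http://liveupdate.symantecliveupdate.com/sepc$20cids$20signatures$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip
2013-05-29T09:41:03 10.10.10.21 BLOCKED http://liveupdate.symantecliveupdate.com/sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru2$20h_microdefsb.curdefs_symalllanguages_livetri.zip
2013-05-29T09:41:30 10.10.10.21 ALLOWED http://sepm.example.internal/content/defs.zip
2013-05-29T11:15:40 10.10.10.21 BLOCKED http://liveupdate.symantecliveupdate.com/sepc$20iron$20settings$2012.1$20ru2_microdefsb.curdefs_symalllanguages_livetri.zip
2013-05-29T11:16:05 10.10.20.7 BLOCKED http://liveupdate.symantecliveupdate.com/sepc$20srtsp$20settings_12.1$20ru2_symalllanguages_livetri.zip
"""

def decode_lu_name(url):
    """Return the requested file name with '$xx' hex escapes decoded."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return re.sub(r"\$([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), name)

def liveupdate_bursts(log_text, gap=timedelta(seconds=60)):
    """Group direct LiveUpdate requests per client into bursts.

    A new burst starts when a client's next LiveUpdate request comes more
    than `gap` after its previous one. Lines must be in time order.
    """
    bursts = defaultdict(list)  # client IP -> list of burst dicts
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        ts, client, _action, url = parts
        if urlsplit(url).hostname != LU_HOST:
            continue  # traffic to the SEPM/GUP or anything else
        when = datetime.fromisoformat(ts)
        mine = bursts[client]
        if not mine or when - mine[-1]["end"] > gap:
            mine.append({"start": when, "end": when, "files": []})
        mine[-1]["end"] = when
        mine[-1]["files"].append(decode_lu_name(url))
    return dict(bursts)

if __name__ == "__main__":
    for client, found in liveupdate_bursts(SAMPLE_LOG).items():
        for b in found:
            print(client, b["start"], b["end"], len(b["files"]), "file(s)")
```
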