
Windows 2000 no Antivirus definition update with SEPM 12.1

Created: 20 Nov 2012 • Updated: 21 Nov 2012 | 15 comments
This issue has been solved. See solution.

Hi,

I've installed SEP on some Windows 2000 clients and servers after importing the version 11 package to the endpoint manager.

The problem is that the AV definitions are not being updated on these computers. One has stayed with the update of 04/18/2011 R18 and the other with an update from the 15th of November.

I've tried to send an update content command, but the AV definitions don't update.

Just to share that the installation on these servers was not by push but by a saved package, and I manually executed the package on these clients.

Also, both of them are online on the manager, with the update status changed as of today.

What is missing? How can I troubleshoot the problem?

Regards


.Brian's picture

The problem may be that SEP 12.1 does not support Windows 2000.

You can download and run the SEP Support Tool for verification:

https://www.symantec.com/business/support/index?pa...

But I've not seen it supported in 12.1

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

PedroT's picture

Maybe I've misunderstood, but I thought that by installing SEP 11, the manager would see the clients and update the virus.

In fact, the manager (SEPM 12.1) sees and monitors them, but doesn't update the virus definitions.

.Brian's picture

So the client is still on 11.x? Only the SEPM is at 12.1?


.Brian's picture

Does C: have enough free space?

Have you tried running LiveUpdate locally on the client itself?

It's possible the defs are corrupt, you can try clearing them manually:

https://www.symantec.com/business/support/index?pa...


PedroT's picture

Strange, I've run LU on the client, and it updated the definitions... but on the manager the definitions that appear are from the 15th of November, and on the client they appear to be from the 19th of November. But the client is online on the manager.

.Brian's picture

So which is out of date, SEPM or SEP clients?


PedroT's picture

In the SEP client, it is up to date, with the latest virus definitions. But in the list of clients in SEPM, it displays an old virus definition for that same client, and it seems that it doesn't update.

In fact the problem seems to be in SEPM, as it doesn't update to the correct info of the definitions that the client has.

.Brian's picture

Ok, so it seems to be more of a cosmetic issue.

If you force the client to check in with the SEPM by right clicking the icon and selecting "update policy" it still doesn't show up to date?

Follow the directions in this article:

http://www.symantec.com/business/support/index?pag...

It's not the exact issue but slightly similar; perhaps the DB needs to be cleaned up.


sandra.g's picture

Sorry, I wrote this up while a whole other conversation was taking place--take it or leave it :)

---

Which version of 12.1 are you using, and which version of 11.x?

When you did the manual installation of 11.x, was it while physically present at the server, or over a terminal connection (just curious)?

> One has stayed with the update of 04/18/2011 R18 and other a update from last 15 of November.

If I had to guess, the only reason the second one updates is that it was able to run LiveUpdate and connect to the Symantec LiveUpdate servers.

You haven't made any changes to the LiveUpdate Content policy for the group these clients are in, have you, to exclude content? (Policies > LiveUpdate > LiveUpdate Content tab)

Are your 12.1 clients updating correctly? Is your SEPM fully updated (Admin > Servers > Local Site > under Tasks, click Show LiveUpdate Downloads and look to see what the revision is; I believe that the Virus and Spyware definitions entry are designed to be backwards-compatible with 11.x).

If all looks up to date on the SEPM side, it's either communication problems or possibly definition corruption. Before trying the steps in the above document, it's often just as effective to apply the Intelligent Updater, which can usually handily replace any definition component that might be corrupted. You can download the file from this page--you will want the one that applies to 32-bit systems (should be the first link).

Beyond this, troubleshooting this is probably going to take an examination of sylink debug logging or the LiveUpdate log to determine why the update's failing.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

PedroT's picture

> Which version of 12.1 are you using, and which version of 11.x?

12.1.1101.401

11.0.7000.975

> When you did the manual installation of 11.x, was it while physically present at the server, or over a terminal connection (just curious)?

One of them was through VNC (this one is appearing in SEPM with definitions from 2011), and the other in the Hyper-V console (and in SEPM with definitions of the last 15th, but locally on the client in fact with the 19th). But both used a package created by the SEPM (client deployment -> option "save package" when adding a client; I created the exe and executed it on the client).

> One has stayed with the update of 04/18/2011 R18 and other a update from last 15 of November.
>
> If I had to guess, the only reason the second one updates is that it was able to run LiveUpdate and connect to the Symantec LiveUpdate servers.
>
> You haven't made any changes to the LiveUpdate Content policy for the group these clients are in, have you, to exclude content? (Policies > LiveUpdate > LiveUpdate Content tab)

I've enabled the possibility to use the management server and LiveUpdate (an exception for the Windows 2000 servers, as the other clients don't have this option enabled).

> Are your 12.1 clients updating correctly? Is your SEPM fully updated (Admin > Servers > Local Site > under Tasks, click Show LiveUpdate Downloads and look to see what the revision is; I believe that the Virus and Spyware definitions entry are designed to be backwards-compatible with 11.x).

The clients with 12.1 are updated to the latest one on the server, which is from today (20-11-2012 r17).

> If all looks up to date on the SEPM side, it's either communication problems or possibly definition corruption. Before trying the steps in the above document, it's often just as effective to apply the Intelligent Updater, which can usually handily replace any definition component that might be corrupted. You can download the file from this page--you will want the one that applies to 32-bit systems (should be the first link).
>
> Beyond this, troubleshooting this is probably going to take an examination of sylink debug logging or the LiveUpdate log to determine why the update's failing.

How do I check these logs on the clients?

.Brian's picture

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

http://www.symantec.com/business/support/index?pag...


PedroT's picture

I've activated the log, but I can't understand anything that is wrong.

I've also found that a client on Windows 2000 that is not connected to the internet can't update, because it doesn't get the information from the server manager, but connects to it.

sandra.g's picture

Thanks for the info. So it sounds like both are connected (green dot), one can update but the reporting information isn't making it back to the SEPM, and another is not able to update from the SEPM. Does that sound about right? (VNC and Hyper-V console for installation should be just fine.)

The sylink debug logging is typically reviewed by Support, who know how to interpret what's written there. If you have the logging on during a heartbeat (right-click SEP client shield > click Update Policy) then attach the resulting log file to this thread, I'm sure someone would take a look at it. If the issues are as I described them above, make sure you indicate which problem is happening on which log.

sandra


PedroT's picture

Ok,

So, after some tests, using some tools used here but with no success, I've done a re-install using the push solution.

So, in summary:

I made the .exe file using the third option when adding the clients, and executed the package on the clients with Windows 2000. The AV installed correctly, but didn't update the AV definitions.

So, the next step was to add the client again, but now through the push option, and the AV was re-installed OK, and definitions are being updated.

Also, I couldn't install through push the first time for W2000 computers. But after installing the package manually, it was possible to use the push.

Problem solved.

SOLUTION