How to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

Article: TECH97190  |  Created: 2009-01-03  |  Updated: 2011-08-16
Article Type: Technical Solution



I am concerned that my clients are receiving updates from a source other than their Symantec Endpoint Protection (SEP) Group Update Provider (GUP).



  • Enable Sylink debugging on the client in question.

  SylinkWatcher and SylinkMonitor - tools for real-time debugging of SPA 5.x and SEP 11.x

  How to enable Sylink Debugging for Symantec Endpoint Protection in the registry


  • Search the Sylink log for the GUP's IP address embedded in an HTTP command. If the GUP is the source of the update, you will see the following line in the Sylink log:


Note that the port for the GUP is 2967 (unless configured otherwise). This indicates the source is a GUP.

  • Do not confuse this with the log entry that shows which server the client is checking in to. A GUP cannot manage a client, so you will still see the client connecting to the Endpoint Protection Manager.

11/05 08:18:07 [3144] <GetFirstServer> Using server ''
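The check described above can be scripted. This is an added example, not part of the original article or of Symantec's tooling: it separates `<GetFirstServer>` check-in lines from HTTP requests and flags any request whose IP and port do not match the GUP. The function names are hypothetical, and the lines in `SAMPLE_LOG` are constructed (including the wording of the HTTP request lines); the script assumes only that the request URL carries the source IP and port.

```python
import re

# Matches an HTTP(S) URL whose host is an IPv4 address, with an optional port.
URL_RE = re.compile(r"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", re.I)
DEFAULT_PORTS = {"http": 80, "https": 443}

def classify_sylink_lines(lines, gup_ip, gup_port=2967):
    """Sort Sylink log lines into GUP requests, other HTTP sources, and check-ins."""
    result = {"gup": [], "other": [], "checkin": []}
    for line in lines:
        line = line.rstrip()
        # <GetFirstServer> names the management server the client checks in to,
        # not the content source, so it is kept out of the download verdict.
        if "<GetFirstServer>" in line:
            result["checkin"].append(line)
            continue
        for scheme, host, port in URL_RE.findall(line):
            port = int(port) if port else DEFAULT_PORTS[scheme.lower()]
            bucket = "gup" if (host, port) == (gup_ip, gup_port) else "other"
            result[bucket].append((host, port, line))
    return result

def updates_only_from_gup(result):
    """True when at least one HTTP request went to the GUP and none went elsewhere."""
    return bool(result["gup"]) and not result["other"]

# Constructed sample lines using documentation addresses (192.0.2.0/24).
# Only the <GetFirstServer> layout follows the article; the wording of the
# HTTP request lines is an assumption made for this example.
SAMPLE_LOG = [
    "11/05 08:18:07 [3144] <GetFirstServer> Using server '192.0.2.10'",
    "11/05 08:18:09 [3144] HTTP GET http://192.0.2.50:2967/content/placeholder",
    "11/05 08:19:30 [3144] HTTP GET http://192.0.2.10:8014/content/placeholder",
]

if __name__ == "__main__":
    res = classify_sylink_lines(SAMPLE_LOG, gup_ip="192.0.2.50")
    for host, port, line in res["other"]:
        print(f"non-GUP source {host}:{port} -> {line}")
    print("updates only from GUP:", updates_only_from_gup(res))
```

Entries in `other` can include the client's own traffic to the Endpoint Protection Manager, so read each one before concluding that content came from a non-GUP source.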

For more detailed information, please refer to the following document:

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection

