Endpoint Protection

  • 1.  Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 12, 2010 07:00 PM

    I have been running SEPM and SEP clients rather smoothly for a while, but every now and then I notice a few clients stop updating for whatever reason. For instance, today I noticed the usually green dot on the SEP shield in the system tray was showing as a small exclamation point. Turns out all my SEP clients stopped updating over the weekend. I rebooted the SEPM server and then forced an update on all clients and slowly they all started getting the latest definitions.

    While in the middle of troubleshooting this issue, I went into the Monitors, Logs screen to look at the Computer status. I did a sort on "Definitions Date" and noticed a handful that were REALLY outdated, like from Feb and March. Once I did the reboot and client updates, they started getting updated, but I am wondering what causes these clients to not update seemingly randomly at times. I am running 11.0.4202.75 on the majority of these with 11.0.3001.2224 on a handful (will update soon). As we speak I still have one client PC that is showing with a definition date of 04/01/2010 rev.2. SEP is running on this PC. It reports as last checked in just a few minutes ago, but it still won't update. Live Update policy is set to have clients "Use the default management server" and "Use a LiveUpdate server". Clients are in pull mode and heartbeat interval is 3 minutes.

    So I'm trying to figure out what is causing this and possibly a way for me to quickly fix it.  Also, is there a way to get email alerted when clients go out of date or stop communicating with the SEPM server?


  • 2.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 12, 2010 09:22 PM

    You can set up notifications that will email you based on certain client criteria.  I have one that emails me when a risk found is Left Alone by SEP.

    Creating and viewing administrator notifications in SEPM
    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/d28e5621b64d9ddb88257543007672ff?OpenDocument

    In regards to the random clients sometimes not updating definitions, it is probably advisable to upgrade like you already stated you would work towards, but it is to be expected that you'll most likely have to remediate a small percentage of your clients from time to time.  SEP is very good, but with any environment, there will always be some one-offs that might need a little extra attention.



  • 3.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 13, 2010 09:47 AM

    The clients initiate the heartbeat interval and you mentioned that they are in pull mode and the time interval is 3 minutes. This means that most of the clients would contact the SEPM for definitions. Generally, if they are updated regularly, the download size of the definitions is in KBs; however, if some of the clients have received corrupted definitions, then the SEPM would give them the full.zip file for the definition updates. Now this file is big in size and the chances are that the bandwidth is choked. When the client requests the definitions and the SEPM starts preparing them, those clients go into an accelerated heartbeat interval until they get the definitions, thereby putting other clients on a sort of standby.

    This could also happen if some of the clients have switched off the machines and when they reconnect they do add to the bandwidth consumption.


    You may try considering the option of a GUP in your environment which would help the clients update fast.

    You can check the GUP videos on the connect forum site as well.




  • 4.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 14, 2010 05:21 PM

    Thanks guys, good information.

    sandip - what is the likelihood of receiving corrupted definitions? Is there a way I can see if this has happened?


  • 5.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 14, 2010 07:27 PM

    I have had issues in the past with clients and corrupt defs. This KB article got me thru it:

    http://service1.symantec.com/support/ent-security.nsf/docid/2007123111551948

    Also, some clients simply ran out of space on the hard drive. I have seen that before as well.

    As mentioned above, setting up a GUP may help.


  • 6.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 15, 2010 11:27 PM

    Thanks Brian. How did you know the definitions were corrupted?


  • 7.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 15, 2010 11:38 PM

    Would this qualify as a corrupted definition:

    I have a server acting as a GUP at a remote site for the PCs located there. When I do a log check of all my machines, this one shows a file definition date of 3/31/2010. However, when I log onto the machine remotely and open SEP, it says the definitions are dated Thursday April 15, 2010 r.19, which is the most current one. The SEP is flagging me with the yellow exclamation point saying my definitions are out of date, but they clearly aren't according to the date shown. I ran LiveUpdate on the machine and even that tells me everything is up to date. So would this be an example of a corrupted definition?


  • 8.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 16, 2010 09:37 AM
    Possibly. You can designate another as the GUP for a short while and follow Brian's link to rule it out. Can't hurt.


  • 9.  RE: Clients seem to randomly stop getting definitions updates from SEP server

    Posted Apr 16, 2010 10:35 PM

    It was more of just a hunch. In the defs folder there were so many versions in there, something just didn't seem right so I followed the KB and it was fixed. So I chalked it up to that.
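
The symptom from the first post (a client that checked in minutes ago yet still shows 04/01/2010 rev.2) can be separated from machines that are simply not communicating. The following is an added example, not code from the thread or from Symantec: it triages a constructed computer-status export, and the column names, host names and thresholds are assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data; the column names are assumptions, not a SEPM export format.
SAMPLE = """Computer,Definitions,Last Check-in
PC-ACCT-01,04/15/2010 rev.19,04/16/2010 09:30
PC-ACCT-02,04/01/2010 rev.2,04/16/2010 09:28
SRV-GUP-01,03/31/2010 rev.4,04/16/2010 09:29
PC-LAB-07,02/18/2010 rev.3,03/02/2010 17:45
"""

DEFS_RE = re.compile(r"(\d{2}/\d{2}/\d{4}) rev\.\s*(\d+)")


def parse_defs(text):
    """Parse '04/01/2010 rev.2' into (date, revision); None if unreadable."""
    match = DEFS_RE.fullmatch(text.strip())
    if not match:
        return None
    return datetime.strptime(match.group(1), "%m/%d/%Y").date(), int(match.group(2))


def triage(export_text, now, max_defs_age=timedelta(days=3),
           max_silence=timedelta(hours=1)):
    """Label each computer so connected-but-stale clients stand out."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Computer"]
        defs = parse_defs(row["Definitions"])
        seen = datetime.strptime(row["Last Check-in"], "%m/%d/%Y %H:%M")
        if now - seen > max_silence:
            # Powered off or unreachable: old definitions are expected here.
            result[name] = "not-communicating"
        elif defs is None:
            result[name] = "unreadable-definitions"
        elif now.date() - defs[0] > max_defs_age:
            # Heartbeat works but content is not arriving: check the client's
            # definitions folder and free disk space, as suggested in the thread.
            result[name] = "checking-in-but-stale"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE, datetime(2010, 4, 16, 10, 0)).items():
        print(f"{host:12} {status}")
```
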