Endpoint Protection

Hello,

I have been seeing the following message at all of my clients running SEPM 12.1.6 since August 9th.  We are talking multiple sites and multiple installations.  There appears to be something wrong with the defintiion download set.  All sites are still on August 8, 2017 r11 deitintions for Network Threat Protection.  I was hoping this would be fixed on its own, but we are going over two days now.  When will this be fixed?  Thanks for your help!

Error Message From System Event Email

Symantec Endpoint Protection Manager could not update Client Intrusion Detection System signatures 12.1 RU6. 

Error in Log.Live Update

8/11/2017, 13:09:46 GMT -> EVENT - PRODUCT UPDATE FAILED EVENT - Update available for SEPM CIDS Signatures 12.1 RU6 - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 170808011 to 170810011. Server name - , Update file - 1502401714jtun_ips_sep170808011-170810011.x01, Signer - , package install code 0. The Update executed with a result code of 1849, => LiveUpdate could not process the PreCondition for this update because it contained a syntax error.  LiveUpdate aborted this update.

Hello,

FYI - I have a similar situation at my location too.  I get this error ~ every 4 hours since 2017-08-10:

Error in Log.Live Update

8/10/2017, 0:07:17 GMT -> Evaluating the following PreCondition for Product: SEPM CIDS Signatures 12.1 RU6, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs
   bSelect = !( RegValExists("HKU", ".DEFAULT\Control Panel\International\Geo", "Nation") &&  CompareFileVersions( GetRegValue("HKU", ".DEFAULT\Control Panel\International\Geo", "Nation"), "244") == 0 );
8/10/2017, 0:07:17 GMT ->  Syntax Error: \C unrecognized character escape sequence.
8/10/2017, 0:07:17 GMT ->  Line: 1  Col: 99:  Syntax error
8/10/2017, 0:07:17 GMT -> PreCondition evaluation aborted with error code 6
8/10/2017, 0:07:17 GMT -> Aborted patch with EES code: LU1849; Product: SEPM CIDS Signatures 12.1 RU6, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs, Reason: LiveUpdate has encountered an internal error while evaluating the available updates for this computer.
8/10/2017, 0:07:17 GMT -> The following update was aborted:  Product: SEPM CIDS Signatures 12.1 RU6, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs.  Current Sequence Number: 170808011, Update filename 1502318157jtun_ips_sep170808011-170809011.x01

Same here.
I even did the uninstall/clean/reinstall live update. Thought it worked for a while as I didn't get any system even e-mails for nearly 12 hours. Then it came back @ the 4 AM MDT update. Still on August 8th .

I created a case w/ Symantec.

We are also having the exact same problem. Issue started on Aug 9th and all of my SEPM management servers are generating the same alerts. I have opened a case with Symantec to no avail. To mitigate the impact, I have manually updated the IDS signatures from the definitions downlaod site. Pending response from Symantec.

And no I will not be running the diag tool as there is nothing wrong with ALL of my management servers.

SymDiag won't show any issues if this is on the Symantec side. The problem is this has not been acknowledged yet that I've seen. 

My "Case" submission is a "Severity 3" level and "under investigaion".

Howa bout yours?

lol

Hello, same issue here, SEPM has been giving me the below warring since Wed. Aug. 8, at 7:49 PM EDT, about 4 warnings per day.  

"Symantec Endpoint Protection Manager could not update Client Intrusion Detection System signatures 12.1 RU6"

Tried rebooting the system that hosts SEPM this morning, no change / warnings keep coming.

Will await further word and glad to see it's a Symantec issue (even if they don't realize it yet).

Take care,

Hello,

We also had the same issue in one of our environments and restart of the SEPM services and then manual LU didn't help. So I updated the SEPM with IPS JDB and now it is fine.

https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=ips

Since many people had this issue, can someone from Symantec update on this, what has happened?

Regards

I believe this issue has now been resolved.  Errors seemed to have stopped as of today.  I am now seeing Network Threat Protection definitions August 14, 2017 R11.  Any information on what was wrong?

Suggestion for Symantec - Create a global community email service for your customers that adds transparency between us and your operations so when issues like these occur, we are not waiting for days on end waiting for a callback from support (which I would say needs improvement, but that would be an understatement). There is nothing like calling support for this issue only to talk to someone on the other end that doesn't understand a word you are saying, much less vice versa. And almost a day later when you do get a response, you get this -

'Hi William,"

http://www.symantec.com/docs/TECH247190

A link to an article that has nothing to do with the issue at hand. Not even the correct version......

Likewise,

I had the issue for the update occurring every 4 hours. The last time I saw the error was  8/13/2017 22:44:00. This morning's 3 update cycles were successful for the first time since the 1st occurrence 8/9/2017 20:08:00.

It seems to now be resolved but I see no official statement from Symantec.

I noted the lack of ERROR e-mails also.
We're updating OK also.

There seems to be a big disconnect between departments at Symantec.
Even when I've repeatedly included links to this thread.

This arrived this morning.

Clueless.

"Hi Bill,

Thanks for the email response, We understand that there seems to be live update issue happening on same and i will have my engineer call you back to assist you further on the issue.

Regards,

Abishek Haran

Supervisor - Symantec Technical Support

Symantec Corporation .

If my previous post didn't go through...

Recap.  Problem resolved itself here too.
Just got a call from Support (India?) checking to see if the problem was resolved.
No explanation.