Endpoint Protection

Not been able to work this one out. Symantec Endpoint is playing silly buggers again - as the title says, the Intrusion Prevention Signatures are not pushing out to clients at all. Anti-virus definitions are fine across the board and acting normally, and the SEP Manager shows the Latest Manager Version of the IPS at 2010-02-05 rev. 001, but the most recent IPS actually in use is 2009-12-30 rev. 002.

 Looking through the Symantec site gives me no clues - other than the license may have expired, but I paid that last month and I'd expect AV updates to stop as well if that were the case - and our Lord and Saviour Google hasn't turned much up either. Looking at the dates I'm wondering if it's a similar problem to the Y2K10 bug SEPM had earlier this year, if anyone else has got a problem? I'd guess not from the lack of threads though...

 If not, any clues? I'm a bit stumped here now. Everything else seems fine otherwise, it's just not pushing the IPS update out.

Following this KB works

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3258d8fd2c85689f882576b1006098a2?OpenDocument


Ref:https://www-secure.symantec.com/connect/forums/sep-and-operation-aurora 

license expiration has nothing to do with SEP updates,

Just try by repairing one client from add/remove programs and see the result.. 

I've followed the instructions in that KB article; thanks.

Unfortunately it's made no difference. I know my clients *can* get updates from the server - one box that was running with Dec-09 IPS has now updated to the Dec-30 IPS - they just don't seem to be getting an actual up-to-date version.

LiveUpdate has run successfully, I can paste the status report in if people think it would help - everything returned successfully though, including "Intrusion Prevention signatures Win32 11.0 was successfully updated."

If I look at LiveUpdate Downloads under LocalSite tasks it doesn't show anything particularly up to date - even showing the AV signatures as 2009-12-31 rev 117, even though I'm actually on 2010-02-09 r52 across the site (i.e. up to date). Whether this is just a display issue or something larger, I don't know.

WSUS is also installed on this server although both seem to be playing nicely at the moment, but it's always a possible cause of errors.

Where can I see the list of IPS to check how many I have downloaded (i.e. if I have the full 1821)?

Do you tried by repairing the client from add/remove programs... 

Requested update afterwards as well, and nothing.

Proactive Threat Protection also shows as 14 December 2009 r16 - guessing there has been another release of this as well that isn't being picked up. Just strange that AV updates are working smoothly and automatically.

 For a day let the Clients Grab Updates from Internet.Then switch it back to SEPM for updates then check if the clients gets the updates normally.

Try running luall... 

I switched the LU policy on SEPM to use the default update server (i.e. liveupdate.symantecliveupdate.com); then running luall on my local machine updated the signatures to the correct version. This also worked on another laptop I have setup near me, but didn't seem to work on the SEP client installed on the SEPM DC.

SEPM is also not reflecting that 2 clients are running the 2010-02-05 signatures, strangely. EDIT: It is now starting to pick these up.

So it looks like it should be possible, it's just a case of working out why exactly the server doesn't want to do as I'm asking. Luall always looks like it runs ok, so I don't know what's stopping it.

Found where I can see the list of signatures that are downloaded, and I do only have 1812 rather than the full 1821. I'll look through that other linked thread and see what I can come up with from there.

Well I've come in this morning and around half of my clients have now updated. It's not necessarily ideal as they are all going to the internet for these (as far as I can tell) rather than going via the server, but the end result is that my protection is up to date again, so I'll chalk that up as a victory for now.

My server is still only @ 1812 signatures rather than 1821 though, so the battle continues...

Thank you very much for your help Aravind & Vikram; it is very much appreciated. Kudos.