Endpoint Protection

I'm working on a large enterprise network and I seem to be facing problems with SEP clients not getting their updates properly.

Let's say I have 100 workstations configured as SEP clients. Almost everyday, I have around 10 to 15 clients not able to get their updates from the server even though there are no communication problems.

I've been going thru forums here and I understand that there might be corrupted definitions and that it needs to be fixed. But here is the scenario... Even though I have 15 clients not getting updated on a particular day,,, most of the machines get updated automatically after approx. a week or more without troubleshooting the machine. This is not always the case of the clients to get fixed automatically and I dont think that corrupted definitions should also be an issue cause, the clients get updated automaically after some days. And the failure of updates are not always on the same machines.

Like I said,, its a very large network with thousands of machines and it is not easy to go to every machine to fix this problem.

My question is ... What is the exact reason for this issue cause I see many forums regarding this and how can it be prevented from not happening again?

Thanks 

what is the seeting in your LU?

do you have mobile clients?

those who are outof date are they desktops or laptops?

i think the outofdate clients are laptops not able to update when they get disconnected from the network

Make sure you are using Latest version of SEP ( 11.0.6100.xx )

Also is your SEPM machine a Server OS ?

SEPM machine is running on a Windows 2003 Server OS. SEP version is 11.0.6100.x. I also have SEP versions which are below this version. Its kind of mixed which are in the process of getting updated to the latest version

Vikram , Can you tell me if it is because of the SEP version that the updates are having a problem?

The SEP version I have is 11.0.6100.645

The machines that are not receiving the updates are random?

Do you use Static or DHCP addresses in your network?

For the wireless clients are you using "location awarenness"?

And Most Importantly...

Are these machines images/ghosts of one another?

@Jason

Yes, the machines are random.

Network is DHCP

Users are wireless only when they use their laptops outside the office. Otherwise, the laptops are connected to cables.

Neither,, they are fresh installations.

I have EXACTLY same problem...

https://www-secure.symantec.com/connect/forums/some-clients-randomly-stop-receiving-definitions

Seems to be a very long forum. Was it solved finally?

Ive sem so many forums but cant get a clear answer.

For some,, it is corrupted definitions,,,, for some, restarting the service,,,,, for some, its with IE. IE6 works fine but not IE7 and IE8.

If this issue is for a small network,, I can adjust the situation but if its for more than 5000 users in different locations,, it really is very difficult.

Does anyone have a clear answer??

I have not found a clear answer to this. Some clients go 3-4 days without an update and if I reboot the box, then they update. Sylink logs look clean, as well as support tool logs. I really have no idea what to look at next.

Maybe any Symantec employee can give us answer?

Even on Event Viewer, you get Event ID 13 related to Live Update and the solution for that was to uncheck decomposser option. Again,, this worked for some and not for all. Even I keep getting Error 13 but unchecking decomposser option means that zip, compressed files will not be scanned which could also cause a threat to the network.

Ive checked symantec solutions which says to uninstall and reinstall Live update for clients but they still keep getting the same update problem.

Support is a better bet. I currently have a case open.

Are Group Update Providers in use?

sandra

http://www.symantec.com/connect/articles/troubleshooting-liveupdate-issues-symantec-endpoint-protection

http://www.symantec.com/business/support/index?page=content&id=TECH95790&locale=en_US

http://www.symantec.com/business/support/index?page=content&id=TECH98456&locale=en_US

http://www.symantec.com/business/support/index?page=content&id=TECH99909&locale=en_US

http://www.symantec.com/business/support/index?page=content&id=TECH103112

http://www.symantec.com/business/support/index?page=content&id=TECH103176&locale=en_US

http://www.symantec.com/business/support/index?page=content&id=TECH102973&locale=en_US

Links are in the file

Attachment(s)

Attachment.txt   631 B 1 version

no, i dont use any group providers...

Brian, please, let us know when you receive answer from support.

I have to say that there's really no fix for this and this has been happening since the days of SAV.

- Some work after a reboot.

- Some work after fixing "corrupt definition" files KB.

Since we have tamper protection enabled, following  the corrupt definition KB won't work until a reboot since the SEP service can't be stopped. 

Another thing I hate about Symantec, how it writes to multiple locations.

C:\Program Files\Symantec\Symantec Endpoint Protection

C:\Program Files\Common Files\Symantec Shared

C:\Documents and Settings\All Users\Application Data\Symantec 

Trying to troubleshoot things is a wild goose chase...

.

Hope this document helps someone..

Page 57 / 5.10 Live Update Corruption

http://avdop.nic.in/USER%20GUIDE/ANTIVIRUS_USERS_GUIDE.pdf

Did it help you, since you're the original poster? :)

nope ,, it did not,, if it had,, i wouldnt be posting this in the first place.

Whether your GUP PC os is a server os?Approximately a GUP is configured to update how many systems?I mean how may clients receive updates from a single GUP?

@Aravind - OS is Server OS. Im not sure of the number of simultaneous client update.... But..

I had a seperate test environment with 20 machines as SEP clients. On a scheduled upfate time,,, all the 20 machines did not get updated. I had 5 or 6 machines left which were not updated.

If all the clients are not getting update we can say its communication issue..however if its just few that they update after a day or so..that too random machines..then it comes down to bandwidth issue

There doesnt seem to be any communication issue. If its for a few machines,, I understand,, but if its for a network of more than 5000 machines,, it is difficult.

Its not for all machines that it get updated. It has a gap for a week or more it it get updated. And its not for sure either.

Its not a bandwidth issue. Its a state network and there is no bandwidth issue. Everything has been verified. If its a bandwidth issue,, I dont see any reason why even 20 machines shouldnt be getting updated.

Again,, there are so many different solutions of this issue but I dont see a standard solution for this issue to be resolved for everyone having this issue.

Currently, after latest clean restore of my system out of 100 of my PCs have.

70 - latest definitions.

5 - 1 days later definitions

2- 2 days later definitions

23 - 5+ days later definitions..

and all that in 1!!! week after clean installing...

Please note, that sylink log i posted was left without employees comments..and Symantec Support Tool just shows no errors...

Looks like it is the version issue.

I have just upgraded to version 11.0.6100.645 and since doing that any client that is still sitting at 11.0.6000.550 will not update there def's. What ever def they are sitting at on the day of the SEPM upgrade they will stay at that date.

Has anyone found a fix yet?

@Brian81 - Were you able to get a reply from Support?

@Symantec - Can you give us all a solution to prevent this problem from happening rather than a solution to solve this problem? Thanks

 Symantec Endpoint protection 11.0 -Troubleshooting Guide.

 https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-110-troubleshooting-guide

Every time I have personally had this issue, where the machines seem to be random, it is because they arrived in the same bathc of machines.  So hardware was identical.  Being the case, created an image and pushed it out to all the machines. 

Than every now and again, one would act up.  Whenever I have seen this, I have found that the "HARDWARE ID" of the problematic machines were the same as another machine.  Hence, when the second machine reboots, shuts down or decides to stop communicating, the other with the same ID does.  Reports it's status as needing definition updates and the server sends them out. 

Following this article has helped me resolve my issues.

http://www.symantec.com/business/support/index?page=content&id=TECH102815&locale=en_US

Maybe you have the same problem?

Hardware IDs are completely different on all my machines.

http://nissystems.helpserve.com/index.php?_m=knowledgebase&_a=pdfexport&kbarticleid=15

I'll have a look at this also. Thanks

I dont have any result yet. Will update once I have one. Thanks

Installation and Deployment Tour

http://eval.symantec.com/flashdemos/products/endpoint_protection_install/index.html

I m using SEP 11.0.6 MP2, have more than 20,000 thousand client cannected managed by one manager console. I have implemented 19 GUP at diffrent locations. My clients gets defination from the GUP servers. But past ten day's around four thousand clients from different different region not getting updates. I am attaching Sylink logs collected from one of the client.

Please help....

Attachment(s)

SEP LOG10.144.196.12.txt   9.41 MB 1 version

Still no resolution.

Still Im not able to resolve this issue of client updates. Can anyone siggest how to get a workaround for this? Thanks

Open a case with support so they can review.

afs