Endpoint Protection

Hi All,

I got problem when I tried to download LiveUpdate Content from Symantec Endpoint Protection Manager. The LUALL.EXE has been launched then error message "LiveUpdate encountered one or more errors. Return code = 4." is prompted.

In the Log.LiveUpdate file, there is a message "Account launching LiveUpdate is not a logged in user's account". I am not sure it's caused the problem or not.

The Enpoint version is 11.0.4202.75 and I am using Proxy for update.

Would you like to suggest what I can do next to trouble shooting? Thanks.


Cheers,
TLI

Have you configured Proxy, If not

Open SEPM
Goto Admin -> servers
Expand Local site and then select the server name or right click the server name and click Properties.
You can configure the Proxy here and then try using live update

Open a command prompt browse to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin
Then Type lucatalog -update
Hit enter or Return, this will re-register SEPM with live  update

 I had a few problems with configuring Live Update when I got started - so here are a few things to check:

1. Under Admin > Servers right click your site and choose "Edit Properties". Go to the Proxy Server tab and make sure the fields are filled out.
I used "Use custom proxy settings", typed in the FQDN "server01.domain.com" and the port. 
Then check the "Authentication needed to connect..." and enter the credentials as domain\username. I haven't selected the "Use Windows Authentication" because I don't want it using my logged in credentials.

Try running a Live Update session after that and see if it works.

If not:
2. Open secpol.msc (Local Security Policy). Go to Local Policies > User Rights Assignment and check that your account for launching Live Update is in the "Log on as a service" rights.

Let us know how you get on after that....I spent a few hours trying to get it right.

Regards,

Chris Bulovic

The following articles might be useful to resolve this. How to setup the Symantec Endpoint Protection Manager to use specific proxy settings for LiveUpdate http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5a8f40b6478675438825733e007163dd?OpenDocument "Error: LiveUpdate encountered one or more errors. Return code = 4" in LiveUpdate status in Symantec Endpoint Protection Manager http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3b09d4f329acc39fc12573b400341977?OpenDocument Thanks :-)

Dear All,

Thanks for your kindly help. As Chris suggested, I turn on the "Use Windows Authentication". Then the
"LiveUpdate encountered one or more errors. Return code = 4." error gone. The LiveUpdate seem to be connected to Symantec but don't know why all the update failed (Attached as follow). Any idea?

Thanks again.


September 1, 2009 5:01:53 PM CST:  LiveUpdate succeeded.   [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:53 PM CST:  LUALL.EXE finished running.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:53 PM CST:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:37 PM CST:  Symantec Endpoint Protection Win64 11.0.4202.75 (English) is up-to-date.    [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:36 PM CST:  Symantec Endpoint Protection Win32 11.0.4202.75 (English) is up-to-date.    [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:34 PM CST:  TruScan proactive threat scan engine Win32 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:34 PM CST:  TruScan proactive threat scan commercial application list Win32 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:34 PM CST:  TruScan proactive threat scan whitelist Win64 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:34 PM CST:  Intrusion Prevention signatures Win64 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:34 PM CST:  TruScan proactive threat scan engine Win64 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:33 PM CST:  Submission Control signatures 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:33 PM CST:  TruScan proactive threat scan data 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:33 PM CST:  TruScan proactive threat scan whitelist Win32 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:32 PM CST:  TruScan proactive threat scan commercial application list Win64 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:32 PM CST:  Virus and spyware definitions Win32 11.0 MicroDefsB.CurDefs failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:32 PM CST:  Decomposer Win32 and Win64 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:32 PM CST:  Symantec Protection Center Content Catalog 11.0 is up-to-date.    [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:32 PM CST:  TruScan proactive threat scan commercial application engine 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:31 PM CST:  Virus and spyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 5:01:31 PM CST:  Intrusion Prevention signatures Win32 11.0 failed to update.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 4:59:43 PM CST:  LUALL.EXE has been launched.  [Site: HKENDPOINT]  [Server: HKEP01]
September 1, 2009 4:59:43 PM CST:  Download started.  [Site: HKENDPOINT]  [Server: HKEP01]


Best regards,
TLI

lets see if someone is blcoking the liveupdate.

How to determine whether your firewall is blocking LiveUpdate

http://service1.symantec.com/SUPPORT/sharedtech.nsf/d3c44a1678bd8f45852566aa005902cb/c0aeb869920b38b688256d980074e389?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=sav_ce_10

the problem is with proxy, make sure that you put correct, id and password..in the proxy configuration of liveudpate.

not sure id this is relevant, but, when we got the error message that there is insufficient disk space to download definitions, the cause turned out to be the HTTP proxy not allowing the content to download from the Symantec LiveUpdate servers.
Whitelisting http://liveupdate.symantecliveupdate.com and http://liveupdate.symantec.com solved the problem.

Dear Rafeeq,

Thanks. I can download the zip file without problem. Hence, the problem seems not caused by firewall.

Dear Serengiti,

Do you mean I need to whitelist http://liveupdate.symantecliveupdate.com and http://liveupdate.symantec.com in the proxy server? I am not quit understand as the update file seem to be in a amount of small zip files. Hence do you mean the proxy count all files as a single download?

Thanks both of you.

Best regards,
TLI

Hello TLI,

Serengiti, mentioned to whitelist the two sites in your proxy, lets give it a try.

 http://liveupdate.symantecliveupdate.com and http://liveupdate.symantec.com