Endpoint Protection


Parent Servers and Clients

  • 1.  Parent Servers and Clients

    Posted Sep 10, 2009 11:55 AM
    Hi all,

    Just wondering if anyone has any idea what's going on with our Symantec setup. Details below:

    Using:

    Symantec System Center ver 10.8.1.8000 - We have this on 3 parent servers
    Symantec Antivirus ver 10.8.1.8000  - We have this on our clients

    We have it setup where our 3 parent servers pull down the virus definitions and then the clients pull the virus definitions from them. The big BUT is that:

    SERVER 1: You can assign any machine to a client group on this server and it will automatically do the updates

    SERVER 2: Some machines will automatically update when others won't!

    SERVER 3: Some machines will automatically update when others won't!

    I have done the below tests on all servers with clients:

    Add new GRC.DAT
     - copied from
    \\servername\VPHOME

    Add Cert (for v10 clients only)
     - copied from
    \\servername\VPHOME\pki\roots

    Turn off Simple File Sharing
     - via Tools menu in Explorer, Folder Options -> View -> uncheck Simple File Sharing

    Turn on exceptions for File and Print sharing in XP Firewall
     - Open XP Firewall, Exceptions tab, check File and Printer Sharing

    Add holes for SAV to XP firewall
     - Used these three command line options to open up UDP and TCP ports so as to cover all versions of SAV
    netsh firewall set portopening protocol=tcp port=2967 mode=enable name=SAVtcp2967 scope=custom addresses=10.1.1.1/255.255.255.255
    netsh firewall set portopening protocol=udp port=2967 mode=enable name=SAVudp2967 scope=custom addresses=10.1.1.1/255.255.255.255
    netsh firewall set portopening protocol=udp port=2968 mode=enable name=SAVudp2968 scope=custom addresses=10.1.1.1/255.255.255.255

     On the server machine.
    - open command prompt
    - type telnet <client name> 2967 and press enter.
    - it should open a blank command prompt window - which it does
    - compare the root certificate on the server (\\<server>\vphome\pki\roots) and the client (c:\program files\Symantec Antivirus\pki\roots).

    2. The old virus definition is corrupted.
    - stop symantec antivirus services.
    - stop symantec antivirus Definition watcher.
    - delete old virus defs (yyyymmdd.xxx) from "C:\Program Files\Common Files\Symantec Shared\VirusDefs"
    - empty the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads" folder
    - delete all <number>.product.inventory and <number>.setting files from the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate" folder.
    - empty the "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB" folder.
    - go to "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\" and delete the *.vdb or *.xdb files, not folders.
    - start the symantec service.
    - start the symantec antivirus definition watcher.

    With all the above done I just can't get the machines to update automatically! Anyone know why?

    Kind regards,

    Anthony
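
The checks in the post above, scripted so they can be run against a list of clients from the parent server. This is an added example, not code from the thread or from Symantec. It assumes things the page does not state: the client names, that each client's C$ admin share is readable from the server, and the default client install path named in the post.

```powershell
# Added example, not from the thread or from Symantec: from a SAV 10 parent
# server, run the two checks Anthony did by hand against a list of clients.
#   1. TCP 2967 on the client is reachable (the "telnet <client> 2967" test).
#   2. The client's pki\roots holds at least one file identical (by SHA-256) to
#      a file in the server's \\<server>\VPHOME\pki\roots.
# Assumed, not stated on the page: the client names, that each client's C$
# admin share is readable from here, and the default install path from post 1.

param(
    [string[]]$Clients        = @('xp-client1', 'xp-client2'),   # hypothetical
    [string]  $ServerRoots    = "\\$env:COMPUTERNAME\VPHOME\pki\roots",
    [string]  $ClientRootsRel = 'C$\Program Files\Symantec AntiVirus\pki\roots',
    [int]     $Port           = 2967,
    [int]     $TimeoutMs      = 3000
)

function Test-SavPort {
    # Like "telnet <client> 2967" but non-interactive, with a timeout.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $tcp.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

function Get-RootCertHashes {
    # Hashtable of file name -> SHA-256 hex for every file in a pki\roots folder.
    # .NET is used directly so the script does not depend on Get-FileHash.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $map = @{}
    Get-ChildItem -Path $Path -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $map[$_.Name] = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        }
    return $map
}

$serverHashes = Get-RootCertHashes -Path $ServerRoots
if ($serverHashes.Count -eq 0) { throw "No root certificate files found in $ServerRoots" }

foreach ($c in $Clients) {
    $portOk      = Test-SavPort -Computer $c -Port $Port -TimeoutMs $TimeoutMs
    $clientRoots = "\\$c\$ClientRootsRel"
    if (Test-Path -Path $clientRoots) {
        $clientHashes = Get-RootCertHashes -Path $clientRoots
        # The thread's fix is to copy the server's root cert onto the client, so a
        # client holding no file identical to one of the server's roots is the
        # first thing to flag. Matching is by content, not by file name.
        $clientSet = @($clientHashes.Values)
        $matching  = @($serverHashes.Values | Where-Object { $clientSet -contains $_ })
        $certStatus = if ($matching.Count -gt 0) {
            "OK ($($matching.Count) of $($serverHashes.Count) server roots present)"
        } else {
            'MISSING: no server root cert on client'
        }
    } else {
        $certStatus = "UNREADABLE: $clientRoots"
    }
    New-Object PSObject -Property @{ Client = $c; Tcp2967 = $portOk; RootCerts = $certStatus } |
        Select-Object Client, Tcp2967, RootCerts
}
```

Run it on each of the three parent servers in turn; a client that shows Tcp2967 True but RootCerts MISSING points at the certificate rather than the firewall, which is the distinction the rest of the thread ends up drawing.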





  • 2.  RE: Parent Servers and Clients

    Posted Sep 10, 2009 12:42 PM
    Ports used for communication in Symantec AntiVirus 10.x and Symantec Client Security 3.x
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005033011582148

    Specifically Client/server communication ports

    General communication: Clients, TCP, local ports 1024–5000



  • 3.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 04:53 AM
    Thanks for the quick reply.

    Running netstat -a I can see that the listening port 2967 is open on a machine that I'm testing, plus a couple more that have established connections on 1150 and 1202, which are in the range from that link you sent:

    Ports used for communication in Symantec AntiVirus 10.x and Symantec Client Security 3.x
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005033011582148

    Now here comes the good part:

    The Windows firewall is disabled on the laptop that I'm testing and it currently has old defs, so I can see the physical change of an auto update.

    Now if I point the laptop to SERVER 2 or SERVER 3 I know that the machine will NOT update automatically BUT if I point the laptop to SERVER 1 it will update automatically. We have mirrored the config of SERVER 1,2 and 3 so all the same ports are open.

    Could there be something else stopping SERVER 2 and 3 from updating?

    Cheers,

    Anthony


  • 4.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 05:35 AM
    I have just found one machine that is updating correctly to SERVER 2 (one of the parent servers that is not working properly)

    I looked into the log of that machine from the SSC and it has:

    New virus definition file loaded. Version: 110908r.

    I then moved the machine in the SSC to another client group on the same server and am now getting:

    Download of virus definition file from LiveUpdate server failed.  00000001

    What could be causing this?

    Cheers,

    Anthony


  • 5.  RE: Parent Servers and Clients



  • 6.  RE: Parent Servers and Clients

    Broadcom Employee
    Posted Sep 11, 2009 09:12 AM
    look into the log.liveupdate for the failure...


  • 7.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 09:16 AM

    Are your servers 2 and 3 up to date? Check the firewall setting in the management console to see if this is enabled.



  • 8.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 10:33 AM
    Yup, SERVER 2 and 3 are up to date. Firewall is disabled.


  • 9.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 10:35 AM


  • 10.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 10:37 AM
    Or are there any clients reporting to server 2 or 3 which are 64-bit and not updating defs?


  • 11.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 10:52 AM
    The machines are all 32-bit XP Pro machines.

    Just done another test with another machine and looked at the log, and first of all I was getting the below message:

    This was at: 15:19 - 11/09/2009

    Definition File Download

    Username: DOMAIN\username

    Category: Virus Definition File

    Description: Download of virus definition file from LiveUpdate server failed.  00000001

    Then at 15:41 - 11/09/2009

    Definition File Loaded

    Username: DOMAIN\username

    Category: Virus Definition File

    Description: New virus definition file loaded. Version: 110910b.

    How can it fail and then load?

    Cheers,

    Anthony



  • 12.  RE: Parent Servers and Clients

    Posted Sep 11, 2009 12:35 PM
    Is the 7.5 folder filled with tmp folders and other files?
    To me it looks like a virus definition corruption. Try running Rx4Defs and see if this resolves your issue.

    Are all 3 parent servers primary, or is 1 the primary and the other 2 secondary?

    If all 3 are primary and you have configured the other 2 to take updates from the 1st primary,
    then the root certificate of the primary should be on both secondary servers as well.



  • 13.  RE: Parent Servers and Clients

    Posted Sep 14, 2009 06:38 AM

    We have 3 Parent servers but 1 is the primary server

    The Primary is one of the servers that is not working correctly

    One secondary is working and the other secondary isn't working.

    The root certificates should they be copied from primary server from:

    c:\Program Files\Symantec\Symantec System Center\pki\roots

    or

    c:\Program Files\SAV\pki\roots

    to the other servers and should these be the certificates that the clients should be using too?

    About the tmp folders a client has folders in

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

    which are:

    APTemp
    BadPatts
    I2_LDVP.TMP
    I2_LDVP.VDB
    Logs
    Quarantine
    xfer_tmp
    Fwdstat.log





  • 14.  RE: Parent Servers and Clients

    Posted Sep 14, 2009 06:52 AM
    Hi there - where can I get the Rx4Defs tool as I have looked for it but cant find the download page?

    Cheers


  • 15.  RE: Parent Servers and Clients

    Posted Sep 14, 2009 09:09 AM
    For Rx4Defs you will have to contact support.
    Copy the root cert from c:\Program Files\SAV\pki\roots




  • 16.  RE: Parent Servers and Clients

    Posted Sep 15, 2009 05:14 AM
    Cheers Vikram,

    Another thing I have found is that when I install Antivirus onto a client machine it then appears in the SSC but when I right click on that machine and click:

    All tasks/ Symantec Antivirus/ Update virus definitions now and click yes to it I get:

    "Symantec Antivirus was unable to start definition download on the following client: machinename. Verify that the clients are working correctly."

    So tried clicking on another option:

    All tasks/ Symantec Antivirus/ logs/ event log  and get this error message:

    "Could not collect all data log, Please verify that Symantec Antivirus is running on these computers"

    How come this is happening? Plus could this be the root cause of everything else we are getting?

    Cheers,

    Anthony


  • 17.  RE: Parent Servers and Clients

    Posted Sep 15, 2009 06:16 AM
    Yes, of course... if the clients are not able to send the logs to the parent server, that means there is some communication issue.
    If you call support, also make sure you get the Makedrop utility. That will replace the GRC.DAT and root certificates on all the clients and restore active communication between server and clients.


  • 18.  RE: Parent Servers and Clients

    Posted Sep 15, 2009 06:48 AM
    Vikram,

    I think I've worked out what's going on after doing a little digging but am just stuck at one bit. This is what I did.

    Installed AV on a client, then copied the certificates and grc.dat from the primary server and restarted the AV services, and the client is now talking to the primary server, which allows me to look at the event log from the SSC for that machine.

    I then clicked on update virus definitions on the client via the SSC and then looked at the logs on the SSC and the event logs on the client. I can see that when I click update, the event log on the client under the app log says 'admin' connected, and I see that it has sent a start control under the system log. Then when I look at the next event under the app log it says download of virus definition from LU server failed. 00000001. I also see a couple of success audit entries under security with the username SYSTEM. The machine will not update; is there a reason behind this?

    Cheers,

    Anthony
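
The fix Anthony describes above, and that posts 12, 15 and 17 recommend (copy the primary's root certificate and GRC.DAT onto the client, then restart the SAV services), as a script. This is an added example, not code from the thread, from Symantec or from the Makedrop utility mentioned in post 17. It assumes things the page does not state: the primary server's name, a writable C$ share on the client, that GRC.DAT belongs in the "7.5" data folder listed in post 13, and the SAV 10 service names 'Symantec AntiVirus' and 'DefWatch'.

```powershell
# Added example, not from the thread or from Symantec: scripts the manual fix
# Anthony reports in this post and that posts 12, 15 and 17 recommend (copy the
# primary's root certificate and GRC.DAT to the client, then restart the SAV
# services). Assumed, not stated on the page: the primary's name, a writable
# C$ share on the client, that GRC.DAT belongs in the "7.5" data folder listed
# in post 13, and the SAV 10 service names 'Symantec AntiVirus' and 'DefWatch'.
# Confirm the names first with:
#   Get-Service -ComputerName <client> | Where-Object { $_.DisplayName -like 'Symantec*' }

param(
    [Parameter(Mandatory = $true)] [string]$Client,
    [string]$Primary          = 'savprimary',   # hypothetical
    [string]$ClientProgramDir = 'C$\Program Files\Symantec AntiVirus',
    [string]$ClientDataDir    = 'C$\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5'
)

$ErrorActionPreference = 'Stop'
$srcGrc   = "\\$Primary\VPHOME\GRC.DAT"
$srcRoots = "\\$Primary\VPHOME\pki\roots"
$dstRoots = "\\$Client\$ClientProgramDir\pki\roots"
$dstGrc   = "\\$Client\$ClientDataDir\GRC.DAT"

foreach ($p in @($srcGrc, $srcRoots)) {
    if (-not (Test-Path $p)) { throw "Not found on primary: $p" }
}

function Set-RemoteServiceState {
    # Stop or start a service on the client and wait for it, using the
    # ServiceController object that Get-Service -ComputerName returns.
    param([string]$Computer, [string]$Name, [ValidateSet('Stopped', 'Running')][string]$State)
    $svc = Get-Service -ComputerName $Computer -Name $Name
    if ($svc.Status -ne $State) {
        if ($State -eq 'Stopped') { $svc.Stop() } else { $svc.Start() }
        $svc.WaitForStatus($State, [TimeSpan]::FromSeconds(60))
    }
}

function Get-Sha256Hex {
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($File)))) -replace '-', ''
}

# Stop the definition watcher first, then the AV service, so nothing holds the
# files we are about to replace and the new GRC.DAT is read on the next start.
Set-RemoteServiceState -Computer $Client -Name 'DefWatch'           -State Stopped
Set-RemoteServiceState -Computer $Client -Name 'Symantec AntiVirus' -State Stopped

# Move the client's existing roots into a sibling backup folder so the change
# can be undone, then copy every root file the primary has.
$bakDir = "$dstRoots.bak"
if (-not (Test-Path $dstRoots)) { New-Item -ItemType Directory -Path $dstRoots | Out-Null }
if (-not (Test-Path $bakDir))   { New-Item -ItemType Directory -Path $bakDir   | Out-Null }
Get-ChildItem $dstRoots | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Move-Item $_.FullName -Destination $bakDir -Force }
Copy-Item "$srcRoots\*" -Destination $dstRoots -Force

# Push GRC.DAT and verify the copy landed intact before starting anything.
Copy-Item $srcGrc -Destination $dstGrc -Force
if ((Get-Sha256Hex $srcGrc) -ne (Get-Sha256Hex $dstGrc)) {
    throw "GRC.DAT on $Client does not match the primary's copy"
}

# Start in the reverse order.
Set-RemoteServiceState -Computer $Client -Name 'Symantec AntiVirus' -State Running
Set-RemoteServiceState -Computer $Client -Name 'DefWatch'           -State Running

$rootCount = @(Get-ChildItem $srcRoots | Where-Object { -not $_.PSIsContainer }).Count
"Pushed GRC.DAT and $rootCount root cert file(s) from $Primary to $Client; watch the client's log for 'New virus definition file loaded'."
```

Run it from the primary as an account that is a local administrator on the client. The same copy of pki\roots, pointed at a secondary parent server's own SAV install folder instead of a client, is what post 12 asks for between the primary and the two secondaries.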


  • 19.  RE: Parent Servers and Clients

    Posted Sep 15, 2009 04:01 PM
    Might be some OS hardening issue... Are you using an application proxy? Any rules applied on the System account?

    You might find this discussion helpful.
    https://www-secure.symantec.com/connect/forums/download-virus-definition-file-liveupdate-server-failed-00000001