Endpoint Protection

  • 1.  SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 11:12 AM

    Hello,

    I worked with Symantec technical support on case 13407675 and their solution was to reboot each server that has this issue.  That is not a solution so I'm seeing if anyone can help me on the forums now that we have a few more servers doing this.  The issue started after installing the latest Microsoft critical/security updates and rebooting our servers on 9/17.  We discovered a week later when SEPM started notifying us that 5 servers were stuck on definitions from 9/17 and would not update.  Trying to launch the client from the system tray on each server resulted in nothing.  Trying to "smc -stop" only caused the service to hang indefinitely at "Stopping...".  Ultimately, a reboot was required for each server to get the SEP client to update.  I worked with Symantec technical support and this was their "solution".

    Now, as of today, we have two more servers doing this.  Their definitions are 9/26/17 r7.  Same symptoms as before.  A SymDiag report provides no useful information...something about some print drivers waiting to update but that same "issue" shows up on clients that are working just fine.

    We can't just reboot servers outside of monthly scheduled maintenance on a regular basis to get them to update their definitions.  And this would be horrible if we had rolled out SEP 14 to our 3,000+ client computers and had this issue.  At least we only have about 150 servers to deal with, but 7 servers out of 150 (and that number will likely continue to grow) is a high failure rate for the SEP client.  If we can't get an actual resolution for this issue soon, rather than this reboot workaround, we will be switching to a competing product and canceling our contract with Symantec.  We never had major issues like this with SEP 12; if we can't rely on SEP 14, a product that's been out about a year now, then we can't rely on Symantec.  We've been putting up with the excessive CPU usage of SEP 14 (compared to 12.1) in hopes that we can get it tweaked with enough exceptions to stop that, but we can't continue rebooting servers to get them to update definitions.  I hope we can get a resolution to this; we have been preparing to switch vendors if not.

    Thank you for any help you can provide.

    Greg Mackey
    Systems Engineer III
    University of Central Oklahoma



  • 2.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 11:17 AM

    Some more info (I haven't found the option to edit my original post):

    SEPM server
    Windows Server 2016
    Version 14 (14 MP2) build 2415 (14.0.2415.0200)

    SEP clients
    Windows Server 2012 R2
    Version 14 (14 MP2) build 2415 (14.0.2415.0200)



  • 3.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 12:38 PM

    It sounds like this needs to be escalated to backline. The given "solution" is not a solution.

    It seems similar to this:

    http://www.symantec.com/docs/TECH246354

    Although it was already fixed in the latest version, which you're running.



  • 4.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 01:12 PM

    Thanks, Brian.  Yes, I had seen that a similar issue was resolved in MP2, though we have been on MP2 since we first rolled this product out to our servers a few months ago and our issue isn't resolved with smc -stop since the service hangs.  When this issue occurs, we see event ID 203s for each set of definitions that can't install (all of them, it appears).  We don't see anything about a LiveUpdate lock, though...it just says "Content install failed on the client" and gives the info about the definitions it was trying to install.



  • 5.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 01:16 PM

    Backline support should be able to enable advanced debug logging to see what is going on. However, I imagine the difficulty is going to come in being able to reproduce this. It sounds like this randomly occurs and being able to identify which machine it's going to occur on before it happens, in order to enable logging, is going to be tedious.



  • 6.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 01:26 PM

    In that case, we may need to enable it on every server.  Hopefully there's a somewhat quick way of doing that.  Do you know how I can get in touch with backline support to get this going?



  • 7.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 02:32 PM

    From your existing support case, request the duty manager and tell them you need the case escalated.



  • 8.  RE: SEP 14 getting stuck; reboot required to update defs

    Posted Oct 03, 2017 03:44 PM

    Okay, thanks.  I'll give them a call and get the case reopened and escalated.