Endpoint Protection


SEP Clients not updating definitions from SEPM

  • 1.  SEP Clients not updating definitions from SEPM

    Posted Mar 31, 2009 06:08 AM
    Hi,

    Over the past week I installed the SEPM (MR4) on a new server and performed a silent remote install to my clients with the 32-bit version of SEP MR3 MP1. The clients used to have the Corporate Edition 10.1, so basically SEP uninstalled the client and installed the new version. Every client connects perfectly with the server, all of them have the green dot on their icons, and I can see the clients from the "client groups" on the server.

    My problem is that none of the clients seem to update the new definitions from the server. I even issued the run command "update content" and, as you can see from the screenshot, it completed successfully, but the clients are still stuck with the 23/03/09 definitions file.
    I've attached several screenshots of my settings, and I have the new definitions on the server (29/03/09 version), but nothing is pushed to the clients.
    Notice on screenshot31 that the proactive threat protection definition is updated (26/03/09).

    I checked the "help and support=>troubleshooting" menu on the clients and they all point correctly to the managed server.

    Any help will be greatly appreciated.

    Screenshots are here: http://www.imagebam.com/image/305e3231315870/

    Thank you


  • 2.  RE: SEP Clients not updating definitions from SEPM

    Posted Mar 31, 2009 06:56 AM
    Hi

    None of our SEP clients will update from the server. I've checked the clients are pointing to the correct server.

    If you manually run Liveupdate they update fine, but if you leave them to update automatically then they will not update. The policy they inherit is telling them to update from the default Symantec Liveupdate server.

    I manage 2 other SEP Management servers and neither of these has a problem updating clients. They are all set up the same way as far as I can see.

    Thanks

    SH


  • 3.  RE: SEP Clients not updating definitions from SEPM

    Posted Mar 31, 2009 07:12 AM
    I saw your screenshots.
    Your settings are OK, LiveUpdate is working properly and your clients are able to download the new contents.
    Your SEPM is unable to "eat" only the 32-bit AV definitions from LiveUpdate.
    It could mean:
    1) the definitions are corrupted for an unknown reason but you can fix them:
    service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008041516215948
    2) you already applied the previous document but you made some mistakes, or you cleaned the definitions yourself with an unsupported procedure. In this case it is better to call Support to check the severity of the damage.

    Suggestion: increase the number of content revisions to keep (from 3 to 6) just to improve the performance of the content deployment. Never less than 2.

    Usually the suggested document is really useful in this situation.

    Regards,



  • 4.  RE: SEP Clients not updating definitions from SEPM

    Posted Mar 31, 2009 07:24 AM
    Sh35,

    Proxy settings? When they fail to update automatically, is anyone logged onto the machine?

    If no, then it's probably proxy settings that are the issue.

    Run C:\Program Files\Symantec\LiveUpdate\LuConfig.exe and, under the HTTP tab, manually enter the proxy details and test.


    Vassilis,

    Go to \Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\, delete the log file and any files with "settings" in the title, then go into the downloads folder and delete ALL content from there. Run LiveUpdate and test.


  • 5.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 01, 2009 03:26 AM
    Giuseppe.Axia,

    Thanks for the reply. I followed the instructions from the article and the system updated the definitions on the server, and today I checked the clients and all of them have new definitions!!!

    Do we know why the definitions were corrupted? It was a fresh installation... is there anything I can do to avoid this in the future?

    Thank you again for your help.



  • 6.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 01, 2009 03:54 AM
    SEP is a complex product and some procedures can, rarely, fail, for example due to a bad Internet connection, hard disk failures, etc. There are some automatic recovery procedures already implemented in the product, but perfection does not exist. I don't have specific suggestions for you.

    Regards,


  • 7.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 03, 2009 04:29 AM
    I'm sorry to have to post this again but the same thing is happening.
    I'm positive there is something wrong; basically, after the installation I haven't had a single good download of definitions... it's too strange to have corrupted definitions again... the updates on the 32-bit version are stuck on 30-03-09 even though the 64-bit version shows 2-04-09 as new definitions.

    On the machine I have Symantec Corporate 10.01 as client antivirus (unmanaged, shows 1-04-09 as definitions); I haven't updated it on the Endpoint Protection... maybe the LiveUpdate version is still the old one or something like that?

    I'm sure that if I follow the instructions again the SEPM will download the new definitions, but I'm also sure that it will never again download new ones for the 32-bit version...

    Any new ideas?? :)

    Thank you


  • 8.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 03, 2009 05:05 AM
    Do you still have SAV 10.01 on the SEPM server for server protection?

    I am wondering what you mean by this sentence:

    "On the machine I have Symantec Corporate 10.01 as client antivirus (unmanaged, shows 1-04-09 as definitions); I haven't updated it on the Endpoint Protection... maybe the LiveUpdate version is still the old one or something like that?"


    If you run SAV 10.01 on the server, I would recommend that you begin by upgrading that to SEP.


  • 9.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 03, 2009 06:52 AM
    Open regedit and verify that "sesmvirdef32InstallDir" and "sesmvirdef64InstallDir" are pointing to separate valid folder names.

    I have:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SymcData-sesmvirdef32
    "C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SESMVI~2"

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SymcData-sesmvirdef64
    "C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SESMVI~1"

    If necessary, fix them with the full path, for example:
    "C:\Program Files\Common Files\Symantec Shared\SymcData\sesmvirdef32"
    "C:\Program Files\Common Files\Symantec Shared\SymcData\sesmvirdef64"

    Don't touch keys or folders not mentioned above!
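
    The check described in this post, as an added read-only example that is not part of the original post or Symantec's own tooling. It assumes the two names quoted in the post are string values directly under the `InstalledApps` key; the function name is hypothetical.

```powershell
# Read-only check: do the 32-bit and 64-bit definition directories recorded
# in the registry exist, and are they two different folders?
# Key and value names are copied from the post; treating them as string
# values under InstalledApps is an assumption.
$key   = 'HKLM:\SOFTWARE\Symantec\InstalledApps'
$names = 'SymcData-sesmvirdef32', 'SymcData-sesmvirdef64'

function Get-DefinitionDirReport {
    param([string]$Key, [string[]]$Names)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($n in $Names) {
        $dir = $props.$n
        [pscustomobject]@{
            Value  = $n
            Path   = $dir
            Exists = [bool]$dir -and (Test-Path -LiteralPath $dir -PathType Container)
        }
    }
}

$report = @(Get-DefinitionDirReport -Key $key -Names $names)
$report | Format-Table -AutoSize

# Flag values that are empty or point at a folder that is not there.
$report | Where-Object { -not $_.Exists } | ForEach-Object {
    Write-Warning "$($_.Value) is missing or points to a non-existent folder: '$($_.Path)'"
}

# Flag both values storing the same string. This compares the stored text
# only, so an 8.3 short name and its long form are not recognised as equal.
$distinct = @($report | Where-Object Path |
    ForEach-Object { $_.Path.TrimEnd('\').ToLowerInvariant() } |
    Select-Object -Unique)
if ($distinct.Count -lt $names.Count) {
    Write-Warning 'The two values are not pointing to separate folders.'
}
```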


  • 10.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 06, 2009 02:49 AM
    @Maximilian, sorry for the confusion... yes, I still had the 10.01 client installed on the server, so I uninstalled it completely and installed the SEP.

    @Giuseppe.Axia, I checked the registry and I have these entries, and they both point to the correct path on the server.

    I followed the instructions again to clean up the definitions on Friday, and the SEPM correctly downloaded the 02/04/09 definition files for both 32-bit and 64-bit, but as I predicted the system fails to download any new 32-bit updates afterwards. I now have definitions of 06/04/09 for the 64-bit, and the 32-bit are stuck on 02/04.

    I don't know why, but the SEPM fails to download any new 32-bit definitions... the only solution so far is to follow the article and clean up the folders manually every day...

    please help :(


  • 11.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 06, 2009 03:38 AM
    Hi,
    It is clear that there is still something damaged, related only to the 32-bit definitions.
    Actually it is not easy to help you via the forum.
    I think it is time to call Support to evaluate the damage to your installation.

    Regards,





  • 12.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 06, 2009 07:12 AM
    There is a tool called Sep_SupportTool.exe that is useful for collecting data from the SEP client (and perhaps the SEP Manager, I don't know).

    Perhaps you can get some useful information from running this tool.

    Download path below:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008071709480648 


  • 13.  RE: SEP Clients not updating definitions from SEPM

    Posted Apr 06, 2009 08:06 AM
    I just opened a case with my account on the Symantec site...
    I will keep you updated.


  • 14.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 22, 2009 08:27 AM
    Hi there Vassilis,

    Did you find a solution to this? I have had the same problems as you. I did the fixes suggested; after a while they didn't make any difference. I have rebuilt the server, moved to new servers, done multiple installs and uninstalls, etc. Each time I have this fixed, it comes back again, i.e. I moved recently to a brand new server. Fresh install, and the problems pop up again :(

    Any suggestions would be extremely handy, as I would prefer not to set up SEPM again every 3 months.... :(


  • 15.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 22, 2009 09:07 AM

    @Giuseppe

    Thank you for the link that you gave. I will try it at our office to see if it can resolve the same problem we encountered.

     



  • 16.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 22, 2009 01:51 PM
    1. Run luall.exe from Start>Run on the SEP server.
    2. Take a screenshot of where the process fails, and post it back here.

    There are several reasons why LiveUpdate might be failing on you. First, you might not be using the latest service pack of SEP. MR4 fixed an issue that former releases had when the automatic updates were applied to the product. Second, your server may not be licensed properly... yes, unlikely, but possible. Third, your firewall is blocking the connection. Fourth, we have another problem on hand. Let's get you back up, peterpan!




  • 17.  RE: SEP Clients not updating definitions from SEPM
    Best Answer

    Posted Jul 23, 2009 03:07 AM
    Patireland32, yes, my problem is now solved thanks to the efforts of customer support.

    Do you have IE7 installed on the server? If yes, then there is a weird timeout issue that needs to be addressed. I think this is fixed with the latest MR release, but if you have a previous one then there is an article that says the following:

    * Workaround: only applies if Internet Explorer 7 is installed on the Symantec Endpoint Protection Manager computer.
    - Find registry key: HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    - Add a DWORD value: ReceiveTimeout
    - Edit this value. Select Decimal. Enter the number 600000.
    - Reboot the computer for these changes to take effect
    This workaround increases the timeout value of processes running under the SYSTEM account (semsvc.exe for SEPM) that respect IE settings from 30 seconds (IE7 default) to 10 minutes (600,000 milliseconds).
    NOTE:
    - We are supposing that a Registry Backup will be performed before making any changes to the registry.


    I hope this works for you!

    Regards,
    Vassilis
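
    The workaround quoted in this post, scripted as an added example that is not part of the original post or the Symantec article. The registry key, value name and number come from the post; the backup file location and function names are hypothetical. It only reports by default and writes when `-Apply` is given, after exporting the key.

```powershell
#Requires -RunAsAdministrator
# Registry key, value name and number are taken from the quoted workaround.
$regPath  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$regExe   = 'HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$name     = 'ReceiveTimeout'
$wantedMs = 600000
# Hypothetical backup location for the exported key.
$backup   = Join-Path $env:TEMP 'InternetSettings-DEFAULT-backup.reg'

function Get-ReceiveTimeout {
    # Returns the current DWORD, or $null when the value does not exist.
    $p = Get-ItemProperty -LiteralPath $regPath -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$name } else { $null }
}

function Set-ReceiveTimeout {
    param([switch]$Apply)
    $current = Get-ReceiveTimeout
    if ($current -eq $wantedMs) { return "ReceiveTimeout is already $wantedMs ms." }
    $shown = if ($null -eq $current) { 'not set' } else { "$current ms" }
    if (-not $Apply) {
        return "ReceiveTimeout is $shown; would set $wantedMs ms. Re-run with -Apply."
    }
    # Back up the key first, as the workaround's NOTE expects.
    & reg.exe export $regExe $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change made.' }
    New-ItemProperty -LiteralPath $regPath -Name $name -PropertyType DWord `
        -Value $wantedMs -Force | Out-Null
    if ((Get-ReceiveTimeout) -ne $wantedMs) { throw 'Value was not written.' }
    "ReceiveTimeout set to $wantedMs ms (was $shown). Backup: $backup. Reboot to take effect."
}

Set-ReceiveTimeout          # report only
# Set-ReceiveTimeout -Apply # back up the key, then write the value
```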
     

     



  • 18.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 23, 2009 05:21 AM
    I have IE8 installed on my machine. I am going to remove that and then also do as you tried before. I have the most up-to-date SEPM installed as well. I will give it a go and will cross my fingers, toes and anything else that will work. I update my SEPM through the JDB files, so I'm not sure where the IE part comes in, but I will give it a shot.



  • 19.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 23, 2009 07:11 AM
    I uninstalled IE8, rebooted and ran the following... once again!!!! service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008041516215948

    All working fine. I have been pulling my hair out this last week trying to get it to work... Thanks very much Vassilis, I'll buy ya a pint when in Dublin.


  • 20.  RE: SEP Clients not updating definitions from SEPM

    Posted Jul 23, 2009 08:31 AM
    Please, Symantec, you really have to improve your QA if this is the cause. And of course, release an update that fixes this problem. We're seeing it as well on 1/3rd of our SEP clients. Haven't had time to test Vassilis's solution yet, though.

    And, further, if Symantec support knows of this, why isn't there a knowledge base document reducing the time wasted on troubleshooting lousy QA?

    Kudos to Vassilis for finding this and publishing it.


  • 21.  RE: SEP Clients not updating definitions from SEPM

    Posted Oct 08, 2009 07:38 AM
    Hi fnordgen. Just to let you know, I tried the following on a test system and still had problems.

    * Workaround: only applies if Internet Explorer 7 is installed on the Symantec Endpoint Protection Manager computer.
    - Find registry key: HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    - Add a DWORD value: ReceiveTimeout
    - Edit this value. Select Decimal. Enter the number 600000.
    - Reboot the computer for these changes to take effect
    This workaround increases the timeout value of processes running under the SYSTEM account (semsvc.exe for SEPM) that respect IE settings from 30 seconds (IE7 default) to 10 minutes (600,000 milliseconds).

    My production SAV server is therefore still on IE 6 and working fine, and I am not going to upgrade to IE7 as of yet.