Endpoint Protection


troubles with IPS updates

  • 1.  troubles with IPS updates

    Posted Jun 21, 2017 03:33 AM

    After the upgrade from 14MP1 to 14MP2, both my SEPM servers can't download/update IPS signatures automatically. There are warnings with ID 7201 in the event log with "Size(in bytes):-1" in the event text. All other definitions are updated correctly.

    If I download the JDB file for IPS manually, the update works OK.

    What do you think I could do about it?

    Thanks.

     



  • 2.  RE: troubles with IPS updates

    Broadcom Employee
    Posted Jun 21, 2017 03:43 AM

    Does the LiveUpdate log show any error with respect to the download of definitions?



  • 3.  RE: troubles with IPS updates

    Posted Jun 21, 2017 04:03 AM

    Check if the firewall is blocking any downloads, as per this document:

     

    https://support.symantec.com/en_US/article.TECH102059.html



  • 4.  RE: troubles with IPS updates

    Posted Jun 21, 2017 04:06 AM

    I can't see any error in log file.

    Except this one: ProductRegCom/luProductReg(PID=12292/TID=10104): Setting property for Moniker = {C8C42A08-0AB4-F6D4-00BE-1539101AB358}, PropertyName = LASTPATCH.STATUS, Value = FAIL



  • 5.  RE: troubles with IPS updates

    Posted Jun 21, 2017 06:29 AM

    Any other signatures are downloaded properly.



  • 6.  RE: troubles with IPS updates

    Posted Jun 21, 2017 06:34 AM

    Download and run the SymDiag tool on it for additional error checking



  • 7.  RE: troubles with IPS updates

    Broadcom Employee
    Posted Jun 21, 2017 06:39 AM

    It looks similar to the issue reported in this article, except the SEPM version is different. Can you follow the workaround suggested in the solution section and update us on the result?

    https://support.symantec.com/en_US/article.TECH197844.html

     

    Also run the dbvalidator to ensure there is no broken link.



  • 8.  RE: troubles with IPS updates

    Posted Jun 21, 2017 08:05 AM

    This workaround didn't help me; dbvalidator finished successfully.



  • 9.  RE: troubles with IPS updates

    Posted Jun 21, 2017 08:07 AM

    Symdiag has finished without relevant errors.



  • 10.  RE: troubles with IPS updates

    Posted Jun 21, 2017 09:24 AM

    I'm seeing the same behavior (IPS downloads stopped a week ago) and found something quite confusing in the LiveUpdate log of our SEPM:

     

    21.06.2017, 12:26:39 GMT -> Available Update for Product: SEPM CIDS Signatures 14.0 MP2, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs.  Current Sequence Number: 170613021, New Sequence Number 170620022, Update filename 1497995922jtun_ips_sep170613021-170620022.x03
    21.06.2017, 12:26:39 GMT -> Evaluating the following PreCondition for Product: SEPM CIDS Signatures 14.0 MP2, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs
                bSelect = (  ( RegValExists("HKLM", "SOFTWARE\\Symantec\\Symantec Endpoint Protection\\SEPM", "Version") && ( CompareFileVersions( GetRegValue("HKLM", "SOFTWARE\\Symantec\\Symantec Endpoint Protection\\SEPM", "Version"), "14.0.2332.0100") == 0 ) ) ||  ( RegValExists("HKLM", "SOFTWARE\\Wow6432Node\\Symantec\\Symantec Endpoint Protection\\SEPM", "Version") && ( CompareFileVersions( GetRegValue("HKLM", "SOFTWARE\\Wow6432Node\\Symantec\\Symantec Endpoint Protection\\SEPM", "Version"), "14.0.2332.0100") == 0 ) ));
    21.06.2017, 12:26:39 GMT ->     Calling RegValExists ()
    21.06.2017, 12:26:39 GMT ->     The regvalue "Version" in "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM" exists = true.
    21.06.2017, 12:26:39 GMT ->     Calling GetRegValue ().
    21.06.2017, 12:26:39 GMT ->     The registry value "Version" in "SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM" at "HKLM" was "14.0.2415.0200".
    21.06.2017, 12:26:39 GMT ->     Calling CompareFileVersions ()
    21.06.2017, 12:26:39 GMT ->     Comparing version string 14.0.2415.0200 to 14.0.2332.0100.
    21.06.2017, 12:26:39 GMT ->     CompareFileVersions returned 1
    21.06.2017, 12:26:39 GMT ->     1 == 0 evaluated to false.
    21.06.2017, 12:26:39 GMT ->     true && false evaluated to false.
    21.06.2017, 12:26:39 GMT ->     Calling RegValExists ()
    21.06.2017, 12:26:39 GMT ->     The regvalue "Version" in "HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM" exists = true.
    21.06.2017, 12:26:39 GMT ->     Calling GetRegValue ().
    21.06.2017, 12:26:39 GMT ->     The registry value "Version" in "SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM" at "HKLM" was "14.0.2415.0200".
    21.06.2017, 12:26:39 GMT ->     Calling CompareFileVersions ()
    21.06.2017, 12:26:39 GMT ->     Comparing version string 14.0.2415.0200 to 14.0.2332.0100.
    21.06.2017, 12:26:39 GMT ->     CompareFileVersions returned 1
    21.06.2017, 12:26:39 GMT ->     1 == 0 evaluated to false.
    21.06.2017, 12:26:39 GMT ->     true && false evaluated to false.
    21.06.2017, 12:26:39 GMT ->     false || false evaluated to false.
    21.06.2017, 12:26:39 GMT ->     bSelect was set to false.
    21.06.2017, 12:26:39 GMT -> PreCondition evaluated to false, update will not be retrieved.

     

    To me this looks like LiveUpdate is expecting version 14.0.2332.0100 (which is MP1) to deliver this content for MP2 which makes absolutely no sense to me. And exactly the same evaluation happens (and also fails) for "SEPM CIDS Signatures 14.0" which we would need for clients that are not on MP2 yet. We're not using a LiveUpdate Server so we're connecting to Symantec LiveUpdate directly.
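The precondition failure described in the post above can be detected automatically. The following is an added example, not part of the original post and not Symantec code: it scans LiveUpdate log text for updates that were offered but skipped because a PreCondition evaluated to false, and reports how the installed SEPM version relates to the version the precondition pins. The function names, the `SkippedUpdate` type and the numeric per-field version comparison are assumptions made for illustration.

```python
"""Find updates that LiveUpdate skipped because a PreCondition evaluated to false."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample. The first block is abridged from the log lines quoted in
# the post above; the second block (no "Available Update" line) is made up to
# mirror the poster's remark that "SEPM CIDS Signatures 14.0" fails the same way.
SAMPLE_LOG = """\
21.06.2017, 12:26:39 GMT -> Available Update for Product: SEPM CIDS Signatures 14.0 MP2, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs.  Current Sequence Number: 170613021, New Sequence Number 170620022, Update filename 1497995922jtun_ips_sep170613021-170620022.x03
21.06.2017, 12:26:39 GMT -> Evaluating the following PreCondition for Product: SEPM CIDS Signatures 14.0 MP2, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs
21.06.2017, 12:26:39 GMT ->     Comparing version string 14.0.2415.0200 to 14.0.2332.0100.
21.06.2017, 12:26:39 GMT ->     CompareFileVersions returned 1
21.06.2017, 12:26:39 GMT ->     Comparing version string 14.0.2415.0200 to 14.0.2332.0100.
21.06.2017, 12:26:39 GMT ->     CompareFileVersions returned 1
21.06.2017, 12:26:39 GMT -> PreCondition evaluated to false, update will not be retrieved.
21.06.2017, 12:26:40 GMT -> Evaluating the following PreCondition for Product: SEPM CIDS Signatures 14.0, Version: MicroDefsB.CurDefs, Language: SymAllLanguages, ItemSeqName: CurDefs
21.06.2017, 12:26:40 GMT ->     Comparing version string 14.0.2415.0200 to 14.0.2332.0100.
21.06.2017, 12:26:40 GMT -> PreCondition evaluated to false, update will not be retrieved.
"""

LINE_RE = re.compile(r"^\s*(\d{2}\.\d{2}\.\d{4}, \d{2}:\d{2}:\d{2}) GMT -> (.*)$")
AVAILABLE_RE = re.compile(
    r"Available Update for Product: (.+?), Version: .*?"
    r"Current Sequence Number: (\d+), New Sequence Number (\d+), Update filename (\S+)"
)
EVALUATING_RE = re.compile(r"Evaluating the following PreCondition for Product: (.+?), Version:")
COMPARING_RE = re.compile(r"Comparing version string ([\d.]+) to ([\d.]+)\.$")
SKIPPED_MARK = "PreCondition evaluated to false, update will not be retrieved"


@dataclass
class SkippedUpdate:
    timestamp: str
    product: str
    installed: Optional[str]    # version LiveUpdate read from the registry
    required: Optional[str]     # version the precondition compares against
    relation: str               # installed vs required: newer / equal / older / unknown
    current_seq: Optional[str]  # content sequence currently on the server
    new_seq: Optional[str]      # content sequence that was offered but not fetched


def compare_file_versions(a: str, b: str) -> int:
    """Return 1, 0 or -1. Assumed semantics (numeric, field by field), chosen to
    match the 'CompareFileVersions returned 1' line in the quoted log."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def describe(installed: Optional[str], required: Optional[str]) -> str:
    if installed is None or required is None:
        return "unknown"
    return {1: "newer", 0: "equal", -1: "older"}[compare_file_versions(installed, required)]


def find_skipped_updates(log_text: str) -> list[SkippedUpdate]:
    offered: dict[str, tuple[str, str]] = {}  # product -> (current_seq, new_seq)
    product = installed = required = None
    skipped: list[SkippedUpdate] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the untimestamped "bSelect = ..." expression line
        stamp, msg = m.group(1), m.group(2).strip()
        if (a := AVAILABLE_RE.search(msg)):
            offered[a.group(1)] = (a.group(2), a.group(3))
        elif (e := EVALUATING_RE.search(msg)):
            product, installed, required = e.group(1), None, None
        elif (c := COMPARING_RE.search(msg)) and product:
            installed, required = c.group(1), c.group(2)
        elif SKIPPED_MARK in msg and product:
            cur, new = offered.get(product, (None, None))
            skipped.append(SkippedUpdate(stamp, product, installed, required,
                                         describe(installed, required), cur, new))
            product = installed = required = None
    return skipped


if __name__ == "__main__":
    for s in find_skipped_updates(SAMPLE_LOG):
        print(f"{s.timestamp}  {s.product}: offered {s.new_seq}, skipped; "
              f"installed {s.installed} is {s.relation} than pinned {s.required}")
```

A result with relation "newer" means the server-side precondition still pins an older build, which is the situation the post describes and cannot be fixed from the SEPM side.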



  • 11.  RE: troubles with IPS updates

    Posted Jun 21, 2017 11:34 AM

    I am having the same issue and spent an hour on the phone with support with no luck. My IPS stopped updating a week ago on my SEPM.



  • 12.  RE: troubles with IPS updates

    Posted Jun 21, 2017 12:19 PM

    Same issue for me also. I updated our SEPM servers to MP2 last week and IPS updates started having issues the next day. I thought it was something to do with the MP2 update, even though it went smoothly with no issues. I have been changing content revision numbers, manually downloading IPS updates, etc. At least I now know that it is not just our SEPM servers with the issue.

     



  • 13.  RE: troubles with IPS updates

    Posted Jun 21, 2017 04:38 PM

    Same here, I upgraded SEPM servers to MP2 on 6/13 and am still having issues downloading IPS signatures. Every time LiveUpdate refreshes, I get the following notification.

    I rebuilt the management SEPM multiple times, tried different LiveUpdate versions, still the same. Manual downloads work.

    LiveUpdate content failed to update

    Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0 MP2.



  • 14.  RE: troubles with IPS updates

    Posted Jun 21, 2017 04:53 PM

    Is this occurring only on MP2? Has anyone opened a case and gotten feedback from Symantec as to what's going on?



  • 15.  RE: troubles with IPS updates

    Posted Jun 21, 2017 05:03 PM

    Same issue here.  I updated to MP2 on 6/9, and the last IPS update was on 6/13.  Our Live Update log looks identical to Neo's.  All other definitions/signatures are updating without issue. 



  • 16.  RE: troubles with IPS updates

    Posted Jun 22, 2017 04:13 AM

    We have the same problem since 6/13.

    I did a test install of a SEPM Server with MP1 and all is working well with MP1. After upgrading the test installation to MP2 the problems started immediately.

     

    -------

    Another interesting thing is that in SEPM, when I look at the LiveUpdate Downloads, I can see the following:

    sepm-ips.png

    We have a German SEPM Server installation, so it looks like a translation is missing... :)



  • 17.  RE: troubles with IPS updates

    Posted Jun 22, 2017 01:06 PM

    Has anyone had any feedback on this issue from Symantec?  I am seeing the same issue on my SEPM 14 MP2.  June 13, 2017 seems to be a common date.  By chance are you all running SEPM on Server 2008 or 2008 R2?  I was involved in a Live Update MP2 install issue on those Windows platforms.

    Thanks



  • 18.  RE: troubles with IPS updates

    Posted Jun 22, 2017 03:19 PM

    Same problem here after upgrading SEPM from 14.0 MP1 to MP2. Server is Server 2012 R2 and no issues were encountered during the upgrade of SEPM server.

    LiveUpdate.log has similar entries as Neo44

    Manual download of the JDB file containing IPS definitions on the SEPM server does not solve the problem because it seems you can only manually download the non-MP2 version of the IPS definitions (20170621-021-IPS_IU_SEP_14.jdb).

    If you run a manual LiveUpdate on the MP2 clients, the IPS definitions are updated to the latest version (sequence 170612021 = 21 June 2017 r21) while the server is stuck on version 13 June 2017 r21.



  • 19.  RE: troubles with IPS updates

    Posted Jun 22, 2017 03:25 PM

    @ETH0

    Exactly what I am seeing.  Manual download and install does not touch MP2 IPS definitions.



  • 20.  RE: troubles with IPS updates

    Posted Jun 22, 2017 03:37 PM

    Same here ETH0.  Any clients running MP1 or below will update when you drop in the latest IPS signatures via .JDB, but MP2 clients do not update unless done manually.  It looks like SEPM is looking for two different versions of the IPS signatures, one for 14 MP2, one for 14.  No other security definitions are defined this way, they're all simply 14.0.

     

    sepm_ips.png



  • 21.  RE: troubles with IPS updates

    Posted Jun 22, 2017 04:20 PM

    Same problem here. I've opened a case for this issue... I'll update you when Symantec replies.



  • 22.  RE: troubles with IPS updates

    Posted Jun 22, 2017 04:21 PM

    On our 3 SEPM servers that have been upgraded from 12.1 RU6 MP7 to 14 MP1, and then later to 14 MP2,  I am seeing the same IPS content as listed by darcon above. The IPS 14.0 updates fine, but the IPS 14.0 MP2 does not and has the 06/13/2017 r21 revision. 

    However, on a freshly installed SEPM 14 MP2 in the lab, the IPS 14.0 MP2 content is not even listed, just the 14.0.



  • 23.  RE: troubles with IPS updates

    Posted Jun 22, 2017 05:04 PM

    Looks like the fresh SEPM 14 MP2 may not list the IPS 14 MP2 content, but in the log of liveupdate, it is showing 'Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0 MP2.'  So it looks like it still wants to download it, whether the SEPM is a fresh install or has been upgraded.

    By the way, our SEPM servers are 2012 R2.



  • 24.  RE: troubles with IPS updates

    Posted Jun 22, 2017 05:21 PM
    My guess is that this is related to the staged release of the new IPS engine. If the signatures themselves are not updating, maybe someone in Symantec by mistake also delayed the IPS signatures for 14 MP2?

    Current CIDS 16.1.3 release schedule:

    2017/06/06 - Early Adopter Server (EAS) Release Refresh for SEP 14.0 or higher
    2017/06/14 - Staged release for SEP 14 MP1 (original 2332 build only, not the 2349 Refresh Build)
    To be determined - Full release for SEP 12.1 and 14.0 or higher

    https://support.symantec.com/en_US/article.TECH239793.html


  • 25.  RE: troubles with IPS updates

    Posted Jun 22, 2017 05:25 PM
    The date for the staged release of the new IPS engine for MP1 (June 14th) is very close to the day people started having problems: June 13.


  • 26.  RE: troubles with IPS updates

    Posted Jun 23, 2017 02:00 AM

    Thank you guys for your experiences and investigation.

    The day D is certainly 13/6.

     



  • 27.  RE: troubles with IPS updates
    Best Answer

    Broadcom Employee
    Posted Jun 23, 2017 04:54 PM

    Thanks for the reports everyone. This will be addressed in the next IPS definition update, which will go out a little later this evening.



  • 28.  RE: troubles with IPS updates

    Posted Jun 23, 2017 05:33 PM
    @David Was it related to the new CIDS engine?


  • 29.  RE: troubles with IPS updates

    Posted Jun 23, 2017 05:33 PM
    @David Was it related to the new CIDS engine?


  • 30.  RE: troubles with IPS updates

    Posted Jun 23, 2017 08:42 PM

    Live Update successfully downloaded the latest IPS definitions this evening.  All seems well on my end.  



  • 31.  RE: troubles with IPS updates

    Posted Jun 26, 2017 02:17 AM

    Thanks David, it looks OK now.



  • 32.  RE: troubles with IPS updates

    Posted Jun 26, 2017 02:19 AM

    Thanks David-Z, it looks OK now.



  • 33.  RE: troubles with IPS updates

    Posted Jun 26, 2017 03:30 AM

    Same here. Looks good now. The case we opened (Essential Support) started with the usual process (basically: checking if our installation is fine and trying out a few things...). But through some new findings and the general feedback in this thread I was pretty sure that they had to fix something in their LiveUpdate content. I was not able to convince Essential Support but had the chance to speak to a Technical Account Manager on Friday. He understood my findings and was able to confirm that this problem was already being investigated through another case (Premium Support). I guess that's where the solution came from. But it's a bit frustrating to see that Essential Support is basically wasting precious time and resources because they either won't or can't check back with Premium Support to see if a similar case is already open. At least that's the impression I got.

     

    @David-Z:

    Are you able to shed some light on the reason behind this new/additional IPS signature for MP2? As already mentioned in this thread, one is not able to update those manually with the .jdb-File from here:

     

    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=ips14



  • 34.  RE: troubles with IPS updates

    Posted Jun 26, 2017 04:11 AM

    Thanks David. Everything is OK now



  • 35.  RE: troubles with IPS updates

    Posted Jul 06, 2017 04:10 AM

    @David / Symantec,

     

    One of the sites I support does not have internet access and is running SEPM 14 MP2.  I am having the same issue with new IPS definitions not updating to the clients, as mentioned above by other posters.  I tried SymDiag on the server and clients, which returned no errors, and even a clean reinstall, but the IPS definitions still failed to update.  The Live Update Content revision is showing 2 items for IPS definitions (14 and 14 MP2) where the "14 MP2" is showing "none" in the revision selection.

    Has anyone successfully updated IPS definitions via jdb in 14 MP2?



  • 36.  RE: troubles with IPS updates

    Posted Jul 06, 2017 10:20 AM

    @Edwin123

     

    I've tested it again this week and there is no way to update the SEP14 MP2 IPS content via .jdb-File. It still only updates the SEP14 IPS content. So you would have to find a way to connect the SEPM in that site to the internet so it can use LiveUpdate. May I ask how you managed to update that site without internet access so far? Manually adding the content to the SEPM every day?



  • 37.  RE: troubles with IPS updates

    Posted Jul 06, 2017 09:47 PM

    @Neo44,

    Thanks for the information.  We update definition files to SEPM manually and now have to use the exe updater on the clients to update IPS since the issue after upgrade...hope Symantec will notice this issue still exists.



  • 38.  RE: troubles with IPS updates

    Posted Jul 07, 2017 05:20 AM

    @Edwin123

     

    I'm afraid nothing will happen since the issue has been fixed through LiveUpdate. Still leaves the question why this separate IPS content for SEP14 MP2 even exists and what admins can do if they have to update it manually like you. The fact that the available .jdb-File only works for the IPS content for SEP14 gets even stranger if you take a look at the LiveUpdate log of a SEPM and how those two IPS contents get updated now. Basically only one file is used to update both IPS contents which leaves the impression that they are the same. What you can see below is a part of our LiveUpdate log. Only one IPS file is downloaded and then used to update both IPS contents with the same files. "Lamborghini" is the codename for SEP14 and "Constance" is the codename for SEP14 MP2.

     

    30.06.2017, 00:05:21 GMT -> Progress Update: PATCH_DOWNLOADING_START: Number of patches: 2
    30.06.2017, 00:05:21 GMT -> GetUpdates: SEPM CIDS Signatures 14.0, MicroDefsB.CurDefs, SymAllLanguages ==> 1498778042jtun_ips_sep170628021-170629021.x03
    30.06.2017, 00:05:21 GMT -> GetUpdates: SEPM CIDS Signatures 14.0 MP2, MicroDefsB.CurDefs, SymAllLanguages ==> 1498778042jtun_ips_sep170628021-170629021.x03
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 2, Estimated total size: 2803344
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "1498778042jtun_ips_sep170628021-170629021.x03", Estimated Size: 1401672, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
    30.06.2017, 00:05:21 GMT -> HttpSendRequest (status 200): Request succeeded
    30.06.2017, 00:05:21 GMT -> Download complete: Original estimated file size: 1401672; Actual bytes downloaded: 1401672
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: URL: "1498778042jtun_ips_sep170628021-170629021.x03", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\1498778042jtun_ips_sep170628021-170629021.x03" HR: 0x0       
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "1498778042jtun_ips_sep170628021-170629021.x03", Estimated Size: 1401672, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
    30.06.2017, 00:05:21 GMT -> HttpSendRequest (status 304): Request succeeded - File up to date so download is not required
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_FILE_NOT_MODIFIED: URL: "http://liveupdate.symantecliveupdate.com/1498778042jtun_ips_sep170628021-170629021.x03", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\1498778042jtun_ips_sep170628021-170629021.x03"
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: URL: "1498778042jtun_ips_sep170628021-170629021.x03", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\1498778042jtun_ips_sep170628021-170629021.x03" HR: 0x0       
    30.06.2017, 00:05:21 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x0       , Num Successful: 2
    30.06.2017, 00:05:21 GMT -> ********* Finished Downloading Product Updates *********

    30.06.2017, 00:05:21 GMT -> Progress Update: PATCH_PROCESSING_START: Number of patches: 2
    30.06.2017, 00:05:21 GMT -> Querying Symantec Location1 key value.
    30.06.2017, 00:05:21 GMT -> Query liveupdatedir location.
    30.06.2017, 00:05:21 GMT -> Storing liveupdatedir into standard variable map with value: C:\Program Files (x86)\Symantec\LiveUpdate.
    30.06.2017, 00:05:21 GMT -> Progress Update: PATCH_START: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\1498778042jtun_ips_sep170628021-170629021.x03", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\spclCIDSdefHP.dis"
    30.06.2017, 00:05:21 GMT -> Progress Update: SECURITY_PACKAGE_TRUSTED: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\1498778042jtun_ips_sep170628021-170629021.x03"
    30.06.2017, 00:05:21 GMT -> Signer: cn=Symantec Corporation,ou=Locality - CulverCity - P03,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation
    30.06.2017, 00:05:21 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\1498778042jtun_ips_sep170628021-170629021.x03", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976"
    30.06.2017, 00:05:21 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\1498778042jtun_ips_sep170628021-170629021.x03", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976", HR: 0x0       
    30.06.2017, 00:05:21 GMT -> Added package to cache...
    30.06.2017, 00:05:21 GMT ->     DIS - UPDATE("C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976", "C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp") <BEGIN>
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\CATALOG.999 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\cur.scr at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\idsdata.995 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\idspep.994 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\Metadata.997 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\MetaData.998 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\Metadata3.996 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\NISIDSHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\scrx64ff.993 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\scrx64ie.992 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\scrx86ff.991 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\scrx86ie.990 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\sigs.989 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\spclCIDSdefHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\spcmCIDSdefHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\v.987 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\v.988 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\virscan1.986 at C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp.
    30.06.2017, 00:05:22 GMT ->     DIS - UPDATE(0x0) <END>
    30.06.2017, 00:05:22 GMT ->     DIS - DELETE("C:\ProgramData\Symantec\Definitions\SymcData\spcLamborghiniCIDSdef\tmp5c07.tmp\spclCIDSdefHP.dis") <BEGIN>
    30.06.2017, 00:05:22 GMT ->     DIS - DELETE(0x0) <END>
    30.06.2017, 00:05:22 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\1498778042jtun_ips_sep170628021-170629021.x03", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt976\spclCIDSdefHP.dis", HR: 0x0       
    30.06.2017, 00:05:22 GMT -> Progress Update: PATCH_START: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\1498778042jtun_ips_sep170628021-170629021.x03", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\spcmCIDSdefHP.dis"
    30.06.2017, 00:05:22 GMT -> Progress Update: SECURITY_PACKAGE_TRUSTED: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\1498778042jtun_ips_sep170628021-170629021.x03"
    30.06.2017, 00:05:22 GMT -> Signer: cn=Symantec Corporation,ou=Locality - CulverCity - P03,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation
    30.06.2017, 00:05:22 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\1498778042jtun_ips_sep170628021-170629021.x03", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979"
    30.06.2017, 00:05:22 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\1498778042jtun_ips_sep170628021-170629021.x03", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979", HR: 0x0       
    30.06.2017, 00:05:22 GMT -> Added package to cache...
    30.06.2017, 00:05:22 GMT ->     DIS - UPDATE("C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979", "C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp") <BEGIN>
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\CATALOG.999 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\cur.scr at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\idsdata.995 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\idspep.994 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\Metadata.997 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\MetaData.998 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\Metadata3.996 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\NISIDSHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\scrx64ff.993 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\scrx64ie.992 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\scrx86ff.991 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\scrx86ie.990 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\sigs.989 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\spclCIDSdefHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\spcmCIDSdefHP.dis at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\v.987 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\v.988 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->         Updating C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\virscan1.986 at C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp.
    30.06.2017, 00:05:22 GMT ->     DIS - UPDATE(0x0) <END>
    30.06.2017, 00:05:22 GMT ->     DIS - DELETE("C:\ProgramData\Symantec\Definitions\SymcData\spcConstanceCIDSdef\tmp603.tmp\spcmCIDSdefHP.dis") <BEGIN>
    30.06.2017, 00:05:22 GMT ->     DIS - DELETE(0x0) <END>
    30.06.2017, 00:05:22 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\1498778042jtun_ips_sep170628021-170629021.x03", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt979\spcmCIDSdefHP.dis", HR: 0x0       
    30.06.2017, 00:05:22 GMT -> LiveUpdate is about to execute a PostSession callback for product SEPM Content Catalog.
    30.06.2017, 00:05:23 GMT -> ProductRegCom/luProductReg(PID=5896/TID=21276): Deleting Property for Moniker = {C8C42A08-0AB4-F6D4-00BE-1539101AB358}, PropertyName = LASTPATCH.STATUS
    30.06.2017, 00:05:27 GMT -> ProductRegCom/luProductReg(PID=5896/TID=21276): Deleting Property for Moniker = {FD03AEA1-B630-43F8-828E-F10E80A68B99}, PropertyName = LASTPATCH.STATUS
    30.06.2017, 00:08:38 GMT -> ProductRegCom/luProductReg(PID=5896/TID=21276): Destroyed luProductReg object.
    30.06.2017, 00:08:38 GMT -> The callback proxy finished executing the callback with a result code of 0x0
    30.06.2017, 00:08:38 GMT -> The PostSession callback for product SEPM Content Catalog completed with a result of 0x0       
    30.06.2017, 00:08:38 GMT -> Successfully released callback {530DF3AD-6936-3214-A83B-27B63C7997C4}
    30.06.2017, 00:08:38 GMT -> ProductRegCom/luProductReg(PID=5896/TID=21276): Destroyed luProductReg object.
    30.06.2017, 00:08:38 GMT -> LiveUpdate has called the last callback for product SEPM Content Catalog, so LiveUpdate is informing the callback proxy that it can exit.
    30.06.2017, 00:08:38 GMT -> Progress Update: PATCH_PROCESSING_FINISH: Number of patches: 2, Num successful: 2
    30.06.2017, 00:08:38 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for SEPM CIDS Signatures 14.0 - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 170628021 to 170629021. Server name - liveupdate.symantecliveupdate.com, Update file - 1498778042jtun_ips_sep170628021-170629021.x03, Signer - cn=Symantec Corporation,ou=Locality - CulverCity - P03,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
    30.06.2017, 00:08:38 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for SEPM CIDS Signatures 14.0 MP2 - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 170628021 to 170629021. Server name - liveupdate.symantecliveupdate.com, Update file - 1498778042jtun_ips_sep170628021-170629021.x03, Signer - cn=Symantec Corporation,ou=Locality - CulverCity - P03,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
    30.06.2017, 00:08:38 GMT -> EVENT - SESSION END SUCCESSFUL EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 2 updates available, of which 2 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1800, Success
    30.06.2017, 00:08:38 GMT -> IE11 support. 
    30.06.2017, 00:08:38 GMT -> The callback proxy executable for product {FEFE68E7-0A93-1A98-2647-DB8261242A06} is exiting with no errors
    30.06.2017, 00:08:38 GMT -> ***********************           End of LU Session           ***********************
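
A triage check for the kind of LiveUpdate log shown above, as an added example that is not part of the original post and not Symantec tooling: it parses the log text and reports which expected content entries did not advance. The function names, the `EXPECTED` list and the abridged sample lines are assumptions of this example.

```python
import re

# Field layout taken from the log lines above. Only SUCCEEDED events appear on
# the page, so any other status word is treated as "not updated" (assumption).
UPDATE_RE = re.compile(
    r"EVENT - PRODUCT UPDATE (?P<status>\w+) EVENT - Update available for "
    r"(?P<product>.+?) - (?P<version>\S+) - (?P<lang>\S+)\. "
    r"Update for \S+ takes product from update (?P<old>\d+) to (?P<new>\d+)")
SESSION_RE = re.compile(
    r"LiveUpdate found (\d+) updates available, of which (\d+) were installed "
    r"and (\d+) failed to install")
PATCH_FAIL_RE = re.compile(
    r"Moniker = (\{[0-9A-Fa-f-]+\}), PropertyName = LASTPATCH\.STATUS, Value = FAIL")

# Sample input: lines abridged from the log above (text after the sequence
# numbers trimmed); not a complete session log.
SAMPLE_LOG = """\
30.06.2017, 00:08:38 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for SEPM CIDS Signatures 14.0 - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 170628021 to 170629021.
30.06.2017, 00:08:38 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for SEPM CIDS Signatures 14.0 MP2 - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 170628021 to 170629021.
30.06.2017, 00:08:38 GMT -> EVENT - SESSION END SUCCESSFUL EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 2 updates available, of which 2 were installed and 0 failed to install.
"""
# Content entries this check expects to see advance in one session (assumption).
EXPECTED = ["SEPM CIDS Signatures 14.0", "SEPM CIDS Signatures 14.0 MP2"]

def summarize(log_text):
    """Collect per-product update results, failed monikers and session totals."""
    out = {"updates": {}, "patch_fail": [], "session": None}
    for line in log_text.splitlines():
        if m := UPDATE_RE.search(line):
            out["updates"][m["product"]] = (m["status"], int(m["old"]), int(m["new"]))
        elif m := PATCH_FAIL_RE.search(line):
            out["patch_fail"].append(m[1])
        elif m := SESSION_RE.search(line):
            out["session"] = tuple(int(g) for g in m.groups())
    return out

def stale_entries(summary, expected):
    """Expected entries that are missing, not SUCCEEDED, or behind the newest one."""
    ups = summary["updates"]
    newest = max((ups[p][2] for p in expected if p in ups), default=0)
    return [p for p in expected
            if p not in ups or ups[p][0] != "SUCCEEDED" or ups[p][2] < newest]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("session totals:", result["session"])
    print("stale entries:", stale_entries(result, EXPECTED) or "none")
```

An entry that never appears in the session log is reported as stale, which is the case to watch for when only one of the two IPS content entries is being fed.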



  • 39.  RE: troubles with IPS updates

    Posted Jul 07, 2017 06:33 AM

    Hello,
    I have a similar issue... I uploaded a new IPS definitions .JDB file to SEPM 14MP2.
    None of my 14MP2 clients download it, while 12.1.6, 14MP0 and 14MP1 download it as usual...



  • 40.  RE: troubles with IPS updates

    Posted Jul 07, 2017 07:03 AM

    @Denis Basov

     

    It should work if your SEPM has internet access and can use LiveUpdate. Or is there a reason why you're using the .jdb-File?



  • 41.  RE: troubles with IPS updates

    Posted Jul 07, 2017 07:10 AM

    @Neo44
    Unfortunately yes. There is no internet access from my site. I update all defs using .jdb



  • 42.  RE: troubles with IPS updates

    Posted Jul 07, 2017 07:26 AM

    @Denis Basov @Edwin123

     

    I suggest both of you open a case with Symantec to ask how SEP14 MP2 IPS content can be updated manually. This would make sense since both of you have a scenario where the manual update is necessary. The initial problem in this thread was solved through the LiveUpdate channel. But it would be interesting to hear back from you if Symantec is able to provide a solution.



  • 43.  RE: troubles with IPS updates

    Posted Jul 07, 2017 07:36 AM

    @Neo44
    Thank you for the advice. Will do. As I am quite new here, can you please let me know how to open a case with Symantec without a phone call? I cannot find it...



  • 44.  RE: troubles with IPS updates

    Posted Jul 07, 2017 08:32 AM

    @Denis Basov

     

    That's usually done through here: https://mysymantec.force.com/customer/s/



  • 45.  RE: troubles with IPS updates

    Posted Jul 07, 2017 09:00 AM

    Mine was magically fixed after I got an update from support to use the DB validator tool. I ran this and the following day my IPS signatures started to update. Could be a coincidence, but I thought I should share.

    https://support.symantec.com/en_US/article.HOWTO39461.html

     



  • 46.  RE: troubles with IPS updates

    Posted Jul 07, 2017 09:35 AM

    @Rob95

     

    Thanks for sharing. Do you happen to know when it started to work again? Because this was fixed by Symantec on June 23rd through the LiveUpdate channel. Unfortunately all of that is of no help for users Edwin123 and Denis Basov who have to update their SEPM manually.



  • 47.  RE: troubles with IPS updates

    Posted Jul 10, 2017 11:27 PM

    @Rob95, Neo44,

    I ran the db validator and the check result is showing no issue.  Tried yesterday's and today's IPS definitions but clients are still not getting updated via jdb.  Also noticed an issue on the download page, where the release page is showing:

    Definitions Released: 7/11/2017
    Extended Version: 7/10/2017 rev. 11

    but the download page is showing the release date as 7/7/2017 and the files are also the previously released files.  Maybe Symantec didn't notice something went wrong with the IPS files.



  • 48.  RE: troubles with IPS updates

    Posted Jul 12, 2017 06:11 AM

    Now the IPS download page is showing the correct files, but the issue still exists with the latest definitions.

    Furthermore, I tried SEPM 14 MP2 with both SEP 14 MP2 and SEP 12.1.6 MP8 clients, and noticed the following:

    1) the jdb for virus definitions are successfully loaded into SEPM with separate liveupdate entries for 14 MP2 and 12.1.6 MP8;

    2) the virus definitions are successfully updated to the clients of their respective versions;

    3) the jdb for IPS are loaded into the liveupdate entry of 14 (the original, not the one with MP2), regardless of the SEP versions of the jdb file.

    4) new client package created using the "No definition included" option regardless of SEP 12 or SEP 14 are getting the same initial definition update, as there is only one entry in the liveupdate content of IPS.

    I tried 10-Jul-2017 r21 (SEP14) and 11-Jul-2017 r11 (SEP12), and clean client installations of both versions are getting the 11-Jul-2017 r11 for IPS definitions.  Running SymDiag on the SEP 14 client will not get a "definition corruption" result for IPS even when the definition is intended for SEP 12.

    This may not be an issue if running liveupdate via internet; however, it seems SEP 14 MP2 really has a critical bug in the IPS definition component.



  • 49.  RE: troubles with IPS updates

    Posted Jul 12, 2017 09:03 AM

    Hello,
    I've opened a case with Symantec and it is under investigation right now. I will keep you up to date regarding this.