Endpoint Protection


Clients not receiving latest definitions


  • 1.  Clients not receiving latest definitions

    Posted Sep 13, 2010 08:52 AM

    It appears that nearly 200 of my clients haven't received definition updates since June.  They are communicating with the SEP server and other computers in the same group/subnet are receiving definitions just fine.



  • 2.  RE: Clients not receiving latest definitions



  • 3.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 09:22 AM

    Repair one client from add/remove programs and see.........



  • 4.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 09:31 AM

    Check the following article and try this on one of the computers


    Title: 'How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually.'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007123111551948?Open&seg=ent
     



  • 5.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 09:38 AM

    Check the logs on the non-updated clients and compare them to the ones that are frequently updated. Check how often they connect; you may also want to check the Reports or Monitors > Logs page to get the list of PCs that haven't checked in for a certain number of days.

    Adjust the check-in frequency, scheduling and randomization.



  • 6.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 09:44 AM

    I don't see an option that will show a list of PCs that haven't checked in under my Monitors > Logs section.



  • 7.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 09:52 AM

    Monitors > Logs > Computer Status. This log will give you all information, including last check-in time. Check whether the problematic clients are appearing in this list and, if present, what is the last check-in time?



  • 8.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:00 AM

    What you need to do is to look at the policy settings for the computers that are not updating. Are there any other computers, in the same group, that are updating?

    Are the clients that are not updating REALLY communicating with SEPM? That is, if you make a policy change, does it get reflected on the client?

    If it does not, then the clients are not communicating, and we would need to look at that.



  • 9.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:01 AM

    I did the repair option and the definitions did not update.

     



  • 10.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:04 AM

    Try restarting the Symantec services on the client machine; check if that updates with the latest definitions.



  • 11.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:04 AM

    The computer said its last check was today at 9:59AM.  However, its definitions still date back to July.



  • 12.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:05 AM

    Yes, the clients that are not updating show they are communicating with SEPM according to the Computer Status logs.  Other computers in the same group are updating fine. 



  • 13.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:07 AM

    Aren't the services stopped and restarted when doing the repair option from the control panel?



  • 14.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:08 AM

    Try restarting the Symantec services on the client machine; check if that updates with the latest definitions.



  • 15.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 10:27 AM

    Are the clients that are not updating REALLY communicating with SEPM? That is, if you make a policy change, does it get reflected on the client?

    If it does not, then the clients are not communicating, and we would need to look at that.



  • 16.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 11:46 AM


    Restarting the services on the client did not work.

     


     



  • 17.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 11:47 AM

    How can I make a policy change that will only affect those computers?  I do not want to start enforcing policy changes on every computer throughout my company.

     



  • 18.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 11:52 AM

    He meant to put one computer in a test group.

    For that, change one small policy, like enabling the LiveUpdate button and things like that.

    Check if that's getting reflected on the client machine.



  • 19.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 11:53 AM

    You could move one of the computers into a test group, and then make a change to a non-shared policy, and then see if it gets reflected on the clients?

    Or just move one of the clients to a different group.

    Then on the actual client, go to Help and Support > Troubleshooting, and check if the group name is updated or not?



  • 20.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 11:53 AM

    He meant to put one computer in a test group.

    For that, change one small policy, like enabling the LiveUpdate button and things like that.

    Check if that's getting reflected on the client machine.



  • 21.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:26 PM

    I have created a test group and put that computer in the group.  Can you tell me how to enable the live update button?

     

    Thanks



  • 22.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:28 PM

    No need to enable that. Just go to the client, SEP, Help and Support, and click Troubleshooting.

    Then see the group name. Does it show the new group or not?



  • 23.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:39 PM

    Yes, the new group is displayed.



  • 24.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:46 PM

    I tried this but I get access denied when trying to delete the subfolder under the virus defs folder.  I even disabled tamper protection.



  • 25.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:50 PM

    OK. That means the clients are communicating with SEPM.

    What is the policy set for LiveUpdate (the original policy, for all clients, before you moved it to the test group) for these clients to update from? Is it only SEPM, or the internet LiveUpdate server?



  • 26.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 12:53 PM

    The policy for all clients is set to update from SEPM.



  • 27.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 01:55 PM

    Hi all,

    This thread has officially been included in the Security Solutions Contest!  Be "King for a week" by solving this or any other thread included in the contest and you can win the weekly prize.  See here for additional info!  Good luck!

    https://www-secure.symantec.com/connect/blogs/security-solutions-contest-be-king-week

    Best,

    Eric



  • 28.  RE: Clients not receiving latest definitions
    Best Answer

    Posted Sep 13, 2010 02:02 PM

    Do you have any GUP set up for these clients/subnet ?

    If not then try setting up a GUP for this Subnet. Disable and it should then work once it's up and running again.



  • 29.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 02:53 PM

    I do have a GUP setup, but it is for a different subnet on my network and is within a different group in SEPM.

    I don't think setting up a GUP for this subnet is the answer since my endpoint server is already in this subnet though.  Other computers within the same subnet/group are receiving updates just fine.



  • 30.  RE: Clients not receiving latest definitions



  • 31.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 07:49 PM

    If you also did what was written below by AravindKM and export that to a text/csv file, you will see all the information pertaining to the selection.
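
The distinction the thread keeps returning to (clients that check in but keep old definitions, versus clients that are not checking in at all) can be pulled out of an exported Computer Status list in one pass. This is an added example, not part of the original posts or of Symantec's tooling; the column names, thresholds and sample rows are constructed assumptions, not the real SEPM export layout.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. The column names are assumptions for illustration,
# not the actual header of a SEPM Computer Status export.
SAMPLE_EXPORT = """Computer Name,Last Check-in,Definition Date,Revision
STORE01-PC1,2010-09-13 09:59,2010-07-26,041
STORE01-PC2,2010-09-13 09:57,2010-09-13,048
STORE02-PC1,2010-08-01 14:10,2010-07-26,041
STORE03-PC1,2010-09-13 08:30,2010-09-12,005
"""


def triage(csv_text, now,
           max_checkin_age=timedelta(days=1),
           max_def_age=timedelta(days=7)):
    """Sort clients into three buckets.

    offline      - no recent check-in: a communication problem
    stale_online - recent check-in but old definitions: a content-delivery
                   problem (the situation described in this thread)
    current      - recent check-in and recent definitions
    """
    buckets = {"current": [], "stale_online": [], "offline": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        checkin = datetime.strptime(row["Last Check-in"], "%Y-%m-%d %H:%M")
        defs = datetime.strptime(row["Definition Date"], "%Y-%m-%d")
        if now - checkin > max_checkin_age:
            buckets["offline"].append(row["Computer Name"])
        elif now - defs > max_def_age:
            buckets["stale_online"].append(row["Computer Name"])
        else:
            buckets["current"].append(row["Computer Name"])
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, now=datetime(2010, 9, 13, 10, 0))
    for name, hosts in result.items():
        print(f"{name}: {', '.join(hosts) or '-'}")
```

Hosts in `stale_online` are the ones worth comparing by group, subnet and update source, since their heartbeat works and only definition delivery is failing.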



  • 32.  RE: Clients not receiving latest definitions

    Posted Sep 13, 2010 07:55 PM

    Just to recap, clients are communicating with the server. Their policies are definitely being updated. But the virus definitions aren't.

    Could you try manually updating one of the clients - just to keep it up to speed. Then back in troubleshooting, update the policy.



  • 33.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 12:27 AM

    What is the version of your SEP? If it is RU5 or below, upgrade to RU6a. There was a bug. Remember to upgrade both server and clients to get all bugs fixed.

    Migrating to Symantec Endpoint Protection 11.0 RU6 



  • 34.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 01:00 AM

    Please paste the sylink logs from the client that is not updating

    https://www-secure.symantec.com/connect/downloads/sylink-toggle



  • 35.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 08:41 AM

    From the client I have tried to manually update and it did not work.



  • 36.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 09:18 AM

    Then I think some defs got corrupted. Clear them. Refer to this KB:

     

     

    How to clear out corrupted definitions for a Symantec Endpoint Protection Client



  • 37.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 10:31 AM

    Attached is a .doc with the sylink log.

    Attachment(s)

    docx
    sylink.docx   31 KB 1 version


  • 38.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 10:33 AM

    I have SEP 11.0.4202.75



  • 39.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 10:45 AM

    Did you try clearing the virus defs as per that KB?



  • 40.  RE: Clients not receiving latest definitions



  • 41.  RE: Clients not receiving latest definitions

    Posted Sep 14, 2010 11:14 AM

    I have exactly this same issue. The problem for me is compounded by the fact I have so many not getting virus defs, and due to the fact these clients are scattered all across the country. The number of clients I work with is also large, so manually deleting virus definitions is out of the question.

    Right now my Home page shows the following:

    2010-09-13 rev. 048 2800

    2010-09-13 rev. 024 1722

    2010-09-13 rev. 004 295

    2010-09-12 rev. 005 151

    all others 4623

    Now before you say "Well, the rest are maybe a day or two out", let me assure you this is not the case. Looking through the list, I see 175 clients on 09/02/2010 rev. 50.  If I go farther back, I have 37 clients on 07/26/2010 rev. 41. And then I have still 28 clients on 04/15/2009 rev. 33.

    As the person above has done, I do know these clients are checking in. They are in groups where other clients are updating. Many are in the same store where other clients are properly updating, but maybe one client in the store doesn't update. The policies within a store of course are exactly the same, same GUP, etc.

    This has been an ongoing issue for us, I just haven't had the time to research it until today.



  • 42.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 12:00 AM

     

    09/14 10:17:44 [5212] Physical: Local Area Connection::00-24-81-4a-3b-6f::broadcomnetlink (tm) gigabit ethernet

    09/14 10:17:44 [5212] MAC=00-21-6b-c8-cd-1a#00-24-81-4a-3b-6f# Wireless=

    09/14 10:17:44 [5212] Hardwire String=00-21-6b-c8-cd-1a#00-24-81-4a-3b-6f#

    09/14 10:17:44 [5212] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87

    09/14 10:17:44 [5212] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87

     

    It's throwing a proxy error in the logs.

    Just export the Sylink file from the server, replace it on any one of the clients, and see.
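
The session failures in the log excerpt above can be found across many collected client logs with a small parser. This is an added example, not part of the original post or of Symantec's tooling; it assumes every Sylink debug line follows the `MM/DD HH:MM:SS [thread] message` shape of the excerpt, and the benign sample line is constructed.

```python
import re
from collections import Counter

# The two failure lines are the ones quoted in the post above;
# the first line is constructed for contrast.
SAMPLE_LOG = """\
09/14 10:17:43 [5212] constructed benign line for contrast
09/14 10:17:44 [5212] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87
09/14 10:17:44 [5212] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87
"""

# Assumed line layout: timestamp, thread id in brackets, free-text message.
LINE_RE = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
FAIL_RE = re.compile(
    r"Unable to create Session with '([^']+)' settings.*?Error Code: (\d+)")


def session_failures(log_text):
    """Return one record per 'Unable to create Session' line."""
    out = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip blank lines and anything not in the assumed layout
        fail = FAIL_RE.search(line.group(3))
        if fail:
            out.append({"time": line.group(1), "thread": int(line.group(2)),
                        "mode": fail.group(1), "code": int(fail.group(2))})
    return out


def all_modes_failed(failures, modes=("User Proxy", "No Proxies")):
    """True when every connection mode seen in the excerpt failed,
    meaning the client found no working path to the server."""
    seen = {f["mode"] for f in failures}
    return all(m in seen for m in modes)


def summarize(failures):
    """Count failures per (connection mode, error code) pair."""
    return Counter((f["mode"], f["code"]) for f in failures)


if __name__ == "__main__":
    found = session_failures(SAMPLE_LOG)
    print(summarize(found), "all modes failed:", all_modes_failed(found))
```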



  • 43.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 01:20 AM

    I suggested removing the defs just for testing. You can try this on one or two PCs. This will narrow down the problem. The reason I suggested it is one of your earlier comments: "From the client i have tried to manually update and it did not work." What I understand from this is that even if you try to update the client using Intelligent Updater, it is not getting updates. Is that a wrong reading, or am I right? The manual update usually fails if the installation or the definitions are corrupt. In your case you already tried repairing the client and it succeeded, so installation corruption is less likely. The only thing left is defs corruption. Can you try to remove the defs on one or two PCs and try to update manually?



  • 44.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:22 AM

    I tried removing the defs earlier; when I go to remove them I get an access denied error when I try to delete the subfolders inside the Virus Defs folder.  I was logged in as an administrator when trying this as well.



  • 45.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:24 AM

    My problem is not with the client that SEPM is installed on. 



  • 46.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:26 AM

    I will try clearing the defs on another computer that is not updating.  However, I cannot afford to do this on over 200 clients that are spread across the state.



  • 47.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:40 AM

    Yesterday, I disabled my GUP. I am not sure if this fixed my issue, but my home page in SEPM is now reporting the following:

    298 Computers are now on 2010-09-14 rev. 052

    30 Computers are now on 2010-09-14 rev. 016

    3 Computers are now on 2010-09-13 rev. 048

    1 Computer is now on 2010-09-10 rev. 003

    5 computers have different defs. 

     

    This is good news, I just hope I don't get nearly 200 computers out of date again.  I will now work on upgrading from SEPM 11.4 to 11.6.



  • 48.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:54 AM

    It is really good news. Was your GUP PC running a client OS like Win XP? If that is the case, it may not have been able to handle this many connections. Anyway, upgrading to RU6 is a good idea. A lot of new fixes are present.



  • 49.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 08:57 AM

    You have to stop all Symantec services first for doing this....



  • 50.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 10:21 AM

    My GUP is a server 2003 box, and its only function is to be a GUP. 



  • 51.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 10:22 AM

    Where can I get my serial number so that I can download RU6 and the latest client install package?



  • 52.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 10:28 AM


  • 53.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 11:20 AM

    The serial number is normally on the paperwork (PDF file) that you get when you purchase Symantec Endpoint Protection. If you cannot locate that, then the best option would be to call Customer Care and ask them for the serial number.



  • 54.  RE: Clients not receiving latest definitions

    Posted Sep 15, 2010 11:33 AM

    Let's ensure we focus on the original poster's question / issue, and resolve that before moving onto other's questions.  Since this thread is included in the Security Solutions Contest, let's try and solve the original question first.  Thanks for understanding!

     

    Eric



  • 55.  RE: Clients not receiving latest definitions

    Posted Sep 17, 2010 02:11 AM

    I just had this same issue on one of my laptops, where it wouldn't go past a certain date of about 2 weeks ago. So I logged a job and they gave me access to download the program called rx4defs, which wipes out all the defs and then just makes it work again. Not sure exactly what happens but it works ;)



  • 56.  RE: Clients not receiving latest definitions

    Posted Sep 17, 2010 11:47 AM

    The reason I posted my issue is because it is exactly the same as the issue JGlass is having.

    Now, this issue has been going on for weeks, if not months. With no change to anything at all, suddenly last night all the updates went out. I have no idea why this happens. This is the second time in a year or so that this bulk fix has occurred.



  • 57.  RE: Clients not receiving latest definitions

    Posted Sep 19, 2010 04:19 AM

    I would request you to Open a new discussion and give reference of this Discussion on your discussion