Endpoint Protection


Outdated Virus Definitions

  • 1.  Outdated Virus Definitions

    Posted Oct 17, 2012 11:37 AM

    Trying to troubleshoot an issue I am having with the client virus definitions not updating. SEP is running on a Windows 2008 Standard Server. The Windows Firewall is disabled and I can telnet into port 8014, but when I run the secars test (http://<SEPM_Server_IP_or_Machine_Name:Port>/secars?hello,secars) I get this error:

    You don't have permission to access /secars on this server

    The clients do appear to be communicating and it appears the management console is pulling updates.

    What would be the next step in trying to find the issue?



  • 2.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 11:42 AM

    Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH166923

    In this case, check if the clients are connecting to the SEPM properly, check these Articles:

    Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

    http://www.symantec.com/docs/TECH160964

    Troubleshooting communication problems between the management server and the client

    http://www.symantec.com/docs/HOWTO55017

    Then, Troubleshoot the Liveupdate Issue, check this Article:

    Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

    http://www.symantec.com/docs/TECH95790



  • 3.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 11:46 AM

    What version of SEP? 11.x or 12.1?

    Do the clients have the green dot on the icon in the system tray?

    Can the clients ping the server and vice versa?

    See this:

    Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

    https://www.symantec.com/business/support/index?page=content&id=TECH105894

     



  • 4.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 12:21 PM

    Please post sylink logs for one of the clients.



  • 5.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 01:11 PM

    Connection tests check out fine. I can ping both ways, can telnet to the server on port 8014, viewed the apache logs and saw the connections, and even redid the secars test and got the OK.

    We are using 12.1

    How do you generate a sylink log? I followed the instructions for changing the registry, but so far no report. Not sure if it will take some time or not.

    Thanks for the replies!

     



  • 6.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 01:17 PM

    It depends on what your heartbeat is set to.

    You can force a check-in by right-clicking the SEP icon and selecting "Update Policy".



  • 7.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 02:00 PM

    Sylink file attached. Thanks for the help.

    Attachment: sylink1.zip (25 KB)


  • 8.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 02:15 PM

    Check the System log on your client.

    Open the GUI >> View Logs >> Client Management >> View Logs >> System Log

    Are there errors in here about content updates failing?

    How many clients is this happening on?



  • 9.  RE: Outdated Virus Definitions

    Broadcom Employee
    Posted Oct 17, 2012 02:28 PM

    Client is downloading full definitions, around 208 MB.



  • 10.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 02:31 PM

    There is. Doesn't say much, just: Downloaded new content update from Group Update Provider Failed.

    There is also a remote file path listed that is not accessible.



  • 11.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 02:33 PM

    Check your LiveUpdate policy to ensure it's still correct. Make sure the GUP is valid and online. You're using a GUP, right?



  • 12.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 02:48 PM

    That is my understanding, but I am new to this product. Just took over about 2 months ago and I am not too familiar with the interface. I have been looking through SEP Manager to try and understand all of the settings.



  • 13.  RE: Outdated Virus Definitions
    Best Answer

    Posted Oct 17, 2012 02:51 PM

    To check your LU policy in SEPM go to,

    Policies page

    Select LiveUpdate

    On the right side, select the applicable LU policy for whichever group these clients belong in.

    Open it up and select Server Settings

    On this tab, right in the middle is the Group Update Provider button, select it.

    Your GUP settings are in here. Make sure it is still a valid GUP. You can also set the option to bypass the GUP after "x" amount of time and get updates directly from the SEPM.

    You definitely need to validate these settings to make sure they are still relevant.



  • 14.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 03:17 PM

    Okay, we are not using a GUP. Our current LiveUpdate server settings are:

    Use the default management server

    Use a LiveUpdate Server > Use the default Symantec LiveUpdate server

    To answer your previous question this is happening on about 34 clients and the rest are either up to date or offline. This is also happening on a second server at a different location with about 17 users.



  • 15.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 03:22 PM

    As a test, would it be possible to move one of the out of date clients to a group that has the up to date clients in it?

    I suspected corrupt definitions but 34 seems a bit high to me.

    What happens if you try to update via LiveUpdate?



  • 16.  RE: Outdated Virus Definitions



  • 17.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 03:51 PM

    Technically they are all out of date, just some not past the out of date threshold. Which doesn't make much sense to me. They are all also part of the same group.

    Running LiveUpdate from the client works just fine.

    Currently the Windows Firewall is off, but I did put the rule in place just to make sure. Also tried restarting the services with no luck.



  • 18.  RE: Outdated Virus Definitions

    Posted Oct 17, 2012 07:43 PM

    Which service did you restart?



  • 19.  RE: Outdated Virus Definitions

    Posted Oct 22, 2012 09:51 AM

    Adding the GUP settings seems to have fixed the issue. Currently Houston is getting updates and now I will apply the same settings to Austin. Thanks for all the help!



  • 20.  RE: Outdated Virus Definitions

    Posted Oct 25, 2012 01:10 PM

    So Austin is still not working. I have mirrored the settings between the two locations. I did ask someone to manually update (right click > Update Policy) and see what happens. They are still out of date. When I try to do a Secars test I get a 403 error, page cannot be displayed. Running the SEP Support tool produces no errors.
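
Added example (not part of the thread and not Symantec tooling): a Python sketch that repeats the two checks used in the posts above, the TCP test to port 8014 and the secars hello request, against several management servers so that a site returning the OK can be compared with one returning 403. The host names are placeholders, and the verdicts assume only what the thread reports: an "OK" reply when the test passes and a 403 when it is refused.

```python
import socket
import sys
import urllib.error
import urllib.request

def classify(status, body):
    """Map the secars hello response to a verdict, using only what the thread reports."""
    if status == 200 and body.strip().startswith("OK"):
        return "ok"          # "redid the secars test and got the OK"
    if status == 403:
        return "forbidden"   # "You don't have permission to access /secars"
    return "unexpected"      # anything else: compare with the server's Apache logs

def secars_check(host, port=8014, timeout=5.0):
    """Repeat the thread's telnet test and secars test against one SEPM."""
    result = {"host": host, "verdict": "unreachable", "status": None, "detail": ""}
    # Step 1: plain TCP connect, the scripted form of "telnet host 8014".
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        result["detail"] = str(exc)
        return result
    # Step 2: the hello request. Proxies are bypassed so the answer comes from
    # the management server itself and not from an intermediate proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"http://{host}:{port}/secars?hello,secars"
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(512).decode("latin-1")
    except urllib.error.HTTPError as exc:   # 4xx/5xx still carry a status and body
        status, body = exc.code, exc.read(512).decode("latin-1")
    except OSError as exc:                  # URLError and socket errors
        result.update(verdict="http_error", detail=str(exc))
        return result
    result.update(verdict=classify(status, body), status=status,
                  detail=body.strip()[:80])
    return result

if __name__ == "__main__":
    # Hypothetical host names; pass the real SEPM addresses on the command line.
    hosts = sys.argv[1:] or ["sepm-site-a.example", "sepm-site-b.example"]
    for h in hosts:
        r = secars_check(h)
        print(f"{r['host']}: {r['verdict']} (HTTP {r['status']}) {r['detail']}")
```

Running it from an affected client and from the server itself shows whether the 403 depends on where the request comes from.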



  • 21.  RE: Outdated Virus Definitions

    Posted Nov 19, 2012 10:26 PM

    Woot woot..!

    Thanks for the share, rBieBer.