Endpoint Protection

Hi,

First time post on Symantec forums and looking for a little help....

We have a number of systems behind a boundary firewall, this obviously stops our servers communicating anything outside of the internal network.

We recently built a internal SAV 10.2 server to manage  and allow 10.1.6 and 10.2 servers to receive virus defintion updates, which, works great on 32bit systems.

After reading about, I discovered that 64bit systems cannot recieve Virus Definitons Updates from the internal server. I've seen the workaround is that to create a client group that updates from Symantec LiveUpdate server. Again, I don't think this will work for our situation as the clients servers try to connect to liveupdate.symantecliveupdate.com.

Is there any solution to this? Can I create an internal live update server that will connect symantec and act like a bridge between the clients and external liveupdate?

Regards

yes, install liveupdate administrator on one of your servers
let this liveupdate server have internet access
let all other servers ; get update from this liveupdate server....only one access and all update.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101913262648

Managing 64 bit

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006010609164848

Rafeeq us correct Liveupdate Administrator looks to be only solution in this scenario.

Thank you for the responses. I've now run into another problem. The 64bit systems update from the internal server only when I initally move over the"Settings.Hosts.LiveUpdate" config file.

They dont autoupdate from the internal Liveupdate server...

I'm running symantec system center and LUA on the Liveupdate server.

Is there something obvious I'm missing? The LUA is downloading and distrubuting correctly but it just seems that systems behind the Boundary Firewall are not receiving the daily updates....

Any ideas appreciated!!

Symantec system center wil not update 64 bit machines;
make sure your LU settings for 64 bit machines are pointing to LU server check the group again and see what policy you  have applied

Hi Sjparker,

Can you provide a little more info--- it sounds like those 64-bit SAV 10.1 clients are being configured by dropping the exported Settings.Hosts.LiveUpdate file into their LiveUpdate folder, and initially work (update from the LUA 2.x Distribution Center).... why do they fail after that?  What appears on-screen?

The log.liveupdate file would probably reveal why the subsequent downloads are failing.  Could that file be attached to the forum thread?

Unrelated note: I strngly recommend that you upgrade to 10.1 MR9 (or to SEP).  SAV 10.1 MR6 was not designed to process AV definition files as large as the ones that are in use today.  SAv 10.1 will deal with these large sizes much more reliably, keeping the computer's defences raised.  Please view this as an important and necessary step- upgrade time spent now will be much shorter than isolating and removing an infection later. &: )

Thanks and best regards,

Mick

Thanks for the reply.

Nothing appears on the screen, there is no error. Just the fact that I check the symantec virus definitions date and it initally only works on that date the settings are dropped in. It does not receive definitions after that date, even though I believe my LUA server is set correctly as machines that are not behind the boundary firewall receive the latest definitons fine.

What is the location of log.liveupdate? Is it on the LUA server or client?

I've run a test on a 32Bit machine behind the firewall to see if the problem exists as well as 64Bit.

I believe that because of our internal corporate standards, SAV 10.1 MR6 is the latest release that we are supported to use. I'd have to chase this up though.

The log.liveupdate file is located on the client.  It will be in C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate -- a look at that will show for sure what is happening.

Thanks and best regards,

Mick

This is on a 2008 machine.... So this is 10.2 client.

That location doesnt exist but "C:\Users\Administrator\AppData\Local\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs" does.

Only... It's empty! :-(

Any other ideas?

Regards

Perform a search: if LiveUpdate is installed on that server, log.liveupdate is definitely present.  &: )

Mick

Mick, Log file is attached... LiveUpdate Server is called huritsav where referenced in the log.

Thanks :-)

it says unable to reach the server

ftp://update.symantec.com/opt/content/onramp/liveupdate_3.2.0.26_english_livetri.zip", Full Download Path: "(null)" HR: 0x802A0045
20/08/2010, 10:33:50 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER


can you check this document to make sure your firewall is not blocking it; can you open the ftp.symantec.com in a browser on that machine

to check firewall blocking

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2003090514252213

The client machine wont be able to access that location because it's behind the boundary firewall but it is allowed to talk to the internal symantec live update server(huritsav).

Is something not set up correctly on the server side to push definitons out from the server to the client, rather than the client to ftp.symantec.com?

Many thanks, SJ! 

I have had a look at that 64-bit Win2008 server's log.  Some notable entries:

>20/08/2010, 10:31:34 GMT -> LuComServer version: 3.2.0.26

That's a very old version of LiveUpdate.  It's the one that shipped with 10.2's very first release.  Windows 2008 support was introduced in 10.2 MR1 and 10.2 MR2 had a later version of LU (3.3.061) so you are definitely not running the latest release of 10.2. 

You can't go wrong by ensuring that you have the latest available 3.3.0.96 LU client installed.  (You can get it from http://www.symantec.com/techsupp/home_homeoffice/products/lu/lu/files.html, but may need to re-register SAV afterwards.... you're really best off upgrading to SAV 10.2 MR4.)

At the moment, this server is attempting to contact Internet LiveUpdate servers, and failing every time:

>20/08/2010, 10:32:20 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server liveupdate.symantecliveupdate.com at path  via a HTTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.
>20/08/2010, 10:33:05 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server liveupdate.symantec.com at path  via a HTTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.
>20/08/2010, 10:33:50 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server update.symantec.com at path /opt/content/onramp via a FTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.
>20/08/2010, 10:33:50 GMT -> EVENT - SESSION END FAILED EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 0 updates available, of which 0 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.

A few weeks ago they were happily connecting to your LUA 2.x server's default Distribution Center, clu-prod.  The final success:

>03/08/2010, 06:24:36 GMT -> EVENT - SERVER SELECTION SUCCESSFUL EVENT - LiveUpdate connected to server huritsav[**********] at path /clu-prod via a HTTP connection. The server connection connected with a return code of 200, Successfully download TRI file
>03/08/2010, 06:24:36 GMT -> EVENT - SESSION END SUCCESSFUL EVENT - The LiveUpdate session ran in Silent Mode. LiveUpdate found 1 updates available, of which 1 were installed and 0 failed to install.  The LiveUpdate session exited with a return code of 1800, Success

Something changed at that time- any idea what it may have been-? Was something updated on the server?  Was the server rebooted that day after something new was installed, maybe? 

For the moment: place the Settings.Hosts.LiveUpdate file (exported from huritsav's LUA 2.x GUI) into the Win2008 server's LiveUpdate folder.  Run "luall.exe" and it will go back to retrieving materials from huritsav.

Please let the forum know of your progress!

Thanks and best regards,

Mick

Hi Mick,

First and foremost, thank you very much for the time spent helping... I believe I'm pretty close to fixing it now.

I took your advice and upgraded our systems to 10.1.9 and to 10.2.4 for the Vista/2008 systems.

The silent installer script I had written now pulls across the Settings.Hosts.LiveUpdate and sticks in the Liveupdate folder after the client install has finished. I'm doing this for both 32bit and 64bit for all machines regardless if they are behind our Boundary Firewall or not.

This seems to be working, right now but I'm not sure if that when I'm changing anything in the Symantec System Center, that's what is causing clients to revert back to liveupdate.symantec.com?

Can you confirm what my settings should be in SSC?

Thanks again.

Hi SJ,

Glad to assist, and glad to hear it's going well.  The settings to choose in "Managing 64-bit clients with Symantec System Center" (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006010609164848) are accurate to the best of my memory.

Thanks and best regards,

Mick