Endpoint Protection

  • 1.  SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 01:27 PM

    I have deployed SEP 12.1 RU2 to three test clients.  On two clients (both Server 2008) the Proactive Threat Protection is up-to-date.

    But on one Win7 client the PTP definitions are stuck at November 30, 2012...

    All other definitions are current.   This client is managed by SEPM when on the internal network and can use LiveUpdate when working remotely.   I verified the client is able to communicate with SEPM. I have manually performed "Update Policy" numerous times.  Also took the client off the network and then used LiveUpdate.  Several reboots.  Still the PTP definitions are old.

    I have two SEPM servers.  I believe (but am not sure) that on the SEPM the item named "SONAR Heuristics engine 12.1 RU2" is the equivalent of PTP definitions on the client.   On both SEPM servers this shows revision 1/7/13 r11 which matches what two of the clients have for PTP definitions.   What troubleshooting can I do on the Win7 client to determine why it won't update?



  • 2.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 01:31 PM

    I assume you've already rebooted?

    Did you try a repair on the client?



  • 3.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 01:40 PM

    I believe we would need to have a look at the lue.log from this SEP client - you will find it in

    C:\Program Data\Symantec\Symantec Endpoint Protection\[version ID]\Data\Lue\Logs

    ...this may show some errors about the updates from internet liveupdate servers.



  • 4.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 03:10 PM

    Here are some lines from Log.Lue that seem to be related to the PTP definitions (note that due to the lack of naming consistency I make the assumption that "Behavior And Security Heuristics 12.1 RU2" in this log is the same thing as "SONAR Heuristics" a.k.a. "PTP definitions").

    Session started at: 2013/01/14 18:07:40.894    (UTC -05:00)

    Adding an update to potentially available list by catalogue parser: SEPC Behavior And Security Heuristics 12.1 RU2, MicroDefsB.CurDefs, SymAllLanguages,CurDefs,130107011.

    Update for moniker: {D6AEBC07-D833-485f-9723-6C908D37F806}, P: SEPC Behavior And Security Heuristics 12.1 RU2, V: MicroDefsB.CurDefs, L: SymAllLanguages, package: 1357692847jtun_bashsepc121130011-130107011.x01, SeqName: CurDefs, SeqNum: 130107011, has update status code: 100

     ***** Session Results *****
      Total Updates Available: 6
      Total Updates Succeeded: 6
      Total Updates Succeeded - Reboot Req: 0
      Total Updates Skipped: 0
      Total Updates Failed: 0
      Session result code: 0x00000000
    Session ended at: 2013/01/14 18:08:38.721    (UTC -05:00)

     

    On the Win7 client in C:\ProgramData\Symantec\Symantec Endpoint Protection\[version]\Data\Definitions\BASHDefs
    (I believe that BASH = Behavior And Security Heuristics which equals "SONAR Heuristics")
    there is a folder for 20121130.011 and for 20130107.011.  So it seems that definitions for the current version are on the workstation.

    The file definfo.dat shows
    [DefDates]
    CurDefs=20130107.011

    The file usage.dat shows
    [20121130.011]
    BASH=1

    Just to double-check I also reviewed the SEPM --> LiveUpdate Content Policy and all of the items are checked with 'use latest available'.

    I also noticed on the SEPM --> Clients that this Win7 client shows "Not available" in the field for Current SONAR Definitions.
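The comparison made by hand in the post above, scripted as an added example (not part of the original thread or of Symantec's tooling): it reads `definfo.dat`, `usage.dat` and a Log.Lue line and reports where the update stalled. It assumes the file layouts are exactly the fragments quoted, that a `usage.dat` section carrying a `BASH` entry names the revision in use, and that `SeqNum` is `yymmddrrr`; all function names are hypothetical.

```python
import configparser
import re

# Constructed inputs: the fragments quoted in the post above.
DEFINFO_DAT = "[DefDates]\nCurDefs=20130107.011\n"
USAGE_DAT = "[20121130.011]\nBASH=1\n"
LUE_LINE = ("Update for moniker: {D6AEBC07-D833-485f-9723-6C908D37F806}, "
            "P: SEPC Behavior And Security Heuristics 12.1 RU2, "
            "V: MicroDefsB.CurDefs, L: SymAllLanguages, "
            "package: 1357692847jtun_bashsepc121130011-130107011.x01, "
            "SeqName: CurDefs, SeqNum: 130107011, has update status code: 100")
PRODUCT = "Behavior And Security Heuristics"


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (CurDefs, BASH)
    cp.read_string(text)
    return cp


def staged_revision(definfo_text):
    """Revision that definfo.dat records as CurDefs, or None."""
    return _ini(definfo_text).get("DefDates", "CurDefs", fallback=None)


def revisions_in_use(usage_text, consumer="BASH"):
    """usage.dat sections with an entry for the consumer (assumed 'in use')."""
    cp = _ini(usage_text)
    return sorted(s for s in cp.sections() if cp.has_option(s, consumer))


def log_revisions(log_text, product=PRODUCT):
    """SeqNum values logged for the product, rewritten as yyyymmdd.rrr."""
    found = set()
    for line in log_text.splitlines():
        m = re.search(r"SeqNum:\s*(\d{6})(\d{3})\b", line)
        if m and product in line:
            found.add("20" + m.group(1) + "." + m.group(2))  # assumes 20xx
    return sorted(found)


def diagnose(definfo_text, usage_text, log_text):
    """Classify where a definition update stalled on one client."""
    staged = staged_revision(definfo_text)
    in_use = revisions_in_use(usage_text)
    logged = log_revisions(log_text)
    if staged is None or (logged and logged[-1] > staged):
        return "not-staged"             # LiveUpdate logged it, CurDefs is behind
    if not in_use or in_use[-1] < staged:
        return "staged-but-not-in-use"  # the state described in the post
    return "consistent"
```

On the quoted fragments `diagnose` reports the download and staging as complete while the in-use revision is still the November one, which points at the apply step on the client rather than at LiveUpdate or SEPM.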



  • 5.  RE: SEP 12.1 - PTP definitions won't update for one client
    Best Answer

    Posted Jan 15, 2013 03:22 PM

    You can try removing PTP from Add/Remove Programs, reboot and put it back; sometimes this works :)



  • 6.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 04:15 PM

    This is resolved.  In Control Panel --> Programs and Features I did a Repair on the SEP client and after that was finished the client GUI shows the latest PTP definitions.  Also in SEPM the client properties show the current version of SONAR definitions.

    Thanks to everyone on the forum for your help.



  • 7.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 04:16 PM

    SEPC Behavior And Security Heuristics are indeed PTP/SONAR, or the most accurate name would be BASH Definitions - but it is the same.

    So according to the log they are being downloaded, and as we see the update package is from the old version to the new one:

    1357692847jtun_bashsepc121130011-130107011.x01

    Apparently the client has issues applying that package afterwards.

    - Can you check the Event Viewer -> Application Section if you find any errors related to Sonar or Bash?

    - Please have a look at the KB: http://www.symantec.com/docs/TECH178125 and try reverting to an older version of the defs

    - SEP client repair from Control Panel



  • 8.  RE: SEP 12.1 - PTP definitions won't update for one client

    Posted Jan 15, 2013 04:18 PM

    So a repair fixed it, not a removal?