Endpoint Protection


SEP Client LiveUpdate (when not connected to manager)

Chetan Savade, May 30, 2013 11:39 AM

  • 1.  SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 04:37 AM

    Hi All

    Our organisation has recently introduced a new VPN solution which performs a compliance check before allowing you onto the company network. One of the things it checks is that your Symantec Endpoint definitions are up to date (within 5 definition revisions).

    The problem we run into quite often is that when a user goes on holiday for a week or two then tries to get online, they fail this check - which is correct. However we really struggle to get SEP to update via liveupdate. The user can get online OK (so proxy settings are correct) however when you run liveupdate from the client it very often says there are no updates applicable. Any ideas why this happens? Clearly there are updates available as the definitions are a week out of date. Also where has the liveupdate control panel icon gone? Since SEP 12.x I can no longer find liveupdate settings to manage. Do you need to find this manually?

    Any advice regarding liveupdate when directly connected to the internet will be greatly appreciated as it's really frustrating.

    Thanks



  • 2.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 04:47 AM

    How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console

     

    Article:TECH104571  |  Created: 2008-01-02  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH104571

     



  • 3.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 04:48 AM

    hi,

    Internal or External LiveUpdate Server
    • Use the default management server (recommended)

      Downloads the updates from the Symantec Endpoint Protection Manager, and this setting is recommended for most organizations. This option is the simplest and requires no configuration other than applying this policy to a group.

       

    • Use an alternate LiveUpdate server

      Downloads the updates from either the Default Symantec LiveUpdate server over the Internet, or from an internal LiveUpdate Server. You can use and specify multiple internal LiveUpdate servers for failover support.
       

    If both options are enabled, clients try to retrieve updates from both sources. Typically, do not enable both options unless you have a specific reason. If the management server provides named update versions to clients, and the clients have previously downloaded the latest updates from a LiveUpdate server, the clients do not download and install the named (previous) versions.

     

    Symantec Endpoint Protection Manager - LiveUpdate - Policies explained

     

    Article:TECH104435  |  Created: 2008-01-20  |  Updated: 2010-11-30  |  Article URL http://www.symantec.com/docs/TECH104435

     

    Check this thread:

    https://www-secure.symantec.com/connect/forums/update-issue-1#comment-8791511



  • 4.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 04:52 AM

    SEP12.1 runs a cut down version called the LiveUpdate Engine, and is no longer a separate piece of software bundled with SEP, but is now a wholly SEP managed component.

    As such, the options for the LUE are now managed from within the SEP LU Policy, where you can control proxy settings and the like.

    By default, the SEP12.1 LU policy tells the LUE to use "...my Windows Internet Options proxy settings (default)", which means it's going through the user's proxy.

    If your VPN software allows split tunneling, you might want to consider setting this to "I do not want to use a proxy server..." so that it goes direct? If not, then you may wish to check out your proxy server to see if it is caching content and disable the caching to see if this helps the clients update.



  • 5.  RE: SEP Client LiveUpdate (when not connected to manager)

    Broadcom Employee
    Posted May 30, 2013 06:21 AM

    Hello,

    SEP 12.1 LiveUpdate is faster than SEP 11.x, as it uses the latest LiveUpdate engine.

    The LiveUpdate software is bundled with the SEP client, and because of that luall.exe won't work on the SEP client. But luall.exe is supported on the SEPM machine.

    Q. The user can get online OK (so proxy settings are correct) however when you run liveupdate from the client it very often says there are no updates applicable. Any ideas why this happens?

    --> When does this problem occur? When the user is in the network or when the user is out of the network?



  • 6.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:28 AM

    LU Policy.pdf

    Hi,

    Did you add this in your policy?

     



  • 7.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:41 AM

    Hi - thanks for the reply

    When connected to the manager it works normally and updates work fine, this problem only happens to users when they are not on the company network and directly connected to the internet. Our SEPM has been configured using location awareness so that when they're not on the corporate LAN they are in a profile called "external" and this liveupdate policy is configured to use the liveupdate server. See attached.




  • 8.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:42 AM

    hi - please see above - yes we do for this particular location.



  • 9.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:51 AM

    Thanks for the reply.

    Our VPN client does support split tunnelling however the user cannot connect to the VPN at all because his machine is failing the compliance check.  Therefore he is only left with his direct internet connection (without proxy server setting ticked).

    OK I understand that liveupdate is no longer configurable on the client now but instead pulls all settings from the manager. However our settings look fine. I've checked the "configure proxy settings" button on the SEPM and they're configured to use the client's Internet Explorer settings.

    He can get online because he can view websites etc.

    However running liveupdate says no updates are applicable still.

     

     



  • 10.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:54 AM

    Do you use GUPs?

    Have you some Locations configured?



  • 11.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 06:57 AM

    Yes we use GUPS and Locations.

    GUPS are only configured for Locations which are on the internal network (for local distribution of defs).

    The Location for EXTERNAL (where this user is right now, at home) does not have a GUP configured but instead as shown in my screen shot above.  



  • 12.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:04 AM


  • 13.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:07 AM

    As per my earlier post, I reckon the clients are attempting to access Symantec LiveUpdate via your proxy server.

    If your VPN client is capable of split tunnelling, then I'd recommend updating the LU policy to ensure the LUE goes directly to Symantec.

    If split tunnelling is not possible, then ensure your proxy server is not caching content for the Symantec LiveUpdate sites.

    #EDIT#

    Here's an article on configuring the proxy settings for the LUE from within the LU Policy:
    http://www.symantec.com/docs/HOWTO81062

    #EDIT2#

    Just had a thought.  How are your users connecting to the proxy if the VPN has failed the compliance check and not been established?  This shouldn't make any difference to my link above telling you how to get SEP/LUE to go directly to Symantec, but I'm curious now...



  • 14.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:11 AM

    Thanks for the reply

     

    Our organisation is configured as you pointed out in that link.

     

    We have a location setup which clients apply when not connected to our corporate network. This is working and the location is being set correctly.



  • 15.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:25 AM

    #EDIT2#

    Just had a thought. How are your users connecting to the proxy if the VPN has failed the compliance check and not been established? This shouldn't make any difference to my link above telling you how to get SEP/LUE to go directly to Symantec, but I'm curious now...

     

    Hi, 
    Sorry I may have confused matters: If they've not managed to establish a VPN connection due to the compliance check then they are just left connected to their internet connection... and not using a proxy server. They are going straight out to the internet. I was only pointing out that the user has his proxy server settings unticked because our liveupdate policy is configured to use Internet Explorer settings - so I wanted to confirm that the user was set up correctly while at home, and NOT on VPN.
     



  • 16.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:37 AM

    Are you able to connect to the computer having this issue?

    Can you check what the client logs are saying?

    What happens, if enabled, when the user clicks on "live update" on the client?

    Temporarily, for the time needed to troubleshoot it, you can ask the user to download up-to-date virus definitions from Symantec, and then he should be able to connect to your network

    http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=savce

     



  • 17.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 07:41 AM

    OK, so just to summarise:

    Client is out of date and so fails compliance checks.  This prevents them from establishing a VPN into the office, so only their local internet connection is available (and working directly according to your testing).

    LiveUpdate attempts from SEP report it is already up to date.

    At this point, I'd suggest posting the LiveUpdate logs (log.lue) from a client demonstrating this issue, so we can see what it's trying to do when it thinks there's nothing new to download.

    Please see the below article for the new location of the LiveUpdate logs in SEP12.1:

    http://www.symantec.com/docs/TECH168602



  • 18.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 08:46 AM

    Thank you -

    The summary is correct. I have even told the user to download rapid release virus defs from the Symantec site but these failed to install. I didn't see the message as I can't gain remote access to his machine but he tells me these failed to install. I'm currently in the process of upgrading his client to 12.1 RU2.

    I will extract his logs from the location in your article and post. Thanks for your support



  • 19.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 08:56 AM

    If the manual update failed using the virus definitions downloaded from the Symantec website, it may be that the virus definitions are corrupted.

    Ask the user to launch symhelp.exe on his computer and send you the reports.

    If the virus defs are corrupted, you should do:

    http://www.symantec.com/business/support/index?page=content&id=TECH103176

     



  • 20.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 09:41 AM

    thanks for your help,

    I've finally..... got this one user sorted.   I've upgraded his SEP client to 12.1.2105.2105 (RU2) and during the installation it runs liveupdate and this worked!  

    Going back to my original post - I have seen that the client 12.1 (RU2) seems to be more reliable at running liveupdate over an internet connection than earlier versions of SEP.

    I guess I will have to do as suggested above, look at the liveupdate logs on a client which will not download and see what the specific issue is.   However, I think 12.1 RU2 seems to be much more reliable.



  • 21.  RE: SEP Client LiveUpdate (when not connected to manager)

    Broadcom Employee
    Posted May 30, 2013 10:26 AM

    Hi,

    Issue resolved after an upgrade? Could you please reconfirm this?



  • 22.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 10:33 AM

    In this particular case, yes it has resolved the problem.

    We installed 12.1 RU2 on this client machine and during installation it runs liveupdate. This successfully downloaded the latest definitions and the client is up to date.

    Further to the subject as a whole: I'm convinced our SEPM manager and policies are set up correctly and as per best practices. But clients still have trouble downloading updates via liveupdate when not connected to the corporate LAN. 12.1 RU2 seems to be more reliable at this.



  • 23.  RE: SEP Client LiveUpdate (when not connected to manager)

    Broadcom Employee
    Posted May 30, 2013 10:45 AM

    But you have to confirm with RU2 as well, right? I mean does it work when not connected to the corporate LAN. As per your last comment it seems you have only tested with a single machine?



  • 24.  RE: SEP Client LiveUpdate (when not connected to manager)

    Posted May 30, 2013 11:04 AM

    The answer to your first question is, Yes, it did work. Like I say he has upgraded to SEP12.1 RU2 while at home on his internet connection. During installation of SEP it kicked in a liveupdate which completed successfully. (Remember liveupdate previously on 12.1 RU1 would not work.) So therefore 12.1 RU2 is an improvement in that liveupdate was able to complete.

    In answer to your second question, at this stage I'd say that my experience of using 12.1 RU2 is more successful at downloading liveupdates when a user is not connected to the corporate LAN and only on an internet connection at home or in a hotel etc.



  • 25.  RE: SEP Client LiveUpdate (when not connected to manager)

    Broadcom Employee
    Posted May 30, 2013 11:39 AM

    Great, Thanks for the clarification !!!