Endpoint Protection


SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

Migration User, Sep 18, 2010 03:15 AM

  • 1.  SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 01:30 PM

    I am at a point of ripping my hair out.

    I am trying to upgrade/migrate a few clients from SCS v10 to SEP v11.0.6005.562. I picked a mix of operating systems on the clients to test this on.

    At first I was brave and simply deployed the client by pushing it out to those few XPs and Windows 7s. It seemed to go well: all clients upgraded and are showing in SEPM, but all are reported as having outdated definitions.

    I have read through 100 forum threads all over the internet and I cannot come up with a plausible explanation as to why.

    Server is 2008 R2 x64, a brand new virtual machine, brand new install (I even tried reinstalling it using repair, and afterwards starting from scratch with an uninstall of SEPM and another new install).

    IE ESC is OFF.

    Firewall on the server is OFF.

    I can run the SECARS test from client to server and get an "OK" response.

    The policy IDs match, policies update, and on the clients I can see in the logs that it is communicating with the correct server.

    There are no network issues preventing any of this from working as far as I can tell.

    SEPM shows details on the clients, including the outdated definitions from 3/29/2010.

    Running LUALL on the client actually reports that all definitions are UP TO DATE!

    I have tried uninstalling SEP on the clients and reinstalling it by doing another deploy process.

    The LiveUpdate policy is correct: it's set for clients to hit the SEPM, the SEPM goes to the LiveUpdate server, etc., all default settings (brand new install).

    The clients CAN get policy updates: I just changed the antivirus weekly scan from 8 PM to 7:59, told one client to update policy, and sure enough the change showed immediately.

    ------------------------------

    1) Coincidentally, I see two interesting quirks. One: I cannot see any graphics on the home page of SEPM. I believe this is unrelated to my problem, as many have complained of the same issue while having full software functionality as far as clients go.

    2) When I run the Symantec utility SylinkMonitor I see 0 entries, both on the Windows 7 and the XP machine. This seems strange, especially when the logs of the client install claim the software IS communicating with the SEPM.

    3) I tried to figure out where the definitions are stored on one Win7 machine, but the folder "virusdef"

    -------------------------------

    Sorry for the ramblings :) If you have any ideas please let me know; otherwise I plan to spend an entire day in the near future on the phone with Symantec support while I continue to go bald.



  • 2.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 01:36 PM

    Check the below article this should help

    Title: 'Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009082702000348?Open&seg=ent



  • 3.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 02:04 PM

    I was under the impression that GUP is not needed if I simply want the clients to grab defs from the SEPM server. I could be wrong on this though.

    But, using the client tree, SEPM has the latest defs (I confirmed this) and my GUP is not configured, but I will configure it and try.



  • 4.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 02:13 PM

    I picked one client in a group to be the GUP, manually refreshed its policy and even did a reboot, and still nothing. The GUP and all other clients in the group have the same old definitions.



  • 5.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 02:41 PM

    Can you attach a sylink log so that we can check what is happening and get back to you?



  • 6.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 03:55 PM

    Thank you, that was helpful. I had no idea I had to modify the registry to enable debug mode, but once I figured that out I started seeing info.

    I will save you from reading the whole thing, but basically after a few seconds you start seeing a FLOOD of messages, all mostly repetitive, with the highlighted errors below.

    Any ideas? I googled the error; it seems to be related to an earlier version and also to proxy settings, but the SEPM does not use a proxy in its configuration, although it does run on Hyper-V, and the hypervisor would then sort of act like a proxy?

    If you would like I can post the file, but it just kept going and going, so will a few minutes of the log file be sufficient?

    09/16 15:23:38 [2120] <CSyLink::mfn_DownloadNow()>
    09/16 15:23:38 [2120] </CSyLink::mfn_DownloadNow()>
    09/16 15:24:40 [2120] <CSyLink::mfn_DownloadNow()>
    09/16 15:24:40 [2120] </CSyLink::mfn_DownloadNow()>
    09/16 15:25:05 [2128] <LUThreadProc>Starting LU download.
    09/16 15:25:05 [2128] SyLinkCreateConfig => Created instance: 06A315C0
    09/16 15:25:05 [2128] Importing ConfigObject: 0198E9E0 into: 06A315C0
    09/16 15:25:05 [2128] <UpdateGUPList>Setting the session timeout on GlobalItemsSession to 2 min.
    09/16 15:25:05 [2128] ************CSN=92
    09/16 15:25:05 [2128] <MakeGetGlobalIndexUrl:>Request is: action=310&hostid=EF87340FC0A8010F00E7CB66B278D3D0&chk=4FFF62A3A8EB6DB5BAAD76D4B31F3146&ck=8A98D55D6D2A9DF2318F1CE0FCA1072E&uchk=18238297ADE3DB13E0E24C4F6C29381D&uck=C4180C2AA08A0E64909D4BD53489CBE3&groupid=9E1E30DFC0A8010F00BC3ED6B062D360&as=92&cn=[hex]766D5F6F736C6F&lun=[hex]41646D696E6973747261746F72&udn=[hex]465241454E2E4C4F43414C
    09/16 15:25:05 [2128] <GetGlobalIndex:>http://vm_prague:8014/secars/secars.dll?h[...]
    09/16 15:25:05 [2128] <GetGlobalIndex:>SMS return=200
    09/16 15:25:05 [2128] <ParseHTTPStatusCode:>200=>200 OK
    09/16 15:25:05 [2128] <FindHeader>Sem-Signatue:=>7A5E450FDD66BC05CBC3874A13DC04470C7E282855E08CFC809D0DE158117D87C1164410F66780FAF21A45525193AF789845C241282B50BE507BB3BA1F869C1FD3EA2D1F82421F1CFFB540ECA5CD9D82AB57589B6B26B993306E5E71573D8B98255F49ABC9504F5A6E67E1F43262BED7DAC2EA047C211BA54DF7896283A5A843
    09/16 15:25:05 [2128] <DoGetGlobalIndex200>Content Lenght => 196
    09/16 15:25:05 [2128] <DoGetGlobalIndex200>Got Global Index from server, read bytes=196
    09/16 15:25:05 [2128] SignIf::VerifySignature(data, dataLen, sig, sigLen) => Verification Successful..
    09/16 15:25:05 [2128] <DoGetGlobalIndex200>completed
    09/16 15:25:05 [2128] <GetGlobalIndex:>RECEIVE STAGE COMPLETED
    09/16 15:25:05 [2128] <GetGlobalIndex:>COMPLETED
    09/16 15:25:05 [2128] ************CSN=93
    09/16 15:25:05 [2128] <mfn_MakeGetGupListUrl:>Request is: action=320&hostid=EF87340FC0A8010F00E7CB66B278D3D0&chk=4FFF62A3A8EB6DB5BAAD76D4B31F3146&ck=8A98D55D6D2A9DF2318F1CE0FCA1072E&uchk=18238297ADE3DB13E0E24C4F6C29381D&uck=C4180C2AA08A0E64909D4BD53489CBE3&groupid=9E1E30DFC0A8010F00BC3ED6B062D360&as=93&cn=[hex]766D5F6F736C6F&lun=[hex]41646D696E6973747261746F72&udn=[hex]465241454E2E4C4F43414C
    09/16 15:25:05 [2128] <GetGupList:>http://vm_prague:8014/secars/secars.dll?h[...]
    09/16 15:25:05 [2128] <GetGupList:>SMS return=200
    09/16 15:25:05 [2128] <ParseHTTPStatusCode:>200=>200 OK
    09/16 15:25:05 [2128] <mfn_DoGetGupList200>Content Lenght => 148
    09/16 15:25:05 [2128] <mfn_DoGetGupList200>Got Gup List from server, read bytes=148
    09/16 15:25:05 [2128] <mfn_DoGetGupList200>completed
    09/16 15:25:05 [2128] <GetGupList:>RECEIVE STAGE COMPLETED
    09/16 15:25:05 [2128] <GetGupList:>COMPLETED
    09/16 15:25:05 [2128] SyLinkDeleteConfig => Deleting instance: 06A315C0
    09/16 15:25:05 [2128] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP
    09/16 15:25:05 [2128] <CHttpFileDownload::CHttpFileDownload()>
    09/16 15:25:05 [2128] </CHttpFileDownload::CHttpFileDownload()>
    09/16 15:25:05 [2128] <CHttpFileDownload::Do()>
    09/16 15:25:05 [2128] <CHttpFileDownload::getRemainingBytesToDownload()>
    09/16 15:25:05 [2128] Remaining bytes to download: 93264613
    09/16 15:25:05 [2128] </CHttpFileDownload::getRemainingBytesToDownload()>
    09/16 15:25:05 [2128] <CHttpConnector::SendRequest()>
    09/16 15:25:05 [2128] Request> http://192.168.1.114:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/100916002/Full.zip
    09/16 15:25:05 [2128] </CHttpConnector::SendRequest()>
    09/16 15:25:05 [2128] <CHttpFileDownload::read()>
    09/16 15:25:05 [2128] </CHttpFileDownload::read()>
    09/16 15:25:05 [2128] </CHttpFileDownload::Do()>
    09/16 15:25:05 [2128] <LUDownloader::GetContentToFile> completed.
    09/16 15:25:05 [2128] <CHttpFileDownload::~CHttpFileDownload()>
    09/16 15:25:05 [2128] </CHttpFileDownload::~CHttpFileDownload()>
    09/16 15:25:05 [2128] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
     FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP Expected file size: 93264613
    09/16 15:25:05 [2128] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP
    09/16 15:25:05 [2128] <CHttpFileDownload::CHttpFileDownload()>
    09/16 15:25:05 [2128] </CHttpFileDownload::CHttpFileDownload()>
    09/16 15:25:05 [2128] <CHttpFileDownload::Do()>
    09/16 15:25:05 [2128] <CHttpFileDownload::getRemainingBytesToDownload()>
    09/16 15:25:05 [2128] Remaining bytes to download: 93264613
    09/16 15:25:05 [2128] </CHttpFileDownload::getRemainingBytesToDownload()>
    09/16 15:25:05 [2128] <CHttpConnector::SendRequest()>
    09/16 15:25:05 [2128] Request> http://192.168.1.114:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/100916002/Full.zip
    09/16 15:25:05 [2128] </CHttpConnector::SendRequest()>
    09/16 15:25:05 [2128] <CHttpFileDownload::read()>
    09/16 15:25:05 [2128] </CHttpFileDownload::read()>
    09/16 15:25:05 [2128] </CHttpFileDownload::Do()>
    09/16 15:25:05 [2128] <LUDownloader::GetContentToFile> completed.
    09/16 15:25:05 [2128] <CHttpFileDownload::~CHttpFileDownload()>
    09/16 15:25:05 [2128] </CHttpFileDownload::~CHttpFileDownload()>
    09/16 15:25:05 [2128] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
     FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP Expected file size: 93264613
    09/16 15:25:05 [2128] <SetupTempLUFilePath:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP
    09/16 15:25:05 [2128] <CHttpFileDownload::CHttpFileDownload()>



  • 7.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 04:01 PM

    By the way, the PC is also another virtual machine on the same Hyper-V server (XP 32-bit based), and it is the GUP I configured earlier.

    So in this case the GUP is trying to get definitions from SEPM and the log is what I get.

    Also, this PC is the only GUP listed in SEPM.



  • 8.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 04:22 PM

    This problem is mostly because of the proxy.

    You can confirm the proxy by going to the below-mentioned location.

    Go to: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    Check if ProxyEnable is 0; also check if the ProxyServer value is present.

    Once you have confirmed that the client is not using the proxy, follow the below-mentioned steps.

    -  Stop the Symantec Management Client service by issuing "smc -stop"
    -  Check [SEP Install Dir]\LiveUpdate\luinfo.dat, which by default is C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\luinfo.dat. If the file is found, please move it out of this folder.

    -  Start the Symantec Management Client service by issuing "smc -start". Then monitor to see if the client can now be correctly updated from SEPM.

    Hope this helps you.
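The registry check and the luinfo.dat reset above are easy to get slightly wrong under pressure (forgetting to restart smc if the move fails, or moving the file into the same folder). The script below is an added example, not Symantec tooling and not something posted in this thread: it reads ProxyEnable and ProxyServer under HKU\.DEFAULT exactly as the reply names them, stops the Symantec Management Client with `smc -stop`, moves luinfo.dat one level up out of the LiveUpdate folder, and starts smc again in a finally block. It assumes smc.exe is on PATH and that the client sits in the default install directory; the `run` parameter is injectable so the file handling can be tested away from a SEP client.

```python
"""Apply the luinfo.dat reset from the reply above on a SEP 11 client.

Added example, not Symantec tooling. Assumptions: smc.exe is on PATH and
the client was installed to the default directory. The registry read is
Windows-only and is imported lazily so the module loads elsewhere.
"""
import shutil
import subprocess
from datetime import datetime
from pathlib import Path

DEFAULT_SEP_DIR = Path(r"C:\Program Files\Symantec\Symantec Endpoint Protection")
PROXY_KEY = r".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def proxy_in_use(proxy_enable, proxy_server):
    """The reply's check: a proxy is in effect only if ProxyEnable is non-zero
    and a ProxyServer value is actually present."""
    return bool(proxy_enable) and bool(proxy_server)


def read_default_user_proxy():
    """Read ProxyEnable/ProxyServer for the .DEFAULT user (Windows only)."""
    import winreg  # imported here so the module still loads off-Windows

    def value(key, name, default):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:  # value absent, same as "not configured"
            return default

    with winreg.OpenKey(winreg.HKEY_USERS, PROXY_KEY) as key:
        return value(key, "ProxyEnable", 0), value(key, "ProxyServer", "")


def reset_luinfo(sep_dir, run=subprocess.run):
    """Stop smc, move LiveUpdate\\luinfo.dat one level up (out of the folder),
    then start smc again even if the move fails.

    `run` is injectable so the file handling can be exercised without smc.
    Returns the new path, or None when no luinfo.dat existed (post 10 in
    this thread found exactly that: the folder held no luinfo.dat).
    """
    sep_dir = Path(sep_dir)
    luinfo = sep_dir / "LiveUpdate" / "luinfo.dat"
    run(["smc", "-stop"], check=True)
    moved = None
    try:
        if luinfo.is_file():
            stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
            # assumption: the install dir is an acceptable "outside" location
            moved = sep_dir / f"luinfo.dat.{stamp}"
            shutil.move(str(luinfo), str(moved))
    finally:
        run(["smc", "-start"], check=True)
    return moved


if __name__ == "__main__":
    enable, server = read_default_user_proxy()
    if proxy_in_use(enable, server):
        raise SystemExit(f"ProxyEnable={enable}, ProxyServer={server!r}: fix the proxy first")
    print("luinfo.dat moved to:", reset_luinfo(DEFAULT_SEP_DIR))
```

Run it elevated on the client; if it prints `None`, there was no luinfo.dat to reset and the step does not apply.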



  • 9.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 04:33 PM

    Check the following article

    Title: 'Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008040113243148

    Will it be possible to bypass the GUP and see if the client can take updates directly from the SEPM?



  • 10.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 04:41 PM

    Thank you for the suggestion, but it did not seem to help.

    I checked the proxy settings; there are none in the registry or in Internet Options.

    I went to the folder; there was no luinfo.dat, only one other file with 0 KB. I moved it out of there and started SMC, but the problem remains.



  • 11.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 16, 2010 04:43 PM

    I will follow up tomorrow on this, but actually I would prefer NOT to have a GUP. As I initially stated, I *thought* a GUP is not needed by default and all clients can download updates from SEPM; if this is true I will gladly return to this setup.

    Tomorrow I will remove the GUP settings and will see if I get different errors using sylink (which I earlier did not have/know about).



  • 12.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 17, 2010 03:48 PM

    OK, I removed ALL GUP entries; there are none now, just 1 client and 1 SEPM server, and the LiveUpdate policy is set to update from the management server.

    Here is what sylink shows. Please advise.

    Thank you!

    Attachment: sylink_5.txt (231 KB)


  • 13.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 17, 2010 03:54 PM

    I believe this is the issue: <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content

    But what that means is beyond me; searching this I get few results, none of which seem too helpful.



  • 14.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 18, 2010 12:33 AM

    Refer to this KB:

    <mfn_DoGetLUFile200>@@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size. 

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/8b915b9656ad7a27882574ad005db635?OpenDocument



  • 15.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 18, 2010 12:37 AM

    This is what the sylink log has:

    06/18 07:59:18 [9648] </CHttpFileDownload::~CHttpFileDownload()>
    06/18 07:59:18 [9648] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
    FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1006170511.TMP Expected file size: 80480041

    06/18 08:08:15 [9064] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {1CD85198-26C6-4bac-8C72-5D34B025DE35} Seq:100617051
    06/18 08:08:15 [9064] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
    06/18 08:08:15 [9064] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
    06/18 08:08:15 [9064] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {42B17E5E-4E9D-4157-88CB-966FB4985928} Seq:100617001
    06/18 08:08:15 [9064] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
    06/18 08:08:15 [9064] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
    06/18 08:08:15 [9064] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Seq:100617001
    06/18 08:08:16 [9064] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
    06/18 08:08:16 [9064] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=1
    06/18 08:08:16 [9064] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {C25CEA47-63E5-447b-8D95-C79CAE13FF79} Seq:80929016

    Please upgrade to SEP RU5 or above; the logs say that you have MR4.

    This problem is fixed in Symantec Endpoint Protection 11.0 RU5. For information on how to obtain the latest build of Symantec Endpoint Protection, read Obtaining an upgrade or update for Symantec Endpoint Protection.
    http://service1.symantec.com/SUPPORT/ent-security....

    Title: 'Symantec Endpoint Protection (SEP) client cannot update definitions from Symantec Endpoint Protection Manager (SEPM)'
    Document ID: 2009020411575148
    Web URL: http://service1.symantec.com/support/ent-security....

    For more info, refer to

    https://www-secure.symantec.com/connect/forums/sepm-update-issues#comment-4125571



  • 16.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 18, 2010 03:15 AM

    Any update?



  • 17.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 18, 2010 04:42 PM

    I'm curious on a resolution as I'm having similar issue



  • 18.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 20, 2010 03:13 AM

    Brian81, check:

    <mfn_DoGetLUFile200>@@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size. 

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/8b915b9656ad7a27882574ad005db635?OpenDocument



  • 19.  RE: SEPM: clients do not receive antivirus definitions, all are outdated, communication to server is fine

    Posted Sep 20, 2010 08:54 AM

    Hi Maheshroja,

    I do not see that line, but am seeing this:

    09/18 12:26:02 [1304] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87
    09/18 12:26:02 [1304] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87
    09/18 12:26:02 [1304] <CSyLink::LoadLUInfo> Previous LU data was not loaded or found
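Everything the thread had to read by eye out of the Sylink debug logs in posts 6, 15 and 19 can be pulled out mechanically. The script below is an added example, not Symantec code and not something any participant posted: it decodes the `[hex]` fields of the secars request (client name, logged-on user, domain), separates the server that serves policy (`secars.dll`) from the server content was actually fetched from (`Full.zip`), counts the "wrong file size" aborts and the `ERROR_SYSTEM_UNKNOWN` ignores, and picks up the proxy session failures. The sample log is constructed from the quoted lines, not a real capture; treating port 2967 as the Group Update Provider listener is an assumption.

```python
"""Triage a Symantec Endpoint Protection 11 client Sylink debug log.

Added example, not Symantec code. It extracts what the thread had to read
by hand: the client identity sent in the secars request, which server
serves policy (secars.dll) versus content (Full.zip), how many downloads
were discarded for a wrong file size, which content monikers were later
ignored, and whether proxy session setup failed. Port 2967 as the Group
Update Provider listener is an assumption.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

GUP_PORT = "2967"  # assumption: default GUP content port

HEX_FIELD = re.compile(r"(\w+)=\[hex\]([0-9A-Fa-f]+)")
POLICY_URL = re.compile(r"(https?://\S+/secars/secars\.dll)")
CONTENT_URL = re.compile(r"Request> (https?://\S+)")
EXPECTED_SIZE = re.compile(r"Expected file size: (\d+)")
IGNORED = re.compile(r"EVENT_LU_REQUIRE_STATUS returned (\w+) - Ignore LU content\. "
                     r"Moniker: (\{[0-9A-Fa-f-]+\}) Seq:(\d+)")
PROXY_ERROR = re.compile(r"Unable to create Session with '([^']+)'.*Error Code: (\d+)")

# Constructed sample modelled on the lines quoted in posts 6, 15 and 19;
# not a real capture.
SAMPLE_LOG = r"""
09/16 15:25:05 [2128] <MakeGetGlobalIndexUrl:>Request is: action=310&hostid=EF87340FC0A8010F00E7CB66B278D3D0&groupid=9E1E30DFC0A8010F00BC3ED6B062D360&as=92&cn=[hex]766D5F6F736C6F&lun=[hex]41646D696E6973747261746F72&udn=[hex]465241454E2E4C4F43414C
09/16 15:25:05 [2128] <GetGlobalIndex:>http://vm_prague:8014/secars/secars.dll?h
09/16 15:25:05 [2128] SignIf::VerifySignature(data, dataLen, sig, sigLen) => Verification Successful..
09/16 15:25:05 [2128] Request> http://192.168.1.114:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/100916002/Full.zip
09/16 15:25:05 [2128] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
 FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP Expected file size: 93264613
09/16 15:25:05 [2128] Request> http://192.168.1.114:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/100916002/Full.zip
09/16 15:25:05 [2128] <LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size.
 FileName:C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF{C60DC234-65F9-4674-94AE-62158EFCA433}1009160021.TMP Expected file size: 93264613
09/16 15:25:06 [2128] <mfn_LiveUpdate> EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN - Ignore LU content. Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Seq:100916002
09/16 15:25:06 [1304] <Start>Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87
09/16 15:25:06 [1304] <Start>Unable to create Session with 'No Proxies' settings - Error Code: 87
"""


def decode_hex_fields(line):
    """Decode the [hex]-encoded secars request fields (cn, lun, udn) to text."""
    return {name: bytes.fromhex(raw).decode("ascii", "replace")
            for name, raw in HEX_FIELD.findall(line)}


def parse_sylink(text):
    """Reduce a Sylink log to the handful of facts needed for triage."""
    s = {"policy_servers": set(), "content_servers": Counter(),
         "wrong_size": 0, "expected_sizes": set(), "ignored": [],
         "proxy_errors": [], "signature_ok": False, "identity": {}}
    for line in text.splitlines():
        if "[hex]" in line:
            s["identity"].update(decode_hex_fields(line))
        if m := POLICY_URL.search(line):
            s["policy_servers"].add(urlsplit(m.group(1)).netloc)
        if m := CONTENT_URL.search(line):
            s["content_servers"][urlsplit(m.group(1)).netloc] += 1
        if "Download file failed due to wrong file size" in line:
            s["wrong_size"] += 1
        if m := EXPECTED_SIZE.search(line):
            s["expected_sizes"].add(int(m.group(1)))
        if m := IGNORED.search(line):
            s["ignored"].append((m.group(1), m.group(2), m.group(3)))
        if m := PROXY_ERROR.search(line):
            s["proxy_errors"].append((m.group(1), int(m.group(2))))
        if "VerifySignature" in line and "Successful" in line:
            s["signature_ok"] = True  # the policy channel itself is healthy
    return s


def diagnose(s):
    """Turn the parsed facts into the findings a responder would write down."""
    findings = []
    for netloc, n in s["content_servers"].items():
        if netloc not in s["policy_servers"]:
            role = "GUP" if netloc.endswith(":" + GUP_PORT) else "other host"
            findings.append(f"content fetched {n}x from {netloc} ({role}), not from the "
                            f"policy server {sorted(s['policy_servers'])}")
    if s["wrong_size"]:
        findings.append(f"{s['wrong_size']} download(s) discarded, size != expected "
                        f"{sorted(s['expected_sizes'])}; client retries the same file")
    for status, moniker, seq in s["ignored"]:
        findings.append(f"{status}: content {moniker} seq {seq} was downloaded but ignored")
    for settings, code in s["proxy_errors"]:
        findings.append(f"session with '{settings}' settings failed, error code {code}")
    if s["identity"]:
        who = ", ".join(f"{k}={v}" for k, v in sorted(s["identity"].items()))
        findings.append(f"client identity in secars request: {who}")
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG
    if len(sys.argv) > 1:  # pass a real Sylink log path to triage it instead
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for finding in diagnose(parse_sylink(text)):
        print("-", finding)
```

Run it against the attached sylink_5.txt (or any Sylink debug log) with the path as the first argument. The first finding is the one that mattered in post 7: the policy channel signs and verifies fine against vm_prague:8014, but content is being pulled from 192.168.1.114:2967, so a healthy `SECARS` test says nothing about whether definitions can arrive.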