x64 SEP 12.1 client will not update virus definitions


  • 1.  x64 SEP 12.1 client will not update virus definitions

    Posted Aug 20, 2012 05:26 AM

    We're using a liveupdate server and the latest SEP client. An x64 W7SP1 machine is updating the proactive and network threat protection defs but when it comes to AV it fails to install. We've run cleanwipe across the machine twice and it's still failing. Other x64 machines appear to be downloading properly. Any ideas?



  • 2.  RE: x64 SEP 12.1 client will not update virus definitions

    Posted Aug 20, 2012 05:34 AM

    These machines are Windows 7 machines. I would recommend that you:

    a. Disable the Windows Firewall or create exceptions for the ports on these machines to communicate to the SEPM http://www.symantec.com/docs/TECH163787

    b. Disable the UAC (User Account Control) and restart the machine.

    c. If that does not work, please provide us with sylink.log from one of those machines.

    http://www.symantec.com/docs/TECH104758



  • 3.  RE: x64 SEP 12.1 client will not update virus definitions

    Trusted Advisor
    Posted Aug 20, 2012 08:51 AM

    Hello,

    Are the clients taking updates directly from Symantec Liveupdate Administrator OR are they taking updates from Symantec Endpoint Protection Manager?

    Could you let us know what happens if you download and install the Intelligent updater (64 bit) on this client machine? 

    How to update definitions for Symantec Endpoint Protection using the Intelligent Updater

    http://www.symantec.com/docs/TECH102606

    Hope that helps!!



  • 4.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 20, 2012 09:06 AM

    Hi,

    Check this article

    How to determine if virus definitions of Symantec Endpoint Protection client (SEP) 11 or 12 Small Business Edition, are corrupted

    http://www.symantec.com/docs/TECH97677

    If definitions are corrupted, check this article

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

    OR

    How to update definitions for Symantec Endpoint Protection using the Intelligent Updater

    http://www.symantec.com/docs/TECH102606

    If possible, repair the SEP client through Add/Remove Programs.

     



  • 5.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 20, 2012 09:10 AM

    check this link

    Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.
    Article: TECH166923   |  Created: 2011-08-11   |  Updated: 2012-02-06   | 
    Article URL http://www.symantec.com/docs/TECH166923 



  • 6.  RE: x64 SEP 12.1 client will not update virus definitions

    Posted Aug 21, 2012 07:12 AM

    Ok we've been playing around and have found the following:

    • We currently use an internal liveupdate server and point most clients to it. I know this is generally not best practice but apparently they wanted better scheduling around machines getting defs.
    • When these certain machines point to the liveupdate server it seems to download the files but then throws a post session callback failed (208) error.
    • We pointed them to the SEPM server and they successfully download and update to the latest AV defs.

    So the question is why do they not work when connected to liveupdate but do work when connected to SEPM?

     

    The SEPM server is connected to the liveupdate for its defs and other machines can download defs from the liveupdate server without issue. It's not the Windows firewall because it is off (using SEP firewall).



  • 7.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 21, 2012 07:45 AM

    Hi,

    To troubleshoot it further, the liveupdate logs are needed.

    Every time Liveupdate runs it outputs what it is doing to the Log.Liveupdate.

    File Location: C:\Documents and Settings\All Users\Application Data\Symantec\Liveupdate\Log.Liveupdate

    Search for the keyword “Start of new LU session” and look at the subsequent messages for errors.

    Searching for the keywords “Error” and “Failed” can also yield useful results.

     



  • 8.  RE: x64 SEP 12.1 client will not update virus definitions

    Posted Aug 21, 2012 08:39 AM

    Can't find that log as we use W7. I checked under programdata and found the lue.log though:

    Symantec LiveUpdate Engine 2.0.3.6   (Release)
    OS: Windows 7 Enterprise 64-bit 

    VerInfo: 6.1 

    ServicePack: 1.0
    LanguageID: 00000C09
    WinHttp.dll Version: 6.1.7601.17514
    ----------------------------------------------------------------------------------------------------
    Session started at: 2012/08/21 19:59:58.247    (UTC +10:00)
    ProcessId: 2272, ThreadId: 676, SessionId: 29
    Machine ID: 0B3F0CEF-71C8-A41D-C79C-5B1E4BB48863
    Agent Field: LiveUpdateEngine-2.0.3.6
    ----------------------------------------------------------------------------------------------------
      Component: Moniker: {07B590B3-9282-482f-BBAA-6D515D385869}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {263395A0-D3D8-4be4-80B5-202C94EF4AA0}, P: SEPC Iron Settings v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {31D8C93E-8DB2-4eeb-8D75-87FD92F1C62C}, P: SEPC CIDS Signatures v12.1, V: MicroDefsB.Aug, L: SymAllLanguages.
      Component: Moniker: {55DE35DC-862A-44c9-8A2B-3EF451665D0A}, P: SEPC CIDS Signatures v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {810D5A61-809F-49c2-BD75-177F0647D2BA}, P: SEPC Iron Revocation List v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {A8BA6A8E-8DB4-4575-8C7B-13CAF85B70AB}, P: SESC AntiVirus Client Win64, V: 12.1, L: English.
      Component: Moniker: {B6DC6C8F-46FA-40c7-A806-B669BE1D2D19}, P: SEPC Submission Control Data, V: 12.1, L: SymAllLanguages.
      Component: Moniker: {D6AEBC07-D833-485f-9723-6C908D37F806}, P: SEPC Behavior And Security Heuristics v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}, P: SEPC Iron Whitelist v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages.
      Component: Moniker: {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.Error, L: SymAllLanguages.
      OnNotify() method for callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} returned 0x0
      OnNotify() method for callback {EDBD3BD0-BEEF-4d4d-BAC9-19DD32EF4758} returned 0x0
      OnNotify() method for callback {2F090208-20DC-42f0-BBD8-B68B472F7215} returned 0x0
      OnNotify() method for callback {810D5A61-BEEF-49c2-BD75-177F0647D2BA} returned 0x0
      OnNotify() method for callback {B6DC6C8F-BEEF-40c7-A806-B669BE1D2D19} returned 0x0
      OnNotify() method for callback {263395A0-BEEF-4be4-80B5-202C94EF4AA0} returned 0x0
      OnNotify() method for callback {511C2222-DEFD-22EE-B154-4A6A546B9793} returned 0x0
      Server selection complete. Server is HTTP://server on port 7070.
      OnNotify() method for callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} returned 0x0
      OnNotify() method for callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} returned 0x0
    * Inventory SetAbort called on Moniker {07B590B3-9282-482f-BBAA-6D515D385869} (Inventory Module), with abort code 500
    * Inventory SetAbort called on Moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D} (Inventory Module), with abort code 500
    * Inventory SetAbort called on Moniker {07B590B3-9282-482f-BBAA-6D515D385869} (Inventory Module), with abort code 500
    * Inventory SetAbort called on Moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D} (Inventory Module), with abort code 500
    * OnNotify() method for callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} failed; err = 0x80004005
    * Inventory SetAbort called on Moniker {07B590B3-9282-482f-BBAA-6D515D385869} (Inventory Module), with abort code 517
    * Inventory SetAbort called on Moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D} (Inventory Module), with abort code 517
    * Inventory SetAbort called on Moniker {07B590B3-9282-482f-BBAA-6D515D385869} (Inventory Module), with abort code 517
    * Inventory SetAbort called on Moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D} (Inventory Module), with abort code 517
    * Callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} is a PostSession callback. Callback Failed. Result -2147467259
      OnNotify() method for callback {EDBD3BD0-BEEF-4d4d-BAC9-19DD32EF4758} returned 0x0
      OnNotify() method for callback {2F090208-20DC-42f0-BBD8-B68B472F7215} returned 0x0
      OnNotify() method for callback {810D5A61-BEEF-49c2-BD75-177F0647D2BA} returned 0x0
      OnNotify() method for callback {B6DC6C8F-BEEF-40c7-A806-B669BE1D2D19} returned 0x0
      OnNotify() method for callback {263395A0-BEEF-4be4-80B5-202C94EF4AA0} returned 0x0
      OnNotify() method for callback {511C2222-DEFD-22EE-B154-4A6A546B9793} returned 0x0
    * Update Failed - PostSession for moniker {07B590B3-9282-482f-BBAA-6D515D385869}
    * Update Failed - PostSession for moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D}
      Update for moniker: {07B590B3-9282-482f-BBAA-6D515D385869}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages, package: 1345504791jtun_emt64sep12encful.m26, SeqName: CurDefs, SeqNum: 120820020, has update status code: 208
    * Reporting error: 0x80004005 Update failed PVL=SEPC Virus Definitions Win64 (x64) v12.1 MicroDefsB.CurDefs SymAllLanguages
    * PostSession Callbacks Failed. Update status code for moniker {07B590B3-9282-482f-BBAA-6D515D385869}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages is: 0x      D0.
      Update for moniker: {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.Error, L: SymAllLanguages, package: 1342510013jtun_emt64sep12encful.m26, SeqName: HubDefs, SeqNum: 120716018, has update status code: 208
    * Reporting error: 0x80004005 Update failed PVL=SEPC Virus Definitions Win64 (x64) v12.1 MicroDefsB.Error SymAllLanguages
    * PostSession Callbacks Failed. Update status code for moniker {FC1DE9A6-0007-4f4a-9CDB-BB89A857F51D}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.Error, L: SymAllLanguages is: 0x      D0.
      ***** Session Results *****
      Total Updates Available: 2
      Total Updates Succeeded: 0
      Total Updates Succeeded - Reboot Req: 0
      Total Updates Skipped: 0
      Total Updates Failed: 2
      RunLiveUpdate result code: 0x00000000
      Session max recursion count = 6
    * Fail to submit error report: 0x80070422
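
A triage sketch for the advice in post 7 and the lue.log in post 8: rather than searching for "Error" and "Failed" by hand, it splits the log into sessions and reports the update server, failed callbacks and per-package status codes. This is an added example, not part of the original thread and not Symantec code; the field layout is assumed from the excerpt above, and the sample is abridged from it.

```python
import re

# Sample abridged from the lue.log excerpt posted above (not a full log).
SAMPLE = """\
Session started at: 2012/08/21 19:59:58.247    (UTC +10:00)
  Server selection complete. Server is HTTP://server on port 7070.
* Callback {73D8F7DB-5990-4EDF-945E-53047F1A8230} is a PostSession callback. Callback Failed. Result -2147467259
  Update for moniker: {07B590B3-9282-482f-BBAA-6D515D385869}, P: SEPC Virus Definitions Win64 (x64) v12.1, V: MicroDefsB.CurDefs, L: SymAllLanguages, package: 1345504791jtun_emt64sep12encful.m26, SeqName: CurDefs, SeqNum: 120820020, has update status code: 208
  Total Updates Succeeded: 0
  Total Updates Succeeded - Reboot Req: 0
  Total Updates Failed: 2
"""

SESSION = re.compile(r"Session started at:\s*(\S+ \S+)")
SERVER = re.compile(r"Server is (\S+) on port (\d+)")
CALLBACK = re.compile(r"Callback (\{[0-9A-Fa-f-]+\}) is a (\w+) callback\. Callback Failed\. Result (-?\d+)")
UPDATE = re.compile(r"Update for moniker: (\{[0-9A-Fa-f-]+\}), P: (.+?), V: (.+?), L: .*?"
                    r"SeqNum: (\d+), has update status code: (\d+)")
TOTAL = re.compile(r"Total Updates (Available|Succeeded|Failed): (\d+)")

def parse_sessions(text):
    """Split a lue.log into sessions and pull out the fields needed for triage."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := SESSION.search(line):
            cur = {"started": m.group(1), "server": None,
                   "failed_callbacks": [], "updates": [], "totals": {}}
            sessions.append(cur)
        elif cur is None:
            continue  # engine/OS header lines before the first session
        elif m := SERVER.search(line):
            cur["server"] = f"{m.group(1)}:{m.group(2)}"
        elif m := CALLBACK.search(line):
            # The result is logged as a signed 32-bit integer; show it as an HRESULT.
            hresult = f"0x{int(m.group(3)) & 0xFFFFFFFF:08X}"
            cur["failed_callbacks"].append((m.group(1), m.group(2), hresult))
        elif m := UPDATE.search(line):
            cur["updates"].append({"product": m.group(2), "version": m.group(3),
                                   "seq": m.group(4), "status": int(m.group(5))})
        elif m := TOTAL.search(line):
            cur["totals"][m.group(1).lower()] = int(m.group(2))
    return sessions

def failed_sessions(text):
    """Sessions in which the engine reported at least one failed update."""
    return [s for s in parse_sessions(text) if s["totals"].get("failed", 0) > 0]

if __name__ == "__main__":
    print(failed_sessions(SAMPLE))
```

Converting the signed callback result to hex shows it is the same 0x80004005 that the log reports on its "Reporting error" lines, which makes it easier to correlate failures across clients.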



  • 9.  RE: x64 SEP 12.1 client will not update virus definitions

    Trusted Advisor
    Posted Aug 21, 2012 02:27 PM

    Hello,

    Is the client taking updates from Liveupdate Administrator?

    I would suggest that you create a Case with the Symantec Technical Support Team.

    To create a Case OR call Symantec Technical Support, check below:

    How to create a new case in MySupport http://www.symantec.com/docs/TECH58873

    Regional Support Telephone Numbers:

    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Hope that helps!!



  • 10.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 22, 2012 06:46 AM

    Hi,

    If using IE7 then upgrade it to IE8 & check.

     



  • 11.  RE: x64 SEP 12.1 client will not update virus definitions

    Posted Aug 30, 2012 10:04 AM

    Ok I think we may have figured it out (sort of).

    It seems installing straight from the 'SEPx64' folder does not work correctly. I've tested this by exporting a package from the SEPM console and installing that and it appears to work correctly. Copying the SEPx64 folder to the PC, replacing the sylink file and running setup installs successfully but AV defs do not get updated.

    Why would this be? The install completes successfully and we've done it this way before without issue. I suppose there could be a corrupt file but that seems unlikely.

     



  • 12.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 30, 2012 10:37 AM

    Hi,

    The SEPX64 folder contains old definitions; it contains the definitions from when you downloaded the setup files for the first time.

    But when you export the packages from the SEPM, they contain the latest definitions. Probably the new definitions would have cleaned the corrupted definitions.

    As you said, there are chances that the definitions were corrupted on the client's machine.



  • 13.  RE: x64 SEP 12.1 client will not update virus definitions

    Posted Aug 30, 2012 11:37 AM

    The definitions are whatever comes with the std install set from fileconnect so I'm slightly concerned they would be corrupt from Symantec. The problem is reproducible. If I uninstall the exported version of sepx64 and install the ver from the install set then it fails to update definitions from an internal liveupdate server, but if we change the policy and point the client to SEPM to get the definitions then it works. The SEPM server gets the definitions from the same liveupdate server that the client is having issues with. This is a very weird issue.


  • 14.  RE: x64 SEP 12.1 client will not update virus definitions

    Broadcom Employee
    Posted Aug 30, 2012 12:18 PM

    Hi,

    It's not possible that the definitions that come with the std install set from fileconnect are corrupted. If they were corrupted, it wouldn't install.

    If possible could you please cleanup LUA existing definitions and re-download them again.

     



  • 15.  RE: x64 SEP 12.1 client will not update virus definitions
    Best Answer

    Posted Sep 13, 2012 02:00 AM

    We cleared out the definitions on our internal liveupdate server and recreated the distribution center. All looks good so far.