Endpoint SWAT: Protect the Endpoint Community

Since 2 days ago, the SEPM's have not updated with the current definitions. Yet, when you run luall.exe, everything is fine. Under the Admin tab - servers >> the liveupdate is launched, download started and finishes without any updates . I have tried the following

1. Restarting the SEPM services, the SEPM servers and SQL database server.

2. Ran a repair on the SEPM and everything is connecting and ports are connecting.

3. Checked that the SEPM has internet access and ran the luall.exe successfully.

4. Downloaded the JDB file and the logs show that the rapid response content installed successfully but still no updates added to the SEPM.

What else can I do or check to get the SEPM updated with the latest definitions?

PLease help..

Running SEP 12 RU3, seperate SQL 2012 database server...

can you post the liveupdate log?

Hi,

Please check this article.

https://www-secure.symantec.com/connect/articles/sep-121-ru2-and-reset-client-communication#comment-8511141

How many definition revisions are you keeping on the SEPM? Check on the side of SQL database if the FG_CONTENT table did not reach its maximum value - if this happens SEPM won't be able to process any downloaded definitions.

Could not allocate space for object 'dbo.BINARY_FILE' in database 'SEM5' because the 'FG_CONTENT' filegroup is full.

Where would I find the liveupdate log?

We have about 80 revisions...have asked the SQL dba to check this out and will let you know.

Thanks.

hi

Please follow the document given by SebastianZ

Regards

hi,

please let me know what is SQL version is it an express addition or standerd or enterprice.?

if SQL version is standerd or enterprice.

then go ahead with following steps;

1) Stop SEPM manages serverices 

2) delete the contents from folder {535CB6A4-441F-4e8a-A897-804CD859100E} and {07B590B3-9282-482f-BBAA-6D515D385869} ( note:  do not delete the these folder only delete the what is inside of these folders)

3) clean lucatolog  

4) start SEPM servevices

5) wait for 20 min then run lull from run.

if your SQL is express addition then see for datatbase size, SQL express will support only 10 GB of database limit.

Hi

Reinstall the liveupdate

Regards

SQL 2012 Enterprise, reinstalled liveupdate and will check...

DBA has set it to unlimited.Restarted the SQL server and still the same issue.

Hi All,

still having the same issue, done all the recommended and still nothing.

What other fields , tables can the SQL DBA check for the definitions not getting update. When I run the liveupdate , it goes through and updates everything and is successful but yet no updates.

Please help.....

and this:

Anyone know why this error comes up in the log:

Another:

Is it possible to reset the FG_Content field (delete all contents) and then start the database...anyone know what will happen? The SQL DBA's have confirmed enough space available for table and server.

80 revisions is extremely high- most companies need 35-40, maximum.  I recommend setting this lower!!

Ok, will set it to 40 and will monitor. The recommendations to set to 80 were from Business Critical support.

We have been running it like this for almost 1 yr now.

fg_content if its full it will be seen in the scm-server log. do not delete the content unless it is required.

check the scm-server-0.log for any error related to db.

Have you tried already the most basic step - reinstall of LU on the SEPM?:

http://www.symantec.com/docs/TECH102609

1. Remove Live update from "Add/ Remove Programs"
2. Reboot the machine
3. In Windows Explorer, if they are present delete the following folders, without saving the existing content:
- C:\ProgramData\Symantec\LiveUpdate
- C:\ProgramData\Application Data\Symantec\LiveUpdate
- C:\Program Files (x86)\Symantec\LiveUpdate
4. Install LU using lusetup.exe (execute with local admin rights - build in administrator)
5. in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin:
- Type lucatalog -cleanup and press Enter.
- Type lucatalog -forcedupdate and press Enter.
6. in  C:\Program Files (x86)\Symantec\LiveUpdate start luall.exe (execute with local admin rights)
7. Please let the Live update express session run till the end and check if any errors are occuring
8. If the session was successfull check the path: "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content" to see if there is any content downloaded - you should see here several folders

There are usually 15-17 releases of certified defeinitions per week for SEP.  If a SEPM keeps 35 past revsiions, that means that even a SEP client managed by that SEPM will be able to connect in and get a delta rather than the full monthly set, even after being offline for two weeks.  Keeping 70 to 80 revisions pushes that date back to a full month.  

I doubt that such a number would really be worthwhile: those oldest deltas would be about the size of a full.zip anyway, and how often would a SEP client machine be offline for more than two weeks?  Only in very, very large organizations would there be enough clients doing that frequently enought to justify the additional costs in resources on the SEPM.   

See how you get on with 40.  That really should do a fine job of keeping all clients up-to-date with deltas.  &: )

Hi all ,

Thanks for all the feedback and suggestions. We have tried this fix and will let you all know.

Symantec Endpoint Protection Manager 12.1 is not updating 32-bit or 64-bit virus definitions due to corrupt content

http://www.symantec.com/business/support/index?page=content&id=TECH166923

The only issue is now that even though the DBA has now made that change - it does not change the fact that if it was not set before, the data in the FG_Content table is already corrupt.

That being said, at this stage - your only choice now is to dump ALL the revisions from the database and start loading definitions.

The way you do that is to set the content revisions to keep down to one (this will purge everything but the last set [which is more than likely corrupted]), drop a JDB file into the SEPM then let that install - once that is installed you may restore 80 revisions [although I would recommend that you set that to 40 at most]. 

Here is the major downside though - this will cause massive traffic between the SEPM and the clients. One thing you may want to consider is to help spread out the damage and that would be to implement GUPs throughout the organization -- the more the better (I would designate every machine that is a server OS as one temporarly).

Either that - perhaps create a backup of the DB and open a ticket with tech and see if the backline teams will take the DB and analyse the DB itself, perform repairs and send it back (hopefully they can keep most of the content).