Endpoint Protection

SEPM 12.1 Clients not updating virus defs.

  • 1.  SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 09:40 PM

    Hi,

    I have an SEPM 12.1 server that stopped receiving a/v definitions after removal of Backup Exec.  After re-registering SEPM with Liveupdate, the server is able to receive updates, but they are not being pushed out to clients.  System tray icon is showing a green dot on client machines.  If I modify the policy to allow manual operation of Liveupdate, clients download the latest defs from liveupdate.symantecliveupdate.com fine.

    While the SEPM license did expire 9 days ago, according to this FAQ:

    https://www-secure.symantec.com/connect/articles/sep-121-and-license-concept

    Clients should still be receiving definitions as we are running the enterprise version of SEPM.  As such, I'm not sure if the issue is due to license expiration or a problem with the server.  Renewal of the licenses is on the agenda, but the defs are a week old at this point and I need to get them updated asap.

    Sylog attached, any input would be greatly appreciated.

    Thanks..

    Attachment: Sylog.txt (240 KB)


  • 2.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 09:54 PM

    Please try these steps and check

    Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH166923



  • 3.  RE: SEPM 12.1 Clients not updating virus defs.

    Broadcom Employee
    Posted Sep 17, 2012 10:03 PM

    The SEPM is updated till 2012/09/03 rev003; the agent is updated with the same definition. You first need to update SEPM. Use a JDB file for updating the AV definition.

    How to update definitions for Symantec Endpoint Protection Manager using a JDB file
    http://symantec.com/docs/TECH102607



  • 4.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 10:41 PM

    Thanks for the reply...I should have detailed the troubleshoot steps I've taken so far...

    The article you sent was one of the first I tried, it didn't seem to do anything (live update via SEPM's Admin>servers>Local Site>Download LiveUpdate Content) failed with an Error=4.

    I also:

    Uninstalled/re-installed (from the installation package) LU on the server, was able to download 32/64 bit defs via SEPM's Admin>servers>Local Site>Download LiveUpdate Content, not being pushed out to clients.  Local server client not updating unless I run LU manually (gets defs directly from symantec).

    Uninstalled/re-installed (from the installation package) LU on a client, all communication seems OK, not getting updates from management server.  Local client not updating unless I run LU manually (gets defs directly from symantec).

    Ran Secars test from client, received status "OK".

    Downloaded latest JDB file, placed in "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming" - files picked up by system and numbered folders appear in C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758} which contain full.zip files.

    I'm probably forgetting something, but will update the thread as I remember.



  • 5.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 10:50 PM

    Thanks for the reply...I forgot to list the troubleshooting steps that I had performed...the JDB file I downloaded was vd3a6202.jdb, downloaded and installed today around 3pm EST.

    Are you seeing the SEPM server updated till 2012/09/03 rev003 via the sylog?  The SEPM interface is showing 2012/09/17 r2.  

    See attached screenshots just taken now (around 11pm EST).

     



  • 6.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 10:59 PM

    Hi,

    How is the client communication push/pull? If pull what is the heartbeat?



  • 7.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 11:11 PM

    See attached...I also ran a repair install of SEPM as part of the troubleshooting a day or two ago.  I'm using 3 different client groups (server/private/public), but the communications settings are identical for all three.



  • 8.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 11:27 PM

    Hi,

    Try to create one test group and move one or two clients to it.

    Also check whether the SEP client policy serial number and the SEPM group policy number are the same or not.

    Can you post the sylink logs?



  • 9.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 11:47 PM

    Checked policy numbers prior to TEST group creation, policy #'s match.

    Created a new TEST group, left all settings as default.  Moved client, client's system tray icon's green dot disappeared and troubleshooting tool shows the client as disconnected.  (See screenshots).

    Thanks very much for your input on this Ashish, I really appreciate it.  The sylink log is attached to my first post.



  • 10.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 11:51 PM

    Also, the SEPM console is showing the client that was moved to the TEST group as being online, even though from the client end it says it's disconnected.



  • 11.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 17, 2012 11:55 PM

    Hi,

    Are you able to telnet to ports 80 and 8014?

    Please disable Windows Firewall and UAC.



  • 12.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:07 AM

    Server is Server 2003, client is XP so no UAC.

    Strangely, the secar test that succeeded before now fails w/ a 403 error.  Using URL:

    http://192.168.9.8:8014/secars?hello,secars 

    On 80 I get:

    C:\>telnet egrn-ws 80

    Connecting To egrn-ws...Could not open connection to the host, on port 80: Connect failed
     
    8014 seems to connect fine, the cmd window switches to a blank telnet window.  Random character entry followed by <Enter> produced the following:
     
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>501 Method Not Implemented</title>
    </head><body>
    <h1>Method Not Implemented</h1>
    <p>sdsa to / not supported.<br />
    </p>
    </body></html>
    f


  • 13.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:11 AM

    Disregard comment about secar failure..was using the wrong URL string...:

    http://192.168.9.8:8014/secars/secars.dll?hello,secars

    Produces a status "OK".

     

    Also, firewall on the server was already disabled.



  • 14.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:14 AM

    So you are not able to telnet to port 80.

    Please check and open the port.



  • 15.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:27 AM

    From what I'm seeing here:

    http://www.symantec.com/business/support/index?page=content&id=TECH163787

    Port 80 was used prior to SEPM 11.x MR3, and changed to 8014 in later builds...since we're on 12.1, should port 80 even be responding?  Like I said, the server firewall is disabled and SEPM is using Apache (not IIS) for web services.

     

    Thanks again...



  • 16.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:32 AM

    Check SEP 12.1 Communication Troubleshooting

    Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

    http://www.symantec.com/business/support/index?page=content&id=TECH160964

     

    Troubleshooting Symantec Endpoint Protection

     
     
    Troubleshooting communication problems between the management server and the client
     


  • 17.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 12:34 AM

    Thanks for the links, Ashish...I'm seeing some troubleshooting steps in them that I haven't tried yet.

    Getting late here, so I'm going to try those out in the morning and I'll report back. 



  • 18.  RE: SEPM 12.1 Clients not updating virus defs.

    Broadcom Employee
    Posted Sep 18, 2012 12:36 AM

    Though the dashboard seems to be showing the latest def, the logs tell a different story. I strongly suggest following the link

    http://www.symantec.com/business/support/index?page=content&id=TECH166923



  • 19.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 01:15 AM

    I ran through the steps in that link, manual run of LUALL.exe in step 4 downloaded and installed 4 items successfully (2 of which were 32/64 bit definitions, don't recall the other 2).

    Fired up SEPM and ran a Liveupdate from Admin > Server > Local Site > Download LiveUpdate content.

    Status of SEPM LU download, screenshot shows installed downloads:

     

    September 18, 2012 1:05:31 AM EDT:  LiveUpdate succeeded.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:31 AM EDT:  LUALL.EXE finished running.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:30 AM EDT:  LUALL.EXE successfully updated the content. Return code = 0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:28 AM EDT:  No updates found for Symantec Endpoint Protection Win64 12.1 (English).  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:28 AM EDT:  No updates found for Symantec Endpoint Protection Win32 12.1 (English).  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for Centralized Reputation Settings 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for SONAR scan engine Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for AP Portal List 12.1 RU2.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for TruScan proactive threat scan commercial application list Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for SONAR scan whitelist Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for Virus and Spyware definitions Win32 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for Intrusion Prevention signatures Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:27 AM EDT:  No updates found for Client Intrusion Detection System signatures 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for Revocation Data.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for SONAR scan engine Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for Submission Control signatures 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for Submission Control signatures 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for SONAR scan data 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:26 AM EDT:  No updates found for Symantec Whitelist 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR Heuristics engine 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR scan whitelist Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for TruScan proactive threat scan commercial application list Win64 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for SEPM LiveUpdate Database 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for SONAR scan commercial application engine 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for Extended File Attributes and Signatures 12.1 RU2.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for Virus and Spyware definitions Win64 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for Symantec Endpoint Protection Manager Content Catalog 12.1.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:05:25 AM EDT:  No updates found for Intrusion Prevention signatures Win32 11.0.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:04:34 AM EDT:  LUALL.EXE has been launched.  [Site: My Site]  [Server: egrn-ws]
    September 18, 2012 1:04:33 AM EDT:  Download started.  [Site: My Site]  [Server: egrn-ws]

     



  • 20.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 01:22 AM

    Homepage of SEPM showing installed updates as 09/17/2012 r16, clients still showing 09/03/2012 r3.



  • 21.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 01:37 AM

    Please clear out the definitions

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

     

    Please follow these steps again

    http://www.symantec.com/business/support/index?page=content&id=TECH166923



  • 22.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 03:56 PM

    OK, I did this on a client machine...after re-downloading all defs to the SEPM server, all folders in the client's "\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions" received definitions from the server except for the "HIDefs" and "VirusDefs" folders which only contained an empty "newdefs-trigger" folder.

    I tried updating the server via JDB file again, same result.  Seems that server communication isn't the issue, given the ability to download the other def types.

    After doing this, the client's SEP interface said that there were no virus definitions loaded, so I fully uninstalled SEP from the client and re-installed from a freshly created installer package.  Same result, all defs update except for the virus defs.  The client now shows virus defs from 9/2011, around the time that the server was originally deployed.  All other def time stamps are from Aug/Sept 2012.
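
Added example, not part of the original thread and not Symantec tooling: the symptom reported in post 22 (content folders holding nothing but an empty "newdefs-trigger" folder) can be checked across a client's Definitions directory with a short script. The names OtherDefs, 20120917.016 and sample.dat are constructed sample data, and the function names are hypothetical.

```python
import os
import tempfile

# Placeholder folder name taken from post 22; it carries no definitions itself.
PLACEHOLDERS = {"newdefs-trigger"}

def has_content(path):
    """True if any file exists under path, ignoring placeholder folders."""
    for _current, subdirs, files in os.walk(path):
        subdirs[:] = [d for d in subdirs if d.lower() not in PLACEHOLDERS]
        if files:
            return True
    return False

def audit_definitions(root):
    """Map each content folder under root to populated / trigger-only / empty."""
    report = {}
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir():
            continue
        if has_content(entry.path):
            report[entry.name] = "populated"
        elif any(c.name.lower() in PLACEHOLDERS for c in os.scandir(entry.path)):
            report[entry.name] = "trigger-only"
        else:
            report[entry.name] = "empty"
    return report

def missing_types(root):
    """Content folders that received no definition files."""
    return [name for name, state in audit_definitions(root).items()
            if state != "populated"]

def build_sample(root):
    """Constructed tree mirroring post 22: two trigger-only folders, one populated."""
    os.makedirs(os.path.join(root, "HIDefs", "newdefs-trigger"))
    os.makedirs(os.path.join(root, "VirusDefs", "newdefs-trigger"))
    rev = os.path.join(root, "OtherDefs", "20120917.016")  # constructed names
    os.makedirs(rev)
    with open(os.path.join(rev, "sample.dat"), "wb") as fh:
        fh.write(b"constructed")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, state in audit_definitions(tmp).items():
            print(f"{name:12} {state}")
```

Pointing `audit_definitions` at a real client's Definitions path gives a per-content-type view of what the client actually received, independent of what the SEPM console reports.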



  • 23.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 04:55 PM

    Hi,

    Please follow these steps again

    http://www.symantec.com/business/support/index?page=content&id=TECH166923

    or

    Please create a new installation package, install it at least on a SEP client, and check whether the virus definitions are updated or not.



  • 24.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 09:38 PM

    In my previous post, after removing the virus defs from the client manually I cleared and redownloaded defs to the SEPM server according to:

    http://www.symantec.com/business/support/index?page=content&id=TECH166923

    The client downloaded all defs except for the a/v defs...I then reinstalled defs to the SEPM server via JDB file.  Client still wouldn't download the a/v defs.

    I then uninstalled SEP from the client and reinstalled using a freshly created installer....again, all defs updated except for the a/v defs which are showing a date around 9/2011...approximately when the SEPM server was deployed.



  • 25.  RE: SEPM 12.1 Clients not updating virus defs.

    Posted Sep 18, 2012 09:44 PM

    Hi,

    We have tried everything but have not found a solution.

    You can raise a support ticket.

    Contact Symantec Customer Care on 

    http://www.symantec.com/support/assistance_care.jsp

    OR 

    Technical Support

    http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Please contact Symantec Technical Support via the support phone numbers listed below

    Regional Support Telephone Numbers:
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
    India: Toll-Free 000 800 4401 456 directly
    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp