Endpoint Protection


Endpoints Out of Date but won't update

  • 1.  Endpoints Out of Date but won't update

    Posted Jun 01, 2017 06:35 AM

    Hello,

    We have a few different domains that we manage using SEPM and have recently upgraded to 14 from 12.

    Since then, a few of our Endpoints are not being updated to the latest virus definitions.

    In one domain, we have 4 machines that are running Server 2012 R2 and they all have different virus definitions. One is up to date and the others are about 4/5 days out. They all connect to the SEPM server fine and are all reporting that they are up to date but they're not, based on the dates given.

    The download protection definitions are all the same and up to date, but the virus definitions are not.

    Is it likely that the definitions installed on each of the machines are corrupt and will need removing?

    Capture.PNG



  • 2.  RE: Endpoints Out of Date but won't update
    Best Answer

    Posted Jun 01, 2017 07:38 AM

    Are they supposed to get updates from the SEPM or another source?

    Download and run the SymDiag tool on one affected client to see what it shows:

    http://www.symantec.com/docs/TECH170752



  • 3.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 08:31 AM

    They get their updates from the SEPM server.

    None of the machines have internet access apart from SEPM so rely on the SEPM server for updates.



  • 4.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 08:36 AM

    I'd still run the SymDiag tool on one affected client for an initial diagnosis.

    Aside from that, you can enable sylink logging on one affected client to see the communication between client and SEPM to see if any errors are present in the log.

    How to enable Sylink debugging for Endpoint Protection clients



  • 5.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 08:51 AM

    I've run the tool and it's reporting that the definitions are corrupted with a few additional warning states.
    Thanks Brian.

    Am I to assume that following the guide for v12 is still applicable for v14 to clear the corrupt defs?
    https://support.symantec.com/en_US/article.HOWTO59193.html

    Thanks again



  • 6.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 08:56 AM

    Yes, it should still be relevant.

    If I remember, the SymDiag tool has a "Fix" button that you can select to have them automatically cleared out. It's been a while since I've used this within SymDiag but I remember it being present.



  • 7.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 10:55 AM

    You are correct!
    It does have a fix button but it seems to be failing at a certain point for me and is reverting me to the document to do it manually.



  • 8.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 11:00 AM

    Do you have a password in place to stop the SEP's smc service? If so, I've seen this behavior happen. SymDiag doesn't prompt for the password and just seems to hang for a period until it eventually times out. May be a bug but I can't say as I don't have a machine to reproduce this with.



  • 9.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 11:26 AM

    It does seem to pause on that part but then does progress through and check it off. But it's after it re-acquires the defs that it fails, as shown below.

    Capture2.PNG



  • 10.  RE: Endpoints Out of Date but won't update

    Posted Jun 01, 2017 11:33 AM

    I wonder what would happen if you ran the fix again. Not ideal, but, mostly out of curiosity as to what would take place and if it can correct this after a second try.



  • 11.  RE: Endpoints Out of Date but won't update

    Posted Jun 02, 2017 05:13 AM

    I tried running it again and it returned the same results.
    I've now removed them manually and all servers are now running the most up to date version of virus defs. I will keep an eye on them to ensure that they continue to update though.

    One thing I did notice when removing the defs manually though is the location of the definitions.

    The guide says the location is:
     C:\ProgramData\Symantec\Definitions\VirusDefs\ 

    However, in Version 14, they are located here:
     C:\ProgramData\Symantec\SymantecEndpointProtection\14.X\Data\Definitions