Solved

Virus Definitions Distribution - Not Updating

Posted on 2010-01-13
Last Modified: 2013-12-09
Good day Experts

I am currently running Symantec Endpoint Protection v11.0.4202. The server is running fine without any problems. I have noticed the last couple of days that my Virus Definition Distribution is not actually distributing any updates. I have made no changes to any internet/firewall settings.

The latest virus definition is: "2010-01-12 rev. 053"

As per my screenshot, my console is showing the following:  
   2010-01-11 rev. 024  1
   2010-01-04 rev. 017  23  
   2009-12-31 rev. 123 14

I have managed to find this article online and have been able to test all that is suggested and I am still not having any luck.
http://www.symantec.com/connect/articles/troubleshooting-liveupdate-issues-symantec-endpoint-protection

As per above mentioned link, I have done the test with the below results:
-------------------------------------------------------------------------------------------------------
Troubleshoot Communication issue:
PASSED - 1. Make sure that you are able to browse to the websites below:
a. Liveupdate.symantecliveupdate.com
b. Liveupdate.symantec.com
c. Symantec.com
2. Make sure that the perimeter firewall has exceptions for the websites above
3. Run a packet capture and contact support for analysis
Check Connectivity between SEP & SEPM:
PASSED - 1. Do a Secars test to Test Connectivity between SEP and SEPM
Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager

In Progress - 2. Get the sylinkmonitor logs to check the communication for any errors
SylinkWatcher and SylinkMonitor - tools for real-time debugging of SPA 5.x and SEP 11.x

DONE - Remove corrupt definitions
1. How to clear out corrupted definitions for a Symantec Endpoint
Check if SEPM has Latest Definitions:
DONE - 1. Open SEPM->Admin->Servers->Local Site
2. Show Liveupdate Downloads
3. Make sure that the date for 32 bit and 64 Definitions for Virus & Spyware Definitions is up-to-date.
-------------------------------------------------------------------------------------------------------

Could I please ask for assistance with how I can get my Symantec Endpoint Protection server to distribute the definitions again.

Kind regards,
mustekkzn

Symantec-Endpoint-Protection.JPG
0
Comment
Question by:mustekkzn
17 Comments
 
LVL 7

Expert Comment

by:jhalapradeep
ID: 26304296
Hi,

First of all try to do liveupdate from SEPM console: Admin->local site-> download liveupdate content
->If this process displays any errors like return code 4 or the liveupdate does not complete then follow this document to uninstall liveupdate and reinstall liveupdate and re-register SEPM with liveupdate:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100907303548

Regards,

Pradeep Jhala
0
 

Author Comment

by:mustekkzn
ID: 26305095
Hi Pradeep

Thank you for your post. As per my screenshot, I have done as you suggested.
How long does it normally take to distribute the updates to all the workstations?

As you can see, I didn't receive any errors. I will take this as good news....
Is it safe to presume that I don't do the uninstall and reinstall of liveupdate then?

Thank you once again for your assistance. Hopefully I will be able to get to the bottom of this quickly with your help.

Kind regards,
mustekkzn
Symantec-Endpoint---Update.JPG
0
 

Author Comment

by:mustekkzn
ID: 26305855
Hi Pradeep

It's been about an hour + now since the update and I am still not having any luck whatsoever.
The status of the definition updates is still the same.

Any other suggestions please?

Kind regards,
mustekkzn
0
 
LVL 1

Accepted Solution

by:
josh2780 earned 400 total points
ID: 26306091
Symantec apparently ran into a Y2K10 and any updates beyond 12/31/2009 23:59:59 are being interpreted by SEPM as old.

See this article:
http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

Based on your first screenshot, it looks like you are receiving the latest virus definitions (the most current I believe is rev 124).  Symantec's work-around for right now is to leave the date on the file as 12/31/2009 and increment the rev #.
0
 

Author Comment

by:mustekkzn
ID: 26306354
Hi josh2780

Thank you for your post.

It seems like it is describing my error to a T. Just a quick question, will this "error" show the "yellow" icon, instead of the normal green icon on users' workstations? I presume it would as this is how I noticed that there is a problem? (Please see attached screenshot)
I just find it strange that not all my workstations are affected. I only have the 14 workstations that seem to be an issue.

Also, according to the below link, there is a patch out for this problem. How/where do I have to look to see if I have it installed?
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348

Thank you once again for your post... I am relieved to find out that the problem is on Symantec's side of things.

Kind regards,
mustekkzn


Symantec---Showing-Yellow-Icon.JPG
0
 
LVL 1

Expert Comment

by:josh2780
ID: 26306424
I'm experiencing the same issue with the back dated virus definitions.  However, my clients show the green ball on the shield...  which I believe just means that the client is communicating with SEPM.  I'm not sure of the meaning of the yellow ball... but I would suspect that there is something wrong between the client and SEPM server.

I think the patch for the 12/31/2009 problem is only available for MR3.  Click on your "about" link in the upper right to know what maintenance release you are on.  I'm on 5, which does not have the patch as of yet.
0
 

Author Comment

by:mustekkzn
ID: 26306477
Hi Josh2780

I presume you are talking about the version number? Please see attached screenshot, the area marked in red to confirm.

Kind regards,
mustekkzn
Symantec---About.JPG
0
 
LVL 1

Expert Comment

by:josh2780
ID: 26306577
Yup - looks like you are running MR4... which according to the link I sent (which seems to be updated on a regular basis with the latest information regarding the bug) does not yet have a patch.  Keep watching that page for updates.
0
 

Author Comment

by:mustekkzn
ID: 26312123
Hi josh2780

Just had a look again at my list of updates.

Have you also found that only some of your workstations are showing the status of being out of date?
I am still experiencing the issue of these workstations showing a yellow icon, instead of the normal green one.
Have you perhaps come across any issues relating to the distribution updating issue that Symantec is facing at the moment as per your given link below?
http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

Kind regards,
mustekkzn
0
 

Author Comment

by:mustekkzn
ID: 26313032
Hi experts

Just want to see if I am the only person that experienced the following with Symantec Endpoint Protection. Please see attached screenshot.
Is this related to their current problem?

Please inform me if I should be concerned.

Kind regards,
mustekkzn



Symatec---Error.JPG
0
 
LVL 20

Expert Comment

by:jimmymcp02
ID: 26316394
The issue that you are describing in your question appears to be the following bug.
 
Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager
Fix ID: 1543985
Symptom: Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager.
Solution: Added a dependency relationship for SMC service and System Event Notification service at startup.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648?Open&docid=2009072315130848&nsf=ent-security.nsf&view=docid
 
It looks like you have a combination of a bug and a defect for the SEP version that you are running.
0
 

Author Comment

by:mustekkzn
ID: 26316418
Hi josh2780

Just want to see if you have managed to get to resolve your issue as yet? Also, have you perhaps seen the above error occur on your workstations lately?

Any response would be greatly appreciated.

Kind regards,
mustekkzn
0
 
LVL 1

Expert Comment

by:josh2780
ID: 26316448
I've seen that on some managed workstations, however, it's due to a network issue and they are unable to reach the SEPM server.  As for resolving the issue, Symantec has not yet released a patch for my version of SEPM... so I'm still waiting.
0
 

Author Comment

by:mustekkzn
ID: 26316539
Hi josh2780

Thank you for getting back to me on this. So it is basically a waiting game from here onwards then?

Can I please ask; are you also experiencing that only some of your workstations are experiencing this issue, whereas others are not? Or is it your whole network?
It just concerns me that some of our users are still getting the yellow icon.

Kind regards,
mustekkzn
0
 
LVL 1

Expert Comment

by:josh2780
ID: 26316588
All of the workstations that were previously managed in 2009 and are now getting updates with 12/31/09 rev 126 are not throwing any errors.  They show a green icon on the shield.  I'm not sure why you get the yellow icon on the others.  I'd check to see if they are at least getting the latest 12/31/09 rev ### that your SEPM server shows is the latest.  If not, you likely have an issue with clients connecting to SEPM.  If they have the latest, I'd just wait until Symantec patches SEPM...  but that's up to you.
0
 

Expert Comment

by:barb007
ID: 26333572
I have experienced the issue you discussed . . .if the client logged on and received the box that indicated that they did not have the latest definitions, and they checked the box that said "remind me after the next update"  then their shield will show the green instead of the yellow.
0
 

Author Comment

by:mustekkzn
ID: 26339483
Good day Experts

I am very happy to report back this morning that it seems like my problem has been resolved. As per attached screenshot, my Symantec Endpoint Protection server status is back to normal again.

In this case all the points have to go to josh2780 as he had it spot on. Thanks so much for that!

Thank you once again for all your comments.

Kind regards,
mustekkzn
Symantec--Status-Correct.JPG
0
