
Content Update files in the \Program Files\Symantec Endpoint Protection\LiveUpdate folder are growing in size


Article ID: 151598


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) clients are not updating content (virus definitions, IPS signatures or Proactive Threat Protection updates) from Symantec Endpoint Protection Manager (SEPM). In addition, there are many large files in the \Program Files\Symantec Endpoint Protection\LiveUpdate folder, and these files appear to be growing in size.

In the \Program Files\Symantec Endpoint Protection\LiveUpdate folder you see files named LUF.tmp. Some of these files are 4 to 5 GB in size, and they appear to be continuing to grow over time.


The following entries are seen in the Sylink.log:

08/14 16:20:30 [4052] @@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size. 
FileName:C:\Program Files\Symantec Endpoint Protection\LiveUpdate\LUF9D.tmpExpected file size: 0Actual file size: 412252

Cause

The headers of the content update files are getting compressed or corrupted. These headers contain information about the size of the file that is being downloaded. Because this information is stripped, the client does not know the file's size ahead of time and therefore "expects" the file size to be 0. When the file transfer ends, the reported file size does not match the "expected" size of 0, and the client believes the update failed. At the next check-in, the client re-requests the same file update from Symantec Endpoint Protection Manager, and the same temp file is used to store the data, so that file continues to get larger.

Resolution

This problem is fixed in Symantec Endpoint Protection 11.0.4 Maintenance Release 4. For information on how to obtain the latest build of Symantec Endpoint Protection, read Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

If you are unable to migrate to the latest maintenance release, use one of the following workarounds:

If the clients are configured to obtain content from Symantec Endpoint Protection Manager:

1. Configure the forwarding proxies so that Symantec Endpoint Protection Manager traffic is not routed over a proxy with AV scanning enabled. Alternatively, you can exclude Symantec Endpoint Protection/Symantec Endpoint Protection Manager traffic from being scanned at the AV proxy. It may also be possible to disable compressed file scanning on AV scanners, but this has not been confirmed as a possible workaround.

2. In some environments, proxy settings are set via GPO into the registry rather than through Internet Explorer. Setting the proxy values in the registry affects all accounts, including the SYSTEM account. The process that handles the content updates is SMC.EXE, which runs under the SYSTEM account. Therefore these GPO proxy settings will impact SMC.EXE and force it to use the proxy.

To see if proxy settings are set in the registry, examine the following registry key:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings

The values to examine are:

ProxyEnable (0 means no proxy, 1 means use the proxy listed in ProxyServer)
ProxyServer (the IP address and port assigned to the proxy server)

To disable the proxy settings set ProxyEnable to 0.

You also need to locate and remove the following additional keys or the ProxyEnable and ProxyServer settings will repopulate on reboot:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Depending on how GPOs are managed, these settings may come back when the user logs back into the Domain. The solution here is to either disable the GPO that applies to the OU that the user is in, or send out a new GPO that removes these keys, then assign the user to a new OU that doesn't have this GPO applied.
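
The registry check in step 2 can be run as a read-only triage script; this is an added example, not part of the original article or of any Symantec tooling. It assumes SEP is installed under %ProgramFiles%, that the temp files match LUF*.tmp (taken from the file names shown above), and that a copy of Sylink.log is passed in by path, since the article does not give its location.

```powershell
# Read-only triage; changes nothing. Run from an elevated prompt.
param(
    # Assumption: SEP is installed under %ProgramFiles%, as in the article's paths.
    [string]$LiveUpdateDir = (Join-Path $env:ProgramFiles 'Symantec Endpoint Protection\LiveUpdate'),
    # Assumption: path to a copy of Sylink.log (the article does not give its location).
    [string]$SylinkLog
)

$inet = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$conn = "$inet\Connections"

# 1. Proxy values seen by the SYSTEM account, and therefore by SMC.EXE.
$p = Get-ItemProperty -LiteralPath $inet -ErrorAction SilentlyContinue
$proxyEnable = if ($p) { $p.ProxyEnable } else { $null }
$proxyServer = if ($p) { $p.ProxyServer } else { $null }

# 2. Entries that repopulate the proxy settings on reboot. On Windows these are
#    binary values under the Connections key, so check its value names.
$names = @()
if (Test-Path -LiteralPath $conn) { $names = @((Get-Item -LiteralPath $conn).GetValueNames()) }
$residual = @('DefaultConnectionSettings', 'SavedLegacySettings' | Where-Object { $names -contains $_ })

# 3. Temp files left behind by failed content downloads.
$tmp = @()
if (Test-Path -LiteralPath $LiveUpdateDir) {
    $tmp = @(Get-ChildItem -LiteralPath $LiveUpdateDir -Filter 'LUF*.tmp' -File)
}
$bytes = 0
foreach ($f in $tmp) { $bytes += $f.Length }

# 4. Log entries where the client expected a size of 0, if a log was supplied.
$hits = 0
if ($SylinkLog -and (Test-Path -LiteralPath $SylinkLog)) {
    $hits = @(Select-String -LiteralPath $SylinkLog -Pattern 'Expected file size:\s*0(\D|$)').Count
}

[pscustomobject]@{
    ProxyEnable          = $proxyEnable
    ProxyServer          = $proxyServer
    ResidualProxyValues  = $residual -join ', '
    LufTempFiles         = $tmp.Count
    LufTempSizeGB        = [math]::Round($bytes / 1GB, 2)
    ExpectedSizeZeroHits = $hits
    SystemProxyEnabled   = ($proxyEnable -eq 1)
}
```

A client showing SystemProxyEnabled as True together with large LUF temp files and expected-size-0 log entries matches the condition this article describes.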

If the clients are configured to obtain content using LiveUpdate, change the proxy settings for LiveUpdate:

  1. Open Start, Settings, Control Panel, Symantec LiveUpdate
  2. Click the HTTP tab
  3. Choose "I want to use my Internet Options HTTP settings"
  4. Click Configure
  5. Select the Connections tab.
  6. Click the LAN Settings button.
  7. In the Local Area Network (LAN) Settings window check the "Bypass proxy server for local addresses" checkbox.