Troubleshooting Content Delivery to the Symantec Endpoint Protection client
search cancel

Troubleshooting Content Delivery to the Symantec Endpoint Protection client

book

Article ID: 151624

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How do you troubleshoot Content Delivery to the Symantec Endpoint Protection (SEP) client?

Resolution

Symantec Endpoint Protection supports updates to its data and engines in the field. These updates are collectively referred to as "content".

Content reaches the Symantec Endpoint Protection client via 4 possible channels:

    • Distributed by the Symantec Endpoint Protection Manager
    • Downloaded from a LiveUpdate server (internal or external)
    • Distributed by the Group Update Provider (GUP)
    • Distributed by a third-party management system (TPM)

Content Flow
This is the general flow of content packages to Symantec Endpoint Protection clients for each channel.

Distributed by the Symantec Endpoint Protection Manager
Internal or External LiveUpdate Server > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Client

Downloaded from a LiveUpdate server (internal or external)
Internal or External LiveUpdate Server > Symantec Endpoint Protection Client

Distributed by the Group Update Provider (GUP)
Internal or External LiveUpdate Server > Symantec Endpoint Protection Manager > GUP Host > Symantec Endpoint Protection Client

Distributed by a third-party management system (TPM)
Internal or External LiveUpdate Server > Symantec Endpoint Protection Manager > Third Party Management System > Symantec Endpoint Protection Client
See About using third-party distribution tools to distribute content updates to managed clients (SEP 11.0.6 and higher) and Using third-party distribution tools to update client computers (SEP 12.1.2 and higher) for details.

Enabling or disabling each of these channels is done in the Symantec Endpoint Protection Manager Console under Polices > LiveUpdate. There are two policies: LiveUpdate Settings and LiveUpdate Content. LiveUpdate Settings policy controls which channels are enabled and other settings, such as scheduling. LiveUpdate Content policy controls which content types are enabled and which sequence number of each content type to use. LiveUpdate Settings is a location-specific policy, while LiveUpdate Content is a location-independent policy.

Symantec Endpoint Protection identifies each content type using a "moniker". A moniker is a GUID that uniquely identifies a combination of a content's product, platform and language. For instance, Virus Definitions Win32 v11 on Win32 in All Languages is identified by the moniker {C60DC234-65F9-4674-94AE-62158EFCA433}. Or {535CB6A4-441F-4e8a-A897-804CD859100E} for Virus Definitions Win32 v12.1 in All Languages. Each revision of a content type is identified by a "sequence number". The Virus Definitions released today will have a higher sequence number than the ones released yesterday.




Troubleshooting

If the Symantec Endpoint Protection client reports that its content is out of date and you can't figure out why, here are some things to try. When troubleshooting, keep these questions in mind:

    • Which update channels do I have enabled?
    • Do I have the content I'm expecting enabled in the LiveUpdate Content policy?
    • Do I have the content I'm expecting set to latest revision or a specific revision in the LiveUpdate Content policy?
    • If I am expecting content to come down via the Symantec Endpoint Protection Manager, does the Symantec Endpoint Protection Manager itself have the content?
    • If I am expecting content to come down via a LiveUpdate server, do I have LiveUpdate enabled in the LiveUpdate Settings policy?





Log.LiveUpdate (SEP 11)

The main LiveUpdate executable in SEP 11 is LuAll.exe. It is typically located in C:\Program Files\Symantec\LiveUpdate. When you click "LiveUpdate" on the Symantec Endpoint Protection Client UI, when you send down an "Update Content" command from the Symantec Endpoint Protection Manager Console or when a scheduled LiveUpdate is run, LuAll.exe will be launched. LuAll.exe is also launched when installing content updates (except for AV Definitions and IPS Signatures) distributed to the Symantec Endpoint Protection client via the Symantec Endpoint Protection Manager or other channels. AV and IPS content that arrives from Symantec Endpoint Protection Manager, GUP or TPM are not installed using LuAll.exe.

LuAll.exe outputs to a debug log (Log.LiveUpdate) every time it runs. This log is typically located at C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate (C:\ProgramData\Symantec\LiveUpdate on Windows Vista or newer).

If a content update package arrives on the client but fails to install, there is usually good related information in the Log.LiveUpdate log. A good strategy is to start looking for lines that contain "Start of New LU Session" and then examining the subsequent lines to determine if the session relates to the content you are interested in. Searching for the product name or the moniker associated with your content is also helpful. You should eventually be able to find the exact failure.

 

Log.Lue (SEP 12.1)
With SEP 12.1, LiveUpdate functionality for clients was moved from Windows LiveUpdate to the LiveUpdate Engine (LUE). LUE is run as a module within the ccSvcHst.exe process.

Note: LiveUpdate functionality for the Symantec Endpoint Protection Manager remains unchanged. LUE is only used for SEP clients.

By default, the LUE log for SEP clients is located here:

  • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue
  • Windows Vista and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Logs\Log.Lue

 

Content Cache Directory

Content that arrives on the Symantec Endpoint Protection Client is cached on disk. The default number of cached revisions can vary from 1 to 5 depending on your Symantec Endpoint Protection version. AV and IPS content is always cached, no matter what channel it used to get there. Other content types are cached for all channels except the LiveUpdate server channel. The cache directories are as follows:

  • Symantec Endpoint Protection 11.0.1 or older
    • All content is typically under C:\Program Files\Symantec\Symantec Endpoint Protection\ContentCache
  • Symantec Endpoint Protection 11.0.2 or newer
    • AV content: C:\Program Files\Common Files\Symantec Shared\VirusDefs
    • IPS content: C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs
    • All other content is typically under c:\Program Files\Symantec\Symantec Endpoint Protection\ContentCache
  • Symantec Endpoint Protection 12.1 or newer
    • All content is typically under:
      • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ContentCache
      • Windows Vista and above: C:\Program Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\ContentCache

If you are unsure if new content has made it to the client and been installed, check the cache. Content that arrives but fails to install will not be cached.

More cache information: Cache Control


Event ID 13: LiveUpdate returned a non- critical error. Available content updates may have failed to install

This event shows up in the Symantec Endpoint Protection client's Windows Event Log. This error condition should be resolved as soon as new sequence number for that content becomes available. To figure out which content package is failing, look at the DbgView output and Log.LiveUpdate. If the Symantec Endpoint Protection client in question receives new content via Symantec Endpoint Protection Manager, TPM or GUP and you are sure that a new, corrected content packages is available, but are still seeing the error, some things you might try:

    • Verify that the new content package has been downloaded to Symantec Endpoint Protection Manager by checking that it is listed under the LiveUpdate Content policy
    • Verify that you have the content type in question set to "use latest available" in the LiveUpdate Content policy
    • Verify that intermediate steps in the content flow are up and running (the GUP, an internal LiveUpdate server, Third Party Management software)
    • If the content type that is failing is not AV Definitions or IPS Signatures, try deleting the cached revisions of that content under C:\Program Files\Symantec\Symantec Endpoint Protection\ContentCache. This will force a full package to come down via your enabled content channel(s) rather than a delta package.



References
How to use a 3rd party tool for content deployment

 


Powered by Wolken Software