Endpoint Protection clients stopped updating the definitions

Article ID: 155741

Products

Endpoint Protection

Issue/Introduction

After migrating to or installing SEP 12.1 with the embedded database, clients eventually stop updating definitions from the Manager, although SEPM correctly downloads the newest definitions. Additionally, the Symantec Endpoint Protection Manager (SEPM) may display incorrect definition status for the clients even after the clients were manually updated with an Intelligent Updater file or LiveUpdate.

After a restart of the Symantec Endpoint Protection Manager service, SEP clients are able to get the newest definitions and their status is updated in the manager.

  1. SEP clients remain connected to the SEPM: they show green dots and show the server IP or name in the SEP interface (Troubleshooting).
  2. SEPM does not process the newly updated definitions since the day of upgrade:
  3. In PackagePublisherTask-0.log there are no more updates since the day of upgrade (the entries are a few days old; they should be from 2012-01-10):
      2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>> clientMoniker:{535CB6A4-441F-4e8a-A897-804CD859100E},seq:120105021
      2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>>assigned seq:120105021
      2012-01-06 04:52:19.014 THREAD 25 INFO: LuContentInfoCompiler>>createContentInfoForAgent>> add content info: clientMoniker:{535CB6A4-441F-4e8a-A897-804CD859100E},seq:120105021
  4. Sylink.log from the client (taken on the same date as PackagePublisherTask-0.log from SEPM) shows that the client cannot find the new updates, only those published by SEPM a few days ago:
      01/10 08:28:36.031 [6068] 8:28:36=>Send HTTP REQUEST
      01/10 08:28:36.062 [6068] 8:28:36=>HTTP REQUEST sent
      01/10 08:28:36.062 [6068] <GetIndexFileRequest:>SMS return=200
      01/10 08:28:36.062 [6068] <ParseHTTPStatusCode:>200=>200 OK
      (...)
      <File Checksum="0F60A30387C3497A156B73AD24EC83ED" DeltaFlag="1" FullSize="164041049" LastModifiedTime="1325821779607" Moniker="{535CB6A4-441F-4e8a-A897-804CD859100E}" Seq="120105021"/>

    The client does not download this content because it already has these definitions:

      01/10 08:28:36.078 [6068] [Content]<mfn_LiveUpdate:>Current index2 content entry: Moniker: {535CB6A4-441F-4e8a-A897-804CD859100E} Sequence: 120105021
      01/10 08:28:36.078 [6068] <PostEvent>going to post event=EVENT_LICENSE_REQUIRE_STATUS
      01/10 08:28:36.078 [6068] <PostEvent>done post event=EVENT_LICENSE_REQUIRE_STATUS, return=0
      01/10 08:28:36.078 [6068] <PostEvent>going to post event=EVENT_LU_REQUIRE_STATUS
      01/10 08:28:36.109 [6068] <PostEvent>done post event=EVENT_LU_REQUIRE_STATUS, return=20
  5. Inetpub\Content on SEPM shows more revisions than configured. The numeric folders with the content updated after the day of upgrade contain only full.zip files.
  6. The restart of the SEPM service causes the following:
    1. The old content is deleted from Inetpub\Content, so there are only as many revisions as configured in the SEPM.
    2. The full.zip files are extracted in every revision folder.
    3. SEPM starts to publish the newest updates.
    4. Clients can find them and update the definitions.
    5. At the next download of the definitions by SEPM the problem reappears (SEPM does not process the new updates, does not publish them, exceeds the number of revisions, and does not extract full.zip in the newest content; SEP clients cannot get the updates).
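
The check behind items 3 and 4, as an added example (not Symantec's code): it reads a Sylink.log excerpt and reports content for which the client already holds the newest revision the manager offers even though that revision is several days old. The function name, the `log_year` parameter (Sylink.log timestamps carry no year), treating log times as UTC, and reading `LastModifiedTime` as epoch milliseconds are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: Sylink.log lines copied from the excerpt in this article.
SAMPLE_SYLINK = (
    '01/10 08:28:36.062 [6068] <GetIndexFileRequest:>SMS return=200\n'
    '01/10 08:28:36.062 [6068] <ParseHTTPStatusCode:>200=>200 OK\n'
    '<File Checksum="0F60A30387C3497A156B73AD24EC83ED" DeltaFlag="1" '
    'FullSize="164041049" LastModifiedTime="1325821779607" '
    'Moniker="{535CB6A4-441F-4e8a-A897-804CD859100E}" Seq="120105021"/>\n'
    '01/10 08:28:36.078 [6068] [Content]<mfn_LiveUpdate:>Current index2 content '
    'entry: Moniker: {535CB6A4-441F-4e8a-A897-804CD859100E} Sequence: 120105021\n'
)

STAMP_RE = re.compile(r'^(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d)')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
CURRENT_RE = re.compile(
    r'Current index2 content entry: Moniker: (\{[^}]+\}) Sequence: (\d+)')


def find_stale_content(log_text, log_year, max_age_days=2):
    """Return (moniker, seq, age_days) for content the client already has
    while the newest revision the manager offers is older than max_age_days."""
    offered, current, now = {}, {}, None
    for line in log_text.splitlines():
        stamp = STAMP_RE.match(line)
        if stamp:
            # Sylink.log omits the year; local time is treated as UTC (assumption).
            now = datetime(log_year, *map(int, stamp.groups()), tzinfo=timezone.utc)
        if line.lstrip().startswith('<File ') and now is not None:
            attrs = dict(ATTR_RE.findall(line))
            try:
                # Assumption: LastModifiedTime is epoch milliseconds.
                published = datetime.fromtimestamp(
                    int(attrs['LastModifiedTime']) / 1000, tz=timezone.utc)
                offered[attrs['Moniker'].upper()] = (attrs['Seq'], published, now)
            except (KeyError, ValueError):
                continue  # truncated or malformed index entry
        match = CURRENT_RE.search(line)
        if match:
            current[match.group(1).upper()] = match.group(2)
    findings = []
    for moniker, (seq, published, seen) in offered.items():
        age_days = (seen - published).days
        if current.get(moniker) == seq and age_days > max_age_days:
            findings.append((moniker, seq, age_days))
    return findings
```

A non-empty result on several clients at once points at the manager's publishing rather than at client connectivity, which matches the green-dot symptom in item 1.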

Cause

  • The Sybase JDBC driver does not support query timeouts.

 

Resolution

This issue has been fixed in Symantec Endpoint Protection 12 Release Update 2 (RU2). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH199676: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.
 

Applies To

  • Symantec Endpoint Protection Manager 12.1 with Embedded DB

Attachments

Stop_Data_Collector.png
Etrack_2819061_How_to_collect_Log_Rev2.doc
Collecting SQL Anywhere Performance Information using Microsoft Windows Performance Monitor.pdf