LiveUpdate fails on the Endpoint Protection Manager with errors in Log.LiveUpdate


Article ID: 157546


Products

Endpoint Protection

Issue/Introduction

When LiveUpdate is run on a Symantec Endpoint Protection Manager (SEPM), either through "Download LiveUpdate content" or through a scheduled run of LiveUpdate, the SEPM does not update definitions and displays the error "LiveUpdate encountered one or more errors. Return code = 4". Log.LiveUpdate shows errors similar to "LiveUpdate couldn't expand replacement path [spcIronWl-incr-InstallDir]."

This is an example of the complete error from Log.LiveUpdate: 

1/9/2013, 18:39:19 GMT -> Progress Update: PATCH_START: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\IrvSP12i.dis"

1/9/2013, 18:39:19 GMT -> Progress Update: SECURITY_PACKAGE_TRUSTED: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z"

1/9/2013, 18:39:19 GMT -> Signer: cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation

1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221"

1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221", HR: 0x0       

1/9/2013, 18:39:19 GMT -> Added package to cache...

1/9/2013, 18:39:19 GMT -> LiveUpdate couldn't expand replacement path [spcIronRl-incr-InstallDir].

 

Cause

This issue occurs when the SEPM has been configured to authenticate to a proxy using Windows authentication and Windows User Account Control (UAC) is enabled.

In order for Windows authentication to work properly, the LUALL.exe and LuCallbackProxy.exe executables are launched as the Windows user that was specified when proxy authentication was configured. These processes are launched by using the Windows API CreateProcessAsUser(). Because of UAC, the created processes (LUALL.exe and LuCallbackProxy.exe) are both assigned a Windows security token with limited privileges and permissions, even if the specified user is a member of the Administrators group.

This behavior of UAC is by design and cannot be bypassed with currently existing Windows APIs.

Environment

The SEPM has been configured to authenticate to a proxy using Windows Authentication and the SEPM can successfully update definitions using a .JDB file.

Resolution

There are two possible workarounds to this issue:

  1. Reconfigure the SEPM so it does not use Windows Authentication when authenticating to the proxy.
  2. Configure a scheduled task in Windows to run LUALL.EXE with the -S switch.

Disabling Windows Authentication for Proxy Authentication

  1. Log in to the SEPM
  2. Click Admin > Servers
  3. Right-click the SEPM server (in the top-left) and click Edit the server properties
  4. Click Proxy Server
  5. Uncheck Use Windows Authentication
  6. Click OK

Configuring a Windows Scheduled Task to run LiveUpdate

  1. Click Start > Administrative Tools > Task Scheduler
  2. Click Task Scheduler Library > Create Task...
  3. In the Name field, type in: LiveUpdate
  4. Click Change User or Group... and enter the name of the Windows user which can authenticate through the proxy
  5. Click OK
  6. Select Run whether user is logged on or not
  7. Check Run with highest privileges
  8. Click Actions > New...
  9. Set Action to Start a program
  10. Browse to the location of LUALL.EXE (default: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe)
  11. In Add Arguments, type: -S
  12. Click OK
  13. Click Triggers > New...
  14. Select Daily and pick the hour and minute to run the task
  15. Click Enabled > OK
    Note: If you wish LiveUpdate to run multiple times per day, create additional triggers for this scheduled task. By default, the SEPM runs LiveUpdate every four hours. This is recommended for most environments.
  16. Click OK
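
The scheduled-task steps above can also be scripted. The following is an added example, not part of the original article or a Symantec-supplied script; it assumes the ScheduledTasks PowerShell module (Windows Server 2012 / Windows 8 or later), an elevated prompt, and the default LUALL.exe path given in step 10.

```powershell
# Added example: scripted equivalent of the Task Scheduler steps in the article.
# Assumes the ScheduledTasks module and an elevated PowerShell session.

# Step 10: default LUALL.exe location from the article; adjust if installed elsewhere.
$luall = 'C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe'
if (-not (Test-Path -LiteralPath $luall)) {
    throw "LUALL.exe not found at '$luall'; correct the path for this SEPM."
}

# Steps 4-6: the Windows user that can authenticate through the proxy.
# Supplying a user name and password stores the credential with the task,
# which is what "Run whether user is logged on or not" does in the GUI.
$cred = Get-Credential -Message 'Windows account that can authenticate through the proxy'

# Steps 8-12: start LUALL.exe with the -S switch.
$action = New-ScheduledTaskAction -Execute $luall -Argument '-S'

# Steps 13-15 and the note: one daily trigger per run. Six triggers four hours
# apart match the SEPM default of running LiveUpdate every four hours.
$triggers = foreach ($hour in 0, 4, 8, 12, 16, 20) {
    New-ScheduledTaskTrigger -Daily -At ([datetime]::Today.AddHours($hour))
}

# Steps 3 and 7: task name "LiveUpdate", "Run with highest privileges".
Register-ScheduledTask -TaskName 'LiveUpdate' `
    -Action $action `
    -Trigger $triggers `
    -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Confirm the task was stored with the elevated run level and a password logon.
Get-ScheduledTask -TaskName 'LiveUpdate' |
    Select-Object TaskName, State,
        @{ Name = 'RunLevel';  Expression = { $_.Principal.RunLevel } },
        @{ Name = 'LogonType'; Expression = { $_.Principal.LogonType } },
        @{ Name = 'Triggers';  Expression = { $_.Triggers.Count } }
```

After the first run, `Get-ScheduledTaskInfo -TaskName 'LiveUpdate'` reports the last run time and result code, which can be compared with the entries in Log.LiveUpdate.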