Symantec Endpoint Protection client fails to update content until the system is rebooted. Content is not updated even if a manual liveupdate is triggered from the client GUI.
SEP System logs:
An update for Virus and Spyware Definitions Win64 failed to install. Error: 0xE0010001, DuResult: 37. LiveUpdate Manager
05/05 15:01:52.332  <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
05/05 15:01:55.441  <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=19
05/05 15:01:55.441  [Content]<ProcessLUDownloadedFile>SMC failed to process the content update: Error: 19
Process Monitor logs indicate that there is a sharing violation on the definfo.dat file.
ccSvcHst.exe 2572 CreateFile C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Data\Definitions\IronWhitelistDefs\definfo.dat SHARING VIOLATION Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0
The root cause is that something inside the Quest software is not allowing SEP to get a lock on the definfo.dat file in order to successfully update the content.
Suggestion is to disable or uninstall Quest ChangeAuditor application from the affected system. If disabling or uninstalling this application resolves the issue, Quest or Dell should be involved for further investigation.
Below steps can be followed to disable a File Driver that the Change Auditor (CA) Agent uses:
1. If you have removed the agent redeploy the agent.
2. Navigate to the location where the CA Agent is installed C:\Program Files\Quest Software\ChangeAuditor\Agent
3. Double click on ServiceStatusTray.exe
4. Go to the System tray and right click on the Agent icon, then left click on Agent Status
5. Once the Agent status dialog box is up press Alt-M
6. This brings up another dialog box, go to the File Server tab and towards the bottom disable File driver - change the value to 1.
Windows 2008 R2 Server Standard Service Pack 1 and Windows 2012 server.
Quest ChangeAuditor versions 5.8.56, 5.8.58, 5.8.65