SONAR definition is not updated to the latest by LiveUpdate on Endpoint Protection Manager (SEPM). When check SEPM console - [Admin] - [Servers] - [Local Site] - [Show LiveUpdate downloads], "SONAR Heuristics engine 14.0 RU1" revision is around "02/19/2018 r1". Running LiveUpdate manually does not resolve the issue.
02/23 01:17:34 [15ac:1864] ERROR spcBASH MicroDefs25DefUtilsContentHandler DU_E_MISSING_DEFINFOat MicroDefs25DefUtilsContentHandler.cpp[397]
02/23 01:17:34 [15ac:1864] WARNING spcBASH DefaultDefUtilsContentHandler Require download full definition set in next LiveUpdate session: true
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler CDefUtils::InitWindowsApp(SesmInstallApp) - start (File = defutils.cpp, Line = 1149
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler CDefUtils::InitWindowsApp(): end, returning true. (File = defutils.cpp, Line = 1201
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler CDefUtils::StopUsingDefs() - start; m_pszAppID: SesmInstallApp (File = update.cpp, Line = 2449
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler CDefUtils::GetCurrentDefs() - start. (File = defutils.cpp, Line = 2020
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler Missing USAGE.DAT; exiting. (File = defutils.cpp, Line = 2053
02/23 01:17:34 [15ac:1864] INFO(Low) spcBASH DefaultDefUtilsContentHandler CDefUtils::StopUsingDefs() - returning DU_E_APPID_NOT_REGISTERED (File = update.cpp, Line = 2463
02/23 01:17:34 [15ac:1864] WARNING spcBASH DefaultDefUtilsContentHandler DU_E_APPID_NOT_REGISTERED
02/23 01:17:34 [15ac:1864] INFO(Med) spcBASH AbstractLuContentHandler Moniker:{9F018B25-0AB4-F6D4-011B-1FC437E6A122},Set LASTPATCH.STATUS = FAIL : Succeed.
02/23 01:17:34 [15ac:1864] INFO(Med) spcBASH SesmLu PostSession failed!
Symantec Endpoint Protection Manager 14.0.1 (RU1), 14.0.1 MP1 (RU1 MP1)
This issue was fixed with "SONAR Heuristics engine 14.0 RU1" revision "03/04/2018 r1". Please update this content via LiveUpdate server again.