Mail Security for Microsoft Exchange 7.9 does not automatically update virus definitions with Endpoint Protection 14.2 installed

Article ID: 172045

Products

Mail Security for Microsoft Exchange; Endpoint Protection

Issue/Introduction

Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.9 is installed on a system that also has Symantec Endpoint Protection (SEP) installed. Attempts to run LiveUpdate return a successful result, but the definition date is never updated.

Review of the lux.log located at <SMSMSE Install>\Server\definitions\AntiVirus\Logs identifies the following error (the component result reports OK, but the package result inside it does not):

16:16:56.562438     [Component Result - START]
16:16:56.562438         Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
16:16:56.562438         Display Name: SMSMSE 7.9 AV Definitions for x86_64-windows
16:16:56.562438         PVL: SMSMSE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
16:16:56.562438         Result Code: 0x00010000
16:16:56.562438         Result Message: OK
16:16:56.562438         [Package Result - START]
16:16:56.562438             File: 1531164092jtun_dssx64encful.m35
16:16:56.562438             Result Code: 0x80012000
16:16:56.562438             Result Message: UNKNOWN
16:16:56.562438         [Package Result - END]
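The symptom above is easy to miss because the component-level result says OK while the package nested inside it fails. The following parser is an added example (not part of the KB article or a Symantec tool) that reads a lux.log in the bracketed [Component Result]/[Package Result] layout shown above and reports packages whose result code is not 0x00010000 even though the enclosing component reported OK. The sample log text is constructed from the excerpt; the closing "[Component Result - END]" marker and the assumption that result codes are hexadecimal are mine, and the parser also tolerates a log that ends without the END marker.

```python
"""Flag LiveUpdate package failures hidden under an OK component result in lux.log.

Added example, not from the KB article. Assumes the bracketed
[Component Result]/[Package Result] layout shown in the article and
hexadecimal "Result Code" values (assumption).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LUX_OK = 0x00010000  # the code the article's log reports with "Result Message: OK"

# Constructed sample: the article's excerpt plus a closing END marker (assumed).
SAMPLE_LUX_LOG = """\
16:16:56.562438     [Component Result - START]
16:16:56.562438         Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
16:16:56.562438         Display Name: SMSMSE 7.9 AV Definitions for x86_64-windows
16:16:56.562438         PVL: SMSMSE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
16:16:56.562438         Result Code: 0x00010000
16:16:56.562438         Result Message: OK
16:16:56.562438         [Package Result - START]
16:16:56.562438             File: 1531164092jtun_dssx64encful.m35
16:16:56.562438             Result Code: 0x80012000
16:16:56.562438             Result Message: UNKNOWN
16:16:56.562438         [Package Result - END]
16:16:56.562438     [Component Result - END]
"""

_TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+")
_KEY_VALUE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


@dataclass
class PackageResult:
    file: str = ""
    result_code: Optional[int] = None
    result_message: str = ""


@dataclass
class ComponentResult:
    component_id: str = ""
    display_name: str = ""
    pvl: str = ""
    result_code: Optional[int] = None
    result_message: str = ""
    packages: List[PackageResult] = field(default_factory=list)


def _parse_code(value: str) -> Optional[int]:
    """Parse a hex result code such as 0x80012000; None if malformed."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def parse_lux_log(text: str) -> List[ComponentResult]:
    """Build ComponentResult records (with nested packages) from lux.log text."""
    components: List[ComponentResult] = []
    component: Optional[ComponentResult] = None
    package: Optional[PackageResult] = None
    for raw in text.splitlines():
        line = _TIMESTAMP.sub("", raw).strip()  # drop the leading time stamp
        if not line:
            continue
        if line == "[Component Result - START]":
            component = ComponentResult()
            components.append(component)
            package = None
        elif line == "[Component Result - END]":
            component, package = None, None
        elif line == "[Package Result - START]":
            if component is None:  # tolerate a package block with no enclosing component
                component = ComponentResult()
                components.append(component)
            package = PackageResult()
            component.packages.append(package)
        elif line == "[Package Result - END]":
            package = None
        else:
            match = _KEY_VALUE.match(line)
            if not match:
                continue
            key, value = match.group(1).strip(), match.group(2).strip()
            target = package if package is not None else component
            if target is None:
                continue
            if key == "Result Code":
                target.result_code = _parse_code(value)
            elif key == "Result Message":
                target.result_message = value
            elif isinstance(target, PackageResult) and key == "File":
                target.file = value
            elif isinstance(target, ComponentResult):
                if key == "Component ID":
                    target.component_id = value
                elif key == "Display Name":
                    target.display_name = value
                elif key == "PVL":
                    target.pvl = value
    return components


def masked_failures(text: str) -> List[dict]:
    """Packages that failed inside a component whose own result is OK."""
    findings = []
    for comp in parse_lux_log(text):
        if comp.result_code != LUX_OK:
            continue  # the component itself already reports the failure
        for pkg in comp.packages:
            if pkg.result_code != LUX_OK:
                findings.append({
                    "display_name": comp.display_name,
                    "file": pkg.file,
                    "package_code": pkg.result_code,
                    "package_message": pkg.result_message,
                })
    return findings


if __name__ == "__main__":
    for finding in masked_failures(SAMPLE_LUX_LOG):
        print(f"{finding['display_name']}: package {finding['file']} "
              f"returned 0x{finding['package_code']:08X} ({finding['package_message']})")
```

Run it against a real lux.log by reading the file into `masked_failures`; a non-empty result after a LiveUpdate that the console reports as successful is the signature this article describes.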

Cause

This issue is caused by the Symantec Endpoint Protection Tamper Protection feature, which is designed to prevent malicious changes to Symantec files and registry paths. As part of the LiveUpdate process, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\InstalledApps requires read/write access, and Tamper Protection blocks that access. The result is a LiveUpdate package processing failure after the definitions package has been downloaded.

Resolution

Symantec has identified the root cause of this issue. A fix is planned for the SEP 14.2 MP1 release. In the interim, use the workaround below to allow SMSMSE to continue updating virus definitions.

Workaround

  1. Launch the SEPM console.
  2. Click on Policies>Exceptions.
  3. Under Tasks below click on Add an Exceptions Policy.
  4. In Overview for Policy name specify "Allow SMSMSE Virus Definition Updates".
  5. In Overview for Description specify "Unblock SMSMSE 7.9 LiveUpdate from Tamper Protection".
  6. In Exceptions click Add > Windows Exceptions > Tamper Protection Exception.
  7. In Prefix variable select "[NONE]".
  8. In "File" specify C:\Program Files\Symantec\SMSMSE\7.9\Server\SymcMicrodefsManager.exe
    Note: If the SMSMSE install path has been customized from default, use the custom file path instead.
  9. Click OK, then click OK to complete the Exceptions Policy.
  10. Under Exceptions Policies on the right, highlight the "Allow SMSMSE Virus Definition Updates" policy.
  11. Under Tasks click Assign the policy.
  12. Select the group(s) that include all SMSMSE deployments. If you are uncertain, assigning the policy globally will not cause a problem.
  13. Click Assign to roll out the Exclusion change.
  14. In the SMSMSE Console click Admin > LiveUpdate/Rapid Release Status.
  15. Under Tasks click "Run LiveUpdate Certified Definitions" to launch LiveUpdate.