Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.9 is installed on a system that also has Symantec Endpoint Protection (SEP) installed. Running LiveUpdate returns a successful result, but the definition date is never updated.
Review of the lux.log located at: <SMSMSE Install>\Server\definitions\AntiVirus\Logs identifies the following error:
16:16:56.562438 [Component Result - START]
16:16:56.562438 Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
16:16:56.562438 Display Name: SMSMSE 7.9 AV Definitions for x86_64-windows
16:16:56.562438 PVL: SMSMSE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
16:16:56.562438 Result Code: 0x00010000
16:16:56.562438 Result Message: OK
16:16:56.562438 [Package Result - START]
16:16:56.562438 File: 1531164092jtun_dssx64encful.m35
16:16:56.562438 Result Code: 0x80012000
16:16:56.562438 Result Message: UNKNOWN
16:16:56.562438 [Package Result - END]
This issue is caused by the Tamper Protection feature of Symantec Endpoint Protection. This feature is designed to prevent malicious changes to Symantec file and registry path information. As part of the LiveUpdate process, read/write access to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\InstalledApps is required, and Tamper Protection blocks it. As a result, processing of the LiveUpdate definitions package fails after the package has been downloaded.
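Because the component-level result stays OK while the package inside it fails, the failure is easy to miss. The following added example (not Symantec code) scans lux.log for that pattern. The function names are hypothetical, and the log layout is assumed from the excerpt above only.

```python
import re
import sys

# Constructed sample: the lux.log excerpt quoted in this article.
SAMPLE_LOG = """\
16:16:56.562438 [Component Result - START]
16:16:56.562438 Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
16:16:56.562438 Display Name: SMSMSE 7.9 AV Definitions for x86_64-windows
16:16:56.562438 PVL: SMSMSE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
16:16:56.562438 Result Code: 0x00010000
16:16:56.562438 Result Message: OK
16:16:56.562438 [Package Result - START]
16:16:56.562438 File: 1531164092jtun_dssx64encful.m35
16:16:56.562438 Result Code: 0x80012000
16:16:56.562438 Result Message: UNKNOWN
16:16:56.562438 [Package Result - END]
"""
# Assumption: every entry is "<HH:MM:SS.ffffff> <text>", as in the excerpt.
LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(.*)$")
FIELD = re.compile(r"^(Component ID|Display Name|PVL|File|Result Code|Result Message):\s*(.*)$")

def parse_components(text):
    """Group Result Code/Message fields by component and nested package."""
    components, comp, pkg = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        body = m.group(1).strip() if m else ""
        if body == "[Component Result - START]":
            comp, pkg = {"packages": []}, None
            components.append(comp)
        elif body == "[Package Result - START]" and comp is not None:
            pkg = {}
            comp["packages"].append(pkg)
        elif body == "[Package Result - END]":
            pkg = None
        elif comp is not None and (f := FIELD.match(body)):
            (pkg if pkg is not None else comp)[f.group(1)] = f.group(2).strip()
    return components

def masked_failures(text):
    """Packages that failed inside a component that itself reported OK."""
    return [(c.get("Display Name"), p.get("File"), p.get("Result Code"))
            for c in parse_components(text) if c.get("Result Message") == "OK"
            for p in c["packages"] if p.get("Result Message") != "OK"]

if __name__ == "__main__":
    # Pass a path to lux.log, or run with no argument to use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, pkg_file, code in masked_failures(text):
        print(f"{name}: package {pkg_file} failed with {code}")
```

Any line it prints means the package was downloaded but not applied, which matches the symptom of a successful LiveUpdate with a stale definition date.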
Symantec has identified the root cause of this issue. A fix is planned for the SEP 14.2 MP1 release. In the interim, use the workaround below to allow SMSMSE to continue updating virus definitions.
Workaround
C:\Program Files\Symantec\SMSMSE\7.9\Server\SymcMicrodefsManager.exe