After installing or updating to Endpoint Protection 14.2, Protection Engine 7.5 and later no longer update virus definitions automatically as expected

Article ID: 172077
Products: Protection Engine for Cloud Services, Protection Engine for NAS, Endpoint Protection

Issue/Introduction

Symantec Protection Engine (SPE) is installed on a system that also has Symantec Endpoint Protection (SEP) installed. Attempts to run LiveUpdate return a successful result, but the definition date is never updated.

Review of lux.log, located at <SPE Install>\definitions\AntiVirus\Logs, identifies the following error (the component result reports OK, but the package result inside it fails with code 0x80012000 / UNKNOWN, and the session summary counts one failure):

15:57:04.352118     [Component Result - START]
15:57:04.352118         Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
15:57:04.352118         Display Name: SPE 7.9 AV Definitions for x86_64-windows
15:57:04.352118         PVL: SPE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
15:57:04.352118         Result Code: 0x00010000
15:57:04.352118         Result Message: OK
15:57:04.352118         [Package Result - START]
15:57:04.352118             File: 1531485436jtun_dssx64en180710009.m35
15:57:04.352118             Result Code: 0x80012000
15:57:04.352118             Result Message: UNKNOWN
15:57:04.352118         [Package Result - END]
15:57:04.352118     [Component Result - END]
15:57:04.352118 [Session Results - END]
15:57:04.352118 [Session Summary - START]
15:57:04.352118     Components: 1
15:57:04.352118     Packages:   1
15:57:04.352118     Success:    0
15:57:04.352118     Fail:       1
15:57:04.352118 [Session Summary - END]
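The failure signature above is easy to miss because the component line says OK while only the nested package result fails. The following parser is an added example for this article, not Symantec code: it walks the Component Result / Package Result nesting in a lux.log session, collects each result code and message, reads the Session Summary counters, and lists packages that did not report OK. It assumes the log layout shown in the excerpt (timestamp, then indented bracketed markers and "Key: Value" lines) and treats any package whose Result Message is not OK as a failure; the sample input is the excerpt quoted above.

```python
"""Parse a LiveUpdate lux.log session and flag definition packages that failed.

Added example for KB article 172077; not part of SPE or SEP. Assumes the
lux.log layout shown in the article (timestamp, bracketed section markers,
indented "Key: Value" lines).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the lux.log excerpt quoted in the article.
SAMPLE_LUX_LOG = """\
15:57:04.352118     [Component Result - START]
15:57:04.352118         Component ID: {BAE8FC84-53DC-11E1-8A6B-005056A9534A}
15:57:04.352118         Display Name: SPE 7.9 AV Definitions for x86_64-windows
15:57:04.352118         PVL: SPE 7.9 AV Definitions for x86_64-windows_MicroDefsB.CurDefs_SymAllLanguages
15:57:04.352118         Result Code: 0x00010000
15:57:04.352118         Result Message: OK
15:57:04.352118         [Package Result - START]
15:57:04.352118             File: 1531485436jtun_dssx64en180710009.m35
15:57:04.352118             Result Code: 0x80012000
15:57:04.352118             Result Message: UNKNOWN
15:57:04.352118         [Package Result - END]
15:57:04.352118     [Component Result - END]
15:57:04.352118 [Session Results - END]
15:57:04.352118 [Session Summary - START]
15:57:04.352118     Components: 1
15:57:04.352118     Packages:   1
15:57:04.352118     Success:    0
15:57:04.352118     Fail:       1
15:57:04.352118 [Session Summary - END]
"""

# "HH:MM:SS.micro" followed by the (indented) body of the line.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s+(?P<body>.*)$")
# "Key: Value" lines such as "Result Code: 0x80012000".
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SUMMARY_KEYS = ("Components", "Packages", "Success", "Fail")
COMPONENT_FIELDS = {"Component ID": "component_id", "Display Name": "display_name", "PVL": "pvl"}


@dataclass
class PackageResult:
    file: str = ""
    result_code: Optional[int] = None
    result_message: str = ""


@dataclass
class ComponentResult:
    component_id: str = ""
    display_name: str = ""
    pvl: str = ""
    result_code: Optional[int] = None
    result_message: str = ""
    packages: list = field(default_factory=list)


def parse_lux_log(text):
    """Return (components, summary) for one LiveUpdate session."""
    components, summary = [], {}
    comp = pkg = None
    in_summary = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body").strip()
        if body == "[Session Summary - START]":
            in_summary = True
            continue
        if body == "[Session Summary - END]":
            in_summary = False
            continue
        if body == "[Component Result - START]":
            comp = ComponentResult()
            continue
        if body == "[Component Result - END]":
            if comp is not None:
                components.append(comp)
            comp = None
            continue
        if body == "[Package Result - START]":
            pkg = PackageResult()
            continue
        if body == "[Package Result - END]":
            if comp is not None and pkg is not None:
                comp.packages.append(pkg)
            pkg = None
            continue
        kv = KV_RE.match(body)
        if not kv:
            continue
        key, value = kv.group("key").strip(), kv.group("value").strip()
        if in_summary:
            if key in SUMMARY_KEYS and value.isdigit():
                summary[key] = int(value)
            continue
        # Key/value lines inside a package belong to the package, else to the component.
        target = pkg if pkg is not None else comp
        if target is None:
            continue
        if key == "Result Code":
            target.result_code = int(value, 16)
        elif key == "Result Message":
            target.result_message = value
        elif pkg is not None and key == "File":
            pkg.file = value
        elif pkg is None and key in COMPONENT_FIELDS:
            setattr(comp, COMPONENT_FIELDS[key], value)
    return components, summary


def failed_packages(components):
    """Packages whose Result Message is not OK (assumption: that is the failure signal;
    in the article's log it is code 0x80012000 / UNKNOWN under a component marked OK)."""
    return [(c.display_name, p.file, f"0x{p.result_code:08X}", p.result_message)
            for c in components for p in c.packages if p.result_message != "OK"]


def check_session(text):
    """Summarise one session and cross-check the Fail counter against parsed results."""
    components, summary = parse_lux_log(text)
    failures = failed_packages(components)
    return {
        "components": len(components),
        "packages": sum(len(c.packages) for c in components),
        "failed": failures,
        "summary_fail": summary.get("Fail"),
        "summary_consistent": summary.get("Fail") == len(failures),
    }


if __name__ == "__main__":
    report = check_session(SAMPLE_LUX_LOG)
    for name, file, code, msg in report["failed"]:
        print(f"FAILED package {file} in '{name}': {code} {msg}")
    print(f"session Fail counter: {report['summary_fail']} (consistent={report['summary_consistent']})")
```

Run it against a real lux.log by replacing SAMPLE_LUX_LOG with the file contents; a package listed as failed while its component reads OK, with the definition date unchanged after LiveUpdate, is the pattern this article describes.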

Cause

This issue is caused by the Symantec Endpoint Protection Tamper Protection feature. Tamper Protection is designed to prevent malicious changes to Symantec file and registry paths. As part of the LiveUpdate process, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\InstalledApps (or HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps) requires read/write access, and that access is blocked by Tamper Protection. The result is that the LiveUpdate package fails during processing, after the definitions package has already been downloaded.

Resolution

Symantec has identified the root cause of this issue and a fix is scheduled for the SEP 14.2 MP1 release. To allow SPE virus definition updates in the interim, use the following workaround.

Workaround 

A specific Tamper Protection exclusion must be created using Symantec Endpoint Protection Manager (SEPM). To create the exclusion, perform the following steps:

(Note: Steps 7 & 8 assume the default installation path for SPE. If the installation path is non-default, these steps will need to be modified to account for the alternate path to SymcMicrodefsManager.exe.)

  1. Launch the SEPM console.
  2. Click on Policies > Exceptions.
  3. Under Tasks below, click on Add an Exceptions Policy.
  4. In Overview, for Policy name specify "Allow SPE virus definition updates".
  5. In Overview, for Description specify "Unblock SPE Liveupdate from Tamper Protection".
  6. In Exceptions, click Add > Windows Exceptions > Tamper Protection Exception.
  7. In Prefix variable, select "[NONE]".
  8. In "File", specify C:\Program Files\Symantec\Scan Engine\SymcMicrodefsManager.exe.
    Note: If the SPE install path has been customized from the default, use the custom file path instead.
  9. Click OK, then click OK again to complete the Exceptions Policy.
  10. Under Exceptions Policies on the right, highlight the "Allow SymcMicrodefsManager.exe" policy.
  11. Under Tasks, click Assign the policy.
  12. Select a value that will include all SPE deployments. If there is uncertainty about which group contains all the SPE servers, a global assignment will not cause problems.
  13. Click Assign to roll out the exclusion change.
  14. In the SPE Console, click System > Liveupdate Content.
  15. Click on the AV Definitions row of the Definitions Details table.
  16. Under Tasks, click Liveupdate Content to launch LiveUpdate and download new virus definitions.