SEP clients go to the LiveUpdate server on the Internet despite a LiveUpdate policy from the SEPM to prevent that.


Article ID: 177894


Updated On:


Endpoint Protection


Why do managed Symantec Endpoint Protection (SEP) clients go to the Internet for updates in addition to the default Symantec Endpoint Protection Manager (SEPM), when the LiveUpdate policy configuration option to "Use LiveUpdate Server" is unchecked?

After configuring the LiveUpdate policy to not allow clients to connect to Symantec LiveUpdate servers for updates, the SEP clients are receiving the policy but appear to ignore the setting.  The clients continue to contact the Symantec LiveUpdate source servers or an internal LiveUpdate Administrator 2.x (LUA 2.x) server on the company network. Entries in the Log.LiveUpdate confirm these hosts are periodically selected.


One cause for this issue was addressed in Symantec Endpoint Protection 11.0.4202 MR4 MP2.

"Enable LiveUpdate Scheduling" should not work after unselecting "use a LiveUpdate server"

Fix ID: 1595629
"Enable LiveUpdate Scheduling" still works after unselecting "use a LiveUpdate server".
LiveUpdate scheduling is disabled when LiveUpdate is not used and LiveUpdate UI options are disabled unless a user is allowed to configure the LiveUpdate schedule.

Another issue has been fixed in SEP 11.0 RU5, please upgrade to that version or higher for the solution:

LiveUpdate tries to contact external LiveUpdate Servers despite policy setting
Fix ID: 1678207
Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.


LiveUpdate's self-healing was enhanced in Release Update 7 Maintenance Patch 1 (RU7 MP1) to use the organizations' LiveUpdate policy settings as the defaults.  
This change will prevent the SEP clients from attempting to access LiveUpdate source servers on the Internet in event of corruption.

Symantec Endpoint Protection client connects to Symantec LiveUpdate server despite being configured to use an internal LiveUpdate Administrator
Fix ID:
Symptom: On a managed Symantec Endpoint Protection client, if the local LiveUpdate settings file is corrupted, Symantec Endpoint Protection will revert to the default settings and connect to the Symantec LiveUpdate server.
Solution: To ensure the LUA server is always used, liveupdt.hst is be kept in the LiveUpdate Install folder. As a backup measure, a last known good settings file (Settings.LastGood.LiveUpdate) is created. This file is used when the original settings file is missing or zero byte.

Applies To

Symantec Endpoint Protection 11.x