LiveUpdate fails with error 1845 when Symantec Endpoint Protection Manager is installed in same server with Symantec Mail Security for Exchange

book

Article ID: 177974

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Depending if Symantec Endpoint Protection Manager (SEPM) is installed before or after Symantec Mail Security for Exchange (SMSMSE), you might have errors 1845 in presession callback for SESC Virus Defs or for Mail Security Updates:


Examples from Log.LiveUpdate:

================================================================================
24/08/2009, 15.34.16 GMT -> LiveUpdate successfully launched a new callback proxy process for product SMSMSE Virus Definitions.
24/08/2009, 15.34.16 GMT -> LiveUpdate is about to execute a PreSession callback for product SMSMSE Virus Definitions.
24/08/2009, 15.34.16 GMT -> The callback failed with a return code of 0x80004005
24/08/2009, 15.34.16 GMT -> The PreSession callback for product SMSMSE Virus Definitions completed with a result of 0x80004005
24/08/2009, 15.34.16 GMT -> LiveUpdate aborted product SMSMSE Virus Definitions for the following reason (error code 1845), This product was not updated due to a processing error.
24/08/2009, 15.34.16 GMT -> Successfully released callback {0D7E9ED3-A063-4BB1-B3E6-E826F5D68306}
24/08/2009, 15.34.16 GMT -> LiveUpdate has called the last callback for product SMSMSE Virus Definitions, so LiveUpdate is informing the callback proxy that it can exit.
================================================================================

================================================================================
02/05/2009, 16.06.07 GMT -> LiveUpdate successfully launched a new callback proxy process for product SESC Virus Definitions Win32 v11.
02/05/2009, 16.06.07 GMT -> LiveUpdate is about to execute a PreSession callback for product SESC Virus Definitions Win32 v11.
02/05/2009, 16.06.08 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Successfully created an instance of an luProductReg object!
02/05/2009, 16.06.08 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Path for calling process executable is C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe.
02/05/2009, 16.06.09 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Setting property for Moniker = {B36CDA3C-B15B-421c-A2A4-7EC70E3B852B}, PropertyName = SEQ.HUBDEFS, Value = 90322018
02/05/2009, 16.06.09 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Setting property for Moniker = {B36CDA3C-B15B-421c-A2A4-7EC70E3B852B}, PropertyName = SEQ.CURDEFS, Value = 90501054
02/05/2009, 16.06.10 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Setting property for Moniker = {C60DC234-65F9-4674-94AE-62158EFCA433}, PropertyName = SEQ.CURDEFS, Value = 90501054
02/05/2009, 16.06.10 GMT -> ProductRegCom/luProductReg(PID=8264/TID=6416): Destroyed luProductReg object.
02/05/2009, 16.06.10 GMT -> The callback failed with a return code of 0x80004005
02/05/2009, 16.06.10 GMT -> The PreSession callback for product SESC Virus Definitions Win32 v11 completed with a result of 0x80004005
02/05/2009, 16.06.10 GMT -> LiveUpdate aborted product SESC Virus Definitions Win32 v11 for the following reason (error code 1845), This product was not updated due to a processing error.
02/05/2009, 16.06.10 GMT -> Successfully released callback {855BA5F4-6588-4F09-AE61-847E59D08CB0}
02/05/2009, 16.06.10 GMT -> LiveUpdate has called the last callback for product SESC Virus Definitions Win32 v11, so LiveUpdate is informing the callback proxy that it can exit.
================================================================================

 

Cause

Conflicts during the LiveUpdate job due to shared resources used by SEPM Virus Defs and SMSMSE Virus Defs.

Resolution

Follow this steps to correctly register SEPM and SMSMSE with LiveUpdate, avoiding conflicts:

  1. Uninstall and Reinstall LiveUpdate
    1. Uninstall LiveUpdate via the Control Panel > Add/Remove programs
    2. Rename/Delete the LiveUpdate folder under C:\Documents and Settings\All Users\Application Data\Symantec
    3. Download the latest version of LiveUpdate for Windows, lusetup.exe, from ftp://ftp.symantec.com/public/english_us_canada/liveupdate/3.3.0/LUSETUP.EXE
    4. Double click lusetup.exe to install LiveUpdate
  2. Re-register SEPM with LiveUpdate
    1. From the Start menu select Run
    2. Enter the following command including the quotes: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -cleanup

      This command will unregister all Symantec Endpoint Protection Manager content from LiveUpdate. We will then proceed to re-register the content again with LiveUpdate.
    3. From the Start menu select Run
    4. Enter the following command including the quotes: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -update
       
  3. Disable LiveUpdate schedule from Mail Security as decribed in the Related Article, below.
  4. Re-register SMSMSE with LiveUpdate
    1. Register the SAVFMSELU.dll manually.
    2. Open a DOS box on the Exchange Server
    3. Change to C:\Windows\system32
    4. Run the command: regsvr32.exe "C:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSELU.dll"

      NOTE: The path to regsvr32.exe, SAVFMSELU.DLL and the LiveUpdate folder may vary.
       
  5. Execute LiveUpdate from SEPM
    Then only run LiveUpdate from the SEPM console scheduler.




References
Best Practice calls for the SMSMSE LiveUpdate to be disabled on 32-bit Exchange servers that are protected by SAV or SEP clients. SMSMSE will automatically share the definitions downloaded by SAV or SEP. For more information, please see Configuring LiveUpdate when Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition or Symantec Endpoint Protection are installed together


Another possible issue which can lead to this error is when SMSMSE is using the SEP definitions and is not actually updating itself as when it goes to check the definitions they are already up to date since the SEP is normally using a newer set of definitions due to it's accelerated update schedule. The error will be presenting itself in this case in the SEP liveupdate session and not if the update is run from the SMSMSE product.

If this error presents itself then it may be necessary to manually replace the product.inventory from an SEP system which does not have the SMSMSE product installed and then it will not call the definitions for SMSMSE as this is already redundant.


Applies To

Note: This solution in this document only applies to Endpoint Protection 12.0 and earlier. If you use Endpoint Protection 12.1, instead read the article Reinstall LiveUpdate for Endpoint Protection Manager 12.1 (http://www.symantec.com/docs/TECH171060)