Endpoint Protection clients do not update content definitions despite having a connection to the Endpoint Protection Manager

Article ID: 191006


Products

Endpoint Protection

Issue/Introduction

Your Symantec Endpoint Protection (SEP) clients are not downloading content definitions from the Symantec Endpoint Protection Manager (SEPM) despite a successful client-server connection. The SECARS test passes and you do not see any communication errors. Your clients get updates only from the SEPM and do not have a connection to LiveUpdate or a LiveUpdate Administrator.

You see the following in the client CVE.log:

[2020-May-15 16:06:03.765792] [ERROR] Send of message returned error 400 Bad Request [thread:1e68]
[2020-May-15 16:06:03.765792] [ERROR] cve::SylinkCommunicatorImpl::PerformLUCheck: http::ServerException occurred during get content file information - ServerException HTTP error code is: 400 [thread:1e68]
[2020-May-15 16:06:03.765792] [WARN ] Unable to find content for requested moniker {0F636DA6-59C8-47C6-B794-DCA49ED8D6EB} [thread:1e68]

Environment

SEP environment with clients configured to only download updates from the SEPM

SEP 14.2x, 14.3x

Cause

Full.zip downloads are blocked on the SEPM. This prevents newly installed clients from downloading full.zip packages.

To confirm that full.zip downloads are being blocked, check the exsecars-a log on your SEPM for the following:

05/15 16:01:32 [1764:4196] Error: Full.zip is blocked.
05/15 16:01:32 [1764:4196] Error: Full.zip is blocked.
05/15 16:01:32 [1764:4196] Error: Full.zip is blocked.
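
The check described above can be scripted when many clients are affected. The following is an added example, not Broadcom/Symantec code: it pairs the client CVE.log symptoms with the SEPM exsecars "Full.zip is blocked" entries. The line layouts are inferred from the two excerpts in this article, and the function and variable names are hypothetical.

```python
import re

# Line layouts inferred from the two log excerpts in this article (an assumption).
CVE_LINE = re.compile(r"^\[[^\]]+\] \[(?P<level>[A-Z]+)\s*\] (?P<msg>.*)$")
SECARS_LINE = re.compile(r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\d+:\d+\] (?P<msg>.*)$")
HTTP_400 = re.compile(r"error 400 Bad Request|HTTP error code is: 400")
MONIKER = re.compile(r"requested moniker (\{[0-9A-Fa-f-]{36}\})")

def scan_client_log(lines):
    """Count HTTP 400 errors and collect monikers the client could not find."""
    errors, monikers = 0, set()
    for line in lines:
        m = CVE_LINE.match(line.strip())
        if not m:
            continue  # not a CVE.log record
        if m["level"] == "ERROR" and HTTP_400.search(m["msg"]):
            errors += 1
        found = MONIKER.search(m["msg"])
        if found:
            monikers.add(found.group(1).upper())
    return errors, sorted(monikers)

def scan_server_log(lines):
    """Return timestamps of 'Full.zip is blocked' entries in the exsecars log."""
    records = (SECARS_LINE.match(line.strip()) for line in lines)
    return [m["ts"] for m in records if m and "Full.zip is blocked" in m["msg"]]

def diagnose(client_lines, server_lines):
    # The cause in this article applies only when both sides show their symptom.
    errors, monikers = scan_client_log(client_lines)
    blocked = scan_server_log(server_lines)
    if errors and blocked:
        verdict = "full.zip downloads are blocked on the SEPM"
    elif errors:
        verdict = "client sees HTTP 400 but no block entry in this server log"
    else:
        verdict = "client log does not show this issue"
    return {"verdict": verdict, "http_400": errors,
            "monikers": monikers, "blocked": len(blocked)}

# Sample input: lines copied from the article, plus one constructed non-matching line each.
CLIENT_SAMPLE = """\
[2020-May-15 16:05:00.000000] [INFO ] constructed sample line [thread:1e68]
[2020-May-15 16:06:03.765792] [ERROR] Send of message returned error 400 Bad Request [thread:1e68]
[2020-May-15 16:06:03.765792] [ERROR] cve::SylinkCommunicatorImpl::PerformLUCheck: http::ServerException occurred during get content file information - ServerException HTTP error code is: 400 [thread:1e68]
[2020-May-15 16:06:03.765792] [WARN ] Unable to find content for requested moniker {0F636DA6-59C8-47C6-B794-DCA49ED8D6EB} [thread:1e68]
""".splitlines()
SERVER_SAMPLE = (["05/15 16:01:30 [1764:4196] constructed sample line"]
                 + ["05/15 16:01:32 [1764:4196] Error: Full.zip is blocked."] * 3)
```

Pass the lines of a client's CVE.log and of the SEPM exsecars log to diagnose(); a client-side HTTP 400 with no matching server-side block entry points away from the cause described here.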

Resolution

Allow full.zip downloads on your SEPM or include virus definitions with new client install packages.

To allow full.zip downloads, in the SEPM console navigate to: [Admin] tab - [Edit the server properties] - [Full Definitions Download] tab, then uncheck [Prevent clients from downloading full definition packages].

Alternatively, consider allowing clients to reach out directly to Symantec's LiveUpdate servers.


Note: Large numbers of SEP clients simultaneously requesting full.zip files from the SEPM may result in diminished network and SEPM server performance. A full definition set can be up to several megabytes for SEP clients.