Symantec Protection Engine (SPE) servers fail to apply new signatures even though lux.log shows success but the result code shows 0x00011003 with result message UNKNOWN
Issue resolves itself with the new definition set (on following day) but not with release updates delivered through the day.
Restarting the SPE service also solves the issue. The issue is not seen in version 8.2.2
lux.log will show as below:
07:01:18.394023 [Component Result - START]
07:01:18.394023 Component ID: {CD657291-9FEB-46FD-8F22-4A67F2F0D3BE}
07:01:18.394023 Display Name: Stargate Definition
07:01:18.394023 PVL: Stargate-SPEforNAS 1.0 Definitions for x64-windows_MicroDefsB.CurDefs_SymAllLanguages
07:01:18.394023 Result Code: 0x00010000
07:01:18.394023 Result Message: OK
07:01:18.394023 [Package Result - START]
07:01:18.394023 File: 1680056386jtun_sgwino230327019.7z
07:01:18.394023 Result Code: 0x00011003
07:01:18.394023 Result Message: UNKNOWN
07:01:18.394023 [Package Result - END]
07:01:18.394023 [Component Result - END]
07:01:18.394023 [Session Results - END]
07:01:18.394023 [Session Summary - START]
07:01:18.394023 Components: 1
07:01:18.394023 Packages: 1
07:01:18.394023 Success: 1
07:01:18.394023 Fail: 0
07:01:18.394023 [Session Summary - END]
Live update error from 9.0.0 onwards is seen as below:
Sun Jul 02 13:42:47 Greenwich Standard Time 2023, There was an error running content update, scanning will continue using the original definitions, Event Severity Level = Error, Definitions = Virus definitions, Error Message = Failed to get valid virtual definitions, Update Method = LiveUpdate, Symantec Protection Engine IP address = <spe_ip>, Uptime (in seconds) = 168028, Date/time of event(with millisec) = 1688305367073, Symantec Protection Engine Host Name = <spe_hostname>, Process ID = 4340
SPE version 9.0 and later installed on Windows/Linux OS
The issue seems to be related to timing issue between controller and SPE service while updating definitions.
This issue will be fixed in SPE 9.2, but until then, please use the workaround below or apply a hotfix to avoid this issue.
Hotfix :
Live update shows success but result code shows 0x00011003 for Protection Engine 9.1
Only the Windows version is provided.
Workaround :
VirtualHome parameter in configuration.xml can be set to false.
This will instruct SPE to fallback to 8.2.2 Liveupdate logic.
Steps:
1. Run the below command for Windows/Linux
Windows:
.xmlmodifier -s /configuration/Resources/System/VirtualHome/@enabled false configuration.xml
Linux
./xmlmodifier -s /configuration/Resources/System/VirtualHome/@enabled false configuration.xml
2. Restart the SPE services.
Jira: CRE-14817