Protection Engine servers fail to apply new signatures even though lux.log shows success with result code 0x00011003 UNKNOWN

Article ID: 269629

Products

Protection Engine for NAS
Protection Engine for Cloud Services

Issue/Introduction

Symantec Protection Engine (SPE) servers fail to apply new signatures. lux.log reports the session as successful, but the package result code is 0x00011003 with the result message UNKNOWN.
The issue resolves itself with the new definition set (on the following day), but not with release updates delivered through the day.
Restarting the SPE service also resolves the issue. The issue is not seen in version 8.2.2.

lux.log will show as below:

07:01:18.394023     [Component Result - START]
07:01:18.394023         Component ID: {CD657291-9FEB-46FD-8F22-4A67F2F0D3BE}
07:01:18.394023         Display Name: Stargate Definition
07:01:18.394023         PVL: Stargate-SPEforNAS 1.0 Definitions for x64-windows_MicroDefsB.CurDefs_SymAllLanguages
07:01:18.394023         Result Code: 0x00010000
07:01:18.394023         Result Message: OK
07:01:18.394023         [Package Result - START]
07:01:18.394023             File: 1680056386jtun_sgwino230327019.7z
07:01:18.394023             Result Code: 0x00011003
07:01:18.394023             Result Message: UNKNOWN
07:01:18.394023         [Package Result - END]
07:01:18.394023     [Component Result - END]
07:01:18.394023 [Session Results - END]
07:01:18.394023 [Session Summary - START]
07:01:18.394023     Components: 1
07:01:18.394023     Packages:   1
07:01:18.394023     Success:    1
07:01:18.394023     Fail:       0
07:01:18.394023 [Session Summary - END] 

From version 9.0.0 onwards, the LiveUpdate error is logged as below:

Sun Jul 02 13:42:47 Greenwich Standard Time 2023, There was an error running content update, scanning will continue using the original definitions, Event Severity Level = Error, Definitions = Virus definitions, Error Message = Failed to get valid virtual definitions, Update Method = LiveUpdate, Symantec Protection Engine IP address = <spe_ip>, Uptime (in seconds) = 168028, Date/time of event(with millisec) = 1688305367073, Symantec Protection Engine Host Name = <spe_hostname>, Process ID = 4340 
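
A check for the mismatch shown in the lux.log excerpt above, as an added example (not the article's or the vendor's own code): it parses lux.log and flags a session whose summary reports Fail: 0 while a package result carries 0x00011003. The function names and the trimmed sample are constructed for illustration, and the parser assumes the log layout shown in the excerpt.

```python
import re

SILENT_FAIL_CODE = 0x00011003  # package result code quoted in the article
# Constructed sample, trimmed from the lux.log excerpt in the article.
SAMPLE = """\
07:01:18.394023     [Component Result - START]
07:01:18.394023         Display Name: Stargate Definition
07:01:18.394023         Result Code: 0x00010000
07:01:18.394023         [Package Result - START]
07:01:18.394023             File: 1680056386jtun_sgwino230327019.7z
07:01:18.394023             Result Code: 0x00011003
07:01:18.394023             Result Message: UNKNOWN
07:01:18.394023         [Package Result - END]
07:01:18.394023     [Component Result - END]
07:01:18.394023 [Session Summary - START]
07:01:18.394023     Success:    1
07:01:18.394023     Fail:       0
"""


def audit_lux_log(text):
    """Return (packages carrying 0x00011003, session Success/Fail counters)."""
    findings, summary, component, package = [], {}, None, None
    for raw in text.splitlines():
        # Drop the leading HH:MM:SS.micros timestamp and indentation.
        line = re.sub(r"^\s*\d\d:\d\d:\d\d\.\d+\s+", "", raw).strip()
        key, sep, value = (part.strip() for part in line.partition(":"))
        if line == "[Component Result - START]":
            component = {}
        elif line == "[Component Result - END]":
            component = None
        elif line == "[Package Result - START]":
            package = {"Component": (component or {}).get("Display Name")}
        elif line == "[Package Result - END]":
            if package and package.get("Result Code") == SILENT_FAIL_CODE:
                findings.append(package)
            package = None
        elif sep:
            # Attribute key/value lines to the innermost open block.
            target = package if package is not None else component
            if target is not None:
                target[key] = int(value, 16) if key == "Result Code" else value
            elif key in ("Success", "Fail"):
                summary[key] = int(value)
    return findings, summary


def silently_failed(text):
    """True when the summary reports Fail: 0 yet a package returned 0x00011003."""
    findings, summary = audit_lux_log(text)
    return bool(findings) and summary.get("Fail") == 0
```

Running `silently_failed` over lux.log after each scheduled LiveUpdate gives monitoring a signal that the session summary alone does not provide.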

Environment

SPE version 9.0 and later installed on Windows/Linux OS

Cause

The issue seems to be related to a timing issue between the controller and the SPE service while updating definitions.

Resolution

This issue will be fixed in SPE 9.2, but until then, please use the workaround below or apply a hotfix to avoid this issue.

Hotfix:

Live update shows success but result code shows 0x00011003 for Protection Engine 9.1

Only the Windows version is provided.

 

Workaround:

The VirtualHome parameter in configuration.xml can be set to false.
This instructs SPE to fall back to the 8.2.2 LiveUpdate logic.

Steps:
1. Run the command below for your platform (Windows or Linux).

Windows:

.\xmlmodifier -s /configuration/Resources/System/VirtualHome/@enabled false configuration.xml

Linux:

./xmlmodifier -s /configuration/Resources/System/VirtualHome/@enabled false configuration.xml

2. Restart the SPE services.

 

 

Additional Information

Jira: CRE-14817