Troubleshoot LiveUpdate and definition issues with Endpoint Protection Manager

Article ID: 151615

Products

Endpoint Protection

Issue/Introduction

This document describes how to troubleshoot LiveUpdate, definition and content update issues with Symantec Endpoint Protection Manager (SEPM).

Resolution

How to check the version of the current content that the Symantec Endpoint Protection Manager is using:

    1. Open and log into the Symantec Endpoint Protection Manager
    2. Click Admin in the left-hand pane
    3. Click Servers
    4. Highlight Local Site
    5. Click Show LiveUpdate Downloads under Tasks



How to understand the Lux.log, Log.LiveUpdate & SesmLu.log

NOTE: Starting in 14.3 RU 1, LiveUpdate uses a new engine in Symantec Endpoint Protection Manager, which is optimized to run on the cloud console. The new engine no longer supports the FTP method or LAN method to specify an internal LiveUpdate server to download content to the Symantec Endpoint Protection Manager.

The following sections explain how to troubleshoot using the Lux.log, Log.LiveUpdate and SesmLu.log files.

Lux.log

Default location:

  • C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs

How to determine the server that LiveUpdate is attempting to connect to:

23:27:37.244954 [Server Selection - START]
23:27:37.384594  Result Code: 0x00010000
23:27:37.385568  Result Message: OK
23:27:37.386564  [Server - START]
23:27:37.387533   Host ID: {39767538-0657-4491-9AD6-A4C674DD9BCE}
23:27:37.388493   Status Code: 2
23:27:37.389481   Status Message: Server was selected
23:27:37.390470   Protocol: HTTPS
23:27:37.391431   Hostname: liveupdate.symantecliveupdate.com
23:27:37.391431   Port: 443
23:27:37.392410   Path: 
23:27:37.393385   Proxy ID: {00000000-0000-0000-0000-000000000000}
23:27:37.394362   Proxy Bypass: false
23:27:37.395405  [Server - END]
23:27:37.396331  Used proxy list was empty
23:27:37.397300 [Server Selection - END]

How to tell that LiveUpdate cannot connect to the server:

13:59:23.789851 [Server Selection - START]
13:59:45.030086  Result Code: 0x80010830
13:59:45.032057  Result Message: FAIL - failed to select server
13:59:45.033028  [Server - START]
13:59:45.034005   Host ID: {1A7389F6-238C-46F7-8D55-E87594EE3E65}
13:59:45.034974   Status Code: 1
13:59:45.035973   Status Message: Server was not selected
13:59:45.036948   Transport Return Code: 0x8001073B
13:59:45.038886   Transport Return Message: FAIL - the download has timed out
13:59:45.039871   Protocol: HTTP
13:59:45.040847   Hostname: 10.2.3.4
13:59:45.041821   Port: 80
13:59:45.042799   Path: 
13:59:45.043791   Proxy ID: {00000000-0000-0000-0000-000000000000}
13:59:45.044751   Proxy Bypass: false
13:59:45.045728  [Server - END]
13:59:45.046701  Used proxy list was empty
13:59:45.047680 [Server Selection - END]
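Reading these blocks by eye is fine for one attempt, but a Lux.log that has cycled through several source servers is easier to triage with a small parser. The following Python script is an added example (it is not part of this article and not Symantec code): it walks the [Server Selection - START] ... [Server Selection - END] blocks shown above and reports, per block, whether a server was selected and which host, protocol and port LiveUpdate tried, together with the transport error when selection failed. The sample input is constructed from the two blocks quoted above; treating Result Code 0x00010000 as success is taken from the successful block, not from any documented code table.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the successful and the timed-out blocks quoted above (Host ID lines omitted).
SAMPLE_LUX = """\
23:27:37.244954 [Server Selection - START]
23:27:37.384594  Result Code: 0x00010000
23:27:37.385568  Result Message: OK
23:27:37.386564  [Server - START]
23:27:37.388493   Status Code: 2
23:27:37.389481   Status Message: Server was selected
23:27:37.390470   Protocol: HTTPS
23:27:37.391431   Hostname: liveupdate.symantecliveupdate.com
23:27:37.391431   Port: 443
23:27:37.394362   Proxy Bypass: false
23:27:37.395405  [Server - END]
23:27:37.396331  Used proxy list was empty
23:27:37.397300 [Server Selection - END]
13:59:23.789851 [Server Selection - START]
13:59:45.030086  Result Code: 0x80010830
13:59:45.032057  Result Message: FAIL - failed to select server
13:59:45.033028  [Server - START]
13:59:45.034974   Status Code: 1
13:59:45.035973   Status Message: Server was not selected
13:59:45.036948   Transport Return Code: 0x8001073B
13:59:45.038886   Transport Return Message: FAIL - the download has timed out
13:59:45.039871   Protocol: HTTP
13:59:45.040847   Hostname: 10.2.3.4
13:59:45.041821   Port: 80
13:59:45.044751   Proxy Bypass: false
13:59:45.045728  [Server - END]
13:59:45.046701  Used proxy list was empty
13:59:45.047680 [Server Selection - END]
"""

# Every Lux.log line starts with a microsecond timestamp; the rest is an indented body.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<body>.*)$")

# "Key: Value" fields written inside a [Server - START] ... [Server - END] block.
SERVER_FIELDS = {
    "Hostname": "hostname", "Protocol": "protocol", "Port": "port",
    "Status Code": "status_code", "Status Message": "status_message",
    "Transport Return Code": "transport_code",
    "Transport Return Message": "transport_message", "Proxy Bypass": "proxy_bypass",
}


@dataclass
class ServerAttempt:
    hostname: str = ""
    protocol: str = ""
    port: str = ""
    status_code: str = ""
    status_message: str = ""
    transport_code: str = ""
    transport_message: str = ""
    proxy_bypass: str = ""


@dataclass
class ServerSelection:
    started: str                      # timestamp of [Server Selection - START]
    result_code: str = ""
    result_message: str = ""
    servers: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # 0x00010000 / "OK" is what the successful block above reports.
        return self.result_code == "0x00010000"


def parse_lux(text: str) -> list:
    """Return one ServerSelection per [Server Selection] block, in log order."""
    selections, current, server = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body").strip()
        if body == "[Server Selection - START]":
            current = ServerSelection(started=ts)
        elif body == "[Server Selection - END]" and current is not None:
            selections.append(current)
            current = None
        elif body == "[Server - START]":
            server = ServerAttempt()
        elif body == "[Server - END]":
            if current is not None and server is not None:
                current.servers.append(server)
            server = None
        elif current is not None and ":" in body:
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if server is not None and key in SERVER_FIELDS:
                setattr(server, SERVER_FIELDS[key], value)
            elif server is None and key == "Result Code":
                current.result_code = value
            elif server is None and key == "Result Message":
                current.result_message = value
    return selections


def summarize(sel: ServerSelection) -> str:
    """One-line triage verdict for a selection block."""
    if sel.ok and sel.servers:
        s = sel.servers[0]
        return f"OK: selected {s.protocol} {s.hostname}:{s.port} (proxy bypass={s.proxy_bypass})"
    attempts = "; ".join(
        f"{s.protocol} {s.hostname}:{s.port} -> {s.transport_message or s.status_message}"
        for s in sel.servers)
    return f"FAIL {sel.result_code} ({sel.result_message}): {attempts}"


if __name__ == "__main__":
    for sel in parse_lux(SAMPLE_LUX):
        print(sel.started, summarize(sel))
```

Run it against a real Lux.log by replacing SAMPLE_LUX with the file contents; a block whose Hostname is an internal address and whose Transport Return Message reports a timeout points at the LiveUpdate source configuration or at name resolution and reachability of that host from the SEPM, not at Symantec's public server.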

 

Log.LiveUpdate 

Default Location:

  • C:\ProgramData\Symantec\LiveUpdate\Log.LiveUpdate

 

Purpose: This is the log for Windows LiveUpdate. Windows LiveUpdate is called by the Symantec Endpoint Protection Manager and is responsible for downloading new content from a LiveUpdate server.

 

How to determine the server that LiveUpdate is attempting to connect to:

7/16/2014, 20:50:42 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"

 

How to tell that LiveUpdate cannot connect to the server:

7/16/2014, 21:46:17 GMT -> Progress Update: TRYING_HOST: HostName: "10.10.20.50" URL: "http://10.10.20.50" HostNumber: 0

7/16/2014, 21:46:17 GMT -> Progress Update: TRIFILE_DOWNLOAD_START: Number of TRI files: 0 Downloading LiveUpdate catalog file

7/16/2014, 21:46:17 GMT -> LiveUpdate will download the first Mini-TRI file, liveupdate_3.3.100.15_english_livetri.zip

7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 1, Estimated total size: 0

7/16/2014, 21:46:17 GMT -> Progress Update: PRE_CONNECT: Proxy: "(null)" Agent: "Symantec LiveUpdate" AccessType: 0x1       

7/16/2014, 21:46:17 GMT -> Progress Update: CONNECTED: Proxy: "(null)" Agent: "cmiU+b7flqQPzFVP95hzLl7R47Mp/LGUwAAAAA" AccessType: 0x1       

7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"

7/16/2014, 21:46:38 GMT -> CSendHTTPRequest::SendRequest - Unable to connect to the server.

7/16/2014, 21:46:38 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\liveupdate_3.3.100.15_english_livetri.zip" HR: 0x802A0045

7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER

7/16/2014, 21:46:38 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x802A0045, Num Successful: 0

7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER

7/16/2014, 21:46:38 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server 10.10.20.50 at path  via a HTTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.

7/16/2014, 21:46:38 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027

7/16/2014, 21:46:38 GMT -> LiveUpdate did not find any new updates for the given products.

 

File deletion command of the DIS script fails (minor error):

4/3/2014, 20:54:43 GMT -> DIS - DELETE("C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\tmp17532d71.tmp\SesmSyKnEngupdateDir.dis") <BEGIN>

4/3/2014, 20:54:43 GMT -> The file to delete was not found.

 

Copy command of the DIS script fails (major error):

7/16/2014, 3:59:52 GMT -> LiveUpdate couldn't expand replacement path SesmSyKnCalupdateDir-lumetadata.

7/16/2014, 3:59:52 GMT -> Progress Update: PATCH_ERROR: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\1175809807jtun_lum_the_cal70405005.zip.full.zip", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\sesmSyKnCal_lumetadata.dis", HR: 0x802A0006

7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR

7/16/2014, 3:59:52 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\1175809807jtun_lum_the_cal70405005.zip.full.zip", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\sesmSyKnCal_lumetadata.dis", HR: 0x802A0006

7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR

 

A successful SesmLu callback:

7/16/2014, 21:47:20 GMT -> The PostSession callback for product SESM AntiVirus Client Win64 completed with a result of 0x0
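The Log.LiveUpdate excerpts above share a pattern: a Progress Update line carries an HR code, and a later "HR ... DECODE:" line gives that code its symbolic name. The following Python script is an added example (not part of this article and not Symantec code) that pulls the connection failure, the minor DIS delete error, the major DIS patch error and the successful SesmLu callback out of those lines and ranks them. It learns the HR-to-name mapping from the log's own DECODE lines rather than from a hard-coded table, which is why findings are decoded after the whole file has been read. The sample input is constructed from the lines quoted above; the severity labels (major, minor, info) follow the headings this section uses.

```python
import re
from collections import namedtuple

# Constructed sample: the connection failure, DIS delete, DIS patch error and callback lines quoted above.
SAMPLE = r"""
7/16/2014, 21:46:17 GMT -> Progress Update: TRYING_HOST: HostName: "10.10.20.50" URL: "http://10.10.20.50" HostNumber: 0
7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
7/16/2014, 21:46:38 GMT -> CSendHTTPRequest::SendRequest - Unable to connect to the server.
7/16/2014, 21:46:38 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\liveupdate_3.3.100.15_english_livetri.zip" HR: 0x802A0045
7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER
7/16/2014, 21:46:38 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server 10.10.20.50 at path  via a HTTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.
4/3/2014, 20:54:43 GMT -> DIS - DELETE("C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\tmp17532d71.tmp\SesmSyKnEngupdateDir.dis") <BEGIN>
4/3/2014, 20:54:43 GMT -> The file to delete was not found.
7/16/2014, 3:59:52 GMT -> Progress Update: PATCH_ERROR: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\1175809807jtun_lum_the_cal70405005.zip.full.zip", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\sesmSyKnCal_lumetadata.dis", HR: 0x802A0006
7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR
7/16/2014, 21:47:20 GMT -> The PostSession callback for product SESM AntiVirus Client Win64 completed with a result of 0x0
"""

ENTRY_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4}, \d{1,2}:\d{2}:\d{2} GMT) -> (?P<msg>.*)$")
DECODE_RE = re.compile(r"^HR (?P<hr>0x[0-9A-Fa-f]{8}) DECODE: (?P<name>\S+)$")
PROGRESS_RE = re.compile(r"^Progress Update: (?P<event>[A-Z_]+)")
HR_RE = re.compile(r"\bHR: (?P<hr>0x[0-9A-Fa-f]{8})")

Finding = namedtuple("Finding", "severity ts code message")


def parse_log_liveupdate(text: str):
    """Return (findings, decodes): triage findings in log order, plus the
    HR -> symbolic-name map learned from the log's own 'HR ... DECODE:' lines."""
    findings, decodes, pending_delete = [], {}, None
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg").strip()
        d = DECODE_RE.match(msg)
        if d:                                   # the log explains its own HR codes
            decodes[d.group("hr")] = d.group("name")
            continue
        if msg.startswith("DIS - DELETE(") and msg.endswith("<BEGIN>"):
            pending_delete = msg[len("DIS - DELETE("):msg.rindex(")")]
            continue
        if msg == "The file to delete was not found." and pending_delete:
            findings.append(Finding("minor", ts, None, f"DIS DELETE target missing: {pending_delete}"))
            pending_delete = None
            continue
        p = PROGRESS_RE.match(msg)
        event = p.group("event") if p else None
        h = HR_RE.search(msg)
        code = h.group("hr") if h else None
        if event == "PATCH_ERROR":
            findings.append(Finding("major", ts, code, "DIS script failed: " + msg))
        elif event == "DOWNLOAD_FILE_FINISH" and code and code != "0x00000000":
            findings.append(Finding("major", ts, code, "download failed: " + msg))
        elif msg.startswith("EVENT - SERVER SELECTION FAILED EVENT"):
            findings.append(Finding("major", ts, None, msg))
        elif "PostSession callback" in msg and msg.endswith("result of 0x0"):
            findings.append(Finding("info", ts, None, msg))
    return findings, decodes


def describe(f: Finding, decodes: dict) -> str:
    """Render a finding, adding the decoded HR name when the log supplied one."""
    code = f"{f.code} ({decodes.get(f.code, 'undecoded')})" if f.code else "-"
    return f"[{f.severity.upper()}] {f.ts} {code} {f.message}"


if __name__ == "__main__":
    found, names = parse_log_liveupdate(SAMPLE)
    for f in found:
        print(describe(f, names))
```

The minor DIS delete error is reported separately from the major PATCH_ERROR on purpose: a missing file on delete is expected noise in this log, while E_DIS_SCRIPT_SYNTAX_ERROR on a copy means the content was downloaded but could not be applied, which is the case the re-registration steps later in this article address.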

 

SesmLu.log

 

Default Location:

  • C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\SesmLu.log

 

Format of the SesmLu.log:

Date/Time (GMT) Severity ShortName Module Message
07/16 12:13:53 INFO(Medium) sesmSyKnWl TemphostUtils: Cleaning temp directories and reg keys

Important Log Messages:

 

How to check if the SesmLu component has tried to publish content to the Symantec Endpoint Protection Manager:

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&ServerMoniker={01BAFA03-6B97-4906-B1E0-D8EFAEEFC618}&action=LogContentUpToDate

 

The result of the SesmLu component attempting to publish content to the Symantec Endpoint Protection Manager:

07/16 12:14:01 [14b8:1730] INFO(Low)  sesmIPSdef32 SesmLu <?xml version="1.0" encoding="UTF-8" standalone="no"?> 

<Response ResponseCode="0"/>

0

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 ProductUtil Response code: 0x0

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu Successfully notified sever of up-to-date content.

Symantec Endpoint Protection Manager's LiveUpdate Configuration blocks this Product Version Language (PVL) from downloading:

07/16 12:14:20 INFO(Medium) sesmAvClient32zh_hant SesmLu: sesmAvClient32zh_hant ({F1B08E6F-DFC6-42b1-8BB4-93F963864288}) blocked by configuration.

SesmLu requests that the Symantec Endpoint Protection Manager publish the current LiveUpdate inventory to disk:

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory

 

The Symantec Endpoint Protection Manager's response to SesmLu's request to publish the current LiveUpdate inventory to disk:

07/16 14:43:18 [1ac0:1b2c] INFO(Low)   SesmLu <?xml version="1.0" encoding="UTF-8" standalone="no"?>

<Response ResponseCode="0"/>

0

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   ProductUtil Response code: 0x0

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu Server successfully published LU inventory.

 

Common issues found in SesmLu.log: 

Issue 1: Missing Hub Content

ERROR sesmVirDef32 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]

ERROR sesmVirDef64 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]

 

Issue 2: SesmLu is unable to connect to Tomcat over loopback to port 9090

07/16 15:22:18 [0524:18a4] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory

07/16 15:22:19 [0524:18a4] ERROR       SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]

07/16 15:22:19 [0524:18a4] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1465]

07/16 15:22:19 [0524:18a4] WARNING     SesmLu Request for server to publish the LuConfig.xml, LuDownloadedContentArray.xml and LuSesmContentCatalog.xml returned error. One or more of these files may be out of date, potentially resulting in partial or incorrect LiveUpdate downloads.
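The SesmLu.log messages listed above (publish requests and their responses, a PVL blocked by configuration, and the two common issues) can be matched mechanically. The following Python script is an added example (not part of this article and not Symantec code) that scans a SesmLu.log and counts those signatures. It classifies lines by their message text rather than by column position, because the ShortName column is blank on some lines (the ERROR lines above, for instance) and the XML response bodies continue on lines of their own, so the "Date/Time Severity ShortName Module Message" layout is not fixed-width. The sample input is constructed from the lines quoted in this section; the issue names in the verdict are the ones this article uses.

```python
import re

# Constructed sample: the SesmLu.log lines quoted above (XML response bodies omitted).
SAMPLE = r"""
07/16 12:13:53 INFO(Medium) sesmSyKnWl TemphostUtils: Cleaning temp directories and reg keys
07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&ServerMoniker={01BAFA03-6B97-4906-B1E0-D8EFAEEFC618}&action=LogContentUpToDate
07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 ProductUtil Response code: 0x0
07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu Successfully notified sever of up-to-date content.
07/16 12:14:20 INFO(Medium) sesmAvClient32zh_hant SesmLu: sesmAvClient32zh_hant ({F1B08E6F-DFC6-42b1-8BB4-93F963864288}) blocked by configuration.
07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory
07/16 14:43:18 [1ac0:1b2c] INFO(Med)   ProductUtil Response code: 0x0
07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu Server successfully published LU inventory.
ERROR sesmVirDef32 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]
ERROR sesmVirDef64 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]
07/16 15:22:18 [0524:18a4] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory
07/16 15:22:19 [0524:18a4] ERROR       SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]
07/16 15:22:19 [0524:18a4] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1465]
07/16 15:22:19 [0524:18a4] WARNING     SesmLu Request for server to publish the LuConfig.xml, LuDownloadedContentArray.xml and LuSesmContentCatalog.xml returned error. One or more of these files may be out of date, potentially resulting in partial or incorrect LiveUpdate downloads.
"""

# Date, [pid:tid] and the (Level) suffix are all optional in practice, so each is a separate optional group.
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?:\[(?P<tid>[0-9a-fA-F]+:[0-9a-fA-F]+)\]\s+)?"
    r"(?P<sev>INFO|WARNING|ERROR)(?:\((?P<level>[A-Za-z]+)\))?\s+"
    r"(?P<rest>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RESPONSE_RE = re.compile(r"Response code: (0x[0-9A-Fa-f]+)")


def triage_sesmlu(text: str) -> dict:
    """Count the SesmLu.log signatures this article describes."""
    r = {"blocked_pvls": [], "missing_hub_content": 0, "loopback_failures": 0,
         "publish_requests": 0, "publish_successes": 0, "response_codes": [],
         "errors": 0, "warnings": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # XML continuation lines and blanks
        sev, rest = m.group("sev"), m.group("rest")
        if sev == "ERROR":
            r["errors"] += 1
        elif sev == "WARNING":
            r["warnings"] += 1
        if "blocked by configuration" in rest:
            g = GUID_RE.search(rest)      # first token is the PVL short name
            r["blocked_pvls"].append((rest.split()[0], g.group(0) if g else None))
        elif "DU_E_APPLY_PATCH" in rest:
            r["missing_hub_content"] += 1
        elif "InternetOpenUrl failed" in rest or "failed to publish the LU inventory" in rest:
            r["loopback_failures"] += 1
        elif "action=PublishLuInventory" in rest or "action=LogContentUpToDate" in rest:
            r["publish_requests"] += 1
        elif "Successfully notified" in rest or "successfully published" in rest:
            r["publish_successes"] += 1
        else:
            c = RESPONSE_RE.search(rest)
            if c:
                r["response_codes"].append(c.group(1))
    return r


def verdict(r: dict) -> list:
    """Map the counts onto the issues named in this section."""
    notes = []
    if r["missing_hub_content"]:
        notes.append("Issue 1: missing hub content (DU_E_APPLY_PATCH)")
    if r["loopback_failures"]:
        notes.append("Issue 2: SesmLu cannot reach Tomcat on 127.0.0.1:9090")
    if r["blocked_pvls"]:
        notes.append("PVLs blocked by LiveUpdate configuration: "
                     + ", ".join(name for name, _ in r["blocked_pvls"]))
    if r["publish_requests"] > r["publish_successes"] and not r["loopback_failures"]:
        notes.append("some publish requests have no matching success line")
    return notes or ["no known SesmLu issue signatures found"]


if __name__ == "__main__":
    result = triage_sesmlu(SAMPLE)
    print(result)
    for note in verdict(result):
        print("-", note)
```

A non-zero loopback_failures count with no matching "successfully published" line means SesmLu never got through to the ConsoleServlet; check that the Tomcat service is running and listening on port 9090 on the SEPM itself before looking at the LiveUpdate source configuration.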

 

Reconfiguring the Source for LiveUpdate Content

  1. Log into the Symantec Endpoint Protection Manager console
  2. Click the Admin button on the left margin
  3. Click the Servers button and then click the Local Site
  4. In the task section, click Edit Site Properties
  5. Click the LiveUpdate tab
  6. Select the Edit Source Servers button

 

Note: For most customers, it is appropriate to use the default, publicly accessible Symantec LiveUpdate server. This requires that the SEPM have internet access. If the SEPM does not have internet access, then it is also possible to configure the SEPM to connect to a LiveUpdate Administrator server to download content updates. If you have set up an internal LiveUpdate server, verify it is configured properly and that this machine can resolve the specified address.

 

Re-registering/Resetting Symantec Endpoint Protection Manager content with LiveUpdate

The following steps should only be performed if troubleshooting steps indicate that the problem is due to Symantec Endpoint Protection Manager content not being properly registered with LiveUpdate. This may solve issues seen when Symantec Endpoint Protection Manager is not downloading a specific type of content (notably, AV and IPS content).

  1. Click Start > Run
  2. Enter the following command including the quotes: "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -cleanup
    1. This command unregisters all Symantec Endpoint Protection Manager content from LiveUpdate; steps 3 and 4 below re-register the content with LiveUpdate.
    2. Note: If the SEPM is installed to a custom location, adjust the path in the command to the location of the LuCatalog.exe executable.
  3. Click Start > Run
  4. Enter the following command including the quotes: "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -update

 

JDB Frequently Asked Questions:

Question: Where can you get VirusDefs files (VDB/JDB) that you can drop on a Symantec Endpoint Protection Manager's incoming directory?

Answer: Virus Definitions & Security Updates 

 

Question: Where can you drop a JDB onto Symantec Endpoint Protection Manager?

Answer: Default Location:

  • C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

 

Question: How quickly will the SEPM begin processing the JDB file?

Answer: Symantec Endpoint Protection Manager polls this directory several times per minute.

 

Question: How do I know the Symantec Endpoint Protection Manager has processed the JDB file?

Answer: The JDB will disappear from the incoming folder.
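Because the only "processed" signal is the file disappearing from the incoming folder, a scripted drop needs to copy the file in and then poll for its removal. The following Python script is an added example (not part of this article and not Symantec code). It assumes the default installation path quoted above; the step of copying under a temporary name and then renaming, so that the several-times-per-minute poller never sees a half-written file, and the assumption that SEPM acts only on files with the .jdb extension, are mine and are not stated by the article.

```python
import shutil
import time
from pathlib import Path

# Default incoming directory from the answer above; assumes SEPM is installed to the default path.
DEFAULT_INCOMING = Path(r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager"
                        r"\data\inbox\content\incoming")


def wait_until_consumed(path, timeout: float = 600.0, poll: float = 5.0) -> bool:
    """Block until SEPM has removed `path` from the incoming folder (the article's
    'processed' signal). Returns True if it disappeared within `timeout` seconds."""
    path = Path(path)
    deadline = time.monotonic() + timeout
    while path.exists():
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)
    return True


def drop_jdb(jdb_file, incoming=DEFAULT_INCOMING, timeout: float = 600.0, poll: float = 5.0):
    """Copy a .jdb into the incoming directory and wait for SEPM to pick it up.

    The file is written under a temporary name and then renamed into place, so the
    poller never sees a partially copied .jdb (assumption: SEPM only acts on files
    whose name ends in .jdb). Returns (final_path, consumed)."""
    src, incoming = Path(jdb_file), Path(incoming)
    if src.suffix.lower() != ".jdb":
        raise ValueError(f"not a .jdb file: {src}")
    if not incoming.is_dir():
        raise FileNotFoundError(f"incoming directory not found: {incoming}")
    staged = incoming / (src.name + ".partial")
    final = incoming / src.name
    shutil.copy2(src, staged)
    staged.replace(final)            # rename on the same volume, so the .jdb appears whole
    return final, wait_until_consumed(final, timeout, poll)


if __name__ == "__main__":
    import sys
    target, ok = drop_jdb(sys.argv[1])
    print(f"{target}: {'processed' if ok else 'still present after timeout'}")
```

If the wait times out, check SesmLu.log for the error signatures described earlier rather than dropping the file again; a second copy of the same definitions does not help if the first one is not being picked up.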

 



References:

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file