Troubleshoot LiveUpdate and definition issues with Endpoint Protection Manager

Article ID: 151615

Products

Endpoint Protection

Issue/Introduction

This document describes how to troubleshoot LiveUpdate, definition and content update issues with Symantec Endpoint Protection Manager (SEPM).

Resolution

Several important steps are illustrated in the short videos Troubleshooting Out-of-date Definitions on Clients (Part 1) and Troubleshooting Out-of-date Definitions on Clients (Part 2) on SymantecTV.

 

How to check the version of the current content that the Symantec Endpoint Protection Manager is using:

    1. Open and log into the Symantec Endpoint Protection Manager
    2. Click Admin in the left-hand pane
    3. Click Servers
    4. Highlight Local Site
    5. Click Show LiveUpdate Downloads under Tasks



How to understand the Log.LiveUpdate & SesmLu.log

The following sections explain how to troubleshoot using the Log.LiveUpdate and SesmLu.log files: where each file lives, what it records, and which log lines indicate a healthy run versus a failure.

Log.LiveUpdate 

Default Location:

  • C:\ProgramData\Symantec\LiveUpdate\Log.LiveUpdate

 

Purpose: This is the log for Windows LiveUpdate. Windows LiveUpdate is called by the Symantec Endpoint Protection Manager and is responsible for downloading new content from a LiveUpdate server.

 

How to determine the server that LiveUpdate is attempting to connect to:

7/16/2014, 20:50:42 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://liveupdate.symantecliveupdate.com/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"

 

How to tell that LiveUpdate cannot connect to the server:

7/16/2014, 21:46:17 GMT -> Progress Update: TRYING_HOST: HostName: "10.10.20.50" URL: "http://10.10.20.50" HostNumber: 0

7/16/2014, 21:46:17 GMT -> Progress Update: TRIFILE_DOWNLOAD_START: Number of TRI files: 0 Downloading LiveUpdate catalog file

7/16/2014, 21:46:17 GMT -> LiveUpdate will download the first Mini-TRI file, liveupdate_3.3.100.15_english_livetri.zip

7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_BATCH_START: Files to download: 1, Estimated total size: 0

7/16/2014, 21:46:17 GMT -> Progress Update: PRE_CONNECT: Proxy: "(null)" Agent: "Symantec LiveUpdate" AccessType: 0x1       

7/16/2014, 21:46:17 GMT -> Progress Update: CONNECTED: Proxy: "(null)" Agent: "cmiU+b7flqQPzFVP95hzLl7R47Mp/LGUwAAAAA" AccessType: 0x1       

7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"

7/16/2014, 21:46:38 GMT -> CSendHTTPRequest::SendRequest - Unable to connect to the server.

7/16/2014, 21:46:38 GMT -> Progress Update: DOWNLOAD_FILE_FINISH: - NOTE - URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Full Download Path: "C:\ProgramData\Symantec\LiveUpdate\Downloads\liveupdate_3.3.100.15_english_livetri.zip" HR: 0x802A0045

7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER

7/16/2014, 21:46:38 GMT -> Progress Update: DOWNLOAD_BATCH_FINISH: HR: 0x802A0045, Num Successful: 0

7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER

7/16/2014, 21:46:38 GMT -> EVENT - SERVER SELECTION FAILED EVENT - LiveUpdate failed to connect to server 10.10.20.50 at path  via a HTTP connection. The server connection attempt failed with a return code of 1814, LiveUpdate could not retrieve the catalog file of available Symantec product and component updates.

7/16/2014, 21:46:38 GMT -> Progress Update: HOST_SELECTION_ERROR: Error: 0x802A0027

7/16/2014, 21:46:38 GMT -> LiveUpdate did not find any new updates for the given products.

 

File deletion command of the DIS script fails (minor error):

4/3/2014, 20:54:43 GMT -> DIS - DELETE("C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\tmp17532d71.tmp\SesmSyKnEngupdateDir.dis") <BEGIN>

4/3/2014, 20:54:43 GMT -> The file to delete was not found.

 

Copy command of the DIS script fails (major error):

7/16/2014, 3:59:52 GMT -> LiveUpdate couldn't expand replacement path SesmSyKnCalupdateDir-lumetadata.

7/16/2014, 3:59:52 GMT -> Progress Update: PATCH_ERROR: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\1175809807jtun_lum_the_cal70405005.zip.full.zip", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\sesmSyKnCal_lumetadata.dis", HR: 0x802A0006

7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR

7/16/2014, 3:59:52 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\1175809807jtun_lum_the_cal70405005.zip.full.zip", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt322\sesmSyKnCal_lumetadata.dis", HR: 0x802A0006

7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR

 

A successful SesmLu callback:

7/16/2014, 21:47:20 GMT -> The PostSession callback for product SESM AntiVirus Client Win64 completed with a result of 0x0
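The markers above (host tried, file requested, HR code with its DECODE name, PostSession callback result) are what you look for when reading Log.LiveUpdate by hand. As an added example, not part of this article or of any Symantec tool, the following Python script pulls those markers out of a Log.LiveUpdate file and maps the decoded errors to the troubleshooting path the article describes; the SAMPLE_LOG lines are constructed from the excerpts quoted above, and the HINTS mapping is an assumption based on this article's guidance.

```python
import re
from collections import Counter

# Constructed sample Log.LiveUpdate excerpt, modelled on the lines quoted in this article
SAMPLE_LOG = r'''7/16/2014, 21:46:17 GMT -> Progress Update: TRYING_HOST: HostName: "10.10.20.50" URL: "http://10.10.20.50" HostNumber: 0
7/16/2014, 21:46:17 GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://10.10.20.50/liveupdate_3.3.100.15_english_livetri.zip", Estimated Size: 0, Destination Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads"
7/16/2014, 21:46:38 GMT -> CSendHTTPRequest::SendRequest - Unable to connect to the server.
7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER
7/16/2014, 21:46:38 GMT -> HR 0x802A0045 DECODE: E_UNABLE_TO_REACH_SERVER
7/16/2014, 3:59:52 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR
7/16/2014, 21:47:20 GMT -> The PostSession callback for product SESM AntiVirus Client Win64 completed with a result of 0x0
'''

HOST_RE = re.compile(r'TRYING_HOST: HostName: "([^"]+)" URL: "([^"]+)"')
DOWNLOAD_RE = re.compile(r'DOWNLOAD_FILE_START: URL: "([^"]+)"')
HR_RE = re.compile(r'HR (0x[0-9A-Fa-f]+) DECODE: (\w+)')   # "HR 0x... DECODE: NAME" lines only
CALLBACK_RE = re.compile(r'PostSession callback for product (.+?) completed with a result of (0x[0-9A-Fa-f]+)')

# Assumed mapping: decoded HR names from the article -> the troubleshooting path the article describes
HINTS = {
    "E_UNABLE_TO_REACH_SERVER": "connectivity: verify the LiveUpdate source, proxy and name resolution from the SEPM",
    "E_DIS_SCRIPT_SYNTAX_ERROR": "content registration: DIS script failed; consider LuCatalog.exe -cleanup then -update",
}

def triage(log_text):
    """Summarise one Log.LiveUpdate file: hosts tried, files requested, HR errors, callback results."""
    hosts, downloads, callbacks = [], [], {}
    errors = Counter()
    for line in log_text.splitlines():
        if m := HOST_RE.search(line):
            hosts.append((m.group(1), m.group(2)))
        elif m := DOWNLOAD_RE.search(line):
            downloads.append(m.group(1))
        elif m := HR_RE.search(line):
            errors[(m.group(1), m.group(2))] += 1   # the same HR is usually logged twice per batch
        elif m := CALLBACK_RE.search(line):
            callbacks[m.group(1)] = m.group(2)      # 0x0 means that product's PostSession callback succeeded
    findings = [HINTS.get(name, f"unmapped error {code} {name}") for code, name in errors]
    return {"hosts": hosts, "downloads": downloads, "errors": errors,
            "callbacks": callbacks, "findings": findings}

if __name__ == "__main__":
    # For a real run, read the file at the default location given above instead of SAMPLE_LOG
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the same HR value appears on both the DOWNLOAD_FILE_FINISH and DOWNLOAD_BATCH_FINISH decode lines, the counter tells you how many batches failed rather than how many distinct causes there were.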

 

SesmLu.log

 

Default Location:

  • 32-bit OS: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\SesmLu.log
  • 64-bit OS: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\SesmLu.log

 

Format of the SesmLu.log:

Date/Time (GMT) Severity ShortName Module Message
07/16 12:13:53 INFO(Medium) sesmSyKnWl TemphostUtils: Cleaning temp directories and reg keys

Important Log Messages:

 

How to check if the SesmLu component has tried to publish content to the Symantec Endpoint Protection Manager:

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&ServerMoniker={01BAFA03-6B97-4906-B1E0-D8EFAEEFC618}&action=LogContentUpToDate

 

The result of the SesmLu component attempting to publish content to the Symantec Endpoint Protection Manager:

07/16 12:14:01 [14b8:1730] INFO(Low)  sesmIPSdef32 SesmLu <?xml version="1.0" encoding="UTF-8" standalone="no"?> 

<Response ResponseCode="0"/>

0

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 ProductUtil Response code: 0x0

07/16 12:14:01 [14b8:1730] INFO(Med)  sesmIPSdef32 SesmLu Successfully notified sever of up-to-date content.

Symantec Endpoint Protection Manager's LiveUpdate Configuration blocks this Product Version Language (PVL) from downloading:

07/16 12:14:20 INFO(Medium) sesmAvClient32zh_hant SesmLu: sesmAvClient32zh_hant ({F1B08E6F-DFC6-42b1-8BB4-93F963864288}) blocked by configuration.

SesmLu requests that the Symantec Endpoint Protection Manager publish the current LiveUpdate inventory to disk:

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory

 

The Symantec Endpoint Protection Manager's response to SesmLu's request to publish the current LiveUpdate inventory to disk:

07/16 14:43:18 [1ac0:1b2c] INFO(Low)   SesmLu <?xml version="1.0" encoding="UTF-8" standalone="no"?>

<Response ResponseCode="0"/>

0

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   ProductUtil Response code: 0x0

07/16 14:43:18 [1ac0:1b2c] INFO(Med)   SesmLu Server successfully published LU inventory.

 

Common issues found in SesmLu.log: 

Issue 1: Missing Hub Content

ERROR sesmVirDef32 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]

ERROR sesmVirDef64 MicroDefs25DefUtilsContentHandler: DU_E_APPLY_PATCH at .\MicroDefs25DefUtilsContentHandler.cpp[284]

 

Issue 2: SesmLu is unable to connect to Tomcat over loopback to port 9090

07/16 15:22:18 [0524:18a4] INFO(Med)   SesmLu http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=PublishLuInventory

07/16 15:22:19 [0524:18a4] ERROR       SesmLu InternetOpenUrl failedat SesmLu.cpp[1713]

07/16 15:22:19 [0524:18a4] ERROR       SesmLu Server failed to publish the LU inventory.at SesmLu.cpp[1465]

07/16 15:22:19 [0524:18a4] WARNING     SesmLu Request for server to publish the LuConfig.xml, LuDownloadedContentArray.xml and LuSesmContentCatalog.xml returned error. One or more of these files may be out of date, potentially resulting in partial or incorrect LiveUpdate downloads.

 

Reconfiguring the Source for LiveUpdate Content

  1. Log into the Symantec Endpoint Protection Manager console
  2. Click the Admin button on the left margin
  3. Click the Servers button and then click the Local Site
  4. In the task section, click Edit Site Properties
  5. Click the LiveUpdate tab
  6. Select the Edit Source Servers button

 

Note: For most customers, it is appropriate to use the default, publicly accessible Symantec LiveUpdate server. This requires that the SEPM have internet access. If the SEPM does not have internet access, then it is also possible to configure the SEPM to connect to a LiveUpdate Administrator server to download content updates. If you have set up an internal LiveUpdate server, verify it is configured properly and that this machine can resolve the specified address.


Re-registering/Resetting Symantec Endpoint Protection Manager content with LiveUpdate

The following steps should only be performed if troubleshooting steps indicate that the problem is due to Symantec Endpoint Protection Manager content not being properly registered with LiveUpdate. This may solve issues seen when Symantec Endpoint Protection Manager is not downloading a specific type of content (notably, AV and IPS content).

  1. Click Start > Run
  2. Enter the following command including the quotes: "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -cleanup
    1. This command will unregister all Symantec Endpoint Protection Manager content from LiveUpdate. We will then proceed to re-register the content again with LiveUpdate
    2. Note: If the SEPM is installed to a custom location, adjust the path in the command to the location of the LuCatalog.exe executable.
  3. Click Start > Run
  4. Enter the following command including the quotes: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\LuCatalog.exe" -update

 

JDB Frequently Asked Questions:

Question: Where can you get VirusDefs files (VDB/JDB) that you can drop on a Symantec Endpoint Protection Manager's incoming directory?

Answer: Virus Definitions & Security Updates (http://www.symantec.com/security_response/definitions.jsp)

 

Question: Where can you drop a JDB onto Symantec Endpoint Protection Manager?

Answer: Default Location:

  • 32-bit OS: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming
  • 64-bit OS: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

 

Question: How quickly will the SEPM begin processing the JDB file?

Answer: Symantec Endpoint Protection Manager polls this directory several times per minute.

 

Question: How do I know the Symantec Endpoint Protection Manager has processed the JDB file?

Answer: The JDB will disappear from the incoming folder.




References:

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file