This document describes how to troubleshoot LiveUpdate, definition and content update issues with Symantec Endpoint Protection Manager (SEPM).
Several important steps are illustrated in the short videos Troubleshooting Out-of-date Definitions on Clients (Part 1) and Troubleshooting Out-of-date Definitions on Clients (Part 2) on SymantecTV.
How to check the version of the current content that the Symantec Endpoint Protection Manager is using:
How to understand the Log.LiveUpdate & SesmLu.log
This section explains how to troubleshoot using the Log.LiveUpdate and SesmLu.log files.
Purpose: This is the log for Windows LiveUpdate. Windows LiveUpdate is called by the Symantec Endpoint Protection Manager and is responsible for downloading new content from a LiveUpdate server.
How to determine the server that LiveUpdate is attempting to connect to:
How to tell that LiveUpdate cannot connect to the server:
File deletion command of the DIS script fails (minor error):
Copy command of the DIS script fails (major error):
A successful SesmLu callback:
Format of the SesmLu.log:
07/16 12:13:53 | INFO(Medium) | sesmSyKnWl | TemphostUtils: | Cleaning temp directories and reg keys
How to check if the SesmLu component has tried to publish content to the Symantec Endpoint Protection Manager:
The result of the SesmLu component attempting to publish content to the Symantec Endpoint Protection Manager:
The Symantec Endpoint Protection Manager's response to SesmLu's request to publish the current LiveUpdate inventory to disk:
Issue 1: Missing Hub Content
Issue 2: SesmLu is unable to connect to Tomcat over loopback to port 9090
Reconfiguring the Source for LiveUpdate Content
Note: For most customers, it is appropriate to use the default, publicly accessible Symantec LiveUpdate server. This requires that the SEPM have internet access. If the SEPM does not have internet access, then it is also possible to configure the SEPM to connect to a LiveUpdate Administrator server to download content updates. If you have set up an internal LiveUpdate server, verify it is configured properly and that this machine can resolve the specified address.
Re-registering/Resetting Symantec Endpoint Protection Manager content with LiveUpdate
The following steps should only be performed if troubleshooting steps indicate that the problem is due to Symantec Endpoint Protection Manager content not being properly registered with LiveUpdate. This may solve issues seen when Symantec Endpoint Protection Manager is not downloading a specific type of content (notably, AV and IPS content).
Question: Where can you get VirusDefs files (VDB/JDB) that you can drop on a Symantec Endpoint Protection Manager's incoming directory?
Answer: Virus Definitions & Security Updates (http://www.symantec.com/security_response/definitions.jsp)
Question: Where can you drop a JDB onto Symantec Endpoint Protection Manager?
Answer: Default Location:
Question: How quickly will the SEPM begin processing the JDB file?
Answer: Symantec Endpoint Protection Manager polls this directory several times per minute.
Question: How do I know the Symantec Endpoint Protection Manager has processed the JDB file?
Answer: The JDB will disappear from the incoming folder.