Symantec Endpoint Client not updating definitions


Matthew Strickland

Feb 1, 2016, 3:14:55 PM
to Techies for schools
Hi all,

Has anyone else had issues with some SEP clients not updating their definitions even though they are connected to the SEPM and the server is fully updated and has updates available?
I regularly get the notification email "67 computers found with virus definitions older than 14 days." But this number doesn't decrease even when the clients are online and connected.

Looking at a particular client log: (I have a 4am GPO reboot scheduled)

1214 2/02/2016 4:02:50 AM Information 12070201 Windows Version info:  Operating System: Windows 10 (10.0.10240 )  Network  info:  No.0  "Ethernet"  f8-0f-41-3f-a8-8b  "Realtek PCIe GBE Family Controller" 169.254.58.229   
1215 2/02/2016 4:02:50 AM Information 12070202 Symantec Management Client has been started.
1216 2/02/2016 4:03:05 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (sep.karamu.local)
1217 2/02/2016 4:03:46 AM Information 1207030A Symantec Endpoint Protection already has the newest policy.
1218 2/02/2016 4:03:49 AM Information 12072007 SymELAM Protection has been disabled
1219 2/02/2016 4:03:49 AM Information 12071050 Proactive Threat Protection has been disabled
1220 2/02/2016 6:49:07 AM Information 12070800 Symantec Endpoint Protection Manager is available to provide updates, so the scheduled LiveUpdate was skipped.
1221 2/02/2016 6:52:30 AM Information 120B0011 The client opted to download a full definitions package for AV definitions from the management server or GUP rather than download a large package from LiveUpdate.

I tried creating an additional policy that forces a content update every 4 hours, regardless of whether the machine is idle or not, yet the clients don't update.
The only interesting thing above is that Symantec starts logging before a DHCP address is obtained, probably nothing to worry about.

The client application always updates - so when I create a new package and deploy it, the client is upgraded to the latest version (12.1 RU6 MP3) 12.1.6608.6300

If I manually update the client (Live Update) it updates. I am not sure if it then continues to self update via SEPM.

Any clues or submit a case?

Regards,

Matt
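
Added example, not part of the original post and not Symantec tooling: a small parser for client log lines in the layout shown above, reporting which manager the client connected to, whether it started on a 169.254.x.x address, and whether it skipped LiveUpdate in favour of the management server. The event IDs and what they signify are taken only from the log text in the post; the field layout and all function names are assumptions.

```python
import ipaddress
import re

# Lines taken from the client log in the post above (first one shortened).
SAMPLE_LOG = '''\
1214 2/02/2016 4:02:50 AM Information 12070201 Windows Version info:  Operating System: Windows 10 (10.0.10240 )  Network  info:  No.0  "Ethernet"  169.254.58.229
1216 2/02/2016 4:03:05 AM Information 12070301 Connected to Symantec Endpoint Protection Manager (sep.karamu.local)
1220 2/02/2016 6:49:07 AM Information 12070800 Symantec Endpoint Protection Manager is available to provide updates, so the scheduled LiveUpdate was skipped.
1221 2/02/2016 6:52:30 AM Information 120B0011 The client opted to download a full definitions package for AV definitions from the management server or GUP rather than download a large package from LiveUpdate.
'''

# Assumed fields: sequence number, date, time, AM/PM, severity, 8-hex-digit event ID, message.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<level>\w+)\s+(?P<event>[0-9A-Fa-f]{8})\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_log(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def has_link_local(msg):
    """True if the message contains a 169.254.0.0/16 (no DHCP lease) address."""
    for cand in IPV4_RE.findall(msg):
        try:
            if ipaddress.ip_address(cand).is_link_local:
                return True
        except ValueError:  # not a real address, e.g. 999.1.1.1
            pass
    return False

def triage(events):
    """Summarise where this client is trying to get definitions from."""
    by_id = {}
    for ev in events:
        by_id.setdefault(ev["event"].upper(), []).append(ev["msg"])
    connected = by_id.get("12070301", [])
    mgr = re.search(r"\(([^)]+)\)", connected[-1]) if connected else None
    return {
        "manager": mgr.group(1) if mgr else None,
        "started_on_link_local": any(map(has_link_local, by_id.get("12070201", []))),
        "liveupdate_skipped": len(by_id.get("12070800", [])),
        "full_package_from_server_or_gup": len(by_id.get("120B0011", [])),
    }

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

Run over logs collected from the clients in the "definitions older than 14 days" report, this separates machines that never reach the manager from those that connect and request a full package from it.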

Matthew Strickland

Feb 1, 2016, 10:29:39 PM
to Techies for schools
I changed the policy to force the clients to retrieve updates from Symantec Live Update (online).

They have all updated. Maybe the SEPM server doesn't have updates going back far enough (incremental?) or some other issue that isn't obvious.

Matt

Julian Davison

Feb 1, 2016, 10:58:40 PM
to techies-f...@googlegroups.com

Have you, then, switched back to the local one to see if it now works okay? Or just leaving it going direct to Symantec?

J,

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matthew Strickland

Feb 2, 2016, 4:46:28 PM
to Techies for schools
For now student machines via local, staff left online. Will monitor over next week or two and see what happens.

Will post back here. Failing support I may have to build a new SEPM and attach clients. (Think I did the SylinkDrop method last time)

Matt

Matthew Strickland

Feb 15, 2016, 8:51:54 PM
to Techies for schools
Seems the clients are happy now receiving updates from the server, with the exception of the odd client that was offline during policy change.
So I don't know what's going on there.

Next problem is the backup size in Veeam is always >14GB for an incremental. Not totally obvious as to why.
Another post for another day!

Matt

Simon - OBHS

Feb 15, 2016, 10:21:05 PM
to Techies for schools
On the Veeam thing... I take it you have checked your backup mode settings?

Just checked mine, I have one job for a number of service servers, so looking at the actual files tells me nothing, but the logs for my systems server that Symantec runs on shows that it reads 14.3GB for last night's backup, 13.9GB the day before, 14.5GB before that (which is a full backup), 14GB, and so on.

That is a curious amount of data change for a server which doesn't really do anything.

Matthew Strickland

Feb 16, 2016, 4:31:31 PM
to Techies for schools
My backup should be using changed block tracking (CBT) since it's VM version 10 and no snapshots in VMware. (CBT enabled in job)
I have one job, incremental during week, full on Saturday, for all VMs on every host.

Only the SEP server has large incrementals. The Veeam logs are quite extensive.

I suspect the C:\ProgramData\Symantec\Definitions and C:\ProgramData\Symantec\LiveUpdate folders may play a part.

Maybe a little 'dr google' else log a ticket and let someone else diagnose :)

Matt