When LiveUpdate is run on a version 11 or 12.1 Symantec Endpoint Protection Manager (SEPM), either through "Download LiveUpdate content" or through a scheduled run of LiveUpdate, the SEPM does not update definitions and displays the error "LiveUpdate encountered one or more errors. Return code = 4". Log.LiveUpdate shows errors similar to "LiveUpdate couldn't expand replacement path [spcIronWl-incr-InstallDir]."
The SEPM has been configured to authenticate to a proxy using Windows Authentication and the SEPM can successfully update definitions using a .JDB file.
This is an example of the complete error from Log.LiveUpdate:
1/9/2013, 18:39:19 GMT -> Progress Update: PATCH_START: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\IrvSP12i.dis"
1/9/2013, 18:39:19 GMT -> Progress Update: SECURITY_PACKAGE_TRUSTED: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z"
1/9/2013, 18:39:19 GMT -> Signer: cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation
1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221"
1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221", HR: 0x0
1/9/2013, 18:39:19 GMT -> Added package to cache...
1/9/2013, 18:39:19 GMT -> LiveUpdate couldn't expand replacement path [spcIronRl-incr-InstallDir].
This issue occurs when the SEPM has been configured to authenticate to a proxy using Windows authentication and Windows User Account Control (UAC) is enabled.
In order for Windows authentication to work properly, the LUALL.exe and LuCallbackProxy.exe executables are launched as the Windows user that was specified when proxy authentication was configured. These processes are launched using the Windows API CreateProcessAsUser(). Because of UAC, both created processes (LUALL.exe and LuCallbackProxy.exe) are assigned a Windows security token with limited privileges and permissions, even if the specified user is a member of the Administrators group.
This behavior of UAC is by design and cannot be bypassed with currently existing Windows APIs.
There are two possible workarounds to this issue:
- Reconfigure the SEPM so it does not use Windows Authentication when authenticating to the proxy.
- Configure a scheduled task in Windows to run LUALL.EXE with the -S switch.
Disabling Windows Authentication for Proxy Authentication
- Log in to the SEPM
- Click Admin > Servers
- Right-click the SEPM server (in the top-left) and click Edit the server properties
- Click Proxy Server
- Uncheck Use Windows Authentication
- Click OK
Configuring a Windows Scheduled Task to run LiveUpdate
- Click Start > Administrative Tools > Task Scheduler
- Click Task Scheduler Library > Create Task...
- In the Name field, type in: LiveUpdate
- Click Change User or Group... and enter the name of the Windows user which can authenticate through the proxy
- Click OK
- Select Run whether user is logged on or not
- Checkmark Run with highest privileges
- Click Actions > New...
- Set Action to Start a program
- Browse to the location of LUALL.EXE (default: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe)
- In Add Arguments, type: -S
- Click OK
- Click Triggers > New...
- Select Daily and pick the hour and minute to run the task
- Click Enabled > OK
Note: If you wish LiveUpdate to run multiple times per day, create additional triggers for this scheduled task. By default, the SEPM runs LiveUpdate every four hours. This is recommended for most environments.
- Click OK
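The scheduled-task steps above can also be scripted. The following is an added example, not Symantec's own code: it assumes the ScheduledTasks PowerShell module (Windows 8 / Server 2012 or later) and an elevated session, and the run time is a constructed sample value. It registers the task and then reads it back to confirm the "Run with highest privileges" and "Run whether user is logged on or not" settings were applied.

```powershell
# Added example: scripted equivalent of the Task Scheduler steps in this article.
# Assumptions: ScheduledTasks module is available and this session is elevated.
$TaskName = 'LiveUpdate'
$LuAll    = 'C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe'  # default path from the article
$RunTimes = @('02:00')  # constructed sample time; each extra entry becomes an additional daily trigger

# Fail early if LiveUpdate is installed somewhere other than the default location.
if (-not (Test-Path -LiteralPath $LuAll -PathType Leaf)) {
    throw "LUALL.exe not found at '$LuAll'. Adjust `$LuAll to the installed location."
}

# Prompt for the Windows user that can authenticate through the proxy.
$cred = Get-Credential -Message 'Windows user that can authenticate through the proxy'

# Action: start LUALL.exe with the -S switch (path quoted because it contains spaces).
$action = New-ScheduledTaskAction -Execute "`"$LuAll`"" -Argument '-S'

# One daily trigger per configured time.
$triggers = foreach ($time in $RunTimes) { New-ScheduledTaskTrigger -Daily -At $time }

# Supplying -User and -Password stores the credential, which corresponds to
# "Run whether user is logged on or not"; -RunLevel Highest corresponds to
# "Run with highest privileges".
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Read the task back and verify the settings the workaround depends on.
$task = Get-ScheduledTask -TaskName $TaskName
if ($task.Principal.RunLevel -ne 'Highest') {
    throw "Task '$TaskName' is not set to run with highest privileges."
}
if ($task.Principal.LogonType -ne 'Password') {
    throw "Task '$TaskName' is not set to run whether the user is logged on or not."
}

'{0}: runs as {1}, RunLevel={2}, triggers={3}' -f $TaskName,
    $task.Principal.UserId, $task.Principal.RunLevel, @($task.Triggers).Count
```

On systems without the ScheduledTasks module, use the Task Scheduler steps listed above.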