Symantec Endpoint Protection (SEP) clients are not updating content (virus definitions, IPS signature or Proactive Threat Protection updates) from Symantec Endpoint Protection Manager (SEPM). In addition, there are many large files in the \Program Files\Symantec Endpoint Protection\LiveUpdate folder, and these files appear to be growing in size.
In the \Program Files\Symantec Endpoint Protection\LiveUpdate folder you see files named LUF.tmp. Some of these files are 4 to 5 GB in size, and they appear to be continuing to grow over time.
The following entries are seen in the Sylink.log:
08/14 16:20:30  @@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size.
FileName:C:\Program Files\Symantec Endpoint Protection\LiveUpdate\LUF9D.tmp Expected file size: 0 Actual file size: 412252
The headers of the content update files are getting compressed or corrupted. These headers contain information about the size of the file that is being downloaded. Since this information is stripped, the client does not know the file's size ahead of time and therefore "expects" the file size to be 0. When the file transfer ends, the reported file size does not match the "expected" size of 0, and the client believes the update failed. At the next check-in, the client re-requests the same file update from Symantec Endpoint Protection Manager and the same temp file is used to store the data, so that file continues to get larger.
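An added example (not Symantec's code) for triaging this symptom: it parses Sylink.log text for the "wrong file size" entries, separates those with an expected size of 0 from ordinary size mismatches, and counts temp files that fail on repeated check-ins. The function names are hypothetical, and apart from the first entry the sample log lines are constructed.

```python
import re
from collections import Counter

# Marker text and field labels come from the Sylink.log excerpt on this page.
# \s* between fields accepts them on one line or on separate lines.
ENTRY = re.compile(
    r"(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2})[^\r\n]*?"
    r"Download file failed due to wrong file size\.\s*"
    r"FileName:(?P<name>[^\r\n]+?)\s*"
    r"Expected file size:\s*(?P<expected>\d+)\s*"
    r"Actual file size:\s*(?P<actual>\d+)"
)

# First entry is the one quoted on this page; the other two are constructed.
SAMPLE_LOG = r"""
08/14 16:20:30  @@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size.
FileName:C:\Program Files\Symantec Endpoint Protection\LiveUpdate\LUF9D.tmp Expected file size: 0 Actual file size: 412252
08/14 16:35:31  @@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size.
FileName:C:\Program Files\Symantec Endpoint Protection\LiveUpdate\LUF9D.tmp
Expected file size: 0
Actual file size: 824504
08/14 16:50:02  @@@@@@@@@ LU DEBUG ONLY-Download file failed due to wrong file size.
FileName:C:\Program Files\Symantec Endpoint Protection\LiveUpdate\LUFA1.tmp
Expected file size: 1024
Actual file size: 512
"""

def parse_size_failures(log_text):
    """Return one dict per 'wrong file size' entry found in Sylink.log text."""
    return [
        {"timestamp": m["ts"], "file": m["name"].strip(),
         "expected": int(m["expected"]), "actual": int(m["actual"])}
        for m in ENTRY.finditer(log_text)
    ]

def stripped_header_failures(entries):
    """Entries matching this article's symptom: expected size 0, data received."""
    return [e for e in entries if e["expected"] == 0 and e["actual"] > 0]

def repeat_offenders(entries, minimum=2):
    """Temp files that hit the expected-size-0 failure on several check-ins."""
    counts = Counter(e["file"].lower() for e in stripped_header_failures(entries))
    return {name: n for name, n in counts.items() if n >= minimum}

if __name__ == "__main__":
    found = parse_size_failures(SAMPLE_LOG)
    for path, n in repeat_offenders(found).items():
        print(f"{path}: {n} failed downloads with expected size 0")
```

A nonzero expected size, as in the third sample entry, is a plain size mismatch and does not indicate that the size information was stripped in transit.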
If you are unable to migrate to the latest maintenance release, use one of the following workarounds:
If the clients are configured to obtain content from Symantec Endpoint Protection Manager:
1. Configure the forwarding proxies so that Symantec Endpoint Protection Manager traffic is not routed over a proxy with AV scanning enabled. Alternatively, you can exclude Symantec Endpoint Protection/Symantec Endpoint Protection Manager traffic from being scanned at the AV proxy. It may also be possible to disable compressed file scanning on AV scanners, but this has not been confirmed as a possible workaround.
2. In some environments, proxy settings are set via GPO into the registry rather than through Internet Explorer. Setting the proxy values in the registry affects all accounts, including the SYSTEM account. The process that handles the content updates is SMC.EXE, which runs under the SYSTEM account. Therefore these GPO proxy settings will impact SMC.EXE and force it to use the proxy.
To see if proxy settings are set in the registry, examine the following registry keys:
Depending on how GPOs are managed, these settings may come back when the user logs back into the domain. The solution here is to either disable the GPO that applies to the OU that the user is in, or send out a new GPO that removes these keys, then assign the user to a new OU that doesn't have this GPO applied.
If the clients are configured to obtain content using LiveUpdate, change the proxy settings for LiveUpdate:
Open Start, Settings, Control Panel, Symantec LiveUpdate
Click the HTTP tab
Choose "I want to use my Internet Options HTTP settings"
Select the Connections tab.
Click the LAN Settings button.
In the Local Area Network (LAN) Settings window check the "Bypass proxy server for local addresses" checkbox.
Imported Document ID: TECH105695