Proactive Threat Protection definitions will not update, showing "Waiting for updates" or initial install definitions
Last Updated October 12, 2011
Proactive Threat Protection (PTP) definitions do not update and show "Waiting for updates" or the initial installation definitions in Symantec Endpoint Protection 11.
In the Event Viewer Application log, the following errors are seen:
'Symantec AntiVirus' - "TruScan has generated an error: code 11: description: Whitelist Failure"
'crypt32' - "Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation"
Several variables can keep the PTP definitions from updating. When the errors above are seen, the cause can be attributed to a policy or a GPO that prevents the Symantec Endpoint Protection client from trusting the Symantec Endpoint Protection Manager for the PTP definitions. This can also prevent the updated Symcert from being trusted and installed into the Windows Certificate Store.
Check the following registry value. The default State value should be set to 23c00:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State:23c00
On machines identified where PTP was not updating, the State value was set to 63c00; other values could be present:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State:63c00
PTP definitions assigned to a group can sometimes be corrupt. Roll back PTP definitions and then move the definitions forward.
1. Ensure the registry State value is set to 23c00.
2. Move the systems with old PTP definitions into a test group, roll definitions back, wait 2 heartbeats, and then roll definitions to use latest available.
A. Go into SEPM > Policies > LiveUpdate > LiveUpdate Content > LiveUpdate Content Policy > Security Definitions.
B. Move "TruScan proactive threat scan heuristic signatures" and "TruScan proactive threat scan commercial application list" back to an older definition set by clicking "Select a revision".
C. Verify that the clients received a new policy and that the definitions rolled back.
D. After 2 heartbeats, roll both TruScan definitions forward by clicking "Use latest available" from the Security Definitions view.
3. Ensure that the Windows Root certificate is updated on all systems.
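To check step 1 and the two Application log symptoms on a client in one pass, the following PowerShell script can be used. It is an added example, not Symantec-supplied code; the -Fix and -MaxEvents parameters are names chosen for this example, and it must be run from an elevated prompt.

```powershell
# Added example: audit the WinTrust "State" value and the Application log
# symptoms described in this article. Not vendor-supplied code.
param(
    [switch]$Fix,            # example parameter: write the default value back
    [int]$MaxEvents = 5000   # example parameter: recent events to scan
)

$keyPath  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$expected = 0x23c00          # default State value given in this article

try {
    $current = (Get-ItemProperty -Path $keyPath -Name State -ErrorAction Stop).State
} catch {
    Write-Warning "State value not readable under $keyPath : $($_.Exception.Message)"
    exit 2
}

if ($current -eq $expected) {
    Write-Output ('OK: State = 0x{0:x}' -f $current)
} else {
    # Show which bits differ from the default, e.g. 63c00 vs 23c00 -> 0x40000
    $delta = $current -bxor $expected
    Write-Output ('MISMATCH: State = 0x{0:x}, expected 0x{1:x}, differing bits 0x{2:x}' -f $current, $expected, $delta)
    if ($Fix) {
        Set-ItemProperty -Path $keyPath -Name State -Value $expected -Type DWord
        Write-Output ('State reset to 0x{0:x}.' -f $expected)
        # If a policy or GPO set the value, it may be written again at the
        # next policy refresh; correct the policy as well.
    }
}

# Look for the two errors quoted above by message text, so the check does
# not depend on how the event source is named on a given Windows version.
$pattern = 'Whitelist Failure|authrootseq\.txt'
$hits = Get-WinEvent -LogName Application -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object -First 10 -Property TimeCreated, ProviderName, Id, Message

if ($hits) {
    Write-Output 'Matching Application log events (newest first):'
    $hits | Format-List
} else {
    Write-Output "No matching events in the last $MaxEvents Application log entries."
}
```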
Imported Document ID: TECH171458