The Symantec Endpoint Protection (SEP) client is unable to update if its Group Update Providers (GUPs) have been temporarily unreachable.
Last Updated March 30, 2012
There is a single GUP configured for a couple of SEP clients. All the machines are restarted every day.
If the GUP is booted up after the other client machines, SEP clients will not update unless they are restarted one more time.
Since SEP 11.0 RU5, when you define a GUP (either single or multiple), it is stored as a GUP list in an XML file on the SEPM (%SEPM%\data\outbox\agent\gup\globallist.xml). Each SEP client receives this list and works through it from top to bottom until it finds a GUP it can connect to:
- It will pick up the first GUP in the list. If this GUP is not appropriate/available/reachable, it will be marked as BAD by the SEP client, which won't try to connect to it anymore.
- It will then pick up the second GUP, etc.
The problem with current releases of SEP is that once the client has reached the end of the GUP list, it will never start again from the top of the list unless SEP is restarted, which purges its cache.
This problem should be fixed in the next release of SEP, RU7 MP2.
- Create a script that restarts the SMC.exe service on the SEP client.
- Change your reboot schedules to ensure the GUP is always available when SEP clients start.
- Use the GUP Bypass setting to allow clients to connect to SEPM if there is no GUP available.
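
One way to implement the first workaround, as an added example (not a Symantec-supplied script): it restarts the client only when the GUP was unreachable at client startup, and only once the GUP answers again, so the client walks the GUP list afresh. The GUP host name, TCP port 2967 and the `smc.exe` install path are assumptions to adjust for your environment.

```powershell
# Added example: restart the SEP client once a late-booting GUP becomes reachable.
# Assumptions (not from the article): GUP host name, TCP port, smc.exe location.
param(
    [string]$GupHost    = 'gup01.example.local',  # placeholder GUP host name
    [int]   $GupPort    = 2967,                    # assumed GUP listening port
    [string]$SmcPath    = "$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
    [int]   $TimeoutMin = 30,                      # stop waiting after this long
    [int]   $PollSec    = 60                       # delay between reachability checks
)

# Returns $true if a TCP connection to HostName:Port succeeds within TimeoutMs.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-Path $SmcPath)) {
    Write-Error "smc.exe not found at $SmcPath"
    exit 2
}

# GUP already reachable when the client started: nothing was marked BAD.
if (Test-TcpPort $GupHost $GupPort) { exit 0 }

# GUP was down, so the client has likely exhausted its list. Wait for the GUP.
$deadline = (Get-Date).AddMinutes($TimeoutMin)
while (-not (Test-TcpPort $GupHost $GupPort)) {
    if ((Get-Date) -ge $deadline) {
        Write-Warning "GUP ${GupHost}:${GupPort} still unreachable after $TimeoutMin min"
        exit 1
    }
    Start-Sleep -Seconds $PollSec
}

# Restart the client service so it purges its GUP cache and re-reads the list.
& $SmcPath -stop
Start-Sleep -Seconds 10   # give the service time to stop before starting it
& $SmcPath -start
```

Run it as a startup scheduled task with administrative rights on each SEP client. A non-zero exit code means the restart did not happen and the client may still be without updates.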