When LiveUpdate is run on a Symantec Endpoint Protection Manager (SEPM) using the "Download LiveUpdate content" or a scheduled run of LiveUpdate, the SEPM does not update definitions and displays an error "LiveUpdate encountered one or more errors. Return code = 4". Log.LiveUpdate shows errors similar to "LiveUpdate couldn't expand replacement path [spcIronWl-incr-InstallDir]."
The SEPM has been configured to authenticate to a proxy using Windows Authentication and the SEPM can successfully update definitions using a .JDB file.
This is an example of the complete error from Log.LiveUpdate:
This issue occurs when the SEPM had been configured to authenticate to a proxy using Windows authentication and when Windows User Account Control is enabled.
In order to Windows authentication to work properly, the LUALL.exe and LuCallbackProxy.exe executables are launched as the Windows user which was specified when proxy authentication was configured. These processes are launched by using the Windows API CreateProcessAsUser(). The created processes (LUALL.exe and LuCallbackProxy.exe) will both be assigned a Windows security token with limited privileges and permissions (even if the specified user is a member of the Administrators group) because of UAC.
This behavior of UAC is by design and cannot be bypassed with currently existing Windows APIs.
There are two possible workarounds to this issue:
Reconfigure the SEPM so it does not use Windows Authentication when authenticating to the proxy.
Configure a scheduled task in Windows to run LUALL.EXE with the -S switch.
Disabling Windows Authentication for Proxy Authentication
Login to the SEPM
Click Admin > Servers
Right-click the SEPM server (in the top-left) and click Edit the server properties
Click Proxy Server
Uncheck Use Windows Authentication
Configuring a Windows Scheduled Task to run LiveUpdate
Click Change User or Group... and enter the name of the Windows user which can authenticate through the proxy
Select Run whether is logged on or not
Checkmark Run with highest privileges
Click Actions > New...
Set Action to Start a program
Browse to the location of LUALL.EXE (default: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe)
In Add Arguments, type: -S
Click Triggers > New...
Select Daily and pick the hour and minute to run the task
Click Enabled > OK Note: If you wish LiveUpdate to run multiple times per day, create additional triggers for this scheduled task. By default, the SEPM runs LiveUpdate every four hours. This is recommended for most environments.
Imported Document ID: TECH201511
Subscribing will provide email updates when this Article is updated. Login is required.