LiveUpdate fails on the Endpoint Protection Manager with errors in Log.LiveUpdate

TECH201511
Last Updated October 28, 2019
Copy Article Title/URL
Feedback
Subscribe

When LiveUpdate is run on a Symantec Endpoint Protection Manager (SEPM) using the "Download LiveUpdate content" or a scheduled run of LiveUpdate, the SEPM does not update definitions and displays an error "LiveUpdate encountered one or more errors. Return code = 4". Log.LiveUpdate shows errors similar to "LiveUpdate couldn't expand replacement path [spcIronWl-incr-InstallDir]."

The SEPM has been configured to authenticate to a proxy using Windows Authentication and the SEPM can successfully update definitions using a .JDB file.

This is an example of the complete error from Log.LiveUpdate: 

1/9/2013, 18:39:19 GMT -> Progress Update: PATCH_START: Patch File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Script File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\IrvSP12i.dis"

1/9/2013, 18:39:19 GMT -> Progress Update: SECURITY_PACKAGE_TRUSTED: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z"

1/9/2013, 18:39:19 GMT -> Signer: cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation

1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_START: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221"

1/9/2013, 18:39:19 GMT -> Progress Update: UNZIP_FILE_FINISH: Zip File: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221\1357743292jtun_irev130109007.7z", Dest Folder: "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt221", HR: 0x0       

1/9/2013, 18:39:19 GMT -> Added package to cache...

1/9/2013, 18:39:19 GMT -> LiveUpdate couldn't expand replacement path [spcIronRl-incr-InstallDir].

 

This issue occurs when the SEPM had been configured to authenticate to a proxy using Windows authentication and when Windows User Account Control is enabled.

In order to Windows authentication to work properly, the LUALL.exe and LuCallbackProxy.exe executables are launched as the Windows user which was specified when proxy authentication was configured. These processes are launched by using the Windows API CreateProcessAsUser(). The created processes (LUALL.exe and LuCallbackProxy.exe) will both be assigned a Windows security token with limited privileges and permissions (even if the specified user is a member of the Administrators group) because of UAC.

This behavior of UAC is by design and cannot be bypassed with currently existing Windows APIs.

There are two possible workarounds to this issue:

  1. Reconfigure the SEPM so it does not use Windows Authentication when authenticating to the proxy.
  2. Configure a scheduled task in Windows to run LUALL.EXE with the -S switch.

Disabling Windows Authentication for Proxy Authentication

  1. Login to the SEPM
  2. Click Admin > Servers
  3. Right-click the SEPM server (in the top-left) and click Edit the server properties
  4. Click Proxy Server
  5. Uncheck Use Windows Authentication
  6. Click OK

 Configuring a Windows Scheduled Task to run LiveUpdate

  1. Click Start > Administrative Tools > Task Scheduler
  2. Click Task Scheduler Library > Create Task...
  3. In the Name field, type in: LiveUpdate
  4. Click Change User or Group... and enter the name of the Windows user which can authenticate through the proxy
  5. Click OK
  6. Select Run whether is logged on or not
  7. Checkmark Run with highest privileges
  8. Click Actions > New...
  9. Set Action to Start a program
  10. Browse to the location of LUALL.EXE (default: C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.exe)
  11. In Add Arguments, type: -S
  12. Click OK
  13. Click Triggers > New...
  14. Select Daily and pick the hour and minute to run the task
  15. Click Enabled > OK
    Note: If you wish LiveUpdate to run multiple times per day, create additional triggers for this scheduled task. By default, the SEPM runs LiveUpdate every four hours. This is recommended for most environments.
  16. Click OK

 

 

 

 

Imported Document ID: TECH201511

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.