Troubleshooting failed LiveUpdate or definition update issues for Symantec Endpoint Security

Use this topic to troubleshoot issues with content updates or LiveUpdate failures on the Symantec agent. If the content is out of date, it is most likely a problem with corrupted definitions, an expired license, or a LiveUpdate failure. LiveUpdate content includes virus and spyware definitions, behavioral analysis heuristic signatures, intrusion prevention signatures, submission control signatures, reputation settings, and advanced machine learning.
Content is considered old or out-of-date if:
  • Antimalware content (virus definitions) is out-of-date after 7 days.
  • Low-bandwidth and other content is out-of-date after 30 days.
Out-of-date content does not include client software updates.
Step 1: Check whether any clients have out-of-date content
First, check which clients are not getting current content.
To check whether any clients have out-of-date content
  1. On the Home page Home tab, go to the Default or Threat Prevention view.
  2. In the Device Integrity KPI, look for the number of devices in the following categories:
    • Devices with LiveUpdate Failures
      Devices that did not receive content because of a LiveUpdate issue.
    • Devices with Out-of-Date Definitions
      Devices that have old content.
    If the number is 0, all your devices have up-to-date content.
Step 2: Diagnose and solve issues with outdated content
After you find out which clients do not update the content, go through the following checklist to diagnose and remediate the problem.
Solutions for out-of-date content and LiveUpdate failures

Issue: Content does not update on some of the clients.
Description and solution: If the content on some of your clients is old and LiveUpdate functions properly, check for the following issues:

Issue: LiveUpdate server does not download the content successfully.
Description and solution: To solve LiveUpdate failures, perform the following steps:
  1. Check the LiveUpdate error logs to pinpoint the cause of the problem.
  2. On the affected devices, make sure that the perimeter firewall and proxy servers can access the LiveUpdate URLs. Perimeter firewalls and proxy servers can block or prevent communication with the URLs that Symantec Endpoint Security uses to install and activate agents.
  3. If you use a proxy server for client-to-LiveUpdate communication, check that the proxy settings are correct. Proxy misconfiguration often causes LiveUpdate connectivity issues, and the clients continue to use stale definitions.
Viewing LiveUpdate failure events and error information
To view LiveUpdate failure events and error information
  1. On the client, open the LiveUpdate engine log file in the following location.
    C:\Program Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs\Log.Lue
    (For Windows Vista and later.)
  2. On the cloud console, select Endpoint > Alerts and Events, and then select the Other Events tab, and filter on the Major severity and Application Activity events.
  3. Make sure that you can access the following URLs:
    • liveupdate.symantecliveupdate.com
    • liveupdate.symantec.com
      You cannot ping these URLs.
    • symantec.com
  4. Run a packet capture and contact Symantec Support for analysis.
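Because the LiveUpdate hosts cannot be pinged, step 3 needs a DNS, TCP, and HTTP check instead. The following PowerShell script is an added example, not Symantec code. It assumes ports 80 and 443 and the https:// scheme, neither of which is stated on this page, and its HTTP check uses the proxy settings of the account that runs the script, which may differ from the settings the agent uses.

```powershell
# Added example: DNS, TCP and HTTP checks for the LiveUpdate hosts named on this page.
# Assumptions (not from the page): ports 80/443 and the https:// scheme.
$LiveUpdateHosts = 'liveupdate.symantecliveupdate.com',
                   'liveupdate.symantec.com',
                   'symantec.com'

# Windows PowerShell 5.1 on older systems may not offer TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-TcpPort {
    # Direct TCP connect with a timeout; this path does not use any proxy.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, reset, or name did not resolve
    } finally {
        $client.Close()
    }
}

function Test-HttpPath {
    # HEAD request through the proxy settings of the account running the script.
    param([string]$Url, [int]$TimeoutSec = 10)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec $TimeoutSec
        return "HTTP $([int]$r.StatusCode)"
    } catch {
        # An HTTP status means something answered; 407 comes from a proxy that wants credentials.
        $resp = $_.Exception.Response
        if ($resp) { return "HTTP $([int]$resp.StatusCode)" }
        return "FAILED: $($_.Exception.Message)"
    }
}

$LiveUpdateHosts | ForEach-Object {
    $name = $_
    $ips = try {
        ([Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch { 'DNS FAILED' }
    [pscustomobject]@{
        HostName = $name
        DNS      = $ips
        TCP80    = Test-TcpPort $name 80
        TCP443   = Test-TcpPort $name 443
        HTTPS    = Test-HttpPath "https://$name/"
    }
} | Format-List
```

A host where the direct TCP checks fail but the HTTP check returns a status is reachable only through the proxy. A host where the TCP checks succeed but the HTTP check fails points at the proxy settings from step 3 of the checklist.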