Troubleshooting failed LiveUpdate or definition update issues for Symantec Endpoint Security

Use this topic to troubleshoot issues with content updates or LiveUpdate failures on the Symantec agent. If the content is out of date, it is most likely a problem with corrupted definitions, an expired license, or a LiveUpdate failure. LiveUpdate content includes virus and spyware definitions, behavioral analysis heuristic signatures, intrusion prevention signatures, submission control signatures, reputation settings, and advanced machine learning.
Content is considered old or out-of-date if:
  • Antimalware content (virus definitions) is out-of-date after 7 days.
  • Low-bandwidth and other content is out-of-date after 30 days.
Out-of-date content does not include client software updates.
Step 1: Check whether any clients have out-of-date content
First, check which clients are not getting current content.
To check whether any clients have out-of-date content
  1. On the tab, go to the Threat Prevention
  2. In the Device Integrity KPI, look for the number of devices in the following categories:
    • Devices with LiveUpdate Failures
      Devices that did not receive content because of a LiveUpdate issue.
    • Devices with Out-of-Date Definitions
      Devices that have old content.
    If the number is 0, all your devices have up-to-date content.
Step 2: Diagnose and solve issues with outdated content
After you find out which clients do not update the content, go through the following checklist to diagnose and remediate the problem.
Solutions for out-of-date content and LiveUpdate failures
Description and solution
Content does not update on some of the clients.
If the content on some of your clients is old and LiveUpdate functions properly, check for the following issues:
LiveUpdate server does not download the content successfully.
To solve LiveUpdate failures, perform the following steps:
  1. Check the LiveUpdate error logs to pinpoint the cause of the problem. See:
  2. On the affected devices, make sure that the perimeter firewall and proxy servers can access the LiveUpdate URLs. Perimeter firewalls and proxy servers can block or prevent communication with the URLs that Symantec Endpoint Security uses to install and activate agents. See:
  3. If you use a proxy server for client-to-LiveUpdate communication, check that the proxy settings are correct. Proxy misconfiguration often causes LiveUpdate connectivity issues, and the clients continue to use stale definitions. See:
Viewing LiveUpdate failure events and error information
You can view the LiveUpdate engine log file to find more information.
To view LiveUpdate failure events and error information
  1. On the client (for Windows Vista and later), open the LiveUpdate engine log file in the following location:
    C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs\Log.Lue
    For more information, see:
  2. On the cloud console, select Alerts and Events, and then select the Other Events tab, and filter on the severity and Application Activity
  3. Make sure that you can access the following URLs:
      You cannot ping these URLs.
  4. Make sure that the firewall and any LiveUpdate proxy servers allow traffic to the websites in the previous step.
    You must allow these URLs if you use one or more proxies in your environment. See:
  5. Run a packet capture and contact Symantec Support for analysis.
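
An added example (not from Symantec's documentation) of checking steps 3 and 4 from an affected Windows client without ping: it tests DNS, a direct TCP connection, and an HTTPS request through an optional proxy, so the failing layer is visible. The host names are placeholders because the URL list is not reproduced on this page; port 443, the `$ProxyUri` parameter, and the function name are assumptions.

```powershell
# Added example: layered reachability check for LiveUpdate hosts (run on the client).
# Host names are PLACEHOLDERS: substitute the URLs from the Symantec documentation.
# Port 443 and the proxy URI are assumptions; an empty $ProxyUri uses system settings.
param(
    [string[]]$Hosts = @('liveupdate-host-1.example', 'liveupdate-host-2.example'),
    [int]$Port = 443,
    [string]$ProxyUri = ''   # constructed sample: 'http://proxy.corp.example:8080'
)

function Test-LiveUpdateHost {
    param([string]$Name, [int]$Port, [string]$Proxy)
    $r = [ordered]@{ Host = $Name; Dns = $false; Tcp = $false; Https = $false; Detail = '' }

    # 1. DNS. Behind an explicit proxy the client may not resolve external names,
    #    so a failure here is recorded but does not stop the HTTPS test below.
    try {
        [void][System.Net.Dns]::GetHostAddresses($Name)
        $r.Dns = $true
    } catch { $r.Detail += "DNS: $($_.Exception.Message) " }

    # 2. Direct TCP connect with a 5 s timeout (ICMP is not used: the hosts do not answer ping).
    if ($r.Dns) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $r.Tcp = $client.ConnectAsync($Name, $Port).Wait(5000) -and $client.Connected
        } catch { $r.Detail += "TCP: $($_.Exception.Message) " }
        finally { $client.Dispose() }
    }

    # 3. HTTPS request, through the proxy when one is given.
    $req = @{ Uri = "https://${Name}:${Port}/"; Method = 'Head'; TimeoutSec = 10; UseBasicParsing = $true }
    if ($Proxy) { $req.Proxy = $Proxy }
    try {
        Invoke-WebRequest @req | Out-Null
        $r.Https = $true
    } catch {
        # Any HTTP status (even 403 or 404) proves the path is open; only
        # transport errors (timeout, TLS failure, proxy refusal) count as blocked.
        if ($_.Exception.Response) { $r.Https = $true }
        else { $r.Detail += "HTTPS: $($_.Exception.Message) " }
    }
    [pscustomobject]$r
}

$Hosts | ForEach-Object { Test-LiveUpdateHost -Name $_ -Port $Port -Proxy $ProxyUri } |
    Format-Table -AutoSize -Wrap
```

A row with `Tcp` false but `Https` true means traffic only succeeds through the proxy; `Https` false with a proxy set points at the proxy settings or an upstream block.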