Troubleshooting failed LiveUpdate or definition update issues for Symantec Endpoint Security
Symantec Endpoint Security
Use this topic to troubleshoot issues with content updates or LiveUpdate failures on the Symantec agent. If the content is out of date, it is most likely a problem with corrupted definitions, an expired license, or a LiveUpdate failure. LiveUpdate content includes virus and spyware definitions, behavioral analysis heuristic signatures, intrusion prevention signatures, submission control signatures, reputation settings, and advanced machine learning.
Content is considered old or out-of-date if:
- Antimalware content (virus definitions) is out-of-date after 7 days.
- Low-bandwidth and other content is out-of-date after 30 days.
Out-of-date content does not include client software updates.
Step 1: Check whether any clients have out-of-date content
First, check which clients are not getting current content.
- To check whether any clients have out-of-date content
- On theHomepageHometab, go to theDefaultorThreat Preventionview.
- In theDevice Integrity KPI, look for the number of devices in the following categories:
If the number is 0, all your devices have up-to-date content.
- Devices with LiveUpdate FailuresDevices that did not receive content because of a LiveUpdate issue.
- Devices with Out-of-Date DefinitionsDevices that have old content.
Step 2: Diagnose and solve issues with outdated content
After you find out which clients do not update the content, go through the following checklist to diagnose and remediate the problem.
Description and solution
Content does not update on some of the clients.
If the content on some of your clients is old and LiveUpdate functions properly, check for the following issues:
LiveUpdate server does not download the content successfully.
To solve LiveUpdate failures, perform the following steps:
Viewing LiveUpdate failure events and error information
You can view the LiveUpdate engine log file to find more information.
To view LiveUpdate failure events and error information
- On the client (for Windows Vista and later), open the LiveUpdate engine log file in the following location:C:\Program Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs\Log.LueFor more information, see:
- On the cloud console, selectEndpoint>Alerts and Events, and then select theOther Eventstab, and filter on theMajorseverity andApplication Activityevents.
- Make sure that you can access the following URLs:
- liveupdate.symantec.comYou cannot ping these URLs.
- Make sure that the firewall and any LiveUpdate proxy servers allow traffic to the websites in the previous step.You must allow these URLs if you use one or more proxies in your environment. See:
- Run a packet capture and contact Symantec Support for analysis.