Virus Definitions won't update - HELP!!!!!

Status
Not open for further replies.

NotSoLucky

Technical User
Jan 11, 2005
58
US
We are using Norton Antivirus 9.0 corporate edition.

We had an individual come to me today who thought he had a virus on his system.

His virus definition stated 3/12/2007.

Our antivirus is set up on a server to update all clients from that server.

The server virus definition is 7/4/2007.

So why didn’t the client update?

I went to the server to verify other users' definition dates.

85% of the computers have 3/12/2007 as a virus definition date.

Why is this happening and how do I fix it?

Any help is greatly appreciated.
 
Usually denotes a problem with the Defwatch service on the client which is the bit that actually keeps an eye out for new defs. I think.

What happens if you try forcing the defs down via the console?


Neill
 
If I go to a client PC and click on LiveUpdate button it will update as long as the client has internet access.

Our Symantec Antivirus was originally installed in August 2006.

It only stopped auto updating on 3/12/2007.
 
AV defs can refuse to update for a variety of reasons. It's helpful to understand that Live Update is only a band-aid. If the client won't get updated defs, running Live Update (and getting current antivirus patterns) will only buy you time until the problem must be fixed.

The event logs inside of SAVCE will answer your question.
If the server actually has the most current definitions (see below), and the client's logs show that it's been trying to update but cannot, then the easiest way to deal with it is to reinstall the client. There are many benefits to this course of action. You can even walk the user through doing it themselves over the phone. Have them browse to: \\servername\vphome\clt-inst\win32\setup.exe and follow the directions to reinstall. This will usually work. In the few cases it doesn't, uninstalling and then reinstalling almost always fixes it. In the few cases it doesn't, see the links below on clearing out corrupted virus definitions.

To determine the server AV defs: When you're in the SSC, and you click on the SAVCE Group (the one that must be unlocked) switch to the view that lets you see AV defs and scan times. Use this Virus Definition date as your guide in determining if the server is getting definitions or not. The SAVCE client on the server can occasionally give a different date.

Visit this link for information on updating an SSC/SAVCE server that isn't getting its updates properly.

Hint: it DOESN'T involve anything automatic or executable. If you aren't downloading an *.XDB file, you're not doing it properly. The .EXE file downloads are for clients only, not servers.

Either the server is unable to get definitions or it can't apply them.
- If it can't get the definitions, check for misconfigured FTP proxy settings, restrictive outbound Firewall settings. Perform a command line FTP to an FTP Server somewhere ("ftp ftp.netscape.com" will get you started)
- If the server is unable to apply the definitions, it may be because they're corrupt. This happens more often than it should. Try these links, they talk about how to clear out the areas of the Server that hold definitions:

Error: "Norton AntiVirus services failed to start. Virus definition file is invalid. (CC001000)"
Situation:
After you update the virus definitions, the service fails to start. If you are running Windows NT/2000, the application event log contains the error messages "Could not start Service Engine err =CC001000" and "Norton AntiVirus services failed to start. Virus definition file is invalid. (CC001000)."
This doc says to back date the virus defs to fix. Provides a link:
How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x
Situation:
You updated the virus definitions on a computer that is running Symantec AntiVirus Corporate Edition, and now you see one or more of the following symptoms:
- The Symantec AntiVirus service fails to start.
- The number of Scan Omission errors in the Event Log is larger than normal.
You need to know how to revert to an earlier set of virus definitions.
 
The server was getting its updates, but it was not sending them out to clients.

So I followed the instructions to manually repair or backdate the virus definitions.

Now I have another problem.

I can not unlock the server group. It gives me an error message that

"Error.Can't communicate with server group. Verify network connectivity and that machines are within the group. If problem persists, try clearing the server group cache and rediscoring all server groups."

So I cleared the group cache and ran the discovery service.

I get the same error message when I try to unlock the group.

HELP.....HELP!!!!
 
This message can happen when the LANDesk services are running but the Symantec Antivirus service is not starting.

Verify that the SAV service is starting.
Check your EV for messages about why this service won't start.

 
EV says

Error 7023 The symantec AntiVirus services terminated with the following error: The environment is incorrect.

What?
 
Check the service path by opening the Services applet and right clicking the Symantec Antivirus Service. Then look at the path to the exe. Verify this still exists.

Another tech on this site, lawnboy, suggests downloading the .exe updater from Symantec and running it. In my opinion, at this point, having the service run is most important. If this doesn't work, you can try downloading the xdb/vdb files from the link above.
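
A read-only PowerShell version of the two checks suggested at this point in the thread (service state and executable path, then the System event log entries for event 7023). This is an added example, not part of any poster's message and not Symantec tooling; it assumes PowerShell 3.0 or later, and the display-name pattern `*Symantec AntiVirus*` is an assumption to adjust to what the Services applet shows.

```powershell
# Added example. $Pattern is an assumed display-name match; change it to suit.
$Pattern = '*Symantec AntiVirus*'

function Get-ServiceExePath {
    # Win32_Service.PathName may be quoted and may carry arguments;
    # return only the path of the executable itself.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return $PathName.Trim()
}

function Get-AvServiceHealth {
    # One row per matching service: is it running, and does its binary exist?
    param([string]$DisplayNamePattern = $Pattern)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object {
            $exe = Get-ServiceExePath $_.PathName
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                ExePath     = $exe
                ExeExists   = Test-Path -LiteralPath $exe -PathType Leaf
            }
        }
}

function Get-AvServiceFailures {
    # Service Control Manager event 7023 ("service terminated with the
    # following error") for services whose name matches the pattern.
    param([string]$DisplayNamePattern = $Pattern, [int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $DisplayNamePattern } |
        Select-Object TimeCreated, Id, Message
}

Get-AvServiceHealth   | Format-Table -AutoSize
Get-AvServiceFailures | Format-List
```

A row with `ExeExists` false or `State` other than `Running` points at the service itself rather than at the definitions.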
 
The path is

C:\Program Files\Symantec Antivirus\Rtvscan

The file is there.

I downloaded the latest xdb and I ran the .exe updater. That is what Symantec said to do to repair the virus definitions.

It was after running those that I started having problems with the "Can't communicate with server error".

Do I have to re-install the program?
 
At this point you might get the problem fixed faster that way. You know the drill, do a full backup of the OS and System State. Since you're licensed for Symantec Antivirus, you're eligible for SAVCE 10. This might be a good opportunity to upgrade as well. The newer AV also supports Vista and has real time (as opposed to scan time only) anti-spyware support.
 
You'll need to get the Symantec Antivirus service started in order to do an upgrade. If you can't, you'll have to perform a fresh install. You'll need your original 9 media if you have to perform a fresh install of 10. You may have to uninstall SAVCE 9 before installing 10.
 
Does SAV 10 require Active Directory?

We currently do not have AD.

I know, we are still in the stone age, but I have to deal with it.
 
No, I don't think so. I haven't tried to install this in a network that doesn't have AD. I think the system requirements are:


You need a new OS to run it, but AD or NT4Domain isn't listed as a requirement. So, why not install it on a test PC or server and see what you think. Roll out one client and evaluate how it performs (10 is a little slower because of some of the real time safety measures).

Then you'll know and you can make changes to the real server.
 
You can configure 10 to support legacy clients as well, so if you have a client that can only run version 9, 10 will give it updated definitions.
 