Update virus definitions and content for Endpoint Protection
Article: TECH102467 | Created: 2007-01-11 | Updated: 2014-11-21 | Article URL: http://www.symantec.com/docs/TECH102467
This article describes how to update Symantec Endpoint Protection (SEP) or Symantec Network Access Control (SNAC) with the latest virus definitions and other content updates.
For protection against the latest threats, it is very important to ensure that antivirus definitions, IPS signatures and other content are always up to date. There are several ways to configure an environment's update architecture. The best method for a particular environment depends on the number of clients, the amount of bandwidth available, and whether the computers can connect to Symantec's Internet-based LiveUpdate source servers.
Updates can be configured at three levels: sites (the management servers), client groups managed by those servers, and individual local clients:
About configuring a site to download updates
The default behavior and best practice in most cases is to have sites download updates from the Symantec LiveUpdate server. When you configure a site to download updates, the updates are downloaded by one of the management servers, called Symantec Endpoint Protection Managers (SEPMs), and placed in the database. The SEPMs then use these definitions to distribute updates to clients.
In most Symantec Endpoint Protection deployments, the Symantec Endpoint Protection Manager (SEPM) will download and distribute materials to all of its Windows clients efficiently.
About configuring the management server to run LiveUpdate from an internal server
In certain environments, it is desirable to have an internal LiveUpdate server on the network rather than obtain updates from the Internet source servers. LiveUpdate Administrator 2.x (LUA 2.x) or the legacy LiveUpdate Administration Utility (LUAU 1.x) may be preferable in:
- high-security "airlocked" environments
- environments with many different Symantec products
- corporate networks where all updates must be tested prior to widespread deployment
- environments with 10,000 endpoints or more
- environments with many Macintosh or Symantec AntiVirus for Linux (SAVFL) clients ("SEP for Mac" and SAVFL cannot receive definitions directly from the SEPM, and must download either from the Internet LiveUpdate source servers or from an internal source)
There are additional cases in which it is preferable to use LUA 2.x. See When to use LiveUpdate Administrator, Best Practices for LiveUpdate Administrator (LUA) 2.x and the Connect forum article A Helpful LiveUpdate Administrator 2.x Analogy for more information.
For details on how to configure a site to download updates from an internal LiveUpdate server, please see Setting up an internal LiveUpdate server.
About site replication and content updates
If you configure sites on your network for replication from another site, the content updates (AV definitions and so on) that are in the database of the primary site can be configured to replicate as part of the database. In this case, you only need to configure updates on the primary site.
If you choose to use product updates as well as content updates, you should not replicate product updates between sites, because these updates can be quite large, and one exists for every language that you select. For more information, please see Managing sites and replication and Specifying which data to replicate.
About updating definitions for Symantec Endpoint Protection Manager using a JDB file
If a SEPM cannot run LiveUpdate or has no access to Internet or internal source servers, it is possible to update the server's antivirus definitions by manually applying a special file. For details please see How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file.
Please note that the .jdb file only contains antivirus/antispyware definitions and will not provide updated content for the firewall and other features for the Symantec Endpoint Protection (SEP) clients.
For information on how SEP client computers are updated, please see How client computers receive content updates.
Configuring how groups of clients download updates
To configure the behavior of a client group, you use LiveUpdate client policies, which you create in the Symantec Endpoint Protection Manager. There are two kinds of LiveUpdate client policy. A LiveUpdate Settings policy controls how and when the clients in a group obtain updates: the update source (the management server, an internal LiveUpdate server, Symantec's Internet LiveUpdate servers, or a Group Update Provider), the schedule, and whether users may run LiveUpdate manually or change the schedule locally. A LiveUpdate Content policy controls which content types and which content revisions the clients in a group receive.
Viewing and changing the LiveUpdate Content policy that is applied to a client group
LiveUpdate Content policies are applied to groups and to all locations in groups. Therefore, the policy does not appear with other policies under locations in the console.
To view and change the LiveUpdate Content policy that is applied to a group
- In the console, click Policies, and create at least two LiveUpdate Content policies.
- Apply one of the policies to a group.
- In the console, click Clients, and then click the group that you want to view.
- In the right pane, on the "Policies" tab, under "Location-independent Policies and Settings", under "Settings", click LiveUpdate Content Policy Settings.
- In the dialog box, specify the LiveUpdate Content Policy to use for the group, and then click OK.
About Group Update Providers (GUPs)
When you create a LiveUpdate Settings policy, you have the option of specifying a Group Update Provider (GUP). The Group Update Provider provides updates to clients in the group, and any subgroups that inherit policies as set on the Clients tab. If you have clients in a group at a remote location that have bandwidth issues over the WAN, make a client in the group the Group Update Provider. The Group Update Provider must be a member of the group to which it provides updates. The Group Update Provider also lets you offload processing power from the Symantec Endpoint Protection Manager if you need that option.
When you configure a Group Update Provider, you specify a host name or IP address and a TCP port number. The default TCP port number is 2967, a port that was also used for Symantec AntiVirus 10.x and Symantec Client Security 3.x network communications. Clients in the group must be able to reach the GUP on that port, so any host or network firewall between them needs to allow inbound TCP 2967 to the GUP. If your Group Update Provider computer receives its IP address with DHCP, either assign a static IP address to the computer or specify the host name. If your Group Update Provider computer is at a remote location that uses network address translation (NAT), specify the host name.
For more information on GUPs, please see About the types of Group Update Providers, Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP) and Group Update Provider: Sizing and Scaling Guidelines.
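The following PowerShell function is an added example, not part of this article or of the SEP product. It checks, from a client computer, that the GUP name entered in the LiveUpdate Settings policy resolves in DNS and that TCP 2967 (the default GUP port described above) accepts a connection within a timeout. The GUP host name used in the usage line is a placeholder assumption; substitute the one from your policy.

```powershell
# Added example (not from the Symantec article): verify that a Group Update
# Provider is reachable from a client on the policy's TCP port (default 2967).
function Test-GupReachable {
    param(
        [Parameter(Mandatory)][string]$GupHost,
        [int]$Port = 2967,        # default GUP port per the article
        [int]$TimeoutMs = 3000
    )
    $result = [ordered]@{ Host = $GupHost; Port = $Port; Resolved = $null; Reachable = $false; Detail = '' }

    try {
        # Resolve the name the policy uses. The article recommends a host name rather
        # than an IP address when the GUP gets its address via DHCP or sits behind NAT,
        # so a resolution failure here is the first thing to rule out.
        $addrs = [System.Net.Dns]::GetHostAddresses($GupHost)
        $result.Resolved = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $result.Detail = "DNS resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unanswered SYN (filtered port) fails fast instead
        # of waiting for the operating system's default connect timeout.
        $async = $client.BeginConnect($GupHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = "No response on TCP $Port within $TimeoutMs ms (host firewall or network ACL?)"
        } else {
            $client.EndConnect($async)
            $result.Reachable = $true
            $result.Detail = 'TCP connection accepted'
        }
    } catch {
        # A RST (nothing listening, or the GUP service is not running) lands here.
        $result.Detail = "Connect failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage with a placeholder GUP host name (assumption; use the name from your policy):
Test-GupReachable -GupHost 'gup01.branch.example.internal' | Format-List
```

A result with Resolved populated but Reachable set to $false and a timeout in Detail usually means a firewall between the client and the GUP is dropping TCP 2967; an immediate "Connect failed" with a connection-refused message means the host answered but nothing is listening on that port.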
About Third-Party Management (TPM)
TPM refers to the management of SEP client content updates using a distribution mechanism other than the SEPM. A SEPM is still required to download and package content from LiveUpdate and to generate policy files; TPM replaces only the transfer of policies and content to the SEP client. See About using third-party distribution tools to distribute content updates to managed clients (SEP 11.0.6 and higher) and Using third-party distribution tools to update client computers (SEP 12.1.2 and higher) for details.
Configuring a local client to download updates
If a client is unmanaged ("self-managed"), or if a LiveUpdate Settings policy for managed clients allows, several options exist for downloading updates on individual clients.
Running LiveUpdate manually
Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow manual updates have the LiveUpdate button enabled in the Symantec Endpoint Protection window. Clicking this button will launch a utility that downloads the latest content update.
Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow changes to the LiveUpdate schedule can be configured locally to download updates at specific times.
To configure the LiveUpdate schedule, please see How to schedule LiveUpdate on an Unmanaged (self-managed) client.
Running LiveUpdate from the command line
On SEP 11 Windows clients only, LiveUpdate can also be run from the command line or as a Windows scheduled task, with an optional -s (silent) switch:
"C:\Program Files\Symantec\LiveUpdate\Luall.exe" -s
This is normally done only to check that LiveUpdate is functioning, for example by running it without the silent switch to verify the list of products that are registered with LiveUpdate.
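The script below is an added example, not part of this article or of the SEP product. It wraps the silent Luall.exe command shown above so it can be used from a scheduled task, then verifies the result by reading the CurDefs entry (format YYYYMMDD.rev) from the client's definfo.dat and failing with a non-zero exit code when the definition set is older than a chosen threshold. The definfo.dat locations and the three-day threshold are assumptions for a default installation; adjust them for your build and policy.

```powershell
# Added example (not from the Symantec article): run LiveUpdate silently on a
# SEP 11 Windows client, then confirm the virus definitions are recent.
$LiveUpdateExe = 'C:\Program Files\Symantec\LiveUpdate\Luall.exe'   # path from the article
$DefInfoCandidates = @(
    'C:\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat',   # assumed SEP 11 default
    'C:\ProgramData\Symantec\Definitions\VirusDefs\definfo.dat'               # assumed location on later builds
)
$MaxAgeDays = 3   # alerting threshold; a local policy choice, not a Symantec value

function Invoke-SilentLiveUpdate {
    param([string]$Exe = $LiveUpdateExe)
    if (-not (Test-Path $Exe)) { throw "LiveUpdate not found at $Exe" }
    # -s runs LiveUpdate without its interactive window, as the article describes.
    $p = Start-Process -FilePath $Exe -ArgumentList '-s' -Wait -PassThru
    return $p.ExitCode
}

function Get-CurrentDefDate {
    param([string[]]$Candidates = $DefInfoCandidates)
    $file = $Candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { throw 'definfo.dat not found in any candidate path' }
    # definfo.dat is INI-style; CurDefs holds the active set as YYYYMMDD.rev, e.g. 20141121.003
    $line = Get-Content $file | Where-Object { $_ -match '^CurDefs=\d{8}\.\d{3}' } | Select-Object -First 1
    if (-not $line) { throw "No CurDefs entry in $file" }
    $null = $line -match '^CurDefs=(\d{8})\.(\d{3})'
    [pscustomobject]@{
        Date     = [datetime]::ParseExact($Matches[1], 'yyyyMMdd', $null)
        Revision = [int]$Matches[2]
        Source   = $file
    }
}

function Test-DefinitionsCurrent {
    param([int]$MaxAge = $MaxAgeDays)
    $defs = Get-CurrentDefDate
    $age  = (Get-Date) - $defs.Date
    if ($age.TotalDays -gt $MaxAge) {
        Write-Warning ("Definitions {0:yyyyMMdd}.{1:D3} are {2:N0} days old (source: {3})" -f `
            $defs.Date, $defs.Revision, $age.TotalDays, $defs.Source)
        return $false
    }
    Write-Host ("Definitions {0:yyyyMMdd}.{1:D3} are current" -f $defs.Date, $defs.Revision)
    return $true
}

# Run LiveUpdate, then check. A non-zero exit lets a scheduled task history or a
# monitoring agent flag clients whose definitions did not advance.
$code = Invoke-SilentLiveUpdate
Write-Host "Luall.exe exited with code $code"
if (-not (Test-DefinitionsCurrent)) { exit 1 }
exit 0

# To schedule the silent run itself (task name and time are examples), from an
# elevated prompt:
#   schtasks /Create /TN "SEP LiveUpdate" /SC DAILY /ST 03:00 /RU SYSTEM /TR "\"C:\Program Files\Symantec\LiveUpdate\Luall.exe\" -s"
```

The age check is the part worth keeping even where LiveUpdate is driven by policy rather than a task: a client whose CurDefs date stops advancing is either unable to reach its update source or has a LiveUpdate Settings policy that does not allow it to update, and neither condition is visible from the client's own LiveUpdate window.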
Using Intelligent Updater (IU)
It is possible to update the antivirus definitions on managed or unmanaged SEP clients using a standalone tool. See How to update definitions for Symantec Endpoint Protection using the Intelligent Updater for details.