How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control

Article:TECH102467  |  Created: 2007-01-11  |  Updated: 2013-11-20  |  Article URL http://www.symantec.com/docs/TECH102467
Article Type
Technical Solution


Issue



You need to know how to ensure that your Symantec Endpoint Protection (SEP) or Symantec Network Access Control (SNAC) network maintains the latest virus definitions and other content updates.


Environment



For protection against the latest threats, it is very important to ensure that antivirus definitions, IPS signatures and other content are always up to date. There are several different methods of configuring an environment's update architecture. The best method for a particular environment depends on the number of clients, the amount of bandwidth available, and the ability of the computers to connect to Symantec's Internet-based LiveUpdate source servers.


Solution



The following methods of updating content exist for sites/management servers, for client groups managed by the servers, and for local clients:

Location: Site
Function:
  • Configure the management server to run LiveUpdate from the Symantec server. This is the default.

  • Configure the management server to run LiveUpdate from an internal server.

  • Configure the site to replicate the database from another site.

  • Update definitions for Symantec Endpoint Protection Manager using a JDB file.

 

About configuring a site to download updates

The default behavior and best practice in most cases is to have sites download updates from the Symantec LiveUpdate server. When you configure a site to download updates, the updates are downloaded by one of the management servers, called Symantec Endpoint Protection Managers (SEPMs), and placed in the database. The SEPMs then use these definitions to distribute updates to clients.

In most Symantec Endpoint Protection deployments, the Symantec Endpoint Protection Manager (SEPM) will download and distribute materials to all of its Windows clients efficiently.

For more information, please see Managing content updates and Configuring a site to download content updates.

 

About configuring the management server to run LiveUpdate from an internal server

In certain environments, it is desirable to have an internal LiveUpdate server on the network rather than obtain updates from the Internet source servers. LiveUpdate Administrator 2.x (LUA 2.x) or the legacy LiveUpdate Administration Utility (LUAU 1.x) may be preferable in:

  • high-security "airlocked" environments

  • environments with many different Symantec products

  • on corporate networks where all updates must be tested prior to widespread deployment

  • in environments with 10,000 endpoints or more

  • in environments with many Macintosh or Symantec AntiVirus for Linux (SAVFL) clients. ("SEP for Mac" and SAVFL cannot receive definitions directly from the SEPM, and must either download from the Internet LiveUpdate source servers or from an internal source)

There are additional cases in which it is preferable to use LUA 2.x. See When to use LiveUpdate Administrator, Best Practices for LiveUpdate Administrator (LUA) 2.x and the Connect forum article A Helpful LiveUpdate Administrator 2.x Analogy for more information.

For details on how to configure a site to download updates from an internal LiveUpdate server, please see Setting up an internal LiveUpdate server.

 

About site replication and content updates

If you configure sites on your network for replication from another site, the content updates (AV definitions and so on) that are in the database of the primary site can be configured to replicate as part of the database. In this case, you only need to configure updates on the primary site.

If you choose to use product updates as well as content updates, you should not replicate product updates between sites, because these updates can be quite large, and one exists for every language that you select. For more information, please see Managing sites and replication and Specifying which data to replicate.

 

About updating definitions for Symantec Endpoint Protection Manager using a JDB file

If a SEPM cannot run LiveUpdate or has no access to Internet or internal source servers, it is possible to update the server's antivirus definitions by manually applying a special file. For details please see How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file.

Please note that the .jdb file only contains antivirus/antispyware definitions and will not provide updated content for the firewall and other features for the Symantec Endpoint Protection (SEP) clients.


Location: Client Group
Function:
  • Configure clients to receive updates from the management server. This is the default.

  • Configure clients to run LiveUpdate from the Symantec server.

  • Configure clients to run LiveUpdate from an internal server.

  • Configure a Group Update Provider (GUP) to distribute updates to clients.

  • Configure clients to receive updates via a third-party distribution system.

For information on how SEP client computers are updated, please see How client computers receive content updates.

 

Configuring how groups of clients download updates

In order to configure the behavior of a client group, you use LiveUpdate client policies, which you create in the Symantec Endpoint Protection Manager. There are two kinds of LiveUpdate client policy: LiveUpdate Settings policies, and LiveUpdate Content policies. The following table shows what each type of policy controls, and to what products each applies:

Policy type: LiveUpdate Settings
Controls:
  • How and from where clients receive updates
  • How often clients receive updates
  • Whether one of the clients is a Group Update Provider
  • Whether clients are allowed to download updates manually
Applies to:
  • Symantec Endpoint Protection
  • Symantec Network Access Control

Policy type: LiveUpdate Content
Controls:
  • What types of updates clients can download
  • Which specific revisions of updates clients can download
Applies to:
  • Symantec Endpoint Protection


These policies apply to both Windows and Macintosh ("SEP for Mac") clients. See Configuring a LiveUpdate Settings policy and Configuring a LiveUpdate Content Policy for details.

 

Viewing and changing the LiveUpdate Content policy that is applied to a client group

LiveUpdate Content policies are applied to groups and to all locations in groups. Therefore, the policy does not appear with other policies under locations in the console.


To view and change the LiveUpdate Content policy that is applied to a group

  1. In the console, click Policies, and create at least two LiveUpdate Content policies.

  2. Apply one of the policies to a group.

  3. In the console, click Clients, and then click the group that you want to view.

  4. In the right pane, on the "Policies" tab, under "Location-independent Policies and Settings", under "Settings", click LiveUpdate Content Policy Settings.

  5. In the dialog box, specify the LiveUpdate Content Policy to use for the group, and then click OK.

About Group Update Providers (GUPs)

When you create a LiveUpdate Settings policy, you have the option of specifying a Group Update Provider (GUP). The Group Update Provider provides updates to clients in the group, and any subgroups that inherit policies as set on the Clients tab. If you have clients in a group at a remote location that have bandwidth issues over the WAN, make a client in the group the Group Update Provider. The Group Update Provider must be a member of the group to which it provides updates. The Group Update Provider also lets you offload processing power from the Symantec Endpoint Protection Manager if you need that option.

When you configure a Group Update Provider, you specify a host name or IP address and a TCP port number. The default TCP port number is 2967, a port that was used in Symantec AntiVirus 10.x and Symantec Client Security 3.x network communications. If your Group Update Provider computer receives IP addresses with DHCP, you should either assign a static IP address to the computer, or type the host name. If your Group Update Provider computer is at a remote location, and if that remote location uses network address translation (NAT), type the host name.

For more information on GUPs, please see About the types of Group Update Providers, Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP) and Group Update Provider: Sizing and Scaling Guidelines.

 

About Third-Party Management (TPM)

TPM refers to the management of SEP client content updates using a distribution mechanism other than the SEPM. A SEPM is still required to download and package content from LiveUpdate, as well as to generate policy files. The only thing TPM actually replaces is the transfer of policies and content to the SEP client. See About using third-party distribution tools to distribute content updates to managed clients (SEP 11.0.6 and higher) and Using third-party distribution tools to update client computers (SEP 12.1.2 and higher) for details.

Location: Local client
Function:
  • Run LiveUpdate manually on a local client.

  • Schedule LiveUpdate to run on a local client.

  • Download the Intelligent Updater manually on a local client (virus definitions only).

 

Configuring a local client to download updates

If a client is unmanaged ("self-managed"), or if a LiveUpdate Settings policy for managed clients allows, several options exist for downloading updates on individual clients.

 

Running LiveUpdate manually

Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow manual updates have the LiveUpdate button enabled in the Symantec Endpoint Protection window. Clicking this button will launch a utility that downloads the latest content update.

 

Scheduling LiveUpdate

Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow changes to the LiveUpdate schedule can be configured locally to download updates at specific times.

To configure the LiveUpdate schedule, please see How to schedule LiveUpdate on an Unmanaged (self-managed) client.

 

Running LiveUpdate from the command line

On SEP 11 Windows clients only, LiveUpdate can also be run from the command line or as a Windows scheduled task, with an optional -s (silent) switch:

"C:\Program Files\Symantec\LiveUpdate\Luall.exe" -s

This should normally be done only to check LiveUpdate's function, e.g. running it without the silent switch to verify the list of products that are registered with LiveUpdate.
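The following PowerShell wrapper is an added example, not part of the Symantec article, showing how the command-line run above can be used for a function check or as the action of a Windows scheduled task on a SEP 11 client. It assumes the default Luall.exe path quoted in the article; the log file location and the script's own -Silent switch are the example's choices.

```powershell
# Added example (not from the Symantec article): runs the SEP 11 client's
# LiveUpdate from the command line, optionally with the -s (silent) switch,
# and records the outcome so the run can be checked afterwards.
# Assumptions: the default install path quoted in the article; $LogPath and
# the -Silent parameter are choices made for this example.
param(
    [switch]$Silent,
    [string]$LogPath = "$env:ProgramData\LiveUpdateCheck.log"
)

$luall = "C:\Program Files\Symantec\LiveUpdate\Luall.exe"

# Fail clearly if LiveUpdate is not installed where the article says it is.
if (-not (Test-Path -LiteralPath $luall)) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) Luall.exe not found at $luall"
    exit 2
}

# The article's -s switch suppresses the LiveUpdate UI; leave it off when you
# want to see the list of products registered with LiveUpdate.
$startArgs = @{ FilePath = $luall; Wait = $true; PassThru = $true }
if ($Silent) { $startArgs['ArgumentList'] = '-s' }

$started = Get-Date
$proc = Start-Process @startArgs
$elapsed = (Get-Date) - $started

# Luall.exe exit codes are not documented in the article, so the value is
# logged and passed through unchanged rather than interpreted here.
$line = "{0} Luall.exe exit code {1} after {2:N0} s (silent={3})" -f `
    (Get-Date -Format s), $proc.ExitCode, $elapsed.TotalSeconds, $Silent.IsPresent
Add-Content -Path $LogPath -Value $line
exit $proc.ExitCode
```

Run it without -Silent from an interactive session to perform the product-list check the article describes; use -Silent when the script is the action of a scheduled task.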

 

Using Intelligent Updater (IU)

It is possible to update the antivirus definitions on managed or unmanaged SEP clients using a standalone tool. See How to update definitions for Symantec Endpoint Protection using the Intelligent Updater for details.

 


Legacy ID



2007091122402048



