How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file

Article:TECH102607  |  Created: 2007-01-08  |  Updated: 2014-03-06  |  Article URL http://www.symantec.com/docs/TECH102607
Article Type
Technical Solution


Issue



What steps can I take to update the antivirus definitions on a Symantec Endpoint Protection Manager (SEPM) using a .jdb file?  When is it necessary to use this procedure?

 


Cause



When the SEPM is behind a closed firewall/proxy or has no direct access to the Internet or an internal LiveUpdate Administrator 2.x (LUA 2.x) server, it cannot retrieve content from Symantec's LiveUpdate servers. For managed SEP clients configured to receive updates from this SEPM, their protection content then becomes out of date. If the SEPM cannot update its content by running LiveUpdate, then the use of a .jdb file to manually update the definitions content on the SEPM is the next preferred method.

There are also circumstances when it is necessary to immediately apply the very latest Rapid Release definitions to a SEPM in order to combat the outbreak of a new threat (malware).  Rapid Release definitions are not released through LiveUpdate, but may be applied to a SEPM through the use of a .jdb file.

 


Solution



A .jdb file can be used to update the virus definitions for SEPM. The updated SEPM will then begin to supply the updated definitions to the managed Symantec Endpoint Protection (SEP) clients that are configured to receive content from that SEPM.

The .jdb file for virus and spyware protection does not provide updated content for the firewall, IPS, SONAR, or other features for SEP clients. SEP 12.1.3 and later support .jdb files for Network-Based Protection (IPS) and Behavior-Based Protection (SONAR); earlier versions only support virus and spyware updates using the .jdb. IPS and SONAR .jdb files can be found on the Symantec Security Response Web site.

Use the .jdb certified definitions or the .jdb Rapid Release definitions to update SEPM content.

 
About Rapid Release virus definitions

Several times a day, all new detections are compiled into a new Rapid Release virus definition set, which is then posted to the Symantec public site. Rapid Release virus definitions are created whenever Symantec Security Response receives a new virus sample. The purpose of the Rapid Release virus definitions is to aid corporate customers in the event of a new virus infection. In a networked environment, it is possible for an undetected virus to spread quickly. Using Rapid Release virus definitions is a proactive effort to prevent the spreading of a new virus. 

Rapid Release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these definitions is the rapid detection of newly emerging threats. The definitions may be augmented later with more robust detection capabilities. While Symantec Security Response makes every effort to make sure that all virus definitions function correctly, you should understand that Rapid Release-quality virus definitions do pose some risks, such as the higher potential for false positives. Rapid Release definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast spreading virus outbreaks.

Several times per weekday, all new detections added as Rapid Release definitions go through the complete QA process, including testing for false positives and testing for full compatibility with Symantec Endpoint Protection. Once the Rapid Release definitions pass the full QA process, they are then posted as Certified LiveUpdate definitions or Multiple Daily Definitions.

Please note that the consistent use of the Rapid Release definitions is not encouraged by Symantec and the use of the Rapid Release definitions is intended to be used on a case by case basis to mitigate a possible virus outbreak. Under normal conditions, Symantec strongly encourages customers to use the Daily Certified definitions for routine use.

 
Downloading the .jdb file

If you are unsure as to which definitions set you should use, please contact Symantec Support for guidance.

 
To download the .jdb certified definitions:

  1. In a browser, go to the Symantec Endpoint Protection / Symantec Antivirus Corporate Edition web page at the following URL:
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce
  2. On the Symantec Endpoint Protection tab, download the available .jdb file and save the file to the Windows desktop
    There are multiple headings/product categories presented. Be aware that there is only one .jdb in the list that will need to be downloaded. This is sufficient to update both 32- and 64-bit definitions on the SEPM.  

 
To download the .jdb Rapid Release definitions:

  1. In a browser, go to the Rapid Release Virus Definitions web page at the following URL:
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
  2. Download the available .jdb file and save the file to the Windows desktop.
    There are multiple headings/product categories presented. Be aware that there is only one .jdb in the list that will need to be downloaded. This is sufficient to update both 32- and 64-bit definitions on the SEPM.

 
To use the .jdb file to update definitions for SEPM:

  1. After downloading, you may need to rename the file extension from .zip to .jdb. Most browsers detect the file type and automatically change the extension. You must change it back to .jdb for use by the SEPM.
  2. Copy the .jdb file to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming for 32 bit operating systems and to C:\Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming for 64 bit operating systems. The location listed in this line is the default installation location and is presented as an example only.
    NOTE: Be sure to copy and paste the .jdb file to this location. Copying the .jdb file allows the file to inherit the correct permissions from the enclosing folder. If you cut and paste (or move) the .jdb file into this location, the file may fail to process correctly.
  3. Usually the .jdb file processes within one minute. As the .jdb file is processed, all files and subfolders are removed from the Incoming folder.

 
Verify that the SEPM content is updated:

To verify that the SEPM content has been updated, look in the following folders:

  • For SEP 12.1.x:
    32-bit Definitions: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{535CB6A4-441F-4e8a-AB97-804CD859100E}
    64-bit Definitions: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{07B590B3-9282-482f-BBAA-6D515D3855E2}      
  • For SEP 11.x:
    32-bit definitions: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}"
    64-bit definitions: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{1CD85198-26C6-4bac-8C72-5D34B025DE35}" 

Typically, there will be three or more numbered folders present. The folder naming convention is "yymmddxxx". For example, "100602034". This is the date and build (revision) number of the definition set installed. Please note that the definition set installed may have been published the previous day and a set for the current day may not yet be available.

There should be a folder named "Full" and a zip file named "Full.zip" inside the folder that matches the set downloaded and installed. Inside the "Full" folderare the files typically associated with a virus definition set.

 
Important Notes:

For details on how to manage the number of definitions maintained by the SEPM, see How to change the number of downloaded content revisions that are kept in 11.0.2000 (MR2) or later.

 
Additional Clarification:

The Intelligent Updater .exe files are designed to update client installs for SEP only. These Intelligent Updater files do not contain the required content needed by a SEPM.

  • The Intelligent Updater (IU) file names for SEP clients end with "v5i32.exe" or "v5i64.exe" (32- and 64-bit respectively).
  • The Intelligent Updater file names listed on the Symantec AntiVirus Corporate Edition tab should only be used with those specifically listed products.

 
References:

This document is available in the following languages:


 


Supplemental Materials

SourceETrack
Value1163481


Legacy ID



2007100820002048


Article URL http://www.symantec.com/docs/TECH102607


Terms of use for this information are found in Legal Notices