Virus Definition Update FAQ
|Article:TECH103326|||||Created: 2007-01-13|||||Updated: 2015-01-15|||||Article URL http://www.symantec.com/docs/TECH103326|
This article describes the differences among the available virus definition update types.
What does “Certified” mean?
Each certified set of virus definitions is fully tested and certified by Quality Assurance (QA) on all supported Symantec security products across all operating systems currently supported by Symantec. The testing includes a large corpus of threat samples to ensure comprehensive detection. Testing also includes an equally large set of clean files to ensure the avoidance of False Positive (FP) detections.
Certified virus definitions are optimized for quality, compared with Rapid Release virus definitions, which are optimized for high frequency deployment to customers. See the section below on Rapid Release virus definitions for a more complete explanation of this additional delivery option.
There are several types of definitions which are Certified:
Certified Multiple Daily LiveUpdate
Certified Multiple Daily LiveUpdate is published three times a day and offers the best protection from fast moving threats. These definitions are often referred to as MDD (Multiple Daily Definitions.) Customers using Symantec Endpoint Protection (SEP) are able to take advantage of this highest frequency of delivery. Other products may update less frequently.
Certified Daily LiveUpdate
Certified Daily LiveUpdate is published once per day and offers a high level of protection from fast moving threats. Customers using the legacy Symantec Antivirus (SAV) product are able to take advantage of this daily frequency of delivery. Many other Symantec products also use these daily certified updates. On mail security and other products at the enterprise's perimeter, it may be recommended to use Rapid Release definitions (see below) to ensure protection is available against the very latest threats in circulation rather than rely upon the once-per-day Certified Daily LiveUpdate.
Certified Weekly LiveUpdate
Certified Weekly LiveUpdate is published once per week and is considered a legacy level of support and therefore provides a lesser degree of protection compared with the daily and multiple daily frequencies. Given the large number of threats analyzed by Symantec Security Response each day, Symantec suggests that customers update their antivirus detection signatures at least once per day.
Certified Daily Intelligent Updater
Intelligent Updater (IU) virus definitions are a batch of the Rapid Release virus definitions that have undergone full QA testing and certification. The Intelligent Updater is an alternate delivery method for certified daily definitions.
Intelligent Updater Definitions can be obtained here:
HTTP Enterprise: http://www.symantec.com/avcenter/download/pages/US-SAVCE.html
FTP Enterprise: ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/
HTTP Consumer: http://www.symantec.com/avcenter/download/pages/US-N95.html
What does "Rapid Release" mean?
Rapid Release virus definitions are released slightly more than once per hour and are optimized for rapid deployment within an organization during a threat outbreak. They are passed through a somewhat lesser degree of testing than fully certified virus definitions, but they still maintain a relatively high level of quality. The primary risk in using Rapid Release virus definitions, although a relatively small risk, is potential false positive detections on a limited number of legitimate files.
Rapid Release virus definitions are generally used as part of an overall security strategy where fully certified virus definitions are deployed under normal circumstances and Rapid Release virus definitions are deployed during outbreak situations. Most customers do not use Rapid Release virus definitions as their standard deployment package for desktops, although it is technically possible to do so. Rapid Release virus definitions can more comfortably be deployed as a standard procedure on perimeter devices, such as email servers and web traffic gateways, as the risk posed by possible false positive detections on these systems only results in blocked traffic rather than disrupted desktop service.
Rapid Release virus definitions are not available via LiveUpdate. (This is the main difference between Rapid Release virus definitions and fully certified virus definitions in terms of deployment options.) Rapid Release definitions can be downloaded by HTTP or by FTP and then deployed in an organization. SAV and SEP customers can rest assured that they will be able to distribute microdefs delta packages to their endpoints when using Rapid Release packages. All versions of SEP support this capability. Users of the legacy SAV product should read the Clients receive very large updates after updating Symantec AntiVirus Corporate Edition clients and servers with Rapid Release definitions document for more detailed information.
Rapid Release definitions can be obtained by HTTP or by FTP.
Q: What are the primary differences between Rapid Release definitions and Daily Certified definitions?
A: All new detections are compiled into Rapid Release as they are created. These definitions are released many times a day and represent the most current virus definitions available. Although these signatures have gone through a battery of tests, Rapid Release-quality virus definitions may pose some risks, such as the higher potential for false positives.
Q: When and where should I use Rapid Release virus definitions?
A: Symantec recommends using Rapid Release virus definitions:
On an Email or Gateway server, where false positives prove little or no risk.
On Servers and Desktops during a virus emergency, when Certified LiveUpdate definitions may not be available for the very latest threats.
Important Note for users of Symantec AntiVirus Version 10.1.2 and earlier.
Newer versions of Symantec Software are designed to use a combination of Rapid Release and than native Virus Definition Transport Method (VDTM) more efficiently the earlier versions. For more information please read:
"Clients receive very large updates after updating Symantec AntiVirus Corporate Edition clients and servers with Rapid Release definitions."
Q: Will using Rapid Release definitions increase my network bandwidth consumption?
A: Yes. Rapid Release definitions and Intelligent Updaters contain protection against all known threats in one large file. These are equivant in size to downloading a full set of definitions- several hundred MB. If these large files are downloaded many times per day, the impact on bandwidth can be considerable. Running LiveUpdate to retrieve Certfied Daily Definitions or Multiple Daily Definitions will consume far less bandwidth.
Q: My organization uses a LiveUpdate Administrator 2.x (LUA 2.x) server to download and distribute content within our network. Can LUA 2.x download Rapid Release definitions and supply those updates to our servers and endpoints?
A: No, Rapid Release cannot be used with LUA 2.x at this time. LUA 2.x downloads certified definitions from Internet-based LiveUpdate source servers. It does not download Rapid Release definitions.
Article URL http://www.symantec.com/docs/TECH103326