Virus Definition Update Methods Available for Symantec Mail Security for Microsoft Exchange (SMSMSE)
|Article:TECH131756|||||Created: 2010-01-16|||||Updated: 2012-07-22|||||Article URL http://www.symantec.com/docs/TECH131756|
What methods are available to update virus definitions for Symantec Mail Security for Microsoft Exchange?
1. LiveUpdate for Certified definitions.
To schedule LiveUpdate to retrieve Certified virus definitions:
a. Open the SMSMSE console, and navigate to Admin -> LiveUpdate/RapidRelease schedule.
b. Ensure Enable automatic virus definition updates is checked and Use Certified LiveUpdate definitions is selected.
c. Under Schedule, set the schedule on which you would like LiveUpdate to run. Be aware only one set of certified definitions is available per day, so it is recommended to schedule only one update per day.
2. RapidRelease updates.
To configure RapidRelease updates:
a. Open SMSMSE console and navigate o Admin -> LiveUpdate/RapidRelease Schedule.
b. Check the box for Enable Automatic virus definition updates, and check the radio box for Use Rapid Release definitions
c. Under Schedule, set the schedule on which you would like RapidRelease to run. Multiple updates are available per day, so you may want to set it to check every X hours. Rapid Release uses
port 21 to download definitions, bypassing the need for port 80 access. Be aware that Rapid Release definitions are not tested as thoroughly as certified definition sets, but are updated more frequently.
3. Share definitions from Symantec AntiVirus (SAV) or Symantec Endpoint Protection (SEP).
If SEP 12.0 or lower is installed there are certain conditions under which virus definitions can be shared. If the system is a 32 bit system, SMSMSE will share definitions with SAV/SEP. If the system is a 64 bit system, SMSMSE can share definitions with SAV/SEP in certain conditions. Additional steps must be taken in order to share successfully. See the following document for details: 'How to Share Virus Definitions Between Symantec Endpoint Protection (SEP) and Symantec Mail Security for Microsoft Exchange (SMSMSE) 6 on a 64 bit Operating System'.
4. Schedule the intelligent updater using the steps provided in this document: 'Scheduling virus definition updates for Symantec Mail Security for Microsoft Exchange using the Intelligent Updater.'
5. Use an internal LiveUpdate Server.
Configure an Internal LiveUpdate server (LiveUpdate Administrator). Symantec Mail Security can be set to retrieve definition sets from an internal server via LiveUpdate. To configure an internal LiveUpdate server and point SMSMSE to retrieve updates from that server, follow the steps provided in this document: Distributing Virus definitions for Symantec Mail Security for Microsoft Exchange via LiveUpdate Administrator.
Each of these methods can have advantages or disadvantages relative to one another, depending on the environment. Here are some factors to consider when deciding which method is correct for your environment:
- LiveUpdate for Certified definitions: This is the default update method for SMSMSE virus definitions, and is turned on by default. This method has the advantage of being very simple to set up and maintain, but has two potential drawbacks. It requires access to the internet on port 80, and will use WAN bandwidth rather than LAN bandwidth as some other methods.
- RapidRelease Updates: This method is also very simple, and only requires configuration through the SMSMSE console. Multiple sets of rapid release definitions are available each day, meaning you will always have the latest definitions known to Symantec if you choose this method. However, these definitions are not tested as thoroughly as Certified definitions, and thus run a higher risk of catching false positives. This method requires internet access for the Exchange server on port 21.
- Sharing Definitions with SAV/SEP: This method requires the least bandwidth to accomplish and does not require direct internet access on the Exchange server, as SMSMSE will be absorbing definitions that have been downloaded to a single server and distributed out to the clients. However this method requires some set-up initially to function correctly with current versions of SMSMSE, and also requires that SAV/SEP be installed on the Exchange server.
- Scheduled intelligent updater: This method requires internet access on port 21 for the Exchange server, and functions similarly to RapidRelease updates scheduled in the SMSMSE console, but applies certified definition sets instead of RapidRelease sets. This method is only recommended if none of the other methods are feasible for your network.
- Internal LiveUpdate server: This method requires only the use of internal network connections download definitions to the Exchange server, making it ideal for Exchange servers that have no internet access and do not have SAV/SEP installed making sharing unfeasible. However, this method requires you to have another machine to act as the internal LiveUpdate server, and this machine must have internet access on port 80. This method also requires some significant configuration up front, but once it is configured it does not require additional actions to be taken for definitions to stay up to date.
This section provides information on where SMSMSE stores virus definitions on various operating system versions:
|Hawking Structure||These are the virus definitions that are updated by LiveUpdate, as well as what is used by SAV/SEP for virus scanning. Any update method you choose will always update the Hawking structure first. Whenever this location is updated, an event ID 30 is observed in the event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"|
|Windows 2003 32-bit||C:\Program Files\Common Files\Symantec Shared\VirusDefs|
|Windows 2003 64-bit||C:\Program Files(x86)\Common Files\Symantec Shared\VirusDefs|
|NOTE: Windows 2003 64-bit||If SAV/SEP is not installed on the system, this location does not exist with SMSMSE 6.0.9 and greater. See SMSMSE hawking structure below.|
|NOTE: Windows 2008||If SAV/SEP is not installed on the system, this location does not exist with SMSMSE 6.0.9 and greater. See SMSMSE hawking structure below.|
|SMSMSE Hawking Structure||On 64 bit systems, SMSMSE generates it's own Hawking structure. LiveUpdate and other definition update methods update this directory.|
|Whenever this location is updated, an event ID 30 is observed in the application event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"|
|SMSMSE 6.5.7 and later:|
|These are the definitions used by SMSMSE directly for virus scanning. SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.|
|SMSMSE 6.5.6 and earlier:|
|This acts as a file repository, and is not used directly for virus scanning by any process.|
|Windows 2003 32-bit||N/A|
|Windows 2003 64-bit||C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32|
|CSAPI||SMSMSE 6.5.7 and later:|
|This directory below is no longer updated, but SMSMSE still relies on the files being in this directory.|
|SMSMSE 6.5.6 and earlier:|
|These are the definitions used by SMSMSE directly for virus scanning. After virus definitions are processed into the Hawking structure by your chosen virus definition update method, SMSMSE checks the Hawking structure every 10 minutes for updates, and when a new update is available, copies the definitions into CSAPI. After the definitions are copied to CSAPI, SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.|
|Windows 2003 32-bit||C:\Program Files\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs|
|Windows 2003 64-bit||C:\Program Files(x86)\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs|
|Windows 2008||C:\Program Files(x86)\Common Files\Symantec Shared\definitions\AntiVirus|
Article URL http://www.symantec.com/docs/TECH131756