Virus Definition Update Methods Available for Symantec Mail Security for Microsoft Exchange (SMSMSE)

Article:TECH131756  |  Created: 2010-01-16  |  Updated: 2014-05-06  |  Article URL http://www.symantec.com/docs/TECH131756
Article Type
Technical Solution


Issue



What methods are available to update virus definitions for Symantec Mail Security for Microsoft Exchange?

 


Solution



1. LiveUpdate for Certified definitions.

    To schedule LiveUpdate to retrieve Certified virus definitions:

    a. Open the SMSMSE console, and navigate to Admin -> LiveUpdate/Rapid Release schedule.
    b. Ensure Enable automatic virus definition updates is checked and Use Certified LiveUpdate definitions is selected.
    c. Under Schedule, set the schedule on which you would like LiveUpdate to run. Be aware only one set of certified definitions is available per day, so it is recommended to schedule only one update per day.


2. Rapid Release updates.

    To configure Rapid Release updates:

    a. Open the SMSMSE console and navigate to Admin -> LiveUpdate/Rapid Release Schedule.
    b. Check the box for Enable Automatic virus definition updates, and select the radio button for Use Rapid Release definitions.
    c. Under Schedule, set the schedule on which you would like Rapid Release to run. Multiple updates are available per day (approximately one release per hour), so you may want to set it to check every X hours. Rapid Release uses port 21 to download definitions, bypassing the need for port 80 access. Be aware that Rapid Release definitions are not tested as thoroughly as certified definition sets, but are updated more frequently.


3. Share definitions from a Symantec Endpoint Protection (SEP) client.

If SEP 12.0 or lower is installed there are certain conditions under which virus definitions can be shared. If the system is a 32-bit system, SMSMSE will share definitions with SEP or a legacy Symantec AntiVirus (SAV) client. If the system is a 64-bit system, SMSMSE can share definitions with SAV/SEP in certain conditions. Additional steps must be taken in order to share successfully. See the following document for details: 'How to Share Virus Definitions Between Symantec Endpoint Protection (SEP) and Symantec Mail Security for Microsoft Exchange (SMSMSE) 6 on a 64 bit Operating System'.


4. Schedule the Intelligent Updater using the steps provided in How to update definitions for Symantec Mail Security for Microsoft Exchange using the Intelligent Updater.

5. Use an internal LiveUpdate Server.

Configure an Internal LiveUpdate server (LiveUpdate Administrator 2.x). Symantec Mail Security can be set to retrieve certified definition sets from an internal LUA 2.x server via LiveUpdate. To configure an internal LiveUpdate server and point SMSMSE to retrieve updates from that server, follow the steps provided in this document: Distributing Virus definitions for Symantec Mail Security for Microsoft Exchange via LiveUpdate Administrator.

Each of these methods can have advantages or disadvantages relative to one another, depending on the environment. Here are some factors to consider when deciding which method is correct for your environment:

    1. LiveUpdate for Certified definitions: This is the default update method for SMSMSE virus definitions, and is enabled by default. This method has the advantage of being very simple to set up and maintain, but has two potential drawbacks. It requires access to the internet on port 80, and it uses WAN bandwidth, whereas some of the other methods use LAN bandwidth.
    2. Rapid Release Updates: This method is also very simple, and only requires configuration through the SMSMSE console. Multiple sets of Rapid Release definitions are available each day, meaning you will always have the latest definitions known to Symantec if you choose this method. However, these definitions are not tested as thoroughly as Certified definitions, and thus run a higher risk of producing false positives. Using Rapid Release definitions will also consume much more bandwidth than LiveUpdate. Note that this method requires internet access for the Exchange server on port 21.
    3. Sharing Definitions with SAV/SEP: This method requires the least bandwidth and does not require direct internet access on the Exchange server, as SMSMSE will be absorbing definitions that have been downloaded to a single server and distributed out to the clients. However, this method requires some initial set-up to function correctly with current versions of SMSMSE, and also requires that a SAV/SEP client be installed on the Exchange server.
    4. Scheduled Intelligent Updater: This method requires internet access on port 21 for the Exchange server, and functions similarly to Rapid Release updates scheduled in the SMSMSE console, but applies certified definition sets instead of Rapid Release sets. This method is only recommended if none of the other methods are feasible for your network.
    5. Internal LiveUpdate server: This method uses only internal network connections to download definitions to the Exchange server, making it ideal for Exchange servers that have no internet access and do not have SAV/SEP installed, which makes sharing unfeasible. However, this method requires you to have another machine to act as the internal LiveUpdate server, and this machine must have internet access on port 80. This method also requires some significant configuration up front, but once it is configured it does not require additional actions to be taken for definitions to stay up to date.


Technical Information


This section provides information on where SMSMSE stores virus definitions on various operating system versions:

 

Hawking Structure

    These are the virus definitions that are updated by LiveUpdate, and they are also what SAV/SEP uses for virus scanning. Any update method you choose will always update the Hawking structure first. Whenever this location is updated, an event ID 30 is observed in the event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful".

    Windows 2003 32-bit: C:\Program Files\Common Files\Symantec Shared\VirusDefs
    Windows 2003 64-bit: C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs
        NOTE: If SAV/SEP is not installed on the system, this location does not exist with SMSMSE 6.0.9 and greater. See SMSMSE Hawking Structure below.
    Windows 2008: C:\ProgramData\Symantec\Definitions\VirusDefs
        NOTE: If SAV/SEP is not installed on the system, this location does not exist with SMSMSE 6.0.9 and greater. See SMSMSE Hawking Structure below.

SMSMSE Hawking Structure

    On 64-bit systems, SMSMSE generates its own Hawking structure. LiveUpdate and other definition update methods update this directory.

    Whenever this location is updated, an event ID 30 is observed in the application event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful".

    SMSMSE 6.5.7 and later: These are the definitions used by SMSMSE directly for virus scanning. SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.

    SMSMSE 6.5.6 and earlier: This acts as a file repository, and is not used directly for virus scanning by any process.

    Windows 2003 32-bit: N/A
    Windows 2003 64-bit: C:\Program Files (x86)\Common Files\Symantec Shared\SymcData\virusdefs32
    Windows 2008: C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32

CSAPI

    SMSMSE 6.5.7 and later: The directory below is no longer updated, but SMSMSE still relies on the files being in this directory.

    SMSMSE 6.5.6 and earlier: These are the definitions used by SMSMSE directly for virus scanning. After virus definitions are processed into the Hawking structure by your chosen virus definition update method, SMSMSE checks the Hawking structure every 10 minutes for updates, and when a new update is available, copies the definitions into CSAPI. After the definitions are copied to CSAPI, SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.

    Windows 2003 32-bit: C:\Program Files\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs
    Windows 2003 64-bit: C:\Program Files (x86)\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs
    Windows 2008: C:\Program Files (x86)\Common Files\Symantec Shared\definitions\AntiVirus
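
Added example (not part of the original article and not Symantec code): a PowerShell check that uses the two application-log events described above to tell whether definitions were downloaded (event ID 30) and then loaded for scanning (event ID 25). The function name, the 48-hour staleness limit, the 15-minute grace period (chosen to cover the 10-minute check interval) and the 14-day lookback are assumptions.

```powershell
# Added example, not Symantec code. The source name and event IDs 30 and 25 come
# from the article; the function name and all thresholds are assumptions.
function Get-SmsmseDefinitionStatus {
    param(
        [int]$MaxAgeHours  = 48,   # assumed limit before definitions count as stale
        [int]$GraceMinutes = 15,   # assumed; 6.5.6 and earlier poll every 10 minutes
        [int]$LookbackDays = 14    # assumed search window
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Symantec Mail Security for Microsoft Exchange'
        Id           = 30, 25
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent returns newest first; "no events found" is a non-terminating error.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $last30 = $events | Where-Object { $_.Id -eq 30 } | Select-Object -First 1
    $last25 = $events | Where-Object { $_.Id -eq 25 } | Select-Object -First 1
    $now    = Get-Date

    if (-not $last30) {
        $status = 'NoUpdateEvent'        # nothing downloaded inside the window
    } elseif (($now - $last30.TimeCreated).TotalHours -gt $MaxAgeHours) {
        $status = 'Stale'                # last successful download is too old
    } elseif ($last25 -and $last25.TimeCreated -ge $last30.TimeCreated) {
        $status = 'Loaded'               # event 25 followed the latest event 30
    } elseif (($now - $last30.TimeCreated).TotalMinutes -le $GraceMinutes) {
        $status = 'PendingLoad'          # downloaded, still inside the grace period
    } else {
        $status = 'DownloadedNotLoaded'  # event 30 without a later event 25
    }

    $t30 = $null; if ($last30) { $t30 = $last30.TimeCreated }
    $t25 = $null; if ($last25) { $t25 = $last25.TimeCreated }
    New-Object PSObject -Property @{
        Status = $status; LastEvent30 = $t30; LastEvent25 = $t25
    }
}

Get-SmsmseDefinitionStatus
```

A `DownloadedNotLoaded` or `Stale` result means the scanner may be running on older definitions than the update method reports, which is the condition worth alerting on.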




Legacy ID



2010041610495954

