What does an unmanaged Symantec Endpoint Protection 11 client retrieve from LiveUpdate for its definitions?

Article:TECH169751  |  Created: 2011-09-16  |  Updated: 2012-03-08  |  Article URL http://www.symantec.com/docs/TECH169751
Article Type
Technical Solution


Issue



What, specifically, does an unmanaged Symantec Endpoint Protection (SEP) client retrieve when it connects to a LiveUpdate server to update its definitions?  Which requests and responses are normal?  Why does SEP occasionally require a very large update, when on most days the files downloaded are small?


Solution



To ensure that protection is provided "straight out of the box," a SEP client is installed with a base set of antivirus definitions intact.  After the installation is completed, the client will initiate a LiveUpdate session to retrieve the most up-to-date protection for all of its components.

Unless configured otherwise, an unmanaged SEP client connects directly to LiveUpdate to update its definitions.  A managed SEP client typically does, as well, when LiveUpdate is run manually from the client interface.

The default connection URLs are:

  • http://liveupdate.symantecliveupdate.com
  • http://liveupdate.symantec.com
  • ftp://update.symantec.com/opt/content/onramp

The SEP client maintains an encrypted LiveUpdate product inventory list (C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate; on Windows Vista and later the same file is found under C:\ProgramData\Symantec\LiveUpdate\) that records the components and products installed with the SEP client.  As seen in a typical log.liveupdate:

25/08/2011, 15:23:00 GMT -> Opened the product inventory at "C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".

LiveUpdate checks this list to determine which combination of components it needs to retrieve.  For example:

25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Automatic LiveUpdate, Version: 3.3.0.102, Language: English. Mini-TRI file name: automatic$20liveupdate_3.3.0.102_english_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Decomposer, Version: 1.0.0, Language: SymAllLanguages. Mini-TRI file name: decomposer_1.0.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symevent Installer, Version: 12.8, Language: SymAllLanguages. Mini-TRI file name: symevent$20installer_12.8_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: MS Light, Version: 5.0, Language: SymAllLanguages. Mini-TRI file name: ms$20light_5.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Known Application System, Version: 1.5.0, Language: SymAllLanguages. Mini-TRI file name: symantec$20known$20application$20system_1.5.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SEP PTS Engine Win32, Version: 6.1.0, Language: SymAllLanguages. Mini-TRI file name: sep$20pts$20engine$20win32_6.1.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SEP PTS Content, Version: 6.1.0, Language: SymAllLanguages. Mini-TRI file name: sep$20pts$20content_6.1.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.curdefs_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.Apr, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.apr_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Submission Control Data, Version: 11.0, Language: SymAllLanguages. Mini-TRI file name: sesc$20submission$20control$20data_11.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC IPS Signatures Win32, Version: 11.0, Language: SymAllLanguages. Mini-TRI file name: sesc$20ips$20signatures$20win32_11.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Security Content B1, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: symantec$20security$20content$20b1_microdefsb.curdefs_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Security Content A1, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: symantec$20security$20content$20a1_microdefsb.curdefs_symalllanguages_livetri.zip

(Note that two separate SESC Virus Definitions files are necessary to bring a client up to date: CurDefs and HubDefs.  In the inventory above, HubDefs is listed under the version name MicroDefsB.Apr.)


The definitions that are retrieved from the public LiveUpdate server in a typical default installation of an unmanaged client can be seen in the log.liveupdate.

The example log below provides an extract of entries found in a log.liveupdate, showing which antivirus definitions are retrieved during that first session:


25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110418018 to 110824050. Server name - liveupdate.symantecliveupdate.com, Update file - 1314253617jtun_nav2k8enncur25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success

25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.Apr - SymAllLanguages. Update for HubDefs takes product from update 110418018 to 110818021. Server name - liveupdate.symantecliveupdate.com, Update file - 1313715088jtun_nav2k8enn04m25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success

Both CurDefs and HubDefs were downloaded and successfully applied, bringing the newly-installed SEP client up to date.

When the SEP client performs subsequent LiveUpdate sessions, it typically retrieves only the incremental (CurDefs) definitions.  LiveUpdate compares the definitions the client already has with those available and decides what the client needs on that basis.


Below is an extract from a subsequent LiveUpdate session, showing the single file that the client retrieves from LiveUpdate:


25/08/2011, 19:35:29 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110824050 to 110825002. Server name - liveupdate.symantecliveupdate.com, Update file - 1314282430jtun_nav2k8en110824050.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success


The client retrieved only the CurDefs definitions, updating from "2011 Aug 24 revision 050" (110824050) to "2011 Aug 25 revision 002" (110825002).
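To show how the inventory and update-event entries quoted above can be checked mechanically (for instance when reviewing a client's log.liveupdate to confirm it is current), here is an added Python example that is not Symantec's code: it parses both kinds of line, reconstructs each Mini-TRI name from its product fields, decodes the YYMMDDRRR definition ids into a date and revision, and flags updates that came from a host other than the default LiveUpdate servers listed in this article. The 20xx century in the id decoding and the abridged Signer field in the constructed sample are assumptions.

```python
import re
from datetime import date

# Default LiveUpdate hosts listed in this article; any other host in the log is worth a look.
DEFAULT_SERVERS = {"liveupdate.symantecliveupdate.com", "liveupdate.symantec.com", "update.symantec.com"}

# Product-inventory lookups ("Check for updates to: ...")
CHECK_RE = re.compile(
    r"Check for updates to: Product: (?P<product>.+?), Version: (?P<version>.+?), "
    r"Language: (?P<language>.+?)\. Mini-TRI file name: (?P<tri>\S+)")
# Successful definition updates; the old/new ids are YYMMDDRRR (date plus revision)
UPDATE_RE = re.compile(
    r"PRODUCT UPDATE SUCCEEDED EVENT.*Update for (?P<kind>\w+) takes product from update "
    r"(?P<old>\d{9}) to (?P<new>\d{9})\. Server name - (?P<server>[\w.-]+), "
    r"Update file - (?P<file>[^,\s]+)")

def mini_tri_name(product, version, language):
    """Mini-TRI name as it appears in the log: fields lowercased, spaces encoded as $20."""
    return "_".join(f.lower().replace(" ", "$20") for f in (product, version, language)) + "_livetri.zip"

def decode_defs_id(defs_id):
    """Split a 9-digit definition id into (date, revision); assumes the 20xx century."""
    if not re.fullmatch(r"\d{9}", defs_id):
        raise ValueError(f"not a definition id: {defs_id!r}")
    return date(2000 + int(defs_id[:2]), int(defs_id[2:4]), int(defs_id[4:6])), int(defs_id[6:])

def summarize_session(log_text):
    """Return (inventory checks, applied updates) parsed from a log.liveupdate extract."""
    checks, updates = [], []
    for line in log_text.splitlines():
        if m := CHECK_RE.search(line):
            expected = mini_tri_name(m["product"], m["version"], m["language"])
            checks.append({"product": m["product"], "version": m["version"],
                           "tri_matches": m["tri"] == expected})
        elif m := UPDATE_RE.search(line):
            updates.append({"kind": m["kind"], "old": decode_defs_id(m["old"]),
                            "new": decode_defs_id(m["new"]), "file": m["file"],
                            "server": m["server"], "known_server": m["server"] in DEFAULT_SERVERS})
    return checks, updates

# Constructed sample: lines in the shape of those quoted in this article, with the Signer field abridged.
SAMPLE_LOG = """\
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Automatic LiveUpdate, Version: 3.3.0.102, Language: English. Mini-TRI file name: automatic$20liveupdate_3.3.0.102_english_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.curdefs_symalllanguages_livetri.zip
25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110418018 to 110824050. Server name - liveupdate.symantecliveupdate.com, Update file - 1314253617jtun_nav2k8enncur25.m25, Signer - cn=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.Apr - SymAllLanguages. Update for HubDefs takes product from update 110418018 to 110818021. Server name - liveupdate.symantecliveupdate.com, Update file - 1313715088jtun_nav2k8enn04m25.m25, Signer - cn=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
"""
if __name__ == "__main__":
    for u in summarize_session(SAMPLE_LOG)[1]:
        print(f"{u['kind']}: {u['old']} -> {u['new']} via {u['file']} (default host: {u['known_server']})")
```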


A set of current monthly definitions (sometimes called "hub," "full" or "error" definitions) is published once per month.  For details on the conditions under which a SEP client will need to download these larger files, please see the article Symantec Endpoint Protection 11.x LiveUpdate "Micro Definition" Updates Explained.
