Symantec Endpoint Protection 11.x LiveUpdate "Micro Definition" Updates Explained

Article:TECH180196  |  Created: 2012-01-30  |  Updated: 2013-03-12  |  Article URL http://www.symantec.com/docs/TECH180196
Article Type
Technical Solution

Product(s)

Issue



Symantec Endpoint Protection (SEP) 11.x Clients may download unexpected or multiple AntiVirus Definition updates via LiveUpdate.


Solution



SEP clients update their AntiVirus definitions (defs) by downloading so-called "Micro Definitions" via LiveUpdate (LU). If the client is up to date, the update will be a Direct Delta that patches the definitions to the latest available version.

There are basically 4 content types LU clients could download. They fall into two categories: 

  1. Updates to the definitions the SEP client is actively using
  2. Updates to the so-called "hub defs", a cache of definitions primarily used by Legacy LiveUpdate clients in the definition update process: this cache is used in conjunction with downloaded delta patches to update the client. SEP clients do not normally need these hub defs anymore, but may need them in the conditions described below.

The hub defs are still being updated to accommodate situations where the direct deltas are either not available or not usable, for whatever reason.

These hub defs can also be updated incrementally if they are not older than 10 months.

When a client does require a hub def update, it will also still need an update to the defs it is actually using, so the client will never get just a hub update by itself.

 

Content update type details and usage:

  • Direct Deltas
    • For clients that are up to date. This will directly patch them from the defs they use to the new defs.
    • Filename convention: *en#########.m25 (######### stands for yymmddrrr, e.g. 120126033 for 2012-01-26 rev.33; this file will be downloaded by a client that uses 2012-01-26 rev.33 defs)
  • Curdefs
    • For clients that have "old defs" but a current hub. Hops from the "current defs on the client" to what is available at download time.
    • Filename convention: *enncur25.m25
  • Hub-to-hub defs
    • For clients that have both old defs and non-current hub defs. The hub-to-hub is a delta update to patch the non-current hub.
    • Filename convention: *enn<month>m25.m25
    • These clients also need the Curdefs, in addition, to patch the old defs they are currently using.
  • Full defs
    • For extreme cases where both the hub (older than 10 months) and the "current" defs on the client are old (i.e. no direct deltas available)
    • Filename convention: *ennful25.m25
    • These clients also need the Curdefs, in addition, to patch the old defs they are currently using.

(Note: "old defs" are defined as any def set for which there is no direct delta currently posted)

 

Direct Deltas Availability

Direct Deltas will be available for the last 15 certified and released virus definitions. Since the advent of the multiple daily LU definitions (on average 3 times daily) this means that on average SEP 11 clients will get Direct Deltas if they have definitions not older than 5 days.

Note that LiveUpdate servers host four weeks' worth of daily updates for SEP 12.1 clients. Unless a client is out of date for approximately one month, it will be able to download a delta.

 

The increase in the number of microdef files means that each day's downloads will be larger in SEP 12.1 than they were previously in SEP 11.

Example of definitions available on the Symantec LiveUpdate servers on 30 January 2012

Direct Deltas:

(the naming convention is: <posted_date_in_Unix_Epoch_time><JavaTriage><product>enyymmddrrr.m25. SEP clients share the same updates and are therefore the same “product” as NAV 2008, hence the “nav2k8” in <product>)

  • 1327865301jtun_nav2k8en120128009.m25  For clients that are the most up to date on 30 January 2012. Previous LiveUpdate defs are 1/28/2012 rev. 9
  • 1327865301jtun_nav2k8en120127019.m25
  • 1327865301jtun_nav2k8en120127001.m25
  • 1327865301jtun_nav2k8en120126033.m25
  • 1327865301jtun_nav2k8en120126018.m25
  • 1327865301jtun_nav2k8en120126003.m25
  • 1327865301jtun_nav2k8en120125033.m25
  • 1327865301jtun_nav2k8en120125018.m25
  • 1327865301jtun_nav2k8en120125003.m25
  • 1327865301jtun_nav2k8en120124035.m25
  • 1327865301jtun_nav2k8en120124022.m25
  • 1327865301jtun_nav2k8en120124008.m25
  • 1327865301jtun_nav2k8en120123034.m25
  • 1327865301jtun_nav2k8en120123018.m25
  • 1327865301jtun_nav2k8en120118001.m25
  • 1327865301jtun_nav2k8en120111002.m25

Curdefs:

  • 1327865301jtun_nav2k8enncur25.m25

Hub-to-hubs:

  • 1326744606jtun_nav2k8enn12m25.m25
  • 1326744606jtun_nav2k8enn11m25.m25
  • 1326744606jtun_nav2k8enn10m25.m25
  • 1326744606jtun_nav2k8enn09m25.m25
  • 1326744606jtun_nav2k8enn08m25.m25
  • 1326744606jtun_nav2k8enn07m25.m25
  • 1326744606jtun_nav2k8enn06m25.m25
  • 1326744606jtun_nav2k8enn05m25.m25
  • 1326744606jtun_nav2k8enn04m25.m25
  • 1326744606jtun_nav2k8enn03m25.m25
  • 1326744606jtun_nav2k8enn02m25.m25
  • 1326744606jtun_nav2k8enn01m25.m25

Full:

  • 1326744606jtun_nav2k8ennful25.m25
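
The filename conventions above are regular enough to classify downloads seen in proxy or LiveUpdate logs and so spot clients whose definitions have fallen behind. The following is an added example, not Symantec code; the function names, the host names and the per-client download lists are constructed for illustration, and the filenames are taken from the listing in this article.

```python
import re
from datetime import datetime, timezone

# Layout <epoch><JavaTriage>_<product>en<tail>.m25, per the listing in this article.
_NAME = re.compile(
    r"^(?P<posted>\d{10})(?P<triage>[a-z]+)_(?P<product>[a-z0-9]+?)"
    r"en(?P<tail>\d{9}|ncur25|n\d{2}m25|nful25)\.m25$"
)

def parse_microdef(name):
    """Describe one LiveUpdate microdef filename, or return None if it is not one."""
    m = _NAME.match(name.strip().lower())
    if m is None:
        return None
    tail = m["tail"]
    info = {"product": m["product"],
            "posted": datetime.fromtimestamp(int(m["posted"]), tz=timezone.utc)}
    if tail.isdigit():  # yymmddrrr: the defs this delta patches *from*
        info["kind"] = "direct_delta"
        # Assumption: two-digit years are 20yy.
        info["from_defs"] = f"20{tail[:2]}-{tail[2:4]}-{tail[4:6]} rev.{int(tail[6:])}"
    elif tail == "ncur25":
        info["kind"] = "curdefs"
    elif tail == "nful25":
        info["kind"] = "full"
    else:  # nNNm25: keep the two-digit <month> field as a number
        info["kind"] = "hub_to_hub"
        info["hub_field"] = int(tail[1:3])
    return info

# Most severe condition first; wording follows the content-type list above.
_STATES = (("full", "old defs, hub older than 10 months"),
           ("hub_to_hub", "old defs, non-current hub"),
           ("curdefs", "old defs, current hub"),
           ("direct_delta", "up to date"))

def client_state(filenames):
    """Map the files one client fetched to the client condition they imply."""
    kinds = {p["kind"] for p in map(parse_microdef, filenames) if p}
    return next((s for k, s in _STATES if k in kinds), "no microdef download seen")

# Constructed sample: host names and download sets are made up.
CUR = "1327865301jtun_nav2k8enncur25.m25"
SAMPLE = {
    "ws-01": ["1327865301jtun_nav2k8en120128009.m25"],
    "ws-02": [CUR],
    "ws-03": ["1326744606jtun_nav2k8enn09m25.m25", CUR],
    "ws-04": ["1326744606jtun_nav2k8ennful25.m25", CUR],
}
REPORT = {host: client_state(files) for host, files in SAMPLE.items()}
```

Hosts that map to anything other than "up to date" in `REPORT` were running definitions for which no direct delta was posted at download time.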



