Symantec Endpoint Protection 11.0 and 12.0 Small Business Edition clients do not update Intrusion Prevention Signatures

Article:TECH196871  |  Created: 2012-09-18  |  Updated: 2012-09-18  |  Article URL
Article Type
Technical Solution




Symantec shipped seven IPS definition updates between September 5 and September 13, 2012 that contained an incorrect read-only file attribute. This attribute was included in definitions dated September 6th, 2012 through September 12th. The attribute was removed with the IPS definitions dated September 13th, 2012.

Due to this issue, Symantec Endpoint Protection (SEP) clients will not update content beyond the initial affected download and IPS will not run correctly, impacting network threat detection. Additional layers of protection, such as Antivirus, Antispyware, and Proactive Threat Protection, are not affected.




SEP clients affected:

  • SEP clients that receive content directly from Symantec LiveUpdate or a LiveUpdate Administrator

  • SEP clients receiving updates via third-party system management products


SEP versions affected:

  • SEP 11.0: RU5 and higher

  • SEP 12.0 SBE: All versions


SEP versions and clients NOT affected:

  • SEP 11.0 RTM to MR4-MP2

  • SEP 12.1 : All versions

  • Any client that receives content only from SEPM or GUP

Clients that receive content only from a SEPM or a GUP are not affected, as SEPM file processing removes the attribute change.



Affected clients display IPS content between 2012-09-06 rev. 002 and 2012-09-12 rev. 001 on either the SEP client or SEPM, despite updated content being available. For affected clients, the IPS protection service does not run correctly, impacting network threat detection.

A client that fails over to a LiveUpdate server during this timeframe will receive the affected content and will not be further updated by the Symantec Endpoint Protection Manager.



Intrusion Prevention updates that were released on September 18th, 2012 or later, dated 2012/09/16 rev. 002 or higher, remediate the attribute on almost all configurations. Administrators with configurations listed below can check their clients by searching in SEPM for clients that use an old IPS version.

  • Clients that consistently receive updates from a LiveUpdate server will receive the content update that will correct their configuration automatically.

  • Clients that use both LiveUpdate and Symantec Endpoint Protection Manager for content can be corrected by running LiveUpdate to a Symantec LiveUpdate server or to a LiveUpdate Administrator. This can be done from the management console by executing the "run LiveUpdate now" command. Once the client has received affected content from LiveUpdate, they will not be repaired until they run LiveUpdate again – the Symantec Endpoint Protection Manager will not distribute the fix.



Article URL

Terms of use for this information are found in Legal Notices