About the LiveUpdate patch for Symantec Advisory SYM-12-017
|Article:TECH200168|||||Created: 2012-11-27|||||Updated: 2012-11-29|||||Article URL http://www.symantec.com/docs/TECH200168|
This document contains instructions and answers to frequently asked questions about the LiveUpdate patch to resolve the problems described in SYM12-017 Symantec Legacy Decomposer CAB File Issues.
On Wednesday, November 28th, 2012, Symantec published content through LiveUpdate that updates the Decomposer engine for Symantec Endpoint Protection (SEP) 11.x and 12.0 Small Business Edition. This content updates SEP clients to Decomposer 1.2.8.
Note: SEP 12.1.0 and newer products will not download this content. This applies to both clients and managers.
- The update replaces the Dec_ABI.dll and the Dec3.cfg files with updated versions.
- If the files are in use (such as during a scan), the Dec_ABI.dll and the Dec3.cfg file are marked for replacement, and the new files are stored in the SEP install directory until they can be replaced when the computer restarts.
- A registry value is created to note that a restart is required.
The update replaces the following files:
The new Dec_ABI.dll version is 220.127.116.11.
Frequently Asked Questions
Q: What is the size of this content update?
A: The content package is 860KB.
Q: Will this be downloaded with virus definitions?
A: No, this is a separate package. It will not be added to an existing virus definition update.
Q: How can I ensure that LiveUpdate Administrator is configured to download this update?
A: Under the Symantec Endpoint Protection details, ensure that the Decomposer content is selected.
To ensure that the Decomposer content is selected
In LiveUpdate Administrator, click Download & Distribute > Schedules.
Select the download schedule for Symantec Endpoint Protection content, and click Edit.
Note: If a download schedule for Symantec Endpoint Protection content does not already exist, it must be created.
Under Select Products, select Symantec Endpoint Protection v11.0 for your language, and click Add.
Expand Symantec Endpoint Protection v11.0 > Product Updates, and check the following items:
SESM Decomposer_lumetadata 11.0
SESM Decomposer 11.0
Click Add > OK.
Repeat steps 3 and 4 for the distribution schedule for Symantec Endpoint Protection content.
Q: Will this content be distributed from a Symantec Endpoint Protection Manager (SEPM) or Group Update Provider (GUP)?
A: Any 11.x or 12.0 SEPM will download the Decomposer update and distribute it to clients as configured. Also, any SEP 11.x GUP configured to pull content from an 11.x SEPM will download the content and distribute it to the 11.x clients as configured.
Q: Will SEP 12.1 clients or SEPMs download this content?
A: SEP 12.1 clients and managers will not download this content. They do not include the Decomposer content in their product libraries to download it, and are not affected by the problem that the update solves.
Q: If I am using a 12.1 SEPM, how can I get the updates to my SEP 11.x clients?
A: SEP 11.x clients can be configured to point to a Symantec LiveUpdate server or an internal LiveUpdate Administrator server temporarily in order to download the content. As an alternative, clients running SEP 11.0.5 to 11.0 RU7 MP3 may use the Decomposer Update Tool that is described in SYM12-017 Symantec Legacy Decomposer CAB File Issues.
Q: When does the client start using the new Decomposer?
A: The client starts using the new Decomposer when the RTVScan service restarts with the new files in place. If the files were not replaced because they were in use when LiveUpdate ran, the computer must be restarted to replace them for the client to use the new Decomposer. If the files were successfully replaced, the RTVScan service can be stopped and started manually without restarting the computer. LiveUpdate does not restart the service or reboot the computer automatically.
Q: How can I determine if a client requires a reboot?
A: If the files were not replaced when LiveUpdate ran, a client registry path is set under HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Patch: DecUpdateRebootRequired.
Q: I have already used one of the mitigation techniques provided in the Symantec Advisory. How will my client be updated?
A: The client will still download this content. In the event that the Dec3.cfg file has been edited, the LiveUpdate content replaces the existing .cfg file with a new one so that .cab file scanning is re-enabled. If the Decomposer Update tool has been run, the client will update the version of Decomposer, but the fixes are the same.
Q: What is the difference between the version of Decomposer in the Symantec Update tool and the version included in the LiveUpdate package?
A: Only the version number is different. In order to address the LiveUpdate packaging, the version of Decomposer was incremented to 18.104.22.168, while the Update tool includes 22.214.171.124. However, the same fixes are in both versions. There are no functional code differences.
Q: How can the version of Decomposer be verified on the client?
A: In the SEP client interface, under Help > Troubleshooting > Versions, Decomposer appears as 1.2.8 after the LiveUpdate.
Note: Due to a defect in the product, this version does not update in versions prior to RU5, as the file version referenced is incorrect. This defect was fixed in RU5. An alternative location for all versions is the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Decomposer ABI: Version
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Decomposer ABI: Version
Article URL http://www.symantec.com/docs/TECH200168