
12.1.2015 Intrusion Prevention Signatures "not available"

Created: 19 Dec 2012 | 22 comments

So I was having an issue with some of our machines on 12.1 where it was not showing the current sigs in SPC management and causing the big red X. Noticed that it was a known issue, so I put a couple of our machines on 12.1.2015 (ru2) as that seemed to be the fix. Unfortunately, it's been 24hrs now and those two machines are still showing "not available" under the intrusion prevention signature column. I've run LiveUpdate on them a couple of times but to no avail.


Ashish-Sharma's picture

Hi,

Are the SEP clients' virus definitions updated?

You could use the rapid release definitions.

http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr

Thanks In Advance

Ashish Sharma

 

 

Alludc's picture

Yes, all clients affected have current virus def dec-18-2012-r20

Ashish-Sharma's picture

Hi,

How many systems are having the problem?

Please provide an error snapshot.

What happens when you try running a repair of this SEP client from Add / Remove Programs?

Thanks In Advance

Ashish Sharma

 

 

Alludc's picture

6 total systems having 'issues' with showing old signatures.  4 of them are on 12.1.1 and the 2 new ones that are showing "not available" are on 12.1.2015+

 

I ran LU yesterday and today on all the machines.

 

I have done a repair, no change to the problem.

 

SEP.jpg
Ashish-Sharma's picture

Hi,

Try this,

 

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

 

Article:HOWTO59193  |  Created: 2011-09-08  |  Updated: 2012-09-25  |  Article URL http://www.symantec.com/docs/HOWTO59193

 

Thanks In Advance

Ashish Sharma

 

 

pete_4u2002's picture

Are the other modules of SEP updated?

Are these machines communicating with SEPM?

Did you run the symhelp tool? It will give you information if the virus definition is corrupted.

Alludc's picture

I'm currently completing the manual clearing of definitions and it's gathering the new defs via LU right now.

 

All other modules of SEP were fine, besides the Intrusion Prevention Signatures on the machines listed in the above post.

 

All machines are indeed communicating with SEPM

 

Have not yet run symhelp. Finishing this step 1st.

Alludc's picture

Cleared all old defs, ran LU, everything updated. Manager console still showing "not available" under Intrusion Protection signatures.

Where specifically can I see the folder for those signatures?

.Brian's picture

Are the machines themselves out of date or is it just not reflecting properly in the SEPM?

What OS are you using?

For XP, IPS defs are in:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\IPSDefs

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Alludc's picture

Nope. One of these machines (win7) worked fine on 12.0; it failed after 12.1 and now also on 12.1.2

Checked c:\programdata\symantec\symantec endpoint protection\12.1.2015.2015.105\data\definitions\ipsdefs on this machine just now and it shows a 20121218.011 folder that was created 12/19 that it just got from LU. SEP Manager still shows "not available" for this machine's IPS.

 

the other machine is a fresh install win8.
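
The client-side check from the posts above, as an added PowerShell example that is not part of the original thread: it finds the newest dated revision folder (named like the 20121218.011 folder mentioned above) under an IPSDefs directory and reports its age, which helps separate a client that is genuinely out of date from a console that is only displaying the status wrong. The function name, the temporary demo folder and its contents are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Reports the newest IPS definition
# revision folder under an IPSDefs directory and how old it is.
function Get-LatestIpsDefRevision {
    param(
        [Parameter(Mandatory)][string]$IpsDefsPath,
        [datetime]$Now = (Get-Date)
    )
    if (-not (Test-Path -LiteralPath $IpsDefsPath -PathType Container)) {
        throw "IPSDefs folder not found: $IpsDefsPath"
    }
    $revisions = foreach ($dir in Get-ChildItem -LiteralPath $IpsDefsPath -Directory) {
        # Revision folders are named <yyyyMMdd>.<sequence>, e.g. 20121218.011.
        # Anything else in the directory is ignored.
        if ($dir.Name -match '^(\d{8})\.(\d{3})$') {
            $date = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($Matches[1], 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)
            if ($ok) {
                [pscustomobject]@{
                    Name       = $dir.Name
                    DefDate    = $date
                    Sequence   = [int]$Matches[2]
                    Downloaded = $dir.CreationTime   # when LiveUpdate wrote it
                }
            }
        }
    }
    if (-not $revisions) { return $null }   # no definitions present at all
    $latest = $revisions | Sort-Object DefDate, Sequence | Select-Object -Last 1
    $age = [int]($Now.Date - $latest.DefDate).TotalDays
    $latest | Add-Member -NotePropertyName AgeDays -NotePropertyValue $age -PassThru
}

# Constructed sample layout so the example runs on a machine without SEP.
# On a real client, pass the IPSDefs path quoted in the thread instead.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("IPSDefs-demo-" + [guid]::NewGuid())
'20121130.002', '20121218.011', 'tmp7f3a.tmp' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $demo $_) -Force | Out-Null
}
Get-LatestIpsDefRevision -IpsDefsPath $demo -Now ([datetime]'2012-12-19')
Remove-Item -LiteralPath $demo -Recurse -Force
```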

 

 

.Brian's picture

So it looks like the client has the correct defs, this seems to be more of a cosmetic issue...


Alludc's picture

Cosmetic maybe, but the big red X showing daily on the console is sure making my boss look at me sideways.

 

.Brian's picture

Have you deleted the SEP client from SEPM and let it check back in?


Mithun Sanghavi's picture

Hello,

Could you delete the client entries from the groups and let the clients re-register themselves in the SEPM?

OR

1. Ensure both IPS and Advanced Download Protection are uninstalled from the client to stop sending data on IPS definitions.
2. Force the client to generate a new hardware ID using the RepairClonedImage tool: http://www.symantec.com/docs/TECH163349
3. Delete the old client entry once the new entry appears.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Alludc's picture

Mithun.

I have deleted the client entry from the console and let it re-register twice now. No change. Again, the other PC is a brand new win8 machine with a fresh install exhibiting the same behavior. The "not available" is a direct product of 12.1.2015, it seems. The other issue with the 12.1 machines not showing (but being) updated is its own issue.

I do not follow on the "or" section #1. Not sure how to do that. No need for #2, as I do not image our machines here; they are all standalone installs.

Rafeeq's picture

Are clients set to take the updates from the Manager or from LiveUpdate?

In the Home tab, if you click on the More Details option (top right), what's the level set for IPS defs failures?

Alludc's picture

Clients get info from Live Update

 

No such "more details" in the upper right of the home tab screen on SEP SBE

 

the version on the server is still 12.0.1001.95 if that makes a difference.

Mithun Sanghavi's picture

Hello,

Absolutely yes.

(I should have understood when you wrote: "So I was having an issue with some of our machines on 12.1 where it was not showing the current sigs in SPC management and causing the big red X.")

I would please request you to Migrate the SPC (Symantec Protection Center) to the Latest Symantec Endpoint Protection Manager 12.1.

You need to Migrate to the Latest version of Symantec Endpoint Protection Manager 12.1 because the definitions are different for this product version.

To understand check the links below:

For Symantec Endpoint Protection 11.x - Symantec Endpoint Protection 12.0 (32 bit)

http://www.symantec.com/security_response/definitions.jsp?pid=sep11_32

For Symantec Endpoint Protection 12.1

http://www.symantec.com/security_response/definitions.jsp?pid=sep12

For Symantec Endpoint Protection 12.1 RU2

http://www.symantec.com/security_response/definitions.jsp?pid=sep1212

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Alludc's picture

Well, 12.0 manager worked with the other 12.1 clients... and I haven't read anything that said it wouldn't. But I'll go ahead and get around to upgrading the mgr then. Thanks

Mithun Sanghavi's picture

Hello,

I would suggest you to also follow the Article below when Migrating - 

Best practices for upgrading to Symantec Endpoint Protection 12.1.2

http://www.symantec.com/docs/TECH163700

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3
