Endpoint Protection

We are having one heck of a time dealing with the large number of GUPs in our environment. With the fact that servers are changed out frequently without information from other teams, with the fact that there are usually a number of servers that end up with not enough disk space for the defintions to be held, and the fact that the new SEP 12.1 java GUP Monitoring tool is SO much slower to use than the previous 11.x vbs GUP monitoring tool., and finally the number of locations we deal with to make the GUPs work with the 11.x clients we cannot use the new 12.1 liveupdate policies for the GUP designation by subnet.

WIth all the above issues what we are wondering is if there is any way to setup a definiton update deployment using SCCM? We already have designated SCCM servers that are fairly static. We also have SCCM servers in many sites we do not currently have configured SEPM locations and GUPs setup thus reducing the update load on the SEPM servers. We also are dealing with a DB issue that is not allowing us to liveupdate the SEPMs daily with defintiions and this would be eliminated until the DB issue is resolved.

It would be nice if Symantec had some kind of SCCM plugin to create a package based on the defintion released and then do a defintion deployment.

I am hopeful that once we get most of our environment to the 12.1 clients and upgraded then the GUPs by subnet liveupddate will be a GREAT benefit but I have been haunted by dealing with tons of GUps for years now.

Anways anyone with any suggestions for a newly updated to 12.1 ru 2 server infrastructure and about 54k clients still at 11.x to help ease our defintion update growing pains?

I don't believe there is any way to do a package for Defs only. Workarounds exist but may be not exactly what you want.

You could push a client without defs or just basic content and than once installed/upgraded, configure it to grab the defs from the local GUP

How to export Symantec Endpoint Protection (SEP) client install packages without any definitions or package with Basic Content.

I think McAfee updates can be done with SCCM. not so sure about SEP.But this is something intresting that is worth looking at

http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/e008842d-d566-4b32-ba2f-4638c367f106/

Hello,

You can Enable third-party content management from the Liveupdate Policy.

This Enables third-party tools such as Microsoft SMS to provide updates to client computers securely.

To use this feature, you must set up the Symantec Endpoint Protection Manager to use as a staging server for content. This staging server does not require that the clients be connected to it. Configure the server to download updates on a periodic schedule. If you use continuous, the server downloads the latest updates when they are posted.

By default, the updates appear in the Default group's clients' content outbox folders. These folders are organized by content type. You can then pick up one or more content packages from the content outbox folder and deliver it to the client's inbox folder.

To ensure that only third-party management tools update client computers, disable the other LiveUpdate server options on this page.

Note: Third-party content management settings are applied to Windows clients only.

Reference: 

Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

http://www.symantec.com/docs/TECH178257

Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients

http://www.symantec.com/docs/HOWTO80943

Also, check this : Script to download Definitions from SEPM

https://www-secure.symantec.com/connect/downloads/script-download-definitions-sepm

Hope that helps!!

Alternative.

You can update the Rapid release in SEPM in jdb and the clients will get the defs. those are all connected to SEPM. These won't depend on GUP. All you have to know is the understand the Rapid release definitions.

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
http://www.symantec.com/docs/TECH102607 
 

http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr

You can use Intelligent updater, which is an exe , deploy it as a package.

http://www.symantec.com/business/support/index?page=content&id=TECH106037

HI, 

Regards

Ajin