Endpoint Protection


Delay security definitions from going out

  • 1.  Delay security definitions from going out

    Posted Nov 30, 2010 09:16 AM

    Hi All,

    Just wondering if it's possible to delay security definitions from going out by a day or so through SEPM 11. We've got over 2000 endpoints and there's a fear that if a bad definition gets out it'll be deployed across all my machines and could cause a serious amount of damage.

    I'd like to be able to create two different policies to update test machines immediately and production machines a day later.

    Definitions being out by a day wouldn't pose much of a threat and this can always be changed if the threat level is very high.


    Thanks



  • 2.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 09:26 AM

    ...... Is this only possible using a GUP? Time to go investigating.



  • 3.  RE: Delay security definitions from going out

    Broadcom Employee
    Posted Nov 30, 2010 09:39 AM

    From SEPM you can update the right definition, which will correct the corrupt definition.

    The client gets the update from SEPM/GUP based on the heartbeat configured.



  • 4.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 09:45 AM

    So basically you need to upload the definitions to two groups of PCs: test (to test defs) and the production one (if the test is passed)? I am afraid it is not possible in SEPM: while you can set in the LiveUpdate policy that for this or that group you need an older set of defs, you will need to change it every day manually, and that is nonsense.

    In your case the best solution is to use LiveUpdate Administrator to deploy definitions without your approval to a test group and with your approval to the production one.

    Please check:

    Installing and configuring LiveUpdate Administrator 2.x
    http://www.symantec.com/business/support/index?page=content&id=TECH102701&locale=en_US



  • 5.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 09:54 AM

    Thanks Pete, but definitions can sometimes damage much more than SEP itself. In April this year McAfee released a definition that saw svchost.exe as malware, causing critical damage to XP machines. http://news.cnet.com/8301-1009_3-20003074-83.html

    If Symantec were to do something similar what would be the best way to protect against something like this?



  • 6.  RE: Delay security definitions from going out
    Best Answer

    Posted Nov 30, 2010 10:02 AM

    Look into LU Administrator - you can create different distributions for different PCs and approve them or not... It is a really cool app :)



  • 7.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 11:12 AM

    Hi clynch,

    The SEPM can accomplish this natively if you are willing to manually manage definitions.

    Open the SEPM. Go to Policies and click LiveUpdate. Click the LiveUpdate Content tab.

    You will have a default policy called "LiveUpdate Content Policy". If you open it and go to the Security Definitions tab, you will notice that by default the policy is set to use the latest available definitions. If you put a dot in "Select a revision", you can manually pick what revision of definitions you want the SEPM to distribute.

    It is possible to create multiple LiveUpdate Content Policies so that you can have one for your production group and one for your test group.

    Regards,

    James



  • 8.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 11:15 AM

    Hi Clynch,

    A good way to protect against this would be to manually manage the definitions your environment uses. You can designate a test group which uses a set of definitions newer than the rest of the production group. If the test group functions well for a period of time using the newer set of definitions, you can then roll it out to the rest of the production environment.

    My other post (below) tells you how this can be accomplished.

    Regards,

    James



  • 9.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 11:19 AM

    In LiveUpdate policy you can change the definitions date but this way you will need to change it manually every day, won't you?



  • 10.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 11:45 AM

    Hello,

    Yes, he would have to manually manage it.

    If he wanted to lower the administrative overhead by a little bit, he could have two separate LiveUpdate Content Policies (one for his test group and one for his production environment).

    His test group could be set (via its policy) to automatically update to the latest virus definitions while his production group could be set to only use the virus definitions he picks.

    His other option (and the one I personally prefer) would be to manually manage the virus definitions that both the test and the production group are using.

    This may be too much to do if you have the SEPM downloading three definition sets per day. It would be much more manageable if you have the SEPM download definitions but once a day. This would have a secondary benefit in that it would give his test group an entire day to run with the "suspect" definitions before he rolls them out to his production group.

    Regards,

    James
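The two-ring process James describes in this post and in post 7 (test group on the latest definitions, production pinned to a revision the admin picks, with the SEPM pulling only once a day so the test group gets a full day on each "suspect" set) is really a small decision rule run once a day. The script below is an added example, not code from SEPM, LiveUpdate Administrator or anyone in the thread: it encodes that rule as a function an admin could run against whatever revision list they keep, so the daily "which revision do I pin production to?" question has a repeatable answer. The "YYYYMMDD.NNN" revision names, the timestamps and the 24-hour soak period are constructed assumptions for the example, and it also handles the failure mode the thread worries about: a revision the test group reports as bad is never promoted, and if production is already pinned to it the function rolls back to the newest safe one. An `emergency` flag models the original poster's "this can always be changed if the threat level is very high" case by skipping the soak while still honouring the bad list.

```python
"""Staged rollout gate for AV definition revisions (added example).

Not SEPM's or LiveUpdate Administrator's own code: it models the manual
process from the thread (test group on the latest definitions, production
pinned to a revision the admin picks) as a function an admin can run once
a day to decide the production pin. The "YYYYMMDD.NNN" revision names and
timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple

SOAK = timedelta(hours=24)  # assumed: how long the test ring must run a revision first


@dataclass(frozen=True)
class Revision:
    name: str            # assumed "YYYYMMDD.NNN" naming (constructed for this example)
    published: datetime  # when the SEPM first had this revision available


def revision_key(name: str) -> Tuple[int, int]:
    """Order revisions by (date, sequence) parsed from the assumed name format."""
    date_part, seq_part = name.split(".")
    return (int(date_part), int(seq_part))


def choose_production_pin(
    revisions: Iterable[Revision],
    current_pin: Optional[str],
    bad_revisions: Iterable[str],
    now: datetime,
    soak: timedelta = SOAK,
    emergency: bool = False,
) -> Optional[str]:
    """Return the revision production should be pinned to right now.

    Rules:
      * a revision the test ring reported as bad is never pinned;
      * normally a revision must have soaked in the test ring for `soak`;
      * emergency=True (admin judges the threat level very high) skips the
        soak but still honours the bad list;
      * production never moves backwards unless its current pin is itself
        on the bad list, in which case it rolls back to the newest safe one.
    """
    bad = set(bad_revisions)
    eligible = [
        r for r in revisions
        if r.name not in bad and (emergency or now - r.published >= soak)
    ]
    if not eligible:
        # Nothing safe to promote. Keep the current pin unless it is bad;
        # then return None so the admin knows manual action is required.
        return None if current_pin in bad else current_pin
    newest = max(eligible, key=lambda r: revision_key(r.name)).name
    if current_pin is None or current_pin in bad:
        return newest  # first pin, or rollback away from a bad revision
    return max(current_pin, newest, key=revision_key)


# Constructed sample: three revisions the SEPM pulled over two days.
T0 = datetime(2010, 11, 29, 8, 0)
SAMPLE = [
    Revision("20101129.002", T0),
    Revision("20101129.017", T0 + timedelta(hours=8)),
    Revision("20101130.003", T0 + timedelta(hours=25)),
]


def at(hours: float) -> datetime:
    """Clock time `hours` after the first sample revision appeared."""
    return T0 + timedelta(hours=hours)


if __name__ == "__main__":
    pin = None
    for h in (1, 26, 34, 50):
        pin = choose_production_pin(SAMPLE, pin, bad_revisions=[], now=at(h))
        print(f"t+{h:>2}h: production pin -> {pin}")
    # The test ring flags the newest revision after production already has it:
    # production rolls back to the newest revision that is still safe.
    print("with 20101130.003 flagged:",
          choose_production_pin(SAMPLE, pin, ["20101130.003"], at(50)))
```

Run daily, the function's result is the revision to select under "Select a revision" in the production group's LiveUpdate Content Policy; the test group's policy stays on the latest available definitions. The `bad_revisions` list is whatever the admin records after checking the test group, which is the one input the thread agrees cannot be automated away.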



  • 11.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 11:47 AM

    I agree with your arguments. Still I suppose it will be much easier to use LUA in this case :-)



  • 12.  RE: Delay security definitions from going out

    Posted Nov 30, 2010 12:26 PM

    Thanks James-x, but that would involve too much administrative overhead, and with just myself doing it I'd have a bigger headache wondering if it's getting done when I'm not in the office.

    LUA might look like a better option, so I'll get tinkering with that and see what it can do.

    Thanks All