
How do you change the frequency of the virus definitions out of date message?

Created: 08 Oct 2012 | 37 comments
chris48's picture

We have a SEPM 12.1 server which manages our SEP 12.1 clients.  As a number of these clients do not always log in regularly we often get users calling in as they get the virus definitions are out of date message but when they click ok this message reappears very shortly afterwards.  Is there a way to change the frequency that this message appears, so for example once an hour or twice a day?  We still require the users to get this message, but the amount of times it keeps appearing seems to be excessive and is causing our users to call in unnecessarily.

 

Thanks.


Ashish-Sharma's picture

To modify the Antivirus and Antispyware policy's notification settings:

 

  1. Log into the SEPM console and select the Policies tab
  2. Select the Antivirus and Antispyware Policies link from the View Policies pane
  3. Select the policy used by the affected clients from the Antivirus and Antispyware Policies pane
  4. Click the Edit the Policy link in the Tasks pane
  5. Expand Windows Settings and select the Miscellaneous tab
  6. Select the Notifications tab in the Miscellaneous pane
  7. Set the Days before a warning appears in Symantec Endpoint Protection value to the number of days calculated as "safe" for the affected clients.
  8. Click the OK button to close the AV Policy window and save the changes to the policy

Reference

http://www.symantec.com/business/support/index?page=content&id=TECH150078

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade's picture

Hi,

This issue occurs when definitions provided by the Symantec Endpoint Protection Manager are older than the amount of days configured in the Antivirus and Antispyware policy before an outdated definitions notification will appear.

If the definitions on the SEP client and SEPM server are less than 24 hours old, the Antivirus and Antispyware policy is likely configured to warn after definitions are 1 day out of date. This is against best practices as new definitions are not made available immediately at midnight.

Miscellaneous tab is available in Enterprise Edition only, it's not available in Small Business Edition.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

_Brian's picture

Select your AV policy

Miscellaneous >> Miscellaneous tab >> Adjust Display a Windows Security Center message when definitions are outdated

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

chris48's picture

Thanks everyone for your replies.

I have already set the appropriate settings under the miscellaneous policy, however this isn't the problem.  We have some clients that have not accessed the network for more than 30 days, but I don't want to change the notification to alert for out of date definitions longer than that.

The problem we have is that when a client does receive the notification they only have the option to click 'close' and when they do they get another prompt about 30 seconds later, even though the client is in the process of updating.  This is causing great annoyance to some of our users which is why I want to modify the frequency of this alert so they will only get the prompt again if the client hasn't updated within a specified amount of time (eg 1 hour).

Ashish-Sharma's picture

Hi,

I think this option is not available in SEPM you can Set Specify Amount of time.

 

Thanks In Advance

Ashish Sharma

 

 

megamanVI's picture

The original post is experiencing an issue where pressing OK on the "out of date" message doesn't actually make the message go away. It keeps popping up immediately after pressing OK.

I experience this issue too on 12.1 MP1 RU1. I didn't experience it before upgrading to this latest release. I'm hoping this issue is resolved in 12.2.

GD Sec's picture

We have also had the same problem when running 12.1 RU1 MP1.  The notification does not suppress for 24 hours like previously in SEP 11.  I had a case with support who told me to change my out of date notifications to 28 days, that does not work in my environment.

 

SEP 11 used to have the option to "not remind me for another 24 hours" which was generally plenty of time for the GUP or Live Update to push out the definitions.  Since support does not seem to remember this feature I have turned it off on the client end, and monitor it from the SEP Manager and vulnerability scanner.

 

Mithun Sanghavi's picture

Hello,

I would suggest you to edit the "Virus Definitions Out-of-Date" Notification and set the correct Damper Period and correct settings.

 

Damper Period:

Specifies the length of the damper period, in minutes or hours, that you want to use for this notification.

Some logs use a damper period for event aggregation. Events are held on the clients for the damper period before they are aggregated into a single event and then uploaded to the console. The damper period helps to reduce events to a manageable number.

The default damper setting is Auto (automatic). If a notification is triggered and the trigger condition continues to exist, the notification action that you configured is not performed again for 60 minutes. For example, suppose you configure a notification to alert you when a virus infects five computers within one hour. If a virus continues to infect your computers at or above this rate, you receive notifications every hour. The notifications continue until the rate slows to fewer than five computers per hour.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

megamanVI's picture

This isn't an issue with notifications to the Symantec administrator. These pop ups are happening on the SEP clients.

Chetan Savade's picture

Hi,

Could you please check the damper settings.

Navigation path:

SEPM --> Monitors --> Notifications --> View Notifications --> Notifications Conditions --> Edit Virus Definitions out of date --> Check damper setting time, I hope it's not set to Auto.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

chris48's picture

Thanks Chetan,

I have checked the above settings you have advised and the Damper setting time is 10 hours - (not set to auto).

However am I not correct in understanding that this setting relates to notifications on the server, not on the client itself?

Chetan Savade's picture

Hi,

You are correct, these settings relate to notifications on the server. I was just correlating it.

Can you move all those clients to a new group and disable the notification pop-up on that group?

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

chris48's picture

Thanks Chetan,

I could move them, but this does not resolve the issue.  I still want them to receive notifications but I want to reduce the frequency of the pop-ups.

Mithun Sanghavi's picture

Hello,

There are no such settings under notification where you could specifically reduce the frequency of the pop-ups.

Hope that helps!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

I don't see any such settings under notification where you could specifically reduce the frequency of the pop-ups.

I am not able to find any registry tweak as well.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

_Brian's picture

Just out of curiosity, has anyone done a complete uninstall/reinstall? Did that fix it?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma's picture

Hi,

This setting is not available in SEPM.

You can raise an Idea for this option.

Thanks In Advance

Ashish Sharma

 

 

John Santana's picture

What does "Damper" mean?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Chetan Savade's picture

Hi John,

Damper settings are a very interesting concept.

You can set a damper period for notifications. The damper period specifies the time that must pass before the notification condition is checked for new data. When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.

Reference: http://www.symantec.com/docs/HOWTO55051

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
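The damper behaviour described in the two replies above (the Auto/60-minute description and the "first occurrence within that period" description), as an added example that is not part of any post and is not Symantec's code. It models the damper as a suppression window and counts how many notifications three damper values let through; the 5-minute check interval and the 16-hour timeline are constructed assumptions.

```python
from datetime import datetime, timedelta

def damped_notifications(trigger_times, damper):
    """Return the trigger times at which a notification is sent.

    Assumed model, taken from the description in the thread (not SEPM's
    actual implementation): the first trigger sends a notification and
    opens a damper window; triggers inside the window are suppressed;
    the first trigger at or after the end of the window sends again.
    """
    sent = []
    window_end = None
    for t in sorted(trigger_times):
        if window_end is None or t >= window_end:
            sent.append(t)
            window_end = t + damper
    return sent

def constructed_triggers(hours=16, check_minutes=5):
    """Constructed sample data: the condition is true on every check."""
    start = datetime(2012, 10, 8, 8, 0)
    checks = hours * 60 // check_minutes
    return [start + timedelta(minutes=check_minutes * i) for i in range(checks)]

def compare(trigger_times, dampers):
    """Map each damper label to the number of notifications it lets through."""
    return {label: len(damped_notifications(trigger_times, d))
            for label, d in dampers.items()}

# Damper values mentioned in the thread: 10 minutes, the 60-minute repeat
# interval quoted for Auto, and 10 hours.
DAMPERS = {
    "10 minutes": timedelta(minutes=10),
    "60 minutes": timedelta(minutes=60),
    "10 hours": timedelta(hours=10),
}

if __name__ == "__main__":
    triggers = constructed_triggers()
    for label, count in compare(triggers, DAMPERS).items():
        print(f"damper {label:>10}: {count:3d} notifications "
              f"from {len(triggers)} triggers")
```

As the thread establishes, this damper applies to administrator notifications sent by the server, not to the pop-up shown on the SEP client.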

John Santana's picture

Yes Chetan, you are right!

I have been bombarded with Unmanaged Notification list email (about 100 of them) since I put it to 10 minutes.

Thanks for pointing this out man

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ch@gGynelL_12's picture

Not even encountered in my present Administration of SEP. To avoid annoyance to client, disable all the pop-ups and refer to the logs for your reference.

chris48's picture

Thanks everyone for your responses.  Your solution, Ch@gGynelL_12, is OK as a workaround, however we do want the clients to be notified if virus defs are older than 30 days, so will keep the alerts on.  This is in case anything is missed in the logs or a client drops out of SEPM without us realising (this has happened before with 2 pcs with the same hardware id).  The client side alert at least will prompt user to call if there is a problem.  It seems that we have to accept there is no way to configure this, which is a shame and seems to be an oversight in the design of SEP 12.1.  Maybe next release will include this feature as the lack of it will potentially cause a lot of calls to service desks when there are a lot of clients deployed in a SEP environment.

dsmith1954's picture

When they get the message, are your users checking the box that says "Don't remind me again until after the next update"? If not, have them give that a try.

sandra.g's picture

In which version of SEP do you see this checkbox? Thanks.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

dsmith1954's picture

I think it's been there since the SAV days. This is the notification on the client.

John Santana's picture

Yes, that is correct, I guess this is harmless since the SEP client AV definitions will be downloaded soon after it talks back to the SEPM server.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

sandra.g's picture

Thanks. In SEP (12.1.2 enterprise version), I can confirm that a.) there is no way to define a period of X minutes/days before the next notification occurs, but b.) that the "Don't remind me again until after the next update" check box is still there in the client-side pop-up notification.

(I would think that this same checkbox is present in Small Business Edition, too, but I didn't get to check that directly.)

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

SMLatCST's picture

On a vaguely related note, have you considered using Location Awareness (http://www.symantec.com/docs/TECH97369) so that your SEP clients obtain the latest definitions directly from Symantec LiveUpdate when they are out of the office.

While this doesn't directly affect the notifications themselves, it would prevent the "Defs out of date" message from appearing, as the clients will be up-to-date.  Plus, you'll have the added security of ensuring your client machines are using the latest defs where ever they are (clearly this is only applicable if the out of office laptops have access to the Internet).

John Santana's picture

(clearly this is only applicable if the out of office laptops have access to the Internet).

.....and there is no proxy setting to use outside the office.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Beppe's picture

Hello,

It has been found that the option "Don't remind me again until after the next update" is visible only if the logged user has admin privileges and UAC is disabled.

Regards,

Giuseppe

kevin29's picture

Quote: It has been found that the option "Don't remind me again until after the next update" is visible only if the logged user has admin privileges and UAC is disabled.

 

Does anyone know if 12.1.2 or 12.1.2.1 has fixed this issue or is it still outstanding? Thanks- 

dsaraf's picture

Will 12.1.3 have this option?  It's becoming a big problem for my organization. Also, is there any validity to the following comment?  "It has been found that the option "Don't remind me again until after the next update" is visible only if the logged user has admin privileges and UAC is disabled."

I also noticed that when I add more text in the notification it pushes the "Don't remind me again until after the next update" checkbox down to where the user cannot check it.  There is some bug that is not resizing the dialog box properly.

ss0's picture

Will Symantec ever listen to its user base and provide a solution to this issue? Please incorporate this into your product:

1. Provide a damper setting that controls the notification of out of date definitions on the client side.

2. Also provide a period of time after login for SEP to download the updates from the server. Typically a computer that has been off the network will connect back up after login and SEP will immediately issue this notification, increasing unnecessary help desk calls.

 

PLEASE FIX  THIS SYMANTEC. QUIT MAKING OUR LIVES MISERABLE!!!

ss0's picture

and yes we are using location awareness. and no disabling notifications is not an option because we do want to ensure users have the latest defs.

SMLatCST's picture

If you want to suggest changes to products, then please raise it as an IDEA via the "Create Content" section of these forums.

If your suggested change gathers enough community support, then Symantec may implement it.

John Santana's picture

Yes I have just voted !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.