How do you rollback defs in SEP 11 RU5?
Updated: 04 Aug 2010 | 5 comments
Yesterday's defs decided to quarantine files associated with our core application and we couldn't figure out how to rollback the defs. There is exactly one LiveUpdate policy applied to everything. When I click on the LiveUpdate Content Policy and look at Security Definitions and Select A Revision, only the current defs are there.
Under Admin, Servers, Local Site, LiveUpdate tab, it shows we're holding 21 days of "Number of content revisions to keep:"
We do use GUPs for remote clients and the SEPM itself for this location. The GUPs pull the defs from the SEPM server.
What am I missing?
Thanks,
Ray
Comments
How to Backdate Virus
How to Backdate Virus Definitions in Symantec Endpoint Protection Manager
http://service1.symantec.com/support/ent-security.nsf/docid/2007111515160948
Do you have only one revision for all the contents?
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Correct
It's showing just the Feb. 1, 2010 32-bit and the Feb. 1, 2010 64-bit defs. Needless to say, that is the def that took down fifty offices and hundreds of employees this morning.
Ray
Number of revisions to be kept
I hope you do have the latest version of SEPM, i.e. RU5.
The Symantec Endpoint Protection Manager (SEPM) must have previous content revision downloads in order to create a "delta", or differential, capable of updating a client from its content version to the most recent version of that content being stored on the SEPM. The value of deltas is that content revisions are kept to a minimal size as they are sent across the network. To determine how many content revisions you should keep, consider the following:
For the majority of your clients how often do they communicate with their SEPM?
Historically, how long have your clients had to go without communication with their SEPM?
What disaster recovery scenarios must you consider and of what duration?
The number of content revisions to keep should depend on the need to balance network bandwidth with the amount of hard drive storage availability on the SEPM. This setting should be made with the specific network environment's requirements and limitations in mind.
You can control the number of content revisions that Symantec Endpoint Protection Manager stores for each content type. The setting is global; you cannot set each content type individually.
Admin > Servers > Edit Site Properties > LiveUpdate (tab) > Disk Space Management for Downloads
You can configure the Symantec Endpoint Protection client policy to use an older revision of content from the Symantec Endpoint Protection Manager cache.
Policies > LiveUpdate > LiveUpdate Content (tab) > LiveUpdate Content Policy > Edit the Policy > Security Definitions > Select a Revision*
*If it's grayed out, then Symantec Endpoint Protection Manager does not have any revisions of that content stored.
Check the file contentinfo.txt in :\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content for further relevant information
Thanks & Regards Sandip C Sali
Inline."I hope you do have
Hey, guess what? They are there!
When you look at the dialog box, it's huge with lots of white space below the current defs and we thought it didn't have the revisions. We were expecting to see the revisions with a radio button to select the one we wanted.
It turns out there is a little drop down arrow to the far right that lets us see the older versions.
Unfortunately the huge amount of empty space in the dialog box coupled with the documentation not saying how to see the revisions helped me overlook the little arrow.
So it looks like all is well and we've written our own documentation with pictures on how to roll back the defs.
Ray
More info
<removed>