Hi,

I know that by default SEP downloads the definitions only from SEPM, does not it?
I need a better description of your issue,

regards,

Hi Giuseppe,
Thanks for your help. Our problem is, that we can't login to the domain after rebooting the workstation right after installing the SEP client because there are old definitions (of course right after installation) and SNAC reports, the client is not compliant and so isolation the client.
What we want now is to have a command line parameter or else to force the definitions update right after installation. So we could wait for the update to finish and then reboot the machine. That way, SNAC wont block active directory domain login. 
We tried to just wait until SEP updates itself but sometimes this takes more than 15 minutes. Such a delay is annoying during setup of workstations.
Thank you once again.
Have a nice day
Roland

install the SEPclient with the latest definition (instead of the default).

Changethe number of days the SEP client can go with old definition, hence avaoiding the network block in. If its push mode the clients can immediately get an update as soon it starts communicating with the SEPM.

cheers
Pete

If you make a plan of SEP deployment, cannot you just temporarly disable just this SNAC criteria about the definitions status during the deployment period just for the involved machines?

@pete: Thanks for the tip. However, since we're rolling out +1'800 workstations our rollout will take 6 - 8 weeks to finish. I can't/don't want to update the package every week with newer signatures... And think of the time after the rollout, I don't want  to update the package every now and then.

@Guiseppe: You're right, we could disable SNAC for the time of rollout. However, it's almost the same as workaround one. If we need to setup a workstation after the rollout, we encounter the same problem.

So what I want is a permanent solution, not just a workaround.
How are you guys working around this?

  We even tried with smc -updateconfig but the SEP client didn't update for more than 15 mins.
After we started the 'update content' function on this workstation through SEPM everything was fine and it updated very fast and so SNAC turned 'green'.
How can I force the 'update content' function from the workstation through a script?
Anyone?

This should definitely work for you

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008042213451848

How about enabling SNAC after the SEP deployment, and updates. By default SEP clients update thru SEPM.

@Kavishbakshi: Thanks for that link. However, pete already provided this tip. And since the rollout takes 6 - 8 weeks I had to update the package every week or set the SNAC tolerance to such a long period (up to 8 weeks old signatures) which makes SNAC unuseful.

@Paul Mapacpac: How can I enable SNAC after first successful SEP updates? This sounds interesting. Or do you mean, that I don't enable the SNAC policy until we're finished with the rollout? In the latter it's not possible.

you can enable SNAC, but if you say block client with X days old definition, then you might land up facing the problem,not connecting to the Network. In this kind of situation, have a remediation server which acts as host for providing definition to the clients, once these clients have definition, then they can connect back to network.

I understand since the roll out takes some task/time, but this is the option the SEP product has this feature, i was added this comment to have latest Definition set in package in "ideas" section. If Symantec team include in coming build/s that will resolve the issue.

Cheers

Pete