Endpoint Protection

 View Only
  • 1.  IPS defs not updating on 11.0.7 unmanaged clients

    Posted Sep 10, 2012 06:45 PM

    We have 3 unmanaged clients (Windows XP Pro SP3 32 bit) all with IPS defs date of Sept. 6, 2012 r2.

    Today (9/10/12), we ran manual LiveUpdate from the unmanaged clients' UI to get the latest AV and IPS defs from liveupdate.symantecliveupdate.com.  Manual LiveUpdate reported downloading and installing AV defs and IPS defs.  

    However, the definition date in the UI for the IPS defs did not change from September 6, 2012 r2.   The UI should show September 7, 2012 r1.   We see a folder 20120907.001 in C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs.  All 3 unmanaged clients were updating properly before trying to install the 9/7/12 v1 IPS defs.

    How do we fix?   AV shows the correct date and version.   The problem is just with the IPS defs/date. 

    Please read carefully.   Do not send links as to how LiveUpdate works or recommend to uninstall/reinstall or upgrade.

    The unmanaged clients were updating correcty until the NTP 9/7/12 v1 IPS updates. Nothing has changed in the clients whatsoever with the exception of running manual LiveUpdate today.

    Thanks,

    Wally

     

     



  • 2.  RE: IPS defs not updating on 11.0.7 unmanaged clients

    Posted Sep 10, 2012 06:59 PM

     

    I've had success in the past fixing corrupt IPS defs by simply deleting the folder and letting re-download again.

    Following this document:

    http://www.symantec.com/business/support/index?pag...

    Except I would just run smc -stop, stop the SEP service and delete the IPSDefs folder. I wouldn't make any changes to the registry. The above doc is mainly for removing virus defs so it really doesn't apply much other than how to stop the services.

    Also, this was done in a test environment so I wasn't worried about breaking something.

    I'm just sharing what I have tried in the past. It's likely unsupported and not recommended so be cautious if you try it.



  • 3.  RE: IPS defs not updating on 11.0.7 unmanaged clients

    Posted Sep 11, 2012 06:14 PM

    Thanks for the info.   We took the safest and most expedient way and restored the PCs to recent backup images before the problem and then used manual LiveUpdate to update the defs to current revisions.

    We have opened a case with Symantec Support.   If I find an easier supported way to fix corrupted IPS defs from support I'll post it.

    We have no idea why all our clients choked on the 9/7/12 IPS defs.   Odd that all of them would react in the same way.



  • 4.  RE: IPS defs not updating on 11.0.7 unmanaged clients
    Best Answer

    Posted Sep 18, 2012 07:53 PM

    Hi Wally,

    Symantec just posted a new KB article about IPS signatures being stuck.  I recommend you check out this doc: http://www.symantec.com/business/support/index?page=content&id=TECH196871 to see if the version of IPS signatures that you were stuck on is within the stated criteria.  If so, a repair procedure is in the document.

    If not, please continue to work with technical support.

    If others need to contact technical support, you can find contact information at: http://www.symantec.com/support/contact_techsupp_static.jsp

     



  • 5.  RE: IPS defs not updating on 11.0.7 unmanaged clients

    Posted Oct 08, 2012 01:41 PM

    Hi jkubu,

    Thanks for the information.   It describes exactly the IPS problems we've been having.   All of our clients stopped updating on the same date.  Unfortunately, technical support didn't point us to this article.   The solution stated in the article is to run LiveUpdate an receive IPS updates dated 2012/09/16 rev. 002 or higher to remove the incorrect read-only attribute.

    Technical support told us to uninstall and reinstall the SEP client to fix the issue.   Evidently the tech I'm working with is not aware of this KB article.    He said that he was not aware of any issues with IPS definitions, but clearly there is one.   This was our suspicion since it affected all of our clients at the same time.   

    So, we've uninstalled and reinstalled and have our clients' IPSes working again, but I'm going to give you credit for the solution.     It was a real pain to have to uninstall/reinstall all of our SEP clients, I wish we had known about this sooner.

    Sorry for the late reply, and thanks again for the KB article.

    Regards,

    Wally