
IPS Signature not updating?

Created: 06 Sep 2012 | 11 comments

I'm running SEP v.12.1.1101.401 on a mixed Server 2003/Server 2008R2/WinXP/Win7 environment. I've got two Server 2008R2 servers that are showing IPS signatures six weeks out of date, but when I open SEP on the server desktop, it shows the old date (7/27/2012) of the signatures, but the status display is "Secure". I checked in C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\ and the latest definition set on the management server is there (9/5/2012 at this writing), so it appears that the "client" server is downloading the package from the management server, but not applying it.

Other Server 2008R2 servers on the network running the same version of SEP off the same management server are up to date, and AntiVirus, Download Protection and SONAR definitions are up to date on the servers with out-of-date IPS signatures.

Any suggestions?

Jim


.Brian:

Are both of those servers in the same group as the servers that are updating?

Or are they in a different group with no IPS policy applied?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

jvonstein:

All of my Server 2008R2 servers are in the same SEP group.

Jim

.Brian:

Is there any error(s) showing in the System log on the client?


.Brian:

I've had success in the past fixing corrupt IPS defs by simply deleting the folder and letting it re-download again.

Following this document:

http://www.symantec.com/business/support/index?pag...

Except I would just run smc -stop, stop the SEP service and delete the IPSDefs folder. I wouldn't make any changes to the registry. The above doc is mainly for removing virus defs so it really doesn't apply much other than how to stop the services.

Also, this was done in a test environment so I wasn't worried about breaking something.

I would bet that re-installing your client would fix it and may be your best bet but I'm just sharing what I have tried in the past. It's likely unsupported and not recommended so be cautious if you try it.


John Santana:

Wow that sounds very simple "run smc -stop, stop the SEP service and delete the IPSDefs folder".

How often do the IPS signatures get updated? I believe it is not as frequent as the AV signatures?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

jvonstein:

I don't see any error messages in the client log (Windows or SEP) that shed any light on things. I'm a little nervous about blowing the folder away, since both of the servers with this behavior are important production servers...

Jim

.Brian:

You can try a repair.

A reinstall will require a reboot. You can also try to reinstall just the NTP component but that will also require a reboot.


jvonstein:

Very interesting. I tried to delete the folder and was unable to. Even though logged in as a domain admin and running Windows Explorer as an administrator, when I tried to delete the folders, I got a "You'll need permission from an Administrator" message. I tried taking ownership of the files/folders as the domain admin login, and got "Access denied".

Same result working from the command line...

.Brian:

Did you stop the service?

Disable tamper protection.


Ashish-Sharma:

Hi,

If you are not able to delete the definitions, please restart the system.

Symantec Endpoint Protection (SEP) 12.1 client is maintaining multiple virus definitions versions on servers

http://www.symantec.com/business/support/index?page=content&id=TECH180056


Most of the computers that are affected have been found to be running scheduled scans at the same time as the LiveUpdate session. Scheduling the scan for a later time (or switching from daily scheduled scans to weekly) will typically enable the older definition sets to be successfully deleted by SEP.

Additional workarounds are available, though neither will prevent the issue from happening again:

  • Reboot the machine. In observed cases where definitions had been marked for reboot, this does actually remove the definitions.
  • It has also been reported that stopping the client services and deleting the older virus definitions is also successful in clearing them out.

Symantec is currently investigating the issue further and this document will be updated when more information is available.

Thanks In Advance

Ashish Sharma
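An added example, not code from anyone in this thread, that performs the folder check Jim describes across several servers at once and also looks for the accumulated-definition-sets symptom quoted from TECH180056 above: it reads each server's IPSDefs folder over the admin share, reports the newest definition set and its age, counts how many dated sets are still on disk, and checks whether the SEP service is running. The host names, the YYYYMMDD.NNN folder naming convention and the SepMasterService service name are assumptions.

```powershell
# Added example, not from any poster in this thread. Read-only audit of the
# IPSDefs folder on several servers (Windows PowerShell 5.1 or earlier).
# Assumptions: client build path quoted in the thread, definition sets stored
# in subfolders named YYYYMMDD.NNN, C$ admin share reachable from this host,
# and the SEP 12.1 service name SepMasterService.
param(
    [string[]]$Servers    = @('SERVER01', 'SERVER02'),   # placeholder host names
    [int]     $MaxAgeDays = 7
)

$defsSubPath = 'ProgramData\Symantec\Symantec Endpoint Protection\' +
               '12.1.1101.401.105\Data\Definitions\IPSDefs'

$results = foreach ($server in $Servers) {
    $row = [ordered]@{ Server = $server; Service = 'Unknown'; NewestSet = $null;
                       AgeDays = $null; SetCount = 0; Status = 'OK' }
    try {
        $row.Service = (Get-Service -ComputerName $server -Name SepMasterService -ErrorAction Stop).Status
    } catch { $row.Service = 'QueryFailed' }

    $ipsDefs = "\\$server\C$\$defsSubPath"
    if (-not (Test-Path -LiteralPath $ipsDefs)) {
        $row.Status = 'PathNotFound'
        [pscustomobject]$row
        continue
    }

    # Only the dated definition folders; other items (e.g. definfo.dat) are ignored.
    $sets = @(Get-ChildItem -LiteralPath $ipsDefs -Directory |
              Where-Object { $_.Name -match '^\d{8}\.\d{3}$' } |
              Sort-Object Name)
    $row.SetCount = $sets.Count

    if ($sets.Count -eq 0) {
        $row.Status = 'NoDefinitionSets'
    } else {
        $newest = $sets[-1]
        $row.NewestSet = $newest.Name
        $setDate = [datetime]::ParseExact($newest.Name.Substring(0, 8), 'yyyyMMdd', $null)
        $row.AgeDays = [int]((Get-Date) - $setDate).TotalDays
        # Newest set too old: the client has not applied what it downloaded.
        if ($row.AgeDays -gt $MaxAgeDays) { $row.Status = 'Stale' }
        # More than two sets on disk: old sets are not being cleaned up (TECH180056).
        elseif ($sets.Count -gt 2)       { $row.Status = 'MultipleSets' }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Run it from a workstation with admin rights on the target servers; a 'Stale' row with a running service matches the behaviour Jim reports (new package on disk, client still showing the July date).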



Ian.Crowl:

I just wanted to check and see if anything more has come from this.

I have a handful of servers that are running Windows Server 2008R2 that have this same issue. It only affects the IPS definitions. I have tried the steps above at a previous time to remove the definition location on the server where the IPS files are stored. This resolved my issue for a bit, but then the server I tested on eventually showed out-of-date IPS definitions.

I am currently on 12.1.1101.401 for all servers and I am planning to try 12.1.2 soon, but not this week most likely.
My live updates are downloaded to a host server on the same network as the servers in question and the servers check for updates every 4 hours.

Can you please let me know if there is any sort of permanent fix?
If you need any more information on my end, please feel free to ask.

Ian