
Old definitions from a new install package?

Created: 09 Aug 2012 | 4 comments

Hello, I'm testing SEP 12.1 on a group of computers before we begin to roll it out at my company. I have tested a few installation methods. When I create a .msi installer package and manually put the files on the client's computer and install, I see that the latest definitions (at the time the install package was made) for virus, SONAR, and IPS are included. The machine quickly shows up in the SEPM console with relatively new definitions.

My problem is when I move SEP 11 clients into a client group that has SEP 12 install packages. The SEP 11 client upgrades to 12.1 automatically with no problem, but I noticed that the SONAR and IPS definitions are 4 months old! If it is using an install package from 2 days ago that has recent definitions and is known to work when installed manually, why do the packages provide such old SONAR and IPS definitions when installed from the SEPM console?

Please let me know if you have any suggestions or if you have experienced this situation. Thanks very much for your help!


SMLatCST

From what you've described (and assuming you are using default settings) this is working as intended.

You only get the option to include the latest definitions when you are exporting a SEP Client package, and no similar option exists when assigning a client upgrade package to a group.

My guess at the reasoning behind this is that an exported package could potentially be installed on a machine without network connectivity (and so cannot update), whereas using the upgrade option via the SEPM means that the client must have a connection to the SEPM, so is pretty much guaranteed to grab the latest defs once the upgrade is complete and it checks in.

There is a way round this however, and that is to use an exported SEP Client package (with latest defs) in conjunction with the Client upgrade feature in SEP.  Further details on this below:

Might be worth a try...

Mithun Sanghavi


Could you check on the SEPM whether it carries the latest SONAR and IPS signatures?

SEPM >> Admin >> Servers >> Highlight Local Site and click on "Show LiveUpdate Downloads".

To answer your question, when SEP version 12.1 clients are deployed with packages from SEPM, these packages are created with the latest definitions in them. However, SEPM needs to have the latest definitions on it when creating the packages.

So as soon as SEP clients get installed, the clients are installed with the latest definitions.

Now, in case these clients are mobile machines and connect to the SEPM for definitions but, say, are unable to fetch the entire download, then the next time they download, they would download the same definitions again.

i.e., it would fetch those days' definitions which have not been received by clients.

Here are a few articles for you:

Symantec Endpoint Protection 12.1: Installing the Manager for the first time and deploying clients

Creating custom client installation packages in the Symantec Endpoint Protection Manager console version 12.1

Upgrade clients to SEP 12.1 by Auto upgrade feature


See About the types of threat protection that Symantec Endpoint Protection provides.

See Configuring client installation package features.

After installation, you can enable or disable the protection technologies in the security policies.

See About enabling and disabling protection.

See Performing tasks that are common to all security policies.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Nonav249exe

My SEPM definitely had the latest definitions when I moved the client into the group that had the 12.1 install package.

The attached image (click to see the whole thing) shows the 3 install packages on my SEPM. Don't they automatically update with whatever definitions the SEPM has? And if so, wouldn't any client that was moved into a group with that install package get the most recent updates?

SMLatCST

I'm afraid there is no option to include the latest defs in the SEPM managed upgrade (as I mentioned in my earlier post), other than using the workaround I suggested.

When using the default SEPM Managed upgrade method, the endpoints are upgraded without the latest defs, and update their definitions via the heartbeat to the SEPM after the upgrade is complete.

This is the default behaviour by design.