Remove definitions for LiveUpdate administrator testing

Created: 02 Oct 2013 | 15 comments

What is the most effective way to remove definitions from my workstation to test downloading definitions from an internal LiveUpdate Administrator server? I am working on a new LU server and want to test the download more than once a day.


Beppe's picture

Hello,

reinstalling the SEP client is the easiest way to do it.

Regards,

Giuseppe

Mithun Sanghavi's picture

Hello,

Why remove the definitions?

Instead, I would suggest that you:

1) Create a new TEST group.

2) Move the client/s to the TEST group. (so that they report to this group)

3) Change the Liveupdate Policy to take the updates from the LUA.

4) Upon next heart beat interval, the next updates would be taken via LUA.

LUA servers mirror the definitions available on Internet LU servers. These defs include a type called Direct Deltas, but those are not the same as the delta defs generated by the SEPMs and delivered by GUPs.

Here's an article that may be of help:

A Helpful LiveUpdate Administrator 2.x Analogy
https://www-secure.symantec.com/connect/articles/helpful-liveupdate-administrator-2x-analogy

If SEP is the only Symantec product in the organization, and the SEPM has internet access, the SEPMs and GUPs can usually do a better job of keeping all clients up-to-date than a LUA. LUA will always use more bandwidth, but can offer a couple of options (testing defs before being rolled out, etc.) that SEPM can't.

These articles can help, too:

https://www-secure.symantec.com/connect/articles/managing-liveupdate-administrator-2x-space-usage

https://www-secure.symantec.com/connect/articles/liveupdate-administrator-2x-server-connection-recommendations

https://www-secure.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions

LUA is a great product, when used and configured correctly.  It is important to make sure it is right for you and then set it up thoughtfully. 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

nwranich's picture

The issue with that is I would like to test the update multiple times each day. If the client is already running the same version of definitions that are on the LUA, then the update would not occur.

This LUA 2.3.2 server is a replacement of a LUA 1.x server. This is not our primary source of definitions updates; we do use GUPs. This is a secondary update method for manual updates that avoid going to the Internet. I just want to be able to make changes on the LUA and see if my client still updates, hence why I want to remove the definitions from my client and test again.

Beppe's picture

The day after, the client won't have the same version of the definitions that are on the LUA anymore, and the update would occur.

Regards,

Giuseppe

nwranich's picture

That is true, but then I would only be able to test once :)  I'd like to test multiple times each day

Beppe's picture

Symantec releases definitions 3 times per day...
Anyway, you are making things more complex than they are... take a few systems, connect them to your new LUA and monitor them for some days, that's all you really need.

Regards,

Giuseppe

Alex at Fishnet Security's picture

What I would do is to just delete the virusdef files from the directory.  This will force a full definition download on your next check-in.  This is the easiest way to do that part.

To enforce that you're downloading from the Live Update server, you can use either a group or a location.  That is up to you.  It's essentially the same thing, place the endpoint into the new group/location with a live update policy that updates only from the internal live update server.

nwranich's picture

Thanks Alex.  I will give that a shot.  I know I'm downloading from the internal LiveUpdate server because I'm testing by manually running LiveUpdate and that server is the only LiveUpdate server I have identified in the LU policy the test machine is in.

SMLatCST's picture

The below methods for clearing out corrupt defs would do the trick.  These are the most thorough methods of removing defs from a client (short of a full uninstall & install):

http://www.symantec.com/docs/HOWTO59193
http://www.symantec.com/docs/TECH103176
http://www.symantec.com/docs/TECH93036

Mick2009's picture

Hi nwranich,

Is this for short-term testing or will it be an ongoing procedure? If you're going to be performing this testing, getting LUA 2.x configured well and then just monitoring it, there may be an easy solution. Create a newly-installed SEP client on VMware, with the policy applied to retrieve definitions from the LUA server's Distribution Center. Then create a snapshot of that image.

Perform one test, alter the LUA server's configuration, restore the "newly installed, needs definitions" snapshot and test again.  That's what I often do.

Hope this helps!

Mick

With thanks and best regards,

Mick

nwranich's picture

Thanks Mick.  You are right in your thinking.  This is just a testing scenario until I have the internal LU server configured as needed.  I didn't think about using VM to do the testing.  That may be the easiest route.

Riya31's picture

Use the rx4def tool, which will delete all the definitions present in the virusdefs folder.

Refer to the following document:

http://www.symantec.com/business/support/index?page=content&id=TECH93036

nwranich's picture

Is there another version of Rx4Defs for SEP 12?  I'm running SEP 12.1.2 MP1 and the version linked did not remove any defs.

SMLatCST's picture

Nopes, the tool is only for SEP11 AFAIK.  Please see my earlier linked article on how to remove defs from a SEP12.1 client (only one I could find at the time).

nwranich's picture

Thank you.  I was hoping to be able to remove the defs without editing the registry, but if this is what needs to be done, then I have no option.  Thanks again.