Endpoint Protection

I'm a little bit confused... I'm upgrading clients from 12.1 RU1 or 12.1 RU2 to 12.1 RU3.

I thought that if a client had only antispyware/antivirus component (no NTP, no Firewall, nothing), restart was not needed.
My clients, instead, reports Restart Needed if I open the SEP and in the tray the icon shows the well known yellow dot.

What is happening?

I've seen this before as well.

My understanding was this:

If going from 11.x to 12.1, a restart was needed no matter what.

If going from old 12.1 to new 12.1 with NTP than a restart is needed.

If going from old 12.1 to new 12.1 with only AV than no restart is needed.

However, I've also seen the reboot status go away after the upgrade is done. How long since you did the upgrade?

sep_inst.log reports installation completed 18 minutes ago.

Hello,

This could be due to certain kernel file changes in Autoprotect of SEP 12.1.

It's a best practice to reboot after unisntall/reinstalling software, again it's going to depend on the system state and could require a reboot, basically if it prompts to be rebooted then it should be rebooted.

Secondly, If you are planning to upgrade or migrate to Symantec Endpoint Protection 12.1.3, please take a look at the latest how-to article created by our very own SEP content council team.

Best practices for upgrading to Symantec Endpoint Protection 12.1.x

http://www.symantec.com/business/support/index?page=content&id=TECH163700

Hope that helps!!

Perhaps the AV engine has been updated in the latest release which requires the reboot

Thanks Mithun.

I know it's a best practice to reboot after installation but, you know, you cannot reboot some servers when you want.
I think a similar change (this didn't happen with 12.1 RU1 ---> 12.1 RU2) should be underlined in tech notes.

restart is not needed for the components to work, but restart is needed to complete the install.

For me it's an important change that should be tell in the tech notes... not good to leave (let me say) servers with yellow dot without knowing that.

AFAIK, a reboot is now always required.

This is meant to be due to the silo'd nature of the new upgrade method: the SEP installer caches all the files required for the new verson into a version specific folder, and swap round all pointers at reboot.  None of the files used by the older version of SEP should be touched until the reboot.

This is why you'd typically see multiple folders in the "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection" directory, listed with different version numbers (see screenie, taken from my test a moment ago for your LUA-related thread.  This did require a reboot to complete, but did not prompt for it).

This differs from the way SEP11 worked, in that when upgrading, 11 would attempt to make immediate changes to files used by the older version of SEP, in some cases reducing the security profile until it is able to swap the remaining locked files at reboot.  SEP12.1 is more secure in this way.

Big change from what I was told regarding 12.1 than

This is what I have observed from the upgrade today on an "AV Only" test box going from RU2 to RU3 as you can see from the screenie

Hi,

Thank you for posting in Symantec community.

Restart is required in this case as well.

SEP 12.1 employs a side-by-side, replace on reboot installation strategy. Side-by-side means that new files are written to a new folder, referred to as a silo, isolated from the existing operational folder. Because the two versions are separated from each other, during a migration the older software is left running unchanged until the next reboot.

The primary benefit of side-by-side installation and replace on reboot is that the system continues to be protected by the existing software until the new version is in operation after the reboot.

This technique enables you to change the normal portion of the installation path during a migration, when applicable. 

Thanks Chetan, precious post!