
Security Response in SEPM Console not updating


  • 1.  Security Response in SEPM Console not updating

    Posted Sep 10, 2010 07:10 AM
    This morning a level 3 ThreatCon level showed up as W32.Imsolk.B@mm was in the wild.
    Showed that 232 computers were unprotected from the virus, so we downloaded the latest DAT 2010-09-09 rev 049 and it's been distributed to our client PCs.
    However, it's still showing all PCs as unprotected with the Security Status - Attention Needed message listing all PCs even though they have the latest DAT version.

    Anyone else getting this? Or is it a bug in v11.0.6100.645? Or is this normal behaviour?

    Thanks

    Wayne


  • 2.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 07:16 AM
    Hi,

    I have seen this behaviour on all the SEPMs today. More information is awaited...


  • 3.  RE: Security Response in SEPM Console not updating
    Best Answer

    Posted Sep 10, 2010 07:20 AM


  • 4.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 07:36 AM
    Here's an extract from the W32.Imsolk.B@mm threat page that says rev 049 protects you from it.
    Therefore we shouldn't have to download any Rapid Release versions.



    W32.Imsolk.B@mm
    Risk Level 3: Moderate
    Discovered: September 9, 2010

    Updated: September 10, 2010 7:07:08 AM
    Also Known As: W32/Autorun-BHO [Sophos], W32/VBMania@MM [McAfee], WORM_MEYLME.B [Trend]
    Type: Worm
    Infection Length: 290,816 bytes
    Systems Affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000

    W32.Imsolk.B@mm is a mass-mailing worm that also spreads through removable and mapped drives. It additionally spreads through shared folders and instant messaging and attempts to download files on to the compromised computer.

    Other resources
    For more information, please see the following resource:
    New round of email worm, "Here you have"
     
    Antivirus Protection Dates
    Initial Rapid Release version September 9, 2010 revision 037
    Latest Rapid Release version September 9, 2010 revision 037
    Initial Daily Certified version September 9, 2010 revision 049
    Latest Daily Certified version September 9, 2010 revision 049
    Initial Weekly Certified release date September 15, 2010
     


  • 5.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 07:49 AM
    I think it just says that the computers are unprotected. But if you click on the line where it says 11 computers unprotected, it explains that the definitions required to be able to deal with this threat are already there on the computers.
    So I think it is a minor issue that will be resolved soon.


  • 6.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 08:07 AM
    Here is a writeup for the same

    W32.Imsolk.B@mm
    Web URL: http://www.symantec.com/security_response/writeup.jsp?docid=2010-090922-4703-99

    Certified LiveUpdate definitions have now been posted for the same.


  • 7.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 08:10 AM

    Same here. 2010-09-09 rev. 049 distributed into 88% of clients but SEPM still has "warning" that almost all of them unprotected. Opening the list of "unprotected" clients, most of them having def 2010-09-09 rev. 049. Confused..


  • 8.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 09:03 AM
    Resolved:


    Update the SEPM with the rapidrelease .jdb file. Once all the clients get updated to the next revision, the issue gets solved.


  • 9.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 09:04 AM
    Well, installing the Rapid Release DATs does fix the problem, but I hate to install DATs that haven't been fully tested and certified.
    Had to do it though just to get my manager off my back. Now the Security Status bar has turned green he's looking a lot more relaxed.


  • 10.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 09:08 AM

    See this:

    Applying rapid release definitions to a Symantec Endpoint Protection (SEP) client.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052116163448

    How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030710560348



  • 11.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 09:42 AM
    The home page reports that all systems are unprotected because the data used to generate these reports is historical.  By default you will see information based on the last twelve hours of data, so if a client was not using definitions newer than 2010-09-09 rev. 049 during that time period, they will show up on this report.
     
    The settings for these reports can be accessed from the “Preferences” link on the Home page. Only 12 and 24 hour options are available:

     
    To see the current status of systems please run the default quick report:

     
     


  • 12.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 10:29 AM
    We have the same issue. The console shows 539 computers unprotected. We only have 500 clients, not sure why it shows 539?
    Also we have 323 clients with the new def v49:

    Attachment: Doc1_5.doc (154 KB)


  • 13.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 11:02 AM

    @mxu

    You need to update ALL your computers to def rev 49....



  • 14.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 11:16 AM

    What about the PCs that have been off for a while?  Is there any way to clear/reset the security response area?  It's not real easy to turn some of the PCs on and it would be nice to clear that area since it really is not that big of an issue.



  • 15.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 11:42 AM

    It shows 3115 computers unprotected.  When I click on the link it shows a report that says 09-09-10 49 is the latest definition file to protect client, but it shows that most of the clients already have that version.  Please send us the fix?!



  • 16.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 11:50 AM

    Having the same issue....



  • 17.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 11:54 AM

    Will the next Certified release of definitions clear this? I don't like using rapid release definitions.



  • 18.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 12:07 PM

    Yes, once the next certified definitions are updated to SEPM, and then to the clients, this should be fixed. The PCs that are off for a while... as soon as they connect back and get updated definitions, they should be fine.



  • 19.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 01:01 PM

    Rapid Release updates the defs to today's date. The 9/9/10 v49 defs apparently don't fix the issue.  Once Symantec releases the next official update, this should be resolved.



  • 20.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 01:39 PM

    Just out of curiosity when does the next certified definition release happen? What's the typical time table on certified releases by Symantec?



  • 21.  RE: Security Response in SEPM Console not updating

    Posted Sep 10, 2010 01:44 PM

    Daily or sometimes a few times a day.