Endpoint Protection

  • 1.  SEP 11- Does anyone monitor endpoint status for outdated AV, IPS defs, etc and investigate for remediation?

    Posted Oct 02, 2009 12:13 PM
    I'm curious to see if there are other customers experiencing the same results we are with SEP 11. We're running MR3 and have about 50k endpoints deployed. We're finding that a significant portion of our endpoint population (thousands) is either experiencing issues with updating AV and IPS defs (at least these two update types if not others) and/or issues with reporting those pieces of information back to the SEPM. What we're finding are clients which are connected to the SEPMs, e.g. online on my network, and which seem to be healthy otherwise, can resolve my LU servers, etc, but have outdated AV or IPS defs reported to the SEPM. For some systems it's both AV and IPS, some just IPS or AV, etc. Since there aren't really easy indicators via the SEPM reporting, e.g. show me all clients where they have a recent check-in timestamp but have outdated AV or IPS defs, querying the database to quickly identify clients in this state is almost a must. It appears that there may be at least a couple of scenarios at play:

    1) Somehow the client sends information to SEPM which is blank or an incorrect value for the def date/version value
    2) The client is downloading updates but can't apply them.

    One problem is that the endpoint agent only seems to complain about outdated AV defs, while it runs along silently with outdated IPS defs. This makes it unlikely end users will notice and raise it as an issue for helpdesk or desktop support to investigate or repair. 

    It seems all fixes need to be made manually for these issues, e.g. the agent doesn't acknowledge any of the symptoms and try to self heal. Anyhow, I can't imagine we're alone and I suspect this exists in similar numbers for other customers, but is harder to detect and the SEPM doesn't alert you to these scenarios and they may be going undetected.  I believe the client needs to be fixed so it can detect these health issues and repair itself, but unless there are enough customers who recognize they too have the issue I'm not sure it's going to get the attention it deserves for a rapid fix.
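    To make the "recent check-in but outdated defs" query from the post concrete, here is an added illustration (not code from this thread or from Symantec) that runs over a constructed client-status export. The column names, date formats and thresholds are assumptions for the example, not the SEPM reporting schema; the same logic could be pointed at a real report export once the columns are mapped. It separates the post's two scenarios: a blank or unparsable definition date (scenario 1) is reported as a missing value, while a parsable but old date is reported as stale.

```python
"""Flag SEP clients that still check in but report stale or missing AV/IPS defs.

Added example; column names below are assumptions, not SEPM's real schema.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real SEPM output). Columns are assumptions.
SAMPLE_EXPORT = """computer_name,last_checkin,av_def_date,ips_def_date
WS-0001,2009-10-02 11:55,2009-10-02,2009-10-01
WS-0002,2009-10-02 11:50,2009-09-20,2009-10-01
WS-0003,2009-10-02 11:40,2009-10-02,2009-09-15
WS-0004,2009-09-10 08:00,2009-09-01,2009-09-01
WS-0005,2009-10-02 11:30,,2009-10-02
"""


def _parse(value, fmt):
    """Return a datetime, or None when the field is blank or unparsable.

    A None here corresponds to scenario 1 in the post: the client reported a
    blank or incorrect definition date to the SEPM.
    """
    try:
        return datetime.strptime(value.strip(), fmt)
    except ValueError:
        return None


def parse_export(text):
    """Read a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_online(rows, now, checkin_window=timedelta(hours=24),
                      max_def_age=timedelta(days=3)):
    """Return {computer_name: [issues]} for clients that checked in within
    checkin_window but whose AV or IPS definitions are missing or older
    than max_def_age. Clients that are not checking in at all are skipped:
    that is a different, and already visible, problem."""
    findings = {}
    for row in rows:
        checkin = _parse(row["last_checkin"], "%Y-%m-%d %H:%M")
        if checkin is None or now - checkin > checkin_window:
            continue  # offline or never reported; not the case under study
        issues = []
        for kind in ("av", "ips"):
            def_date = _parse(row[f"{kind}_def_date"], "%Y-%m-%d")
            if def_date is None:
                issues.append(f"{kind}_def_missing")   # scenario 1
            elif now - def_date > max_def_age:
                issues.append(f"{kind}_defs_stale")    # scenario 2 (or a reporting bug)
        if issues:
            findings[row["computer_name"]] = issues
    return findings


if __name__ == "__main__":
    report_time = datetime(2009, 10, 2, 12, 0)  # constructed "now"
    hits = find_stale_online(parse_export(SAMPLE_EXPORT), report_time)
    for name, issues in sorted(hits.items()):
        print(f"{name}: {', '.join(issues)}")
```

Running it lists WS-0002 (AV stale), WS-0003 (IPS stale) and WS-0005 (blank AV date), while WS-0004 is skipped because it has not checked in for weeks. Running such a pass on a schedule and feeding the result to the helpdesk queue covers the gap the post describes for IPS, where the agent itself raises no visible warning.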


  • 2.  RE: SEP 11- Does anyone monitor endpoint status for outdated AV, IPS defs, etc and investigate for remediation?

    Posted Oct 02, 2009 01:35 PM
    Upgrade. That is the best advice I can give you. You are now behind two major versions, let alone some critical hot fixes that were made in MR4 (MP1, MP1a, and MP2).

    The following are available to you:
    MR4 MP2
    and the latest and greatest RU5 (let's call it MR5; the stupid rename of the patch bugs me)


    The MR5 update seems to make upgrades a breeze to the clients.  But you'll have to update your SEPM to MR4 first, before going to MR5 IIRC.


  • 3.  RE: SEP 11- Does anyone monitor endpoint status for outdated AV, IPS defs, etc and investigate for remediation?

    Posted Oct 02, 2009 01:36 PM
    We are using 1000 clients of SEP 11 MR4. I do face this type of problem: the client is online and SEPM shows the last check-in time as current, but the client definitions are 3 to 4 days old.

    Although this type of client is only 5 to 7% of total clients, it is an area of concern, as the client can connect to the SEPM server but is unable to update itself.

    For this I have created a test group with the same policies as the others, and moved those problematic clients to that group, and after some time the client gets updated.

    Then again I move that client to the original group.

    I don't know why this happens, but it works sometimes.


  • 4.  RE: SEP 11- Does anyone monitor endpoint status for outdated AV, IPS defs, etc and investigate for remediation?

    Posted Oct 02, 2009 03:50 PM
    I would agree with teiva-boy, we have much better luck with definitions after upgrading to MR4 and things seem great with RU5.