
SEP 12.1.1000.157 (RU1) IPS Signature Definitions out of date and not updating

Created: 18 Sep 2012 | 10 comments

Hi All,

I have SEPMs that are 12.1 RU1 supporting a mixed client base of SEP 11 MR4, SEP 11 RU5, SEP 11 RU6a, SEP 11 RU6 MP2 and SEP 12.1 RU1 clients. Most of the virus/spyware/SONAR defs are up to date, but I have a lot of systems that are reporting out-of-date IPS Signature definitions and I do not know how - nor can I find any KB articles on how - to manually update.

The clients are configured to access GUPs on their local subnets and we are not using Symantec LiveUpdate servers for the clients - only the SEPM.  Is there any way to force IPS Signature defs to download current?

Thank you!


.Brian's picture

What date are you showing? Latest from Symantec should be 9-17-2012 rev. 001.

Did you verify on a client that it is truly out of date? I have seen some reporting issues here and there where the SEPM will report the client is out of date but upon checking the client, everything is fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

PaulCourtois's picture

Hi Brian,

SEPMs show 9/15/2012 r2.  One client I verified is showing 9/8/2012 r2. 

Paul Courtois

CareFusion

Sr. Analyst Client System Security | PGP

.Brian's picture

Do you have the ability to run a LiveUpdate on the client to see what the result is? Just to test one client to see if it can update via LU...


PaulCourtois's picture

I moved the client into a group that enables live update and the client auto updated and is showing 9/17/2012 r1. 

I also pulled a SEP support tool that I have a Symantec Tech looking at. 

Paul Courtois

CareFusion

Sr. Analyst Client System Security | PGP

.Brian's picture

Are there any errors in the System log related to not being able to update or update failed to apply?


PaulCourtois's picture

No.  Everything looks normal. 

Paul Courtois

CareFusion

Sr. Analyst Client System Security | PGP

pete_4u2002's picture

What's the definition on SEPM for IPS?

On the client not showing updated, can you check locally if it's the case?

 

PaulCourtois's picture

I downloaded LiveUpdate content for the SEPM and it showed that IPS has no new updates.  Not sure why it did not download 9/17/2012 IPS defs.  Virus/Spyware and SONAR defs are all current. 

Paul Courtois

CareFusion

Sr. Analyst Client System Security | PGP

jkubu's picture

Hi Paul,

Symantec just posted a new KB article about IPS signatures being stuck. I recommend you check out this doc: http://www.symantec.com/business/support/index?page=content&id=TECH196871 to see if the version of IPS signatures that you were stuck on is within the stated criteria. If so, a repair procedure is in the document.

If not, please continue to work with technical support (from your comments, it appears you've already engaged tech support).

If others need to contact technical support, you can find contact information at: http://www.symantec.com/support/contact_techsupp_static.jsp

Jon Kubu

Senior Manager, Enterprise Support Services

pete_4u2002's picture

Thumbs up to the above advice!

You should be seeing the same pattern if the clients are updated using Symantec LiveUpdate, as the reported issues are on SEP 11 only, and that too RU 5 and above.

http://www.symantec.com/business/support/index?page=content&id=TECH196871

Repair option

Intrusion Prevention updates that were released on September 18th, 2012 or later, dated 2012/09/16 rev. 002 or higher, remediate the attribute on almost all configurations. Administrators with configurations listed below can check their clients by searching in SEPM for clients that use an old IPS version.

  • Clients that consistently receive updates from a LiveUpdate server will receive the content update that will correct their configuration automatically.

  • Clients that use both LiveUpdate and Symantec Endpoint Protection Manager for content can be corrected by running LiveUpdate to a Symantec LiveUpdate server or to a LiveUpdate Administrator. This can be done from the management console by executing the "run LiveUpdate now" command. Once the client has received affected content from LiveUpdate, they will not be repaired until they run LiveUpdate again – the Symantec Endpoint Protection Manager will not distribute the fix.
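The check described in the repair option above (finding clients still on an IPS version older than 2012/09/16 rev. 002) can be scripted once client versions are exported from SEPM. This is an added example, not part of the thread or of Symantec's KB article; the host names are hypothetical, the sample rows are constructed, and the input shape (a list of host/version pairs) is an assumption about how you export the data.

```python
import re
from datetime import date

# Threshold quoted in the thread: content dated 2012/09/16 rev. 002 or higher carries the fix.
FIX_VERSION = (date(2012, 9, 16), 2)

# Matches the spellings used in the thread: "9/15/2012 r2", "9-17-2012 rev. 001", "2012/09/16 rev. 002".
_VERSION_RE = re.compile(
    r"^\s*(\d{1,4})[/-](\d{1,2})[/-](\d{1,4})\s+r(?:ev)?\.?\s*(\d+)\s*$", re.IGNORECASE)

def parse_ips_version(text):
    """Return (date, revision) for an IPS definition string, or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IPS version: {text!r}")
    a, b, c, rev = (int(g) for g in m.groups())
    # A first field above 31 means year-first; otherwise month/day/year as in the posts.
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return date(year, month, day), rev

def clients_missing_fix(inventory):
    """Split inventory rows into (hosts below FIX_VERSION, hosts with unparseable versions)."""
    stale, unknown = [], []
    for host, version in inventory:
        try:
            if parse_ips_version(version) < FIX_VERSION:
                stale.append(host)
        except ValueError:
            # Covers unknown formats and impossible dates; these need a manual look.
            unknown.append(host)
    return stale, unknown

# Constructed sample rows (hypothetical host names); versions use the formats seen in the thread.
SAMPLE = [
    ("host-a", "9/8/2012 r2"),
    ("host-b", "9/15/2012 r2"),
    ("host-c", "9/17/2012 r1"),
    ("host-d", "2012/09/16 rev. 002"),
    ("host-e", "9-17-2012 rev. 001"),
    ("host-f", "n/a"),
]

if __name__ == "__main__":
    stale, unknown = clients_missing_fix(SAMPLE)
    print("below fix version:", stale)
    print("needs manual check:", unknown)
```

Hosts in the first list have not yet received content at or above the version the KB says remediates the problem; per the repair option, those that receive content from LiveUpdate need to run LiveUpdate again.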