Endpoint Protection

Trying to understand Rapid Release definitions

  • 1.  Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 01:34 PM

    I was trying to deploy Rapid Release definitions to a computer that I have connected to remotely. When this did not work, Symantec Tech Support says this is because the workstation is remote and I don't have appropriate permissions.

    I was then sent links to several articles.

    In How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client it says:

    "in case the Intelligent Updater executable fails, you can also locally update managed SEP clients (clients which are associated with a SEPM) with the option "Third third party content management" and a JDB file. Please consult the document "TECH104363 -  How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file" for more information"

    I went to "TECH104363 - How to manually update definitions for a managed Symantec Endpoint Protection Client using the .jdb file" and the verbiage is confusing.

    It says:

    Via the Symantec Endpoint Protection Manager:
    1. Go to "Clients"
    2. Open the Group in which the Clients can be found that need to be updated manually
    3. Edit the LiveUpdate Settings Policy
    4. In the LiveUpdate Policy, open the Tab "Servers Settings"
    5. On the "Servers Setting" Tab, enable the option "Enable third party content management"

    Directly on the Client:
    1. Make sure that the client got the policy change by checking for the existence of this folder:
       C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\inbox
    2. Download the *.jdb File from our Symantec Security Response Website:
       http://www.symantec.com/avcenter/defs.download.html for certified definitions or http://www.symantec.com/avcenter/rapidrelease.download.html for Rapid Release definitions.
    3. Copy the file on the Client PC into the folder:
       C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\inbox
    4. After a few minutes the client will have the new Antivirus Definitions.

     

    Questions

    1. Do we follow instructions for "Via the Symantec Endpoint Protection Manager" or "Directly on the Client"?

    2. If we follow one or the other (not both), how would "Via the Symantec Endpoint Protection Manager" work? If you enable the option "Enable third party content management", does this mean the latest certified *.jdb definition is applied? How does this work?
     



  • 2.  RE: Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 01:57 PM

    Does that show the latest updates if you open the SEP console?



  • 3.  RE: Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 02:17 PM

    Yes, it does.

    After I posted my question, I tried it on another client, it seems to work.

    The verbiage of the document was unclear. My suggestion is to change the headings to

    Via the Symantec Endpoint Protection Manager:
    Via the Client:

    A few words can make a big difference.



  • 4.  RE: Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 02:18 PM

    For the product feedback you may visit the following link
     
    http://engweb.symantec.com/enhancement/
     



  • 5.  RE: Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 02:30 PM

    Actually, I'm not sure if the client updated because I changed the LiveUpdate policy, or because the SEP client was installed five minutes ago.

    The client still has the old Policy ID, which is different from the policy of the test group I moved it to.

    Can someone familiar with applying *.jdb from SEPM to a single SEP client give a little more detail on how it works? There is only so much someone can understand from reading the documentation.



  • 6.  RE: Trying to understand Rapid Release definitions

    Posted Apr 19, 2011 05:09 PM

    1. Do we follow instructions for "Via the Symantec Endpoint Protection Manager" or "Directly on the Client"?

    2. If we follow one or the other (not both), how would "Via the Symantec Endpoint Protection Manager" work? If you enable the option "Enable third party content management", does this mean the latest certified *.jdb definition is applied? How does this work?

    Actually, both sets of instructions must be followed. You must enable the tick box in the SEPM, because that is what enables the creation of the inbox folder. Then on the SEP client, verify that the inbox folder exists. If it does, copy the jdb file into it.

    If you don't enable third party content management, the inbox folder does not get created and you can't do the Client steps.

    I'll see what I can do to clarify the document.

    sandra

    Edit to add: I have updated the document for clarity. It may take a bit for the change to propagate.



  • 7.  RE: Trying to understand Rapid Release definitions

    Posted Apr 20, 2011 12:51 PM

    The document is now clear.

    I tried the steps and it still didn't work. What could have possibly gone wrong? I made sure the clients had the policy of the group, and it has been several hours.

    I went to

    http://www.symantec.com/business/security_response/definitions.jsp

    and had difficulty finding the appropriate *.jdb. From the above link, I went to

    Download Definitions By Product > Select Product > Symantec Endpoint Protection > was taken to http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce > Scrolled down to Manager Installations on Windows Platforms (32-bit) > downloaded and copied the first *.jdb file into the "inbox" folder, which I had to create myself.



  • 8.  RE: Trying to understand Rapid Release definitions

    Posted Apr 20, 2011 02:53 PM

    ...copied the first *.jdb file into the "inbox" folder, which I had to create myself.

    That's what went wrong. If you had to create the incoming folder yourself, then either the policy you modified was not applying to that client, or the client did not receive the policy.

    sandra

    ps. Glad the edits helped



  • 9.  RE: Trying to understand Rapid Release definitions

    Broadcom Employee
    Posted Apr 21, 2011 09:13 AM

    Yes, the .jdb file disappears after being placed in that folder. It extracts and updates the definition.

    You should not be concerned about the event logs, assuming the virus definitions are getting updated.
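
The client-side half of the procedure discussed in this thread, as an added PowerShell example that is not part of any post and is not Symantec tooling: it refuses to create the inbox folder (a missing folder means the LiveUpdate policy has not reached the client), copies the .jdb in, and waits for the client to consume it. The parameter names, timeout and poll interval are assumptions; the default inbox path is the one quoted from TECH104363 above.

```powershell
# Added example, not Symantec tooling. Run locally on the managed SEP client.
param(
    [Parameter(Mandatory = $true)]
    [string]$JdbPath,            # assumed parameter: the downloaded .jdb file
    # Default is the inbox path quoted from TECH104363 in this thread.
    [string]$Inbox = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\inbox',
    [int]$TimeoutSeconds = 600,  # assumed; the document only says "a few minutes"
    [int]$PollSeconds = 15       # assumed poll interval
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $JdbPath -PathType Leaf)) {
    throw "Definition file not found: $JdbPath"
}
if ([System.IO.Path]::GetExtension($JdbPath) -ne '.jdb') {
    throw "Expected a .jdb file, got: $JdbPath"
}

# Never create the folder by hand. The client creates it only after it has
# received a LiveUpdate policy with third party content management enabled,
# so its absence is the signal that the policy has not been applied.
if (-not (Test-Path -LiteralPath $Inbox -PathType Container)) {
    throw "Inbox folder missing: $Inbox. Check that 'Enable third party content management' is set in the group's LiveUpdate policy and that the client has received it."
}

$target = Join-Path -Path $Inbox -ChildPath (Split-Path -Path $JdbPath -Leaf)
Copy-Item -LiteralPath $JdbPath -Destination $target
Write-Output "Copied to $target; waiting up to $TimeoutSeconds s for the client to consume it."

# The client removes the file from the inbox once it picks it up.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if (-not (Test-Path -LiteralPath $target)) {
        # Pickup is not proof of a successful update: confirm the definition
        # date in the client UI and look for Event ID 13 (SescLU).
        Write-Output 'File consumed by the client. Verify the definition date before closing out.'
        exit 0
    }
    Start-Sleep -Seconds $PollSeconds
}
Write-Warning "The .jdb is still in the inbox after $TimeoutSeconds s; the client is not processing it."
exit 1
```

A consumed file only shows that the client picked the package up; as the later posts show, the definitions can still fail to install, so the definition date remains the real check.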



  • 10.  RE: Trying to understand Rapid Release definitions

    Posted Apr 21, 2011 09:16 AM

    Update:

     

    I was advised to run SEP Support tool and TestSec. Feedback was that there was a previous virus infection that may have corrupted virus definitions.

    The following event was in the logs:

    Event ID 13: "SescLU - LiveUpdate returned a non-critical error. Available content may have failed to install."

     

    I was told to run Rx4DefsSEP, and reboot, but it didn't work.

    Now, when I tried to delete the inbox file, it immediately creates itself. Thinking this was a good sign, I attempted to copy and paste the *.jdb file into inbox. Problem is, every time I paste the *.jdb file in inbox, it just disappears.

    What is happening?

     

    Edit: I rebooted, and the client still has damaged AV/AS definitions.



  • 11.  RE: Trying to understand Rapid Release definitions

    Posted Apr 21, 2011 09:20 AM

    Well, the clients are still not getting updated definitions. I was told to read

     

    Event ID 13: "SescLU - LiveUpdate returned a non-critical error. Available content may have failed to install."

    http://www.symantec.com/business/support/index?page=content&id=TECH91615&actp=search&viewlocale=en_US

     

    Any other advice?



  • 12.  RE: Trying to understand Rapid Release definitions

    Broadcom Employee
    Posted Apr 21, 2011 09:24 AM

    Run the SEP Support Tool and post the results.



  • 13.  RE: Trying to understand Rapid Release definitions

    Posted Apr 21, 2011 10:30 AM

    As I run the SEP Support Tool the definitions for AV/AS and Network Threat Protection got up-to-date. However, Proactive Threat Protection is still from Apr 18.

    How do I post the .sdbz file? I am unable to attach it.



  • 14.  RE: Trying to understand Rapid Release definitions

    Posted Apr 21, 2011 10:47 AM

    I posted

    D441QKC1__2011_04_21__10_07_42_LP_Full.zip

     

    Change the filename back to

     

    D441QKC1__2011_04_21__10_07_42_LP_Full.sdbz
