In the SEP Manager UI, there is no setting available to make the system download Rapid virus definitions automatically. The latest Rapid definitions can only be installed manually, by downloading them and copying them to a certain folder. Sometimes it might be crucial to install the latest Rapid definitions automatically, e.g. when a fast-mutating virus emerges or when a previously unknown virus outbreak hits your systems.
To solve this problem, here is a PowerShell script. On the server, in the Task Scheduler, schedule it to run automatically at a given interval, e.g. every 3 hours. The script checks the Symantec FTP for Rapid definitions and downloads them if they are newer than the ones downloaded previously. It copies the downloaded definitions into the SEPM incoming folder (e.g. "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming"), where SEP Manager automatically detects and installs them. After this, it saves the name of the latest definitions into a simple text file, which is used later to determine whether there have been any updates.
If the situation normalizes and the virus attacks fall back to the usual numbers, simply disable the script in Task Scheduler, so the system will install only the certified definitions again.
The script's contents; copy it to a directory of your choosing (e.g. "D:\_scripts"):
# FTP location of the Rapid Release definitions and anonymous login
$proto = 'ftp://'
$fqdn = 'ftp.symantec.com'
$docLibURN = '/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/'
$usr = 'anonymous'
$pass = 'pass'

# Local download folder, version log and SEPM incoming folder
$dstFolder = 'D:\_RapidRelease'
$RelVersion = $dstFolder + '\ReleaseVersion.txt'
$TargetFolder = 'D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming'

# Name of the last definitions file downloaded (empty on the first run)
$verinfo = if (Test-Path $RelVersion) { Get-Content $RelVersion } else { @() }
$verinfolast = $verinfo | Sort-Object | Select-Object -Last 1
$docList = @{}

# Use the system proxy with the credentials of the account running the script
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

$req = [System.Net.WebRequest]::Create($proto + $fqdn + $docLibURN)
$req.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
#$req.PreAuthenticate = $true
$req.Proxy = $proxy
$req.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails

try {
    # Read the directory listing
    $res = $req.GetResponse()
    $sr = [IO.StreamReader]($res.GetResponseStream())
    $webpage = $sr.ReadToEnd()
    $sr.Close()
    $res.Close()

    # Collect the .jdb files; the pattern expects an HTML-formatted listing (href links)
    $weblines = $webpage -split "`r`n|`r|`n"
    switch -regex ($weblines) {
        '.*href="(?<docRelPath>.*\.jdb)".*\>(?<docFolderName>.*)\<.*' {
            $docList[$matches.docFolderName] = $matches.docRelPath
        }
    }

    $webclient = New-Object System.Net.WebClient
    $webclient.Credentials = New-Object System.Net.NetworkCredential($usr, $pass)
    $webclient.Proxy = $proxy

    # Take the newest file by name and download it only if it was not downloaded before
    $docList.Keys | Sort-Object | Select-Object -Last 1 | ForEach-Object {
        if ($verinfolast -eq $_) {
            Write-Host ($dstFolder + '\' + $_ + ' Exists')
        }
        else {
            $webclient.DownloadFile($($proto + $fqdn + $docList.Item($_)), $dstFolder + '\' + $_)
            # Record the version, then hand the file over to SEPM
            echo $_ >> $RelVersion
            Move-Item $dstFolder\*.jdb $TargetFolder
        }
    }
}
catch [System.Net.WebException] {
    $res = $_.Exception.Response
}
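The scheduling step described above (run every 3 hours, disable again once the outbreak is over) can also be done from PowerShell instead of the Task Scheduler UI. This is an added example, not part of the original post; the script file name, the task name, the function names and the SYSTEM account are assumptions, and it needs the ScheduledTasks module (Windows Server 2012 or later).

```powershell
# Assumed (hypothetical) names, not taken from the post
$scriptPath = 'D:\_scripts\Get-RapidRelease.ps1'
$taskName   = 'SEPM Rapid Release download'

function Register-RapidReleaseTask {
    if (-not (Test-Path $scriptPath)) { throw "Script not found: $scriptPath" }

    # Run the downloader without a profile and without prompting
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

    # First run in 5 minutes, then every 3 hours
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
        -RepetitionInterval (New-TimeSpan -Hours 3) `
        -RepetitionDuration (New-TimeSpan -Days 3650)

    # Assumption: SYSTEM. The script authenticates to the proxy with the
    # default credentials of the account it runs as, so pick an account the
    # proxy accepts and that can write to the SEPM incoming folder.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # Never start a second copy while a download is still running
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
        -ExecutionTimeLimit (New-TimeSpan -Hours 1)

    Register-ScheduledTask -TaskName $taskName -Action $action `
        -Trigger $trigger -Principal $principal -Settings $settings
}

# Back to certified definitions only: keep the task, but stop it from running
function Suspend-RapidReleaseTask { Disable-ScheduledTask -TaskName $taskName }

# Next outbreak: switch it back on
function Resume-RapidReleaseTask { Enable-ScheduledTask -TaskName $taskName }
```

Run Register-RapidReleaseTask once from an elevated prompt, then use Suspend-RapidReleaseTask and Resume-RapidReleaseTask as the situation changes.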
If you are using Symantec Protection Engine, you can do this without a script:
You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Protection Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default. To receive automatic Rapid Release updates, you must enable and schedule Rapid Release. When Rapid Release is scheduled, Rapid Release runs at the specified time interval that you select.
Reference: Configuring Rapid Release updates to occur automatically
http://www.symantec.com/docs/HOWTO79715
Very handy, thanks for sharing.
But one thing to be aware of is that these Rapid definitions are not 100% fully tested, just a basic test. So you may find some applications being picked up incorrectly as viruses.
So something to be aware of. But this is a good tool. :)