Endpoint Protection

I have one client that is showing the definition version that hasn't been published by Symantec. Pictures attached.This is the client that is on the same server as SEPM. All are using the same policy settings.

it could be rapid release definition that has been updated.

It must've got it from Symantec LiveUpdate. Did you verify? The System log will show when/where it was downloaded.

It got them from liveupdate.symantecliveupdate.com

 

Where can I check to see if it's getting Rapid Release definitions?

It sounds like your policy is configured to allow clients to go out to Symantec LU as well as get them from the SEPM. IS this what you want and did you check your LU policy? 

LU policy does allow them to get definitions directly from Symantec. I don't see where to allow/not allow rapid release definitions.

Rapid release needs to be manually dropped on the SEPM.

To me this looks like the client went out to LU and it had later content than the SEPM. This isn't abnormal.

How do I manually drop rapid release from the SEPM?

See here: http://www.symantec.com/docs/TECH104979 http://www.symantec.com/docs/TECH102607

Both of those articles show how to apply rapid release defintions. I don't see where it says to remove rapid release definitions?

There is no removing definitions. How do you know RR were even applied? This is a manual process to apply them. All I'm saying is the client went out to Symantec LU to get an update because your policy allows for it. I guess I'm confused on what the exact issue is here. The incorrect dates are likely just cosmetic and eventually work itself out. Either that or your SEPM hasn't reached out to Symantec LU to update itself. This is nothing new as I've seen this many times.

Hi, Thia is a certified definition, find the file attached Here's what may have happened... Today 03/30/2017, client may have tried reaching SEPM for definitions but it might habe failed for many reasons... So as configured, SEP went to live update server where it found this new certified rev 04 definition and downloaded it... https://www.symantec.com/security_response/definitions/certified/ So the question is why not SEPM has got this revision because it has not yet checked for the definition. SEPM will check that at its scheduled time.

I think our miscommunication came when you said "Rapid release needs to be manually dropped on the SEPM". I took "dropped" as in deleted, I believe you meant it as downloaded/applied.

 

Makes much more sense to me now. I have changed the policy so that the client will only check the SEPM now so it won't look like clients are ahead of the SEPM.

 

Thank you for your help!

My fault :) Yes, I meant downloaded and applied.

Sounds good. Check back if you need anything else.