Endpoint Protection

  • 1.  How to verify what source a client is loading definitions from?

    Posted Apr 15, 2009 08:46 AM
    I thought maybe this would be obvious and in the client logs, but it only says definitions have been updated, not the source or where they were downloaded from.

    We had an issue with 64 Bit clients using SAV 10, that required opening internet access to Symantec to get the definition files.

    I believe this issue has been resolved in SEP 11 with 64 bit clients, but would like to easily verify it.

    Perhaps the information is there and I'm not looking in the right place?

    Our corporate SEP 11 client policy for LiveUpdate is to only download definitions from the management server.  They cannot get to Symantec.

    Let me know if you have an easy answer.

    I don't have access to the servers, so I really don't want to perform a capture.

    As it is, I think I need to do an export just to identify which machines have the 64 bit client.

    Thanks!!


  • 2.  RE: How to verify what source a client is loading definitions from?

    Posted Apr 15, 2009 11:46 PM
    Hi Toko,

    SEP 11.0 supports 64-bit client definition updates from SEPM, hence no need to further update the clients from the internet.

    Secondly, you can lock LiveUpdate centrally from SEPM. This will ensure your clients are not going towards the internet to download the update.

    Rgrds,
    SAM


  • 3.  RE: How to verify what source a client is loading definitions from?

    Posted Apr 16, 2009 05:42 AM
    In SAV 10, it was the AV server that used to download the definitions, and since it was on a 32-bit computer it only used to download 32-bit definitions. So the 64-bit servers were only partially managed, as they had to be in a different group and downloaded the definitions directly from the Internet.
    However, in SEP 11 it's not SEP that downloads the definitions; this job is done by the SEPM console. Since SEPM is not dependent on any version or product, it can download everything.
    Client updates any version
    32 and 64 bit definitions and definitions for IPS and whitelist
    So in SEP, 64-bit clients are fully managed.
    To determine where the clients are getting definitions from you can either check the Log.Liveupdate or you can check the Sylinkmonitor logs.



  • 4.  RE: How to verify what source a client is loading definitions from?

    Posted Apr 16, 2009 05:55 AM
    Hi,

    In SAV 10 it is possible to download definitions for 64bit with Liveupdate Admin tool and then change the 64bit clients liveupdate settings from SSC or with liveupdate settings file exported from LUADmin. Then 64bit clients would download definitions with HTTP, FTP or UNC from internal server.

    - Jukka


  • 5.  RE: How to verify what source a client is loading definitions from?

    Posted Apr 16, 2009 08:39 AM
    I would just like a way, in a log, in a report, debugs....etc

    I wish the logs had just a little more detail other than "definitions have been updated"    "Scan has been completed". 

    It seems there are more and more options, more and more scans and components.  It would really be nice to know what is doing what.

    Thanks for the responses.

    I suspect/assume lots of things, but proof or evidence is really nice.




  • 6.  RE: How to verify what source a client is loading definitions from?
    Best Answer

    Posted Apr 17, 2009 02:44 PM
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate

    You will see the URL in the file if it is trying to access the update from the internet.

    I also ran across this document, which helped a little more.  I'll keep a copy available.

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/solutions_guide.pdf

    Everything else I've seen is basically checking to see what is set in the registry, which should match what was set in the policy.

    The toughest part is that you have to jump on to a remote client to dig around.

    If we are pulling logs back you would think it would be a log someplace.
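
    The check described in the best answer, as an added example that is not part of the original thread: a small Python script that pulls every URL or UNC path out of a copy of Log.LiveUpdate and counts them per host, split into approved internal sources and everything else. The host names, the allowlist and the sample log lines are constructed for illustration, and the real log layout may differ; the script only relies on the source appearing as a URL or UNC path somewhere in a line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches http/https/ftp URLs and UNC paths (\\server\share\...) anywhere in a line.
SOURCE_RE = re.compile(r'(?:https?|ftp)://[^\s"<>]+|\\\\[\w.-]+\\[^\s"<>]+', re.I)

def source_host(ref):
    """Return the lower-cased host name of a URL or UNC path."""
    if ref.startswith("\\\\"):
        return ref[2:].split("\\", 1)[0].lower()
    return (urlsplit(ref).hostname or "").lower()

def summarize_sources(log_text, internal_hosts):
    """Count referenced hosts and split them into (internal, external) dicts."""
    allowed = {h.lower() for h in internal_hosts}
    counts = Counter(source_host(m) for m in SOURCE_RE.findall(log_text))
    counts.pop("", None)  # drop anything that had no parseable host
    internal = {h: n for h, n in counts.items() if h in allowed}
    external = {h: n for h, n in counts.items() if h not in allowed}
    return internal, external

def read_log(path):
    """Read a copied log file, honouring a UTF-16 BOM if one is present."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

# Constructed sample lines, not captured from a real client.
SAMPLE_LOG = r'''
4/17/2009, 18:40:01 GMT -> download start: "http://sepm01.corp.example/content/defs32.zip"
4/17/2009, 18:40:09 GMT -> download start: "http://SEPM01.corp.example/content/defs64.zip"
4/17/2009, 18:41:30 GMT -> download start: "\\fileserver01\liveupdate\defs64.zip"
4/17/2009, 18:42:02 GMT -> download start: "http://liveupdate.vendor.example/defs64.zip"
4/17/2009, 18:42:10 GMT -> definitions have been updated
'''

if __name__ == "__main__":
    # Hypothetical allowlist: the management server and an internal file share.
    ok, other = summarize_sources(SAMPLE_LOG, {"sepm01.corp.example", "fileserver01"})
    print("internal sources:", ok)
    print("external sources:", other)  # anything here did not come from the allowlist
```

    To run it against a real client, copy Log.LiveUpdate from the path above and pass `read_log(path)` to `summarize_sources` with your own list of internal hosts.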