Update 28-FEB-2010
Previously Symantec communicated that 2009 dated definition content would no longer be available as of Sunday, February 28th. Due to a minority of customers still relying on these definitions, a decision has been made to continue posting these definitions three times per week until Saturday, March 13th. After this date no new 2009 definition content will be made available.
It is imperative that customers still deploying 2009 dated definitions make plans to immediately apply the patch to avoid leaving systems in an unprotected state. Customers running Symantec Endpoint Protection should confirm that all SEPMs are patched, either automatically via LiveUpdate or manually in order to continue to receive current definition content.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Update 16-JAN-2010
The SEPM patches for RTM, MR1, MR1MP1, MR2, MR2MP1, and MR2MP2 have been posted to the LU servers. With this update, all GA versions of SEP that have been released since September 2008 have a patch available for them. That list includes the following versions:
| Symantec Endpoint Protection Product version | SEPM component version |
|---|---|
| Symantec Endpoint Protection 11 Release to Manufacturer (RTM) - 11.0.776.942 | 11.0.780.942 |
| Symantec Endpoint Protection 11 Maintenance Release 1 (MR1) - 11.0.1000.1375 | 11.0.1000.1049 |
| Symantec Endpoint Protection 11 Maintenance Release 1 Maintenance Patch 1 (MR1 MP1) - 11.0.1006.103 | 11.0.1006.106 |
| Symantec Endpoint Protection 11 Maintenance Release 2 (MR2) - 11.0.2000.1567 | 11.0.2000.1213 |
| Symantec Endpoint Protection 11 Maintenance Release 2 Maintenance Patch 1 (MR2MP1) - 11.0.2010.25 | 11.0.2010.17 |
| Symantec Endpoint Protection 11 Maintenance Release 2 Maintenance Patch 2 (MR2MP2) - 11.0.2020.56 | 11.0.2020.26 |
| Symantec Endpoint Protection 11 Maintenance Release 3 (MR3) - 11.0.3001.2224 | 11.0.3001.1106 |
| Symantec Endpoint Protection 11 Maintenance Release 4 (MR4) - 11.0.4000.2295 | 11.0.4000.1171 |
| Symantec Endpoint Protection 11 Maintenance Release 4 Maintenance Patch 1 (MR4MP1) - 11.0.4010.19 | 11.0.4010.17 |
| Symantec Endpoint Protection 11 Maintenance Release 4 Maintenance Patch 1a (MR4MP1a) - 11.0.4014.26 | 11.0.4010.17 (same as MP1) |
| Symantec Endpoint Protection 11 Maintenance Release 4 Maintenance Patch 2 (MR4MP2) - 11.0.4204.75 | 11.0.4204.73 |
| Symantec Endpoint Protection 11 Release Update 5 (RU5) - 11.0.5002.333 | 11.0.5002.282 |
---------------------------------------------------------------------------------------------------------------------------------
For those who have SEPMs that do not have access to LiveUpdate, the manual fix tool is also available for download from the KB referenced. If you need instructions, view this video highlighting the manual patch: https://www-secure.symantec.com/connect/downloads/sepm-patch-definition-issue
Please refer to the following KB document for details regarding this issue if you need to download the manual patch.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348
***** In particular, if you use LiveUpdate Administrator and the following criteria are true:
- The SEPM is configured to download updates through LUA instead of Public LiveUpdate
- SEP Clients are configured to download updates from their SEPM.

then please ensure you read the following KB: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010901022848
-----------------------------------------------------------------------------------------------------------------------------------------------------
An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) server whereby all types of SEP definition content [AV/AS, IPS] with a date greater than December 31, 2009 11:59pm are considered to be “out of date”.
Customers running SEP are still protected, and we are continuing to release updated definitions as normal. However, for the time being, SEP definitions will display a date of December 31, 2009, with increasing revision numbers.
Symantec is working on a solution and will update customers when a solution becomes available.
IMPORTANT: This issue does not impact any other enterprise products (e.g. SAV or SCS) or consumer products.
For further information please see Symantec KB:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348
Impacted Products:
- Symantec Endpoint Protection v11.x Product Line
- Symantec Endpoint Protection Small Business Edition v12.x Product Line
For those customers also running NAC who have Host Integrity configured to check their clients' definitions, this issue will cause the HI check to fail. The following options are available to you:
- To report more accurately, for now, on SEP clients that are genuinely behind on AV/AS defs, statically set the min allowed def date to 30/12, so anything older than this fails HI.
- Disable the HI check on definition date.
- For the specific AV/AS definition date check, you could temporarily check the box to “allow HI to pass even if it fails”, so you can still log and report centrally on HI results.
This discussion will remain locked and serve as the official status post for this issue. It will be updated by Symantec employees with the latest information.
If you wish to discuss the issue further, please use the following post: https://www-secure.symantec.com/connect/forums/sepm-update
Symantec Endpoint Protection Engineering has completed their testing of the MR3 patch. We are posting the patch for MR3 and expect it to go live and be available for download within the next few hours.
In preparation for the first patch being released, please review the KB document for this issue. There are a number of conditions customers will need to keep in mind depending on their specific situation. The KB document can be located at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348
REMINDER: DO NOT downgrade from newer versions of SEPM to get this patch. We will be posting patches over the next week or so.
I will post another message once the patch is confirmed to be live on the LiveUpdate server.
Update 12-Jan-2010
Our Symantec Endpoint Protection Engineering team is continuing to work around the clock on the patch to resolve the SEPM definition issue. In the meantime, two different sets of definitions will be made available for SEP. A certified December 31st, 2009 dated definition set will be released three times a day, and a certified 2010 definition set will be released three times a day for SEP Clients to download directly from LiveUpdate.