Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

  • 1.  Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:26 PM
    First question:

    I've noticed my Virus Defs are taking a long time to deploy to my clients.  Like today I still have not received my latest virus defs, I'm still stuck on January 7, but my server says that it has the ones from 1/11.  Why the lag time?  Now I'll be honest, on mine I came in and was in Standby mode and have not yet rebooted.  Is that a factor?

    Question 2.  On my SEP server, I have the console installed on my N Drive but the client itself is installed to the C Drive.  I've noticed on the C Drive the c:\program files\Common Files\Symantec Shared directory is 3.57 GIG.  No way it's supposed to be this large?



  • 2.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:28 PM
    Why the lag time?  Now I'll be honest, on mine I came in and was in Standby mode and have not yet rebooted.  Is that a factor?

    Reboot is not causing the issue

    On my SEP server, I have the console installed on my N Drive but the client itself is installed to the C Drive.  I've noticed on the C Drive the c:\program files\Common Files\Symantec Shared directory is 3.57 GIG.  No way it's supposed to be this large?

    Should not be huge, it's related to the original 31-Dec-2009 date I guess.
    More info here
    https://www-secure.symantec.com/connect/forums/symcdata-folder-rapidly-fills-disk-space

    https://www-secure.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010
     


  • 3.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:32 PM
    Where you install the program the definitions will be downloaded and stored in C drive (root drive)
    Mainly in 2 places
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads
    C:\Program Files\Common Files\Symantec Shared\SymcData

    Update your SEPM and SEP Clients to MR5/Ru5/11.0.5002.333

    For definition issue please follow
    https://www-secure.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-10-jan-2010


  • 4.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:43 PM
    Our Virus Defs are on server at 1-11-2010 rev 003

    Client side I'm sitting January 7.

    I cannot update to MR5 yet due to higher ups not allowing us to do so.


  • 5.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:51 PM
    What is the exact SEPM version you are using?
    In SEPM - on top right - About
    11.0.xxxx.xxxx ??


  • 6.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:54 PM
    Here is a workaround:
    1. Stop all Symantec Endpoint Protection services
    2. Delete all .tmp files and folders in C:\Program Files\Common Files\Symantec Shared\SymcData\sesmipsdef32, \sesmipsdef64, \sesmvirdef32, and \sesmvirdef64
    3. Delete the contents of the C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads folder
    4. Restart the SEP services

    or call Symantec and get the SymDelTemps utility
    The SymDelTemps utility could also be used to delete the temp files in the sub-folders.  Please be aware that the behavior will continue if the utility is used without stopping the SEP services.

    The guide above is essentially what the SymDelTemps utility does. So if you don't want to call support or don't have a valid license you can do this instead. Keep in mind this is strictly a workaround and the upgrade to RU5 should fix your issue.
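
The four-step workaround in the post above, as a dry-run-first PowerShell script. This is an added example, not part of the original post and not Symantec's SymDelTemps utility; the paths are the ones quoted in the thread, while the parameter names and the `Symantec*` display-name filter are assumptions to adjust per host.

```powershell
# Added example, not Symantec's SymDelTemps. Paths are the ones quoted in the post.
param(
    [switch]$Delete,                        # without -Delete nothing is removed
    [string]$SymcData  = 'C:\Program Files\Common Files\Symantec Shared\SymcData',
    [string]$Downloads = 'C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads',
    [string]$ServiceFilter = 'Symantec*'    # assumption: display-name pattern, adjust per host
)

# Step 1 check: refuse to delete while any matching service is not stopped.
$running = @(Get-Service -DisplayName $ServiceFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Stopped' })
if ($Delete -and $running.Count -gt 0) {
    Write-Error ('Stop these services first: ' + (($running | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}

# Step 2: *.tmp files and folders directly inside the four definition folders.
$targets = @()
foreach ($sub in 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64') {
    $dir = Join-Path $SymcData $sub
    if (Test-Path -LiteralPath $dir) {
        $targets += @(Get-ChildItem -LiteralPath $dir -Force |
            Where-Object { $_.Name -like '*.tmp' })
    }
}
# Step 3: everything inside the LiveUpdate Downloads folder (the folder itself stays).
if (Test-Path -LiteralPath $Downloads) {
    $targets += @(Get-ChildItem -LiteralPath $Downloads -Force)
}

# Report the size of each item, then remove it only when -Delete was given.
$total = 0
foreach ($item in $targets) {
    $size = 0
    Get-ChildItem -LiteralPath $item.FullName -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $size += $_.Length }
    $total += $size
    '{0,14:N0}  {1}' -f $size, $item.FullName
    if ($Delete) { Remove-Item -LiteralPath $item.FullName -Recurse -Force }
}
$mode = if ($Delete) { 'removed' } else { 'found (dry run, nothing deleted)' }
'{0:N2} GB in {1} items {2}' -f ($total / 1GB), $targets.Count, $mode
# Step 4, restarting the services, is left to the administrator.
```

Run it once without `-Delete` to see how much of the SymcData growth is `.tmp` content, then again with `-Delete` after the services are stopped.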



  • 7.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 01:56 PM
    Might help to get the disk space issue as of now, when you get time upgrade to MU5 at the earliest.
    http://www.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm
    Very well written


  • 8.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 03:20 PM
    So is it Corrupted Def Files or is it a MR 4 Problem?



  • 9.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 11, 2010 03:41 PM
    It's an MR4 problem.
    Please upgrade to Mu5, and a little addition by this 31 date issue, because it's going to read the defs over and over again, that's what I can think about


  • 10.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)



  • 11.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:01 AM
    Okay so right now My Server has downloaded 1-11-2010 updates but I have 1096 Updates still stuck on 1-7.  I can manually push them but that's gonna get old after a while.

    This is tied to T-2k10? 

    Even if I do a Live update from the client it won't download the newest defs



  • 12.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:02 AM

    Okay so right now My Server has downloaded 1-11-2010 updates but I have 1096 Updates still stuck on 1-7.  I can manually push them but that's gonna get old after a while.

    This is tied to T-2k10? 

    Even if I do a Live update from the client it won't download the newest defs



  • 13.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:08 AM
    The update will be released soon to fix this issue,
    updating from LU should show new date


  • 14.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:10 AM
    Live Update isn't fixing it though, even though I'm calling the actual server.  But the more important question is - why isn't my server pushing them down automatically?  If I can do it manually why won't it do it automatically?



  • 15.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:25 AM
    When you say manually, is that you right click on the group and update content?
    Or restart the SEP service?
     


  • 16.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:28 AM
    Right Click and update content


  • 17.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 10:30 AM
    What is the heartbeat interval for your clients?
    By default it's 5 mins, have you changed that?
     


  • 18.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 11:58 AM
    Heart Beat is every 10 mins and I'm on Push Mode


  • 19.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 12:01 PM
    If it's in push mode then there is a constant connection with SEPM, there should not be a delay in updating the defs.
    Are your clients in different regions / subnets?
    All the clients exhibit the same symptom


  • 20.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 12:05 PM
    Under Admin > Server > LiveUpdate, have you set the content definitions to keep to 1?

    With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009070719483348
     


  • 21.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 12:11 PM
    No, it was set to 2 but I've changed it to 1 going forward.


  • 22.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 12:22 PM
    And Defs are not taking off.  Anything I should try?



  • 23.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 12:24 PM
    They are on different subnets but where my server sits there shouldn't be a problem with the server pushing to them.

    I have 11 Clients that have the 1-11 Defs.  1,179 have "All Other"



  • 24.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 01:22 PM
    Change it back to 1 or it will break for distribution of content updates
    https://www-secure.symantec.com/connect/idea/symantec-endpoint-protection-manager-should-not-allow-set-number-content-revisions-keep-1

    Your problem is with the 31-12 defs which cannot be fixed without a patch.

    SEPM cannot distribute 2010 definitions (do not go by what it shows on home tab Symantec version and SEPM version)

    Your clients got 2010 definitions by either manually updating it or from the internet.
    SEPM still cannot distribute 2010 definitions.

    Take some time to go through this thread, there are people having similar queries which have been answered.
    https://www-secure.symantec.com/connect/forums/sepm-update


  • 25.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 01:36 PM
    Alright so I can do an Update content and get them out that way, but the clients won't get them by themselves, at least 2010 defs.

    If I push our MR5 Will it help?



  • 26.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 01:42 PM
    At the moment that will not help... Upgrading to MR5 will only help reduce your disk space.

    Don't worry, the fix should be out either today or tomorrow that will automatically fix everything SEPM... and SEP will automatically get the latest updates without human intervention.

    Latest update on this issue today was
    -----------------------------------------------------------------------------------------------------------------
    Hi All

    The team has completed one certification pass with extremely positive results, but we still need more time before posting. Our goal continues to be one that ensures the fix meets the highest quality with minimal customer intervention. Due to the complexity of testing, it is unlikely that the first fix will be delivered today. While our confidence level for posting the fix tomorrow is higher, it still continues to fluctuate based on test results.  I do realize the frustration this is causing with the moving target. This is the latest information that we have. Please be patient as we will be posting another status later this evening.

    As a reminder, once we are ready to post I will provide a 2 hour notification window before it goes live. 

     
    JimW
     
     

    Jim Waggoner
    Director Product Management, Symantec Endpoint Protection, Enterprise Security Group, Symantec



  • 27.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 12, 2010 01:46 PM
    For the meanwhile you have 3 options

    1. Use LiveUpdate Administrator
    2. If bandwidth permits, let the clients receive their definitions from the Internet till this issue is fixed.
    3. Adjust your LiveUpdate Content Security Definitions policy to force the client to use the latest SEPM definitions, which should be 31-12-2009 rev 122 (this was released today and has all definitions up to 12th Jan but it only shows an older date as SEPM currently cannot handle 2010 defs)


  • 28.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 13, 2010 09:04 AM
    Any updates?  Still sitting at 1,000 Old definitions.

    Something else I noticed last night.  From inside my office I won't download the Virus defs but if I do a Live update from outside the office I get them.  Is that a problem because I can SEE my management server it doesn't want to do Live Update?



  • 29.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 13, 2010 10:02 AM
    Updates for MR3 have been released... Once Symantec gets a positive result from the MR3 fix, they will release the MR5 fix... the fix for the rest of the versions will follow after that.


  • 30.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 13, 2010 01:47 PM
    So since server is at MR4 they haven't put it out yet correct?


  • 31.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Jan 13, 2010 01:50 PM
    That is correct.
    MR3 rollout has been successful so Symantec is planning to roll out MR5 definitions next, maybe today or tomorrow... then the rest of the versions will follow.


  • 32.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)
    Best Answer

    Posted Jan 16, 2010 06:43 PM
    Update 16-JAN-2010

    https://www-secure.symantec.com/connect/downloads/sepm-patch-definition-issue - video highlighting the Patch

    Patches for the following builds:

    SEPM MR3 (11.0.3001.2224)
    SEPM MR4 (11.0.4000.2295)
    SEPM MR4 MP1 (11.0.4010.19)
    SEPM MR4 MP1a (11.0.4014.26)
    SEPM MR4 MP2 (11.0.4202.75)
    SEPM RU5 (11.0.5002.333)

    have been posted on the LiveUpdate servers.

    Reminder: Do not downgrade to get this patch.

    Please refer to the following KB document for details regarding this issue:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348 



  • 33.  RE: Two Questions (Virus Definitions - Deploy) and (Symantec Shared Directory - HUGE)

    Posted Mar 25, 2010 12:24 AM

    Any other way to update SEPM?