Security Content for Symantec Endpoint Protection clients

One more reason to use RUN Networks Integrated Antivirus.

Below is an excerpt from the Symantec Antivirus knowledgebase, http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348. This seems like a Y2K problem, only it’s 2010. Symantec antivirus, although it updates the same as before, doesn’t recognize a date newer than 2009. The fix: release new definition updates, but keep the December 31, 2009 date.

Question/Issue: Why are the Security Content dates for Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Manager (SEPM) not progressing beyond 12/31/09?

SNAC Behavior – If Host Integrity (HI) is being used to check for AntiVirus (A/V) definitions compliance on the agent, it will fail.

Symptoms: Security Content dates on the following Symantec products are dated 12/31/09 rev xxx despite being the latest available through LiveUpdate:
  • Symantec Endpoint Protection v11.x Product Line
  • Symantec Endpoint Protection Small Business Edition v12.x Product Line
  • Products which rely on Symantec Endpoint Protection for definition updates (e.g. Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino)
Note: This includes all Security Content updates – including Antivirus definitions, Proactive Threat Protection (PTS) Truscan definitions, and Intrusion Prevention System (IPS) definitions.

This issue can manifest in the following ways: The following is a list of the expected behaviors of affected Symantec software with default configurations. If the settings for functionality such as alerts or notifications have been altered from the default values, it is possible that your experiences may vary from those below.

Managed Clients:
  • End users of managed clients will not receive an alert notification by default
  • The default for this alert is 30 days
SNAC Clients:
  • Large numbers of agents may be Quarantined as a result of failing HI checks based on A/V definition file dates.
Symantec Endpoint Protection Manager (SEPM) Console – Dashboard:
  • The SEPM Dashboard by default will not display that the definitions are out of date. The default for this setting is “10” days
  • The definition dates listed in the Virus Definitions Distribution section of the Home Page will reference 2010-01-xx rev xxx
SEPM Notifications:
  • If SEPM Notification for “out of date definitions” has been enabled, then it is possible that the prescribed threshold has been exceeded and a notification may be triggered.
Group Update Provider:
  • This issue does not directly impact this component
Live Update Admin Server:
  • This issue does not directly impact this component.
Intelligent Updater (IU) Customer Solutions:
  • IU definitions will display a normal version date and are not directly impacted by this issue.
  • It is important to NOT attempt switching between IU and LUJDB based updates until this issue has been resolved.
Cause: An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) which causes Security Content newer than 12/31/2009 11:59 PM to be considered older than content previous to that date/time. Any content with a date of 1/1/12:00 AM or newer will be purged from the SEPM if the maximum number of definitions revisions has been reached. Since 12/31/09 rev xxx is considered the latest content available to the SEPM, a client will not update to a content revision later than the highest numbered revision available on this date. To mitigate this issue, Security Response is no longer incrementing the date on SEP Security Content and instead only incrementing the revision number of the content. Security Response will continue to provide definitions in this manner as a workaround until a permanent solution can be provided.

Solution: Symantec is aware of this issue and is currently investigating it. This document will be updated as soon as more information becomes available. Once a solution is available it will be posted to LiveUpdate, and SEPM/SPC will download and apply the update automatically.

Note: If you do not wish to have your SEPM/SPC updated automatically to address this issue, please see the section below titled “How to prevent LiveUpdate from updating SEPM/SPC.”

Security Response will continue to publish Symantec Endpoint Protection security content with the date 12/31/2009, and will only increase the revision number of the content. More specifically, the last certified definitions that were published on December 31, 2009 were the “12/31/2009 rev. 041” version. The next certified definitions to be published will have a revision number greater than 041. As of Thursday January 7, 2010, the Symantec Endpoint Protection Antivirus definition version “12/31/2009 rev. 119” has been published. Rev 119 includes all of the latest definition updates through January 7, 2010.
Note: It is important to recognize that although new security content updates will show a date of 12/31/2009, they will contain up-to-date content. Relative definition age can be determined by the revision number.

While this issue is being resolved, SEP definitions are being built outside of the normal build process. To ensure we retain the quality of the definitions during this period, the SEP definitions are only being built once a day. Definition builds for all other products remain the same.

SEP Customer Workarounds:
  1. Client machines will continue to receive the latest protection available without any intervention from the user. Please be aware of the following exceptions:
  • Rapid Release (RR) and Certified definitions distributed using the Intelligent Updater (IU) will reflect the actual publication date. Clients updated with one of these IU packages will no longer update from a SEPM unless the LiveUpdate Content Policy is configured to force the client to use a specific update.
  • Clients using a Symantec Network Access Control (SNAC) Host Integrity (HI) Policy requiring a minimum Antivirus Signature File age may fail the HI Check. Until this issue is permanently resolved, HI policies should be modified to relax minimum Antivirus Signature File age requirements.
  2. Configure clients to download content from Symantec LiveUpdate.

Note: Enabling client LiveUpdate may cause an increase in network traffic as each client connects to the internet to download virus definitions.

To correct the definition date showing on SEP 11.0.x and SEP 12.0 SBE clients, customers can configure clients to download the latest ‘Virus and Spyware Protection’ definitions directly from LiveUpdate. These definitions are properly dated as 2010 definitions.
    1. On the SEPM, click “Policies”
    2. Click “LiveUpdate”
    3. Click “LiveUpdate Settings,” then edit each of your LiveUpdate Settings policies.
    4. Select “Server Settings,” then select the checkbox ‘Use a LiveUpdate Server’
    5. Select “Use the default Symantec LiveUpdate server”
After making this change and running LiveUpdate on a client, the ‘Virus and Spyware Protection’ definitions will have a January 2010 date. The latest ‘Proactive Threat Protection’ and ‘Network Threat Protection’ definitions were released in December 2009, and therefore will not show a January 2010 date.

Note: Once a client has downloaded January 2010 definitions from LiveUpdate, the client should remain configured to download content from LiveUpdate until your servers have been patched with a fix for this issue. This is due to the SEPM server having ‘Virus and Spyware Protection’ definitions with a date of December 2009. Once patches are available and this temporary problem has been corrected by Symantec, details will be posted to this KB article. Please also note that once the SEPM servers have been patched, the clients should remain configured to download content from LiveUpdate for at least 3 days to ensure that they will get delta definitions from the SEPM server.
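The KB says relative definition age must now be read from the revision number, and that date-only Host Integrity checks will fail against the frozen 12/31/2009 stamp. The following added example (written for this post, not Symantec's code) parses the version strings quoted above, orders them by date then revision, and contrasts a naive age check with one that judges frozen-date content by a revision threshold; the `frozen_date`/`min_frozen_rev` parameters are this example's own assumption about how an administrator might script such a check.

```python
import re
from datetime import date

# Version strings as the SEPM console shows them: "12/31/09 rev xxx" or
# "12/31/2009 rev. 119" (format taken from the KB text above).
_VERSION_RE = re.compile(r"^\s*(\d{1,2}/\d{1,2}/(?:\d{4}|\d{2}))\s+rev\.?\s*(\d+)\s*$", re.I)


def parse_date(text):
    """Parse M/D/YYYY or M/D/YY (two-digit years are taken as 20YY)."""
    month, day, year = (int(p) for p in text.strip().split("/"))
    if year < 100:
        year += 2000
    return date(year, month, day)


def parse_version(text):
    """Return (date, revision) for a SEP definition version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised definition version: %r" % text)
    return parse_date(m.group(1)), int(m.group(2))


def is_newer(candidate, installed):
    """Correct ordering: later date wins; on the same date, the higher revision wins.
    Tuples compare element-wise, so any 2010 date sorts above every 2009 date."""
    return parse_version(candidate) > parse_version(installed)


def definitions_current(version, today, max_age_days, frozen_date=None, min_frozen_rev=0):
    """Host-Integrity-style freshness check.

    With only max_age_days this is the naive date check, which fails for every
    build stamped 12/31/2009 once that date is more than max_age_days old.
    frozen_date / min_frozen_rev are this example's assumption: content carrying
    the frozen date is judged by revision instead, since the KB states relative
    age can be determined from the revision number.
    """
    stamp, rev = parse_version(version)
    if frozen_date is not None and stamp == parse_date(frozen_date):
        return rev >= min_frozen_rev
    return (parse_date(today) - stamp).days <= max_age_days
```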