Managing SEPM & SEP after vacation 

Dec 27, 2010 09:28 AM

It's vacation time and most of the offices are shut down, so the computers in these offices are most likely turned OFF. When we return from vacation and turn our computers ON, it's quite likely that the software installed on them will reach out to the internet or a designated source to get its updates. Symantec products are no exception and will try to fetch their respective updates. As far as SEPM and SEP client computers are concerned, the actions below should help reduce the traffic and the bandwidth congestion in the network.


When a machine is powered on after a gap of one or two weeks, the SEPM console probably does not have the latest virus definitions, so the clients will not have them either. The best strategy in that case is to update the SEPM console with the latest virus definitions first.

For the SEP clients, the latest Rapid Release definitions should help. Download the Rapid Release Intelligent Updater and keep it at a centrally shared location so that the clients can fetch the exe file from there and update their definitions. If possible, create a startup script that installs the exe when the computer starts, so that the AV/AS definitions, which consume the most bandwidth, are updated before the clients contact their respective SEPM.

Doing this reduces the traffic between the SEP clients and the SEPM. When a SEP client contacts the SEPM, the SEPM checks its own database for the version of definitions the client has. If the client's definitions are current or a day old, the SEPM distributes a delta update that is only a few KB in size. If the client's definitions are a week or two old, however, the SEPM dispatches the FULL.ZIP file, which can be around 50 to 70 MB (approximate value, it may vary) and consumes a lot of bandwidth.
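A startup script of the kind described above, added here as an example (not from the original article): it picks the 32-bit or 64-bit Rapid Release Intelligent Updater from a central share and runs it before the client contacts the SEPM. The share path \\fileserver\sepdefs, the log and marker file locations, and /Q as the updater's quiet switch are assumptions; verify the switch against your version's documentation.

```powershell
# Added example: startup script that applies the Rapid Release Intelligent Updater
# from a central share before the SEP client talks to its SEPM.
# Assumed: the share path, the log/marker locations, and /Q as the updater's quiet switch.
$Share   = '\\fileserver\sepdefs'
$LogFile = Join-Path $env:ProgramData 'sep-rapidrelease.log'

# Pick the 32-bit or 64-bit updater; the article's file names end in v5i32.exe / v5i64.exe.
$Pattern = if ([Environment]::Is64BitOperatingSystem) { '*v5i64.exe' } else { '*v5i32.exe' }

# Newest updater on the share; names start with yyyymmdd-rev, so a name sort is a date sort.
$Updater = Get-ChildItem -Path $Share -Filter $Pattern |
           Where-Object { -not $_.PSIsContainer } |
           Sort-Object Name -Descending | Select-Object -First 1
if (-not $Updater) {
    "$(Get-Date -Format s) no updater matching $Pattern on $Share" | Add-Content $LogFile
    exit 1
}

# Marker file makes the script idempotent: the same updater is not re-run on every boot.
$Marker = Join-Path $env:ProgramData ("sep-applied-" + $Updater.Name + ".txt")
if (Test-Path $Marker) { exit 0 }

# Copy locally so the installer does not execute directly off the network share.
$Local = Join-Path $env:TEMP $Updater.Name
Copy-Item -Path $Updater.FullName -Destination $Local -Force

# Run quietly, wait for it, and record the exit code for troubleshooting.
$Proc = Start-Process -FilePath $Local -ArgumentList '/Q' -Wait -PassThru
"$(Get-Date -Format s) ran $($Updater.Name) exit=$($Proc.ExitCode)" | Add-Content $LogFile
if ($Proc.ExitCode -eq 0) { New-Item -ItemType File -Path $Marker -Force | Out-Null }
Remove-Item -Path $Local -ErrorAction SilentlyContinue
exit $Proc.ExitCode
```

Deploy it as a computer startup script so it runs with local system rights before users log on and before the SEP client's scheduled SEPM check-in.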


How to update definitions for Symantec Endpoint Protection using the Intelligent Updater

The Intelligent Updater is an executable file that can be used to update virus definitions for the Symantec Endpoint Protection client. To update the definitions, run either the Daily Certified or Rapid Release Intelligent Updater on the local computer.

To use the Daily Certified Intelligent Updater to update definitions for the Symantec Endpoint Protection client

  1. Download the Intelligent Updater by going to http://www.symantec.com/avcenter/defs.download.html.
  2. Select the language.
  3. For the product, select Symantec Endpoint Protection.
  4. Locate the correct file to download for Symantec Endpoint Protection depending on whether it is for a 32-bit or a 64-bit operating system.
    For example, the file names might look like "20071008-016-v5i32.exe" (for 32-bit) or "20071008-016-v5i64.exe" (for 64-bit).
  5. Click the file specified for Symantec Endpoint Protection, and download it to your hard drive.
  6. Locate the file that you downloaded, and double-click to run the Intelligent Updater.


To use the Rapid Release Intelligent Updater to update definitions for the Symantec Endpoint Protection client

  1. Download the Intelligent Updater by going to http://www.symantec.com/avcenter/rapidrelease.download.html.
  2. Locate the correct file to download for Symantec Endpoint Protection, depending on whether it is for a 32-bit or a 64-bit operating system.
    For example, the file names might look like "vd2a5020.jdb" (for 32-bit) or "symrapidreleasedefsv5i64.exe" (for 64-bit).
  3. Click the file specified for Symantec Endpoint Protection, and download to your hard drive and run it.


How to update definitions for Symantec Endpoint Protection Manager using a JDB file

To Download the .JDB Daily Certified definitions:

In a browser, go to the following URL:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

On the next web page, "Symantec Endpoint Protection / Symantec Antivirus Corporate Edition", multiple headings/product categories are presented. Be aware that each set of definitions available is grouped by 32-bit or 64-bit product installation set. Download the correct (32-bit or 64-bit) .JDB file according to the Windows platform where the Symantec Endpoint Protection Manager is installed and save the file to the Windows desktop.

To Download the .JDB Rapid Release definitions:

  1. In a browser, go to the following URL: http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
  2. Download the available .JDB file and save the file to the Windows desktop.

To use the .JDB file to update definitions for Symantec Endpoint Protection Manager:

  1. After downloading, rename the file extension from ".zip" to ".jdb". (Most browsers detect the file type and automatically change the extension. This must be changed back to .JDB for use in the SEPM.)
  2. Copy the .JDB file to the "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming" (The location listed in this line is the default installation location and is presented as an example only).
  3. Within 30 seconds to a minute, the .JDB file will be processed. As the .JDB file is processed, all files and subfolders are removed from the "Incoming" folder.

Verify that the SEPM content is updated:

  1. To verify that the SEPM content has been updated, look in the following folders:
    32-bit definitions: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}"
    64-bit definitions: "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{1CD85198-26C6-4bac-8C72-5D34B025DE35}"
  2. Typically, there will be 3 numbered folders present. The folder naming convention is "yymmddxxx". For example "100602034". This is the date and build (revision) number of the definition set installed. Please note that the definition set installed may have been published the previous day and a set for the current day may not yet be available.
  3. Looking inside the folder that matches the set downloaded and installed, there should be a folder named "Full" and a zip file named "Full.zip".
  4. Looking inside the "Full" folder, there should be the files typically associated with a virus definition set.
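An added check (not part of the original article) that automates the verification above: it reads both content folders, parses the "yymmddxxx" folder names into a publish date and revision, and reports whether the newest set is complete (both the "Full" folder and "Full.zip" present) and recent. The install path and folder GUIDs are the defaults listed above; the two-day age threshold is an assumption.

```powershell
# Added example: verify the newest definition set in the SEPM content folders.
# Paths and folder GUIDs are the defaults from the article; MaxAgeDays is an assumed threshold.
$Base = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content'
$Sets = @{
    '32-bit' = '{C60DC234-65F9-4674-94AE-62158EFCA433}'
    '64-bit' = '{1CD85198-26C6-4bac-8C72-5D34B025DE35}'
}
$MaxAgeDays = 2
$Culture    = [Globalization.CultureInfo]::InvariantCulture

foreach ($Arch in $Sets.Keys) {
    $Dir = Join-Path $Base $Sets[$Arch]
    # Only folders named yymmddxxx (date + revision) are definition sets; ignore anything else.
    $Revs = @(Get-ChildItem -Path $Dir -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{9}$' } |
              Sort-Object Name -Descending)
    if ($Revs.Count -eq 0) { Write-Output "$Arch : no definition sets found in $Dir"; continue }

    $Latest    = $Revs[0]
    $Published = [datetime]::ParseExact($Latest.Name.Substring(0, 6), 'yyMMdd', $Culture)
    $Revision  = $Latest.Name.Substring(6, 3)
    $AgeDays   = [int]((Get-Date).Date - $Published).TotalDays
    # A complete set has both the extracted "Full" folder and the "Full.zip" the clients download.
    $Complete  = (Test-Path (Join-Path $Latest.FullName 'Full')) -and
                 (Test-Path (Join-Path $Latest.FullName 'Full.zip'))

    $Status = if ($Complete -and $AgeDays -le $MaxAgeDays) { 'OK' } else { 'CHECK' }
    Write-Output ("{0} : {1} set(s) kept; newest {2} (published {3:yyyy-MM-dd} rev {4}, {5} day(s) old, complete={6}) {7}" -f
        $Arch, $Revs.Count, $Latest.Name, $Published, $Revision, $AgeDays, $Complete, $Status)
}
```

A set reported as CHECK after the .JDB import means the file was not processed from the "incoming" folder, or the SEPM is still serving an older revision than the one you downloaded.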


Important Notes:

  1. For the 32-bit Intelligent Updater files for clients, the file names end with "i32.exe" and the 64-bit client file names end with "i64.exe".
  2. The Intelligent Updater file names for SAV clients end with "i32.exe" or "i64.exe".
  3. The Intelligent Updater file names for SEP clients end with "v5i32.exe" or "v5i64.exe".
  4. The Intelligent Updater file name that ends in "x86.exe" is only for certain products and should only be used with those products.
  5. The SEPM updater file has a ".JDB" extension.
  6. The SAV Parent updater file has a ".XDB" extension and only updates 32-bit virus definitions; SAV parent servers do not serve 64-bit definitions. 64-bit systems cannot be SAV parent servers.

It is applicable to Symantec Endpoint Protection Small Business Edition 12.0 as well, with a few configuration changes.

Comments

Apr 23, 2014 12:48 PM

Just a quick note: the link mentioned above has been deprecated. The current link (including reference to the currently-supported product) is http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep

Many thanks!

Mick

Jun 27, 2013 07:31 AM

Hi,

A client will download a full definition any time its SEPM is not able to build a delta for the content it is requesting. In order for the SEPM to be able to build a delta, the following conditions must be met:

  1. The SEPM must have a copy of the definition revision that the client is currently at.
  2. The SEPM must have a copy of the content being requested by the client.

If both conditions are met, then the SEPM will build a delta for the requested content.

In most cases, if a client is requesting a full.zip, it is because its definitions are farther out of date than the number of content revisions being kept on the SEPM. If a client is requesting a full.zip because of this condition, the product is working as designed.

Dec 30, 2010 10:22 AM

If the machine on which SEPM is installed is turned off and the clients are scheduled to take the updates from SEPM, then it would consume network traffic.

Dec 30, 2010 09:14 AM

Very nice article, thumbs up!

My question is why would the SEPM not have the latest updates? I suppose it could be shut off but I wouldn't know why that is needed.
