Endpoint Protection

  • 1.  The Best Way to Remotely Update Clients Stuck on Old Definitions

    Posted Mar 08, 2011 02:00 PM

    We are running a SEP 11 RU5 environment.  Some of the clients are stuck on antivirus definitions that are months out of date.  What is the best way to fix these issues remotely?

    Should we use PSEXEC to launch SymDelTemps or RX4DefsSEP?

    A large amount of our problem machines are in the field, so I need a method to fix outdated definitions remotely and from behind the scenes.  How is everyone else handling this?



  • 2.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Posted Mar 08, 2011 02:07 PM

    Hi Ed,

     

    Have you tried the update command in the SEPM?

    Run Command on Clients>Update Content

    I have found hard drive space to be a contributing factor in most of the clients (I've seen) on updating definitions.

    Thanks,

    Mike



  • 3.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Posted Mar 08, 2011 04:01 PM

    I've never found the Update Content command to do anything useful.  All it does is trigger the client to update its content, which is the same thing that the client is set to automatically do each day.  A client that fails to update its content on its own automatically each day also fails when you force it via this command.  I believe these clients have corrupt definitions or something that is prohibiting the regular content updates from working.



  • 4.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Posted Mar 09, 2011 12:35 AM

    On one or two clients, try updating using Intelligent Updater.



  • 5.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Broadcom Employee
    Posted Mar 09, 2011 12:51 AM

    Are the clients communicating to the SEPM?

    You can configure the GUP on the segment on which clients are not updated. You can also use the jdb to update the clients.



  • 6.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Broadcom Employee
    Posted Mar 09, 2011 02:01 AM

    You can script this procedure:

    http://www.symantec.com/business/support/index?page=content&id=TECH103176

    I am afraid that Rx4defsSEP is not working on 64-bit machines.



  • 7.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions
    Best Answer

    Trusted Advisor
    Posted Mar 09, 2011 05:11 AM

    Hello,

    As of now, there is no tool for remote deployment of the Virus definitions to the machines carrying older definitions.

    What I personally suggest in such cases is to deploy a Symantec Endpoint Protection custom-built package with the latest definitions on those machines.

    Follow the Steps provided below:

    NOTE: These steps are not recommended unless the Symantec Endpoint Protection Manager is on version Release Update 5 or later.

    This process consists of the following main steps:

    • Gather the current definitions from either the SEPM or the SEP client
    • Export a client installation package from the Symantec Endpoint Protection Manager (SEPM) then modify the definition and intrusion prevention signatures included with that package.

    Gathering current virus definitions and intrusion prevention signatures from the Symantec Endpoint Protection Manager

    Virus Definitions

    1. Navigate to the current virus definitions within the Endpoint Manager content folder. The default path is:
    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}

    2. Within the "{C60DC234-65F9-4674-94AE-62158EFCA433}" folder there will be several numbered folders. Open the newest of these folders.
    To determine the age of the folders click View, then click Details. The newest folder will have the most recent Date Modified value.

    3. Copy the file labeled "full.zip" and paste it to the desktop.
    On the desktop, rename the copy from "full.zip" to "vdefhub.zip"
     

    IDS Definitions
    1. Navigate to the current intrusion prevention signatures within the Endpoint Manager content folder. The default path is:
    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{D3769926-05B7-4ad1-9DCF-23051EEE78E3}

    2. Within the "{D3769926-05B7-4ad1-9DCF-23051EEE78E3}" folder there will be several numbered folders. Open the newest of these folders.
    To determine the age of the folders click View, then click Details. The newest folder will have the most recent Date Modified value.

    3. Copy the file labeled "full.zip" and paste it to the desktop.
    On the desktop, rename the copy from "full.zip" to "IPSDef.zip"

    NOTE for 64-bit clients: To deploy content to 64-bit clients, use "full.zip" files in the following folders:

    IPS signatures for 64-bit clients:
    {42B17E5E-4E9D-4157-88CB-966FB4985928}

    Virus Definitions for 64-bit clients:
    {1CD85198-26C6-4bac-8C72-5D34B025DE35}

    > Follow the procedure below "Export a client installation package" to create a client installation package, and replace the vdefhub.zip and IDSDef.zip with the updated copies.
    > Run the setup.exe as normal, or create a self extracting executable using the procedure below "To create a self extracting executable package" .
     

    Gathering current virus definitions and intrusion prevention signatures from an existing Symantec Endpoint Protection Client

    First be sure that the client has been updated to the current AV and IDS content definitions.

    Virus Definitions
    1. Navigate to the current virus definitions within the SEP Client. The default path is: C:\Program Files\Common Files\Symantec Shared\VirusDefs\

    2. Zip the contents of the latest dated definition folder (e.g 20100423.002) to vdefhub.zip
    NOTE: Be sure to zip the contents of the folder, not the folder itself.

    NOTE: On Windows Vista, Windows 7 or Server 2008 the folder is in the following location:
    C:\ProgramData\Symantec\Definitions\VirusDefs\<dated definition folder>

     

    IDS Definitions
    1. Navigate to the current IDS definitions within the SEP Client. The default path is C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs

    2. Zip the contents of the dated definition folder (e.g. 20100416.002) to IDSDef.zip
    NOTE: Be sure to zip the contents of the folder, not the folder itself.

    NOTE: On Windows Vista, Windows 7 or Server 2008 the folder is in the following location:
    C:\ProgramData\Symantec\Definitions\SymcData\cndcipsdefs

    > Follow the procedure below "Export a client installation package" to create a client installation package, and replace the vdefhub.zip and IDSDef.zip with the updated copies.
    > Run the setup.exe as normal, or create a self extracting executable using the steps in "To create a self extracting executable package" below.
     

    Export a client installation package

    Export a client installation package that is not a single executable.

    To export a client installation package please refer to the following document:
    Creating custom Client Installation packages in the Symantec Endpoint Protection Manager Console
    http://service1.symantec.com/support/ent-security.nsf/docid/2007110513361348

    Navigate to the exported package.

    Replace vdefhub.zip and IPSDef.zip within the exported package folder with the ones created above.

    Clients deployed using this package will install with the modified virus definition and intrusion prevention signatures.

     

    To create a self extracting executable package

    To make the up-to-date package created above into a single executable file.

    1. Navigate to the exported package with up to date definitions created in the steps above.

    2.  If you wish to make the single executable package install silently, COPY the file "SaSetupWrapper.exe" from the "..\Symantec Endpoint Protection Manager\tomcat\bin" folder (default path is "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SaSetupWrapper.exe") to the full client install file set.
    3. Archive the contents of the exported package using the zip archive format.
    For Operating Systems that have an integrated zip utility (Windows XP/2003/Vista/2008):
    Click Edit then Select All
    Click File > Send To > Compressed (zipped) Folder

    4. Name the archive "input.zip"
    5. Move the input.zip file to C:\
    6. Open a command prompt and navigate to the following directory:

      >For Windows 32-bit operating systems type: cd C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\
      >For Windows 64-bit operating systems type: cd C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\

    7. Enter the following command:

    makesfx.exe /zip="c:\input.zip" /sfx="output.exe" /title="Symantec Endpoint Protection" /defaultpath="$temp$\sepinst" /autoextract /delete /exec="$temp$\sepinst\setup.exe"

    8. Once the command is complete the output.exe will be available at the path in step six and will run the installer when executed. (For more information on command line switches for MakeSFX.exe type "makesfx.exe /?" at the command prompt).

    Note - If you want a complete silent installation, create the package in the SEPM with a custom configuration that includes the "silent" option and then use this command to create the .exe:

    MakeSFX.exe /zip="C:\input.zip" /sfx="output.exe" /exec="$temp$\Symantec\SaSetupWrapper.exe" /defaultpath="$temp$\Symantec" /autoextract /delete /overwrite /NoGUI
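A script that carries out the staging steps of the post above, added here as an example and not part of the thread or of Symantec's tooling: it picks the newest full.zip from the content folders named above, swaps it into an already exported package (backing up the original and logging its SHA256 so the definitions actually shipped can be checked later), and can run the makesfx.exe line from step 7. Assumed: the default SEPM install path, Windows PowerShell 5.1 or later on the SEPM server, and that the exported package holds the IPS file under one of the two names the post uses (IPSDef.zip or IDSDef.zip).

```powershell
<#
  Added example, not part of the thread: stage the newest SEPM definition content into an
  already exported (non single-exe) client package as the post describes, then optionally
  wrap it with makesfx.exe. Assumes the default SEPM path, the GUIDs quoted in the post,
  and Windows PowerShell 5.1+ run on the SEPM server.
#>
param(
    [string]$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [Parameter(Mandatory)][string]$PackageDir,   # folder of the exported client package
    [switch]$X64,                                # use the 64-bit content folders from the post
    [switch]$BuildSfx                            # also run makesfx.exe (steps 3-8 of the post)
)
$ErrorActionPreference = 'Stop'

# Content folder GUIDs exactly as listed in the post, per client architecture.
$guids32 = @{ AV = '{C60DC234-65F9-4674-94AE-62158EFCA433}'; IPS = '{D3769926-05B7-4ad1-9DCF-23051EEE78E3}' }
$guids64 = @{ AV = '{1CD85198-26C6-4bac-8C72-5D34B025DE35}'; IPS = '{42B17E5E-4E9D-4157-88CB-966FB4985928}' }
$guids   = if ($X64) { $guids64 } else { $guids32 }
# The post calls the IPS file both IPSDef.zip and IDSDef.zip; replace whichever the package holds.
$targets = @{ AV = @('vdefhub.zip'); IPS = @('IPSDef.zip', 'IDSDef.zip') }

foreach ($kind in 'AV', 'IPS') {
    $contentDir = Join-Path $SepmRoot "Inetpub\content\$($guids[$kind])"
    # Newest numbered folder, chosen by Date Modified as the post instructs.
    $newest = Get-ChildItem -Path $contentDir -Directory |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { throw "No content folders under $contentDir" }
    $src = Join-Path $newest.FullName 'full.zip'
    if (-not (Test-Path $src)) { throw "full.zip missing in $($newest.FullName)" }

    $dst = $targets[$kind] | ForEach-Object { Join-Path $PackageDir $_ } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $dst) { throw "$PackageDir contains none of: $($targets[$kind] -join ', ')" }

    Copy-Item -Path $dst -Destination "$dst.bak" -Force   # keep the original for rollback
    Copy-Item -Path $src -Destination $dst -Force
    # Record source folder and hash so the definitions actually shipped can be verified later.
    $hash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    Write-Host ("{0}: {1} ({2:u}) -> {3} SHA256={4}" -f $kind, $newest.Name, $newest.LastWriteTime, (Split-Path $dst -Leaf), $hash)
}

if ($BuildSfx) {
    # Steps 3-7 of the post: zip the package to C:\input.zip and run the makesfx.exe line
    # verbatim (--% stops PowerShell from parsing it); output.exe lands in tomcat\bin (step 8).
    Compress-Archive -Path (Join-Path $PackageDir '*') -DestinationPath 'C:\input.zip' -Force
    Push-Location (Join-Path $SepmRoot 'tomcat\bin')
    try {
        & .\makesfx.exe --% /zip="c:\input.zip" /sfx="output.exe" /title="Symantec Endpoint Protection" /defaultpath="$temp$\sepinst" /autoextract /delete /exec="$temp$\sepinst\setup.exe"
    } finally { Pop-Location }
}
```

The silent variant from the note above (SaSetupWrapper.exe with /NoGUI) is not built by this script; copy the wrapper into the package and substitute that command line if you need it.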



  • 8.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Trusted Advisor
    Posted Mar 09, 2011 06:12 AM

    Is Symantec looking into this issue? It's not an isolated issue and even affects users on RU6 MP2.

    Is there a patch or a release due to fix this? The solution given is time-consuming and not suitable for users with many endpoints having the same issue.



  • 9.  RE: The Best Way to Remotely Update Clients Stuck on Old Definitions

    Trusted Advisor
    Posted Mar 09, 2011 06:56 AM

    Hello,

    I completely understand.

    You can vote "UP" for the Tool to be created up here on the Symantec Forums.

    https://www-secure.symantec.com/connect/ideas/tool-remote-deployment-antivirusantispyware-ips-and-ids-definitions

     

    However, the above steps would help administrators create custom packages with the latest definitions, and the same custom packages could be deployed via the "Migration and Deployment Wizard" to those client machines, which would not only save time but also resolve the issue.

    How to Deploy Symantec Endpoint Protection to your client machines using the Migration and Deployment Wizard.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/476542a2b4508f3d8825739300615c98?OpenDocument