Correcting SEP 11.0.x Virus Definition Date
This is an update on the issue that caused Symantec Endpoint Protection (SEP) 11.0.x to treat definitions dated after 12/31/2009 as out of date.
Before Symantec was able to roll out a patch to fix this behavior, they worked around the issue by releasing new definitions that increased only the revision number and kept the date at 12/31/2009. People running SEP have been protected by the latest virus definitions throughout this entire process, even though the date still read 12/31/2009.
In the last couple of days they have been releasing patches and definition updates that correct the issue in almost every situation. Full details for the various constituencies follow below.
LiveUpdate definitions starting around January 8th corrected this back-date issue on machines running SEP in unmanaged mode. Those machines' SEP 11.0.x virus definitions should reflect the actual date of the latest update (assuming LiveUpdate has been run on or after January 8th).
To reiterate, Symantec states, "Beginning with virus definitions posted Friday January 8th, SEP clients running Live Update directly will receive content showing the current date (i.e. January 8th, 2010)."
Symantec has released patches for customers running a wide variety of versions of Symantec Endpoint Protection Manager (SEPM). If you are running any of the versions of SEPM listed on the page below, the patch will be automatically downloaded via LiveUpdate and applied. It will take a total of three LiveUpdate cycles to prepare the SEPM, download the patch, and begin using and distributing 2010 definitions.
For information on verifying that the patch was successful, obtaining a standalone patch, or preventing the automatic download of the patch, please refer to the KB article above.
Additional patches will be released for other builds of SEPM as they become available. Check that page for ongoing updates from Symantec.
Customers running LiveUpdate Administrator (LUA) can now configure their LUA to download the patch that will allow their SEPM to start downloading content dated after December 31st, 2009. Customers who use LUA as the primary source of updates for their SEPMs will need to make configuration changes to receive 2010 definitions once the patches are released.
Customers who only use LUA to update clients do not need to make any changes as clients should already be receiving 2010 content. For information on configuring LUA to download the SEPM patch as well as content dated after December 31st, 2009, please refer to "Addendum for LiveUpdate Administrator Users" in the KB linked below.
Symantec has also received multiple inquiries about the impact this issue might have on definition size when the patches are released. To help answer these questions, and to help customers prepare for this scenario and prevent the download of full definitions once the patches are released, Symantec has updated the KB with information on this topic.
- page from Symantec for SEP Managers
- page from Symantec for LiveUpdate Administrators
- Symantec's full write-up about this (updated when new information is released)
Check the full write-up link just above for updates as they are published by Symantec.