This article describes the differences among the available protection content update types (Rapid Release and Certified)
What does “Certified” mean?
Certified sets of protection content are fully tested and certified by Quality Assurance (QA) on all supported Symantec security products across all operating systems currently supported by Symantec. The testing includes a large corpus of threat samples to ensure comprehensive detection. Testing also includes an equally large set of clean files to ensure the avoidance of false positive (FP) detections.
Certified protection content are optimized for quality, compared with Rapid Release protection content, which are optimized for high frequency deployment to customers. See the section below on Rapid Release protection content for a more complete explanation of this additional delivery option.
There are several types of protection contents which are Certified:
Certified Multiple Daily LiveUpdate
Certified Multiple Daily LiveUpdate is published three times a day except weekend and US holiday and offers the best protection from fast moving threats. These protection content are often referred to as MDD (Multiple Daily Definitions.) Customers using Symantec Endpoint Protection (SEP) can take advantage of this highest frequency of delivery. Other products may update less frequently.
Certified Daily LiveUpdate
Certified Daily LiveUpdate is published once per day and offers a high level of protection from fast moving threats. Many other Symantec products also use these daily certified updates. On mail security and other products at the enterprise's perimeter, it may be recommended to use Rapid Release protection content(see below) to ensure that protection is available against the very latest threats in circulation rather than rely upon the once-per-day Certified Daily LiveUpdate.
Certified Weekly LiveUpdate
Certified Weekly LiveUpdate is published once per week and is considered a legacy level of support and therefore provides a lesser degree of protection compared with the daily and multiple daily frequencies. Given the large number of threats analyzed by Symantec Security Response each day, Symantec suggests that customers update their protection contents at least once per day.
Certified Daily Intelligent Updater
Intelligent Updater (IU) - protection content are a batch of the Rapid Release protection content that have undergone full QA testing and certification. The Intelligent Updater is an alternate delivery method for certified daily updates.
Intelligent Updater can be obtained here:
HTTP Enterprise: https://www.broadcom.com/support/security-center/definitions/download/detail?gid=sep14
HTTP-Foldered: https://definitions.symantec.com/defs/download/symantec_enterprise/index.html
What does "Rapid Release" mean?
Rapid Release protection content are released slightly more than once per hour and are optimized for rapid deployment within an organization during a threat outbreak. They are passed through a somewhat lesser degree of testing than fully certified protection content, but they still maintain a relatively high level of quality. The primary risk in using Rapid Release protection content, although a relatively small risk, is potential false positive detections on a limited number of legitimate files.
Rapid Release protection content are generally used as part of an overall security strategy where fully certified protection content are deployed under normal circumstances and Rapid Release protection content are deployed during outbreak situations or at the perimeter. Most customers do not use Rapid Release protection content as their standard deployment package for desktops, although it is technically possible to do so. Rapid Release protection content can more comfortably be deployed as a standard procedure on perimeter devices, such as mail servers and web traffic gateways, as the risk posed by possible false positive detections on these systems only results in blocked traffic rather than disrupted desktop service.
Rapid Release protection content are not available through LiveUpdate. (This is the main difference between Rapid Release and fully certified protection content in terms of deployment options.) Rapid Release protection content can be downloaded by manually and then deployed in an organization.
For details of how to distribute a Rapid Release update throughout a SEP organization, see the article Download .jdb files to update protection content for Endpoint Protection Manager. There are different .jdb files for SEP 12.1 and SEP 14, and for different types of networks (Reduced-Size Client, Dark-Network Client, etc). Be sure to download and apply the correct .jdb type for your organization! The Rapid Release Virus protection content page can help determine which type of file is needed. Once the SEPM has processed the .jdb file, it will distribute the protection to all managed SEP clients. |
Rapid release Intelligent Updater packages can be found here: https://definitions.symantec.com/defs/download/symantec_enterprise/rapidrelease/index.html
FAQ
Q: Are Rapid Release protection content available via FTP?
A: FTP has been discontinued and are available in the http-foldered directories listed above. The FTP servers themselves has been shutdown since late 2019.
Q: What are the primary differences between Rapid Release and Daily Certified protection content?
A: All new detections are compiled into Rapid Release as they are created. These protection content are released many times a day and represent the most current protection content available. Although these protection content have gone through a battery of tests, Rapid Release-quality protection content may pose some risks, such as the higher potential for false positives.
Q: When and where should I use Rapid Release protection content?
A: Symantec recommends using Rapid Release protection content:
On an Email or Gateway server, where false positives prove little or no risk.
On Servers and Desktops during a virus emergency, when Certified LiveUpdate protection content may not be available for the very latest threats.
Q: Will using Rapid Release protection content increase my network bandwidth consumption?
A: Yes. Rapid Release protection content contain protection against all known threats in one large file. These are equivalent in size to downloading a full set of protection content - several hundred MB. If these large files are downloaded many times per day, the effect on bandwidth can be considerable. Running LiveUpdate to retrieve Certified Daily or Multiple Daily protection content will consume far less bandwidth.
Q. What are sequence numbers? How can I tell, if a set of Certified protection content has a high enough sequence to detect a threat?
A. Each set of protection content released (whether Certified or Rapid Release) is identified by a unique sequence number. This number is used in correspondence from Security Response to indicate the earliest protection content necessary to detect a newly-identified threat.
Q: My organization uses a LiveUpdate Administrator 2.x (LUA 2.x) server to download and distribute protection content within our network. Can LUA 2.x download Rapid Release protection content and supply those updates to our servers and endpoints?
A: No, Rapid Release protection content cannot be used with LUA 2.x at this time. LUA 2.x downloads certified protection contents from Internet-based LiveUpdate source servers. It does not download Rapid Release protection contents.
Q: Those .jdb files are several hundred MB in size! When I drop one onto my SEPM, will it then push several hundred MB to each client?
A: Symantec Endpoint Protection customers can rest assured that the updated SEPM will be able to distribute microdefs delta packages to their SEP endpoints after using Rapid Release packages. The files transferred to each SEP client will be no larger than the usual files sent after the SEPM runs LiveUpdate and receives a certified sequence. All versions of SEP support this capability.