
Identifying the Rapid Release Sequence of an Intelligent Updater File


Article ID: 162925


Products

Endpoint Protection

Issue/Introduction

An Intelligent Updater (IU) file has been downloaded. But is it the correct one to combat the threat? How can this be confirmed?

Cause

More information on Sequence Numbers can be found in the Connect article Sequence Makes Sense.

Resolution

Whenever protection is added against a newly-discovered threat, the customer will receive a closing mail that includes a new Rapid Release sequence number.  For example:

Determination:    NewThreat
Submission Detail:     This file is detected as Infostealer.Limitail with our existing Rapid Release definition set. Protection is available in Rapid Release definitions with a sequence number of 174361 or greater.
Signature Protection Name:     Infostealer.Limitail
Rapid Release Sequence Number:     174361

However, this number does not appear in the name of the IU file. The files are either given a static name (a name that always remains the same) or a unique name not intended for human consumption (like vd489e09.jdb).

To view the version, use 7zip or another archive tool to extract/open the .jdb file (used to deploy Rapid Release definitions to Symantec Endpoint Protection Managers, from which they will cascade throughout the environment) or symrapidreleasedefscore15-v5i64.exe (used to update individual SEP clients).

There is a catalog.dat file inside.  (Look inside VIRSCAN.ZIP for symrapidreleasedefscore15-v5i64.exe files).  Scroll to the very bottom for Version Information:

[verInfo]
Date=20160215.007
HubDef=0

That date can then be compared to the Rapid Release sequence listed on Rapid Release Definitions - Detections Added.  In our example, the correct file has been downloaded for use.

Rapid Release Defs time:     05:25:43 PST
Rapid Release Defs date:     2/15/2016
Defs Version:     180215g
Extended Defs Version:     2/15/2016 rev. 7
Sequence Number:     174361
Total Detections:     41832060
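
The check described above, scripted as an added example (not Symantec's own tooling): it pulls catalog.dat out of the package, reads the last [verInfo] Date value, and compares it with the Extended Defs Version cell published for the sequence number from the closing mail. Assumptions: the package can be read by Python's zipfile module, and the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from datetime import date

# Matches the Date key of the [verInfo] section, e.g. "Date=20160215.007".
VERINFO_RE = re.compile(rb"\[verInfo\]\s*Date=(\d{4})(\d{2})(\d{2})\.(\d{3})", re.I)

def find_catalog(archive):
    """Return catalog.dat bytes from an archive given as a path or file object."""
    # Assumption: the container is readable by zipfile. A nested VIRSCAN.ZIP
    # is searched too, as the article describes for the .exe packages.
    with zipfile.ZipFile(archive) as zf:
        names = {n.rsplit("/", 1)[-1].lower(): n for n in zf.namelist()}
        if "catalog.dat" in names:
            return zf.read(names["catalog.dat"])
        if "virscan.zip" in names:
            return find_catalog(io.BytesIO(zf.read(names["virscan.zip"])))
    raise FileNotFoundError("catalog.dat not found in archive")

def read_verinfo(catalog):
    """Parse the last [verInfo] Date value into (date, revision)."""
    matches = VERINFO_RE.findall(catalog)
    if not matches:
        raise ValueError("no [verInfo] Date entry in catalog.dat")
    y, m, d, rev = (int(x) for x in matches[-1])
    return date(y, m, d), rev

def matches_published(catalog, extended_defs_version):
    """Compare with an Extended Defs Version cell such as '2/15/2016 rev. 7'."""
    pub = re.fullmatch(r"\s*(\d{1,2})/(\d{1,2})/(\d{4})\s+rev\.\s*(\d+)\s*",
                       extended_defs_version)
    if not pub:
        raise ValueError("unrecognised value: %r" % extended_defs_version)
    mo, dy, yr, rev = (int(x) for x in pub.groups())
    return read_verinfo(catalog) == (date(yr, mo, dy), rev)

def build_sample_jdb():
    """Constructed sample: a ZIP whose catalog.dat ends with the article's verInfo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("catalog.dat",
                    b"\x00binary data\x00\r\n[verInfo]\r\nDate=20160215.007\r\nHubDef=0\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    cat = find_catalog(build_sample_jdb())
    print(read_verinfo(cat), matches_published(cat, "2/15/2016 rev. 7"))
```

A False result from matches_published means the downloaded package does not correspond to the row for the sequence number in the closing mail, so a different package should be downloaded and checked.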