An Intelligent Updater (IU) file has been downloaded. But is it the correct one to combat the threat? How can this be confirmed?
More information on sequence numbers can be found in the Connect article "Sequence Makes Sense".
Whenever protection is added against a newly-discovered threat, the customer will receive a closing mail that includes a new Rapid Release sequence number. For example:
Submission Detail: This file is detected as Infostealer.Limitail with our existing Rapid Release definition set. Protection is available in Rapid Release definitions with a sequence number of 174361 or greater.
Signature Protection Name: Infostealer.Limitail
Rapid Release Sequence Number: 174361
However, this number does not appear in the name of the IU file. The files are given either a static name (one that always remains the same) or a unique name not intended for human consumption (like vd489e09.jdb).
To view the version, use 7zip or another archive tool to open or extract either the .jdb file (used to deploy Rapid Release definitions to Symantec Endpoint Protection Managers, from which they will cascade throughout the environment) or symrapidreleasedefscore15-v5i64.exe (used to update individual SEP clients).
There is a catalog.dat file inside. (For symrapidreleasedefscore15-v5i64.exe files, look inside VIRSCAN.ZIP.) Scroll to the very bottom of catalog.dat for the Version Information.
The date shown there can then be compared to the Rapid Release sequence listed on Rapid Release Definitions - Detections Added. In our example, the correct file has been downloaded for use.
Rapid Release Defs time: 05:25:43 PST
Rapid Release Defs date: 2/15/2016
Defs Version: 180215g
Extended Defs Version: 2/15/2016 rev. 7
Sequence Number: 174361
Total Detections: 41832060
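
The manual check above can be scripted when several downloads need verifying. The following is an added example, not Symantec code: it assumes the .jdb or .exe container can be read by Python's zipfile module (the article only says 7zip or another archive tool opens it), and the sample archive it builds contains constructed placeholder text, not a real catalog.dat.

```python
import io
import sys
import zipfile


def _member(zf, wanted):
    """Return the archive member whose base name matches `wanted` (case-insensitive)."""
    for name in zf.namelist():
        if name.replace("\\", "/").rsplit("/", 1)[-1].lower() == wanted:
            return name
    return None


def catalog_tail(archive, lines=8):
    """Last `lines` non-empty lines of catalog.dat from an IU download.

    `archive` is a path or binary file object. catalog.dat is looked for
    directly in the archive (the .jdb case), then inside VIRSCAN.ZIP (the .exe case).
    """
    with zipfile.ZipFile(archive) as outer:
        name = _member(outer, "catalog.dat")
        if name is not None:
            raw = outer.read(name)
        else:
            nested = _member(outer, "virscan.zip")
            if nested is None:
                raise FileNotFoundError("no catalog.dat or VIRSCAN.ZIP in archive")
            with zipfile.ZipFile(io.BytesIO(outer.read(nested))) as inner:
                name = _member(inner, "catalog.dat")
                if name is None:
                    raise FileNotFoundError("VIRSCAN.ZIP contains no catalog.dat")
                raw = inner.read(name)
    text = raw.decode("latin-1")  # latin-1 maps every byte, so decoding cannot fail
    return [ln.strip() for ln in text.splitlines() if ln.strip()][-lines:]


def constructed_sample(nested=False):
    """In-memory stand-in archive; its catalog.dat text is a constructed placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("catalog.dat", "entry-1\nentry-2\n\nVersion Information\n<date-placeholder>\n")
    if not nested:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("VIRSCAN.ZIP", inner.getvalue())
    return outer


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else constructed_sample()
    print("\n".join(catalog_tail(src)))
```

Run it with the downloaded file's path as the only argument and compare the printed date with the entry for the sequence number from the closing mail.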