14.0 MP2 Endpoint Protection Manager reports warning that IPS content is out of date

Article ID: 170132
Products

Endpoint Protection

Issue/Introduction

After migrating the Symantec Endpoint Protection Manager (SEPM) and Symantec Endpoint Protection (SEP) clients to 14.0 MP2, Alerts or Reports indicate that Symantec Endpoint Protection client IPS content is out of date.


Notification subject - Critical: Old IPS Definitions

Reporting subject - Out-of-Date Clients Triggering Notification on (DATE): The Intrusion Prevention content needs to be updated on one or more client computers. For more information, see the Reports page.

Cause

Scenario:
SEPM and the SEP clients are upgraded to 14.0 MP2 and IPS signature out-of-date Notification is enabled.

Result:
With the default setting for IPS signature out-of-date notifications (for example, computers with definitions older than 7 days), after 7 days the IPS signature out-of-date notification is sent, reporting the old IPS definition version from before the upgrade.

Reason:
After the upgrade, two client monikers are associated with the same AGENT_ID in the SEM_CONTENT table. Both monikers refer to IPS signature content, but one is the pre-14.0 MP2 moniker, which still carries the IPS definition information from the time of the upgrade, and the other is the 14.0 MP2 moniker, which carries the latest IPS definition information reported by the SEP agent.

With the default IPS signature out-of-date notification setting (such as 7 days), the notification evaluates the pre-14.0 MP2 moniker with the old IPS definition information and flags the client as out of date, even though the 14.0 MP2 moniker for the same client actually has the latest IPS signature content.

Environment

Migrated 14.0 MP2 SEPM

Resolution

This issue will be resolved in SEPM 14 RU1 MP1 and 14.2. Until the time of their release, you can use the following workaround:

  1. Run the following two SQL queries:

    -- Query 1: IPS (DEUCE_SIG) content rows under the given client moniker, for agents
    -- whose stored SEQUENCE differs from the definition version the client reports
    select * from SEM_CONTENT
    where CLIENT_MONIKER = '{55DE35DC-862A-44c9-8A2B-3EF451665D0A}' AND AGENT_ID IN
    (SELECT SA.AGENT_ID from V_AGENT_INCL_GROUP_ID SA with (NOLOCK)
    LEFT OUTER JOIN SEM_CONTENT C ON C.AGENT_ID=SA.AGENT_ID and C.SEQUENCE <> SA.CIDS_DEFSET_VERSION
    LEFT OUTER JOIN PATTERN PAT ON C.PATTERN_IDX=PAT.PATTERN_IDX
    WHERE PAT.PATTERN_TYPE = 'DEUCE_SIG' and SA.DELETED='0' and C.DELETED = 0 and SA.AGENT_TYPE='105');

    -- Query 2: the same rows, selected instead by agents that hold more than one
    -- IPS (DEUCE_SIG) content row, i.e. the duplicated client moniker
    select * from SEM_CONTENT
    where CLIENT_MONIKER = '{55DE35DC-862A-44c9-8A2B-3EF451665D0A}' AND AGENT_ID IN
    (select SC.AGENT_ID from SEM_CONTENT SC LEFT OUTER JOIN PATTERN PAT ON SC.PATTERN_IDX=PAT.PATTERN_IDX
    where PAT.PATTERN_TYPE='DEUCE_SIG'
    GROUP by SC.AGENT_ID HAVING count(SC.AGENT_ID) > 1);


  2. If the two queries return different results, open a case with Symantec Support and provide a backup of your database for further investigation. If the results of the two queries are identical, run one of the queries again, replacing "select * from SEM_CONTENT" with "update SEM_CONTENT SET DELETED=1".

  3. Finally, run the query once more, replacing "update SEM_CONTENT SET DELETED=1" with "delete from SEM_CONTENT".
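The three steps above carried through as one T-SQL script, added here as an example and not part of the Symantec article: it captures what each selection query would return, refuses to change anything unless the two agree (compared on the AGENT_ID, PATTERN_IDX and SEQUENCE columns the queries reference, an assumption since the article compares the full result sets), and then applies the update and delete from steps 2 and 3 in a single transaction. The SEM_CONTENT, V_AGENT_INCL_GROUP_ID and PATTERN objects and the client moniker are the ones named in the article; the moniker column type is assumed.

```sql
-- Added example, not from the KB article: steps 1-3 of the workaround as a single
-- T-SQL script that touches SEM_CONTENT only when the two selection queries agree.
-- Assumes the SEPM objects and client moniker named in the article.
SET NOCOUNT ON;
SET XACT_ABORT ON;

DECLARE @moniker VARCHAR(64) = '{55DE35DC-862A-44c9-8A2B-3EF451665D0A}'; -- column type assumed

-- Step 1, query 1: agents whose stored IPS SEQUENCE differs from the version the client reports
SELECT DISTINCT SA.AGENT_ID
INTO #agents_by_sequence
FROM V_AGENT_INCL_GROUP_ID SA WITH (NOLOCK)
LEFT OUTER JOIN SEM_CONTENT C ON C.AGENT_ID = SA.AGENT_ID AND C.SEQUENCE <> SA.CIDS_DEFSET_VERSION
LEFT OUTER JOIN PATTERN PAT ON C.PATTERN_IDX = PAT.PATTERN_IDX
WHERE PAT.PATTERN_TYPE = 'DEUCE_SIG' AND SA.DELETED = '0' AND C.DELETED = 0 AND SA.AGENT_TYPE = '105';

-- Step 1, query 2: agents that hold more than one IPS content row (the duplicated moniker)
SELECT SC.AGENT_ID
INTO #agents_by_duplicate
FROM SEM_CONTENT SC
LEFT OUTER JOIN PATTERN PAT ON SC.PATTERN_IDX = PAT.PATTERN_IDX
WHERE PAT.PATTERN_TYPE = 'DEUCE_SIG'
GROUP BY SC.AGENT_ID HAVING COUNT(SC.AGENT_ID) > 1;

-- Rows each query would select from SEM_CONTENT (compared on the columns the queries use)
SELECT AGENT_ID, PATTERN_IDX, SEQUENCE INTO #rows_q1 FROM SEM_CONTENT
WHERE CLIENT_MONIKER = @moniker AND AGENT_ID IN (SELECT AGENT_ID FROM #agents_by_sequence);
SELECT AGENT_ID, PATTERN_IDX, SEQUENCE INTO #rows_q2 FROM SEM_CONTENT
WHERE CLIENT_MONIKER = @moniker AND AGENT_ID IN (SELECT AGENT_ID FROM #agents_by_duplicate);

-- Step 2: if the results differ, stop here and open a support case with a database backup
IF EXISTS (SELECT * FROM #rows_q1 EXCEPT SELECT * FROM #rows_q2)
   OR EXISTS (SELECT * FROM #rows_q2 EXCEPT SELECT * FROM #rows_q1)
BEGIN
    RAISERROR('Query results differ; SEM_CONTENT left unchanged, open a case with Symantec Support.', 16, 1);
    RETURN;
END;

-- Steps 2 and 3: flag the stale rows as deleted, then remove them, as one atomic change
BEGIN TRANSACTION;
UPDATE SEM_CONTENT SET DELETED = 1
WHERE CLIENT_MONIKER = @moniker AND AGENT_ID IN (SELECT AGENT_ID FROM #agents_by_duplicate);
DELETE FROM SEM_CONTENT
WHERE CLIENT_MONIKER = @moniker AND AGENT_ID IN (SELECT AGENT_ID FROM #agents_by_duplicate);
COMMIT TRANSACTION;

DROP TABLE #agents_by_sequence, #agents_by_duplicate, #rows_q1, #rows_q2;
```

Run it in the SEPM database only after taking the database backup the article asks for; the agent list is captured once, so the delete targets exactly the rows the update flagged even though the update changes what query 1 would select afterwards.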
