Why are the Security Content dates for Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Manager (SEPM) not progressing beyond 12/31/09?

Symptoms
Security Content dates on the following Symantec products are dated 12/31/09 rev xxx despite being the latest available through LiveUpdate:

• Symantec Endpoint Protection v11.x Product Line
• Symantec Endpoint Protection Small Business Edition v12.x Product Line
• Products which rely on Symantec Endpoint Protection for definition updates (e.g. Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino)

Note: This includes all Security Content updates - including Antivirus definitions, Proactive Threat Protection (PTS) Truscan definitions, and Intrusion Prevention System (IPS) definitions.


The following is a list of the expected behaviors of affected Symantec software with default configurations. If the settings for functionality such as alerts or notifications have been altered from the default values, it is possible that your experiences may vary from those below.

List of Potential Symptoms

Managed Clients:
• End users of managed clients will receive an alert notification that Antivirus/Antispyware definitions are out of date.
  • This notification is configured by default to display when definitions reach 14 or 30 days (depending on the SEP version and policy type utilized by the client) old on the client.
    For more information on this read Symantec Endpoint Protection clients are displaying "Antivirus and Antispyware Protection definitions are out of date." http://service1.symantec.com/support/ent-security.nsf/docid/2008120915074748
• End users of managed clients may receive an alert notification that AntiVirus/Antispyware definitions are missing.
• Managed Clients receiving updates via their Manager will display a definition date of 12/31/2009 rev. xxx.
• Managed Clients receiving updates via LiveUpdate or Internal LiveUpdate will display the correct 2010 definition date.

SNAC Clients:
• Large numbers of agents may be Quarantined as a result of failing Host Integrity (HI) checks based on AntiVirus definition file dates.

Symantec Endpoint Protection Manager (SEPM) Console - Dashboard:
• The SEPM Dashboard by default will display that the definitions are out of date. The default for this setting is “10” days.
• The definition dates listed in the Virus Definitions Distribution section of the Home Page will reference 2010-01-xx rev xxx.

SEPM Notifications:
• If the SEPM Notification for “out of date definitions” has been enabled then it is possible that the prescribed threshold has exceeded and a notification may be triggered.

Group Update Provider:
• This issue does not directly impact this component.

Live Update Administration Server:
• This issue does not directly impact this component.
• LiveUpdate Administrator and LiveUpdate Administration Utility will download daily certified definitions with the correct 2010 date.

Intelligent Updater (IU) Customer Solutions:
• IU definitions will display a normal version date and are not directly impacted by this issue.
• It is important to NOT attempt switching between IU and LU\JDB based updates until this issue has been resolved.

An issue was identified in the Symantec Endpoint Protection Manager (SEPM)/Symantec Protection Center (SPC) which causes Security Content newer than 12/31/2009 11:59 PM to be considered older than content previous to that date/time. Any content with a date of 1/1/10 12:00 AM or newer would be purged from the SEPM if the maximum number of definitions revisions had been reached. Since 12/31/09 rev xxx is considered the latest content available to an unpatched SEPM/SPC, a client would not update to a content revision later than the highest numbered revision available on 12/31/2009. To mitigate this issue, Security Response stopped incrementing the date on SEP Security Content downloaded by SEPM/SPC Servers and instead only incremented the revision number of the content. Symantec released a patch to resolve this issue for SEPM/SPC, but Security Response will continue to provide both a 12/31/2009 rev xxx and 2010 content streams for SEPM/SPC for the time being.

Symantec released a patch that will resolve this issue for Symantec Endpoint Protection 11 and Symantec Endpoint Protection Small Business Edition 12 users. This patch is available via Public LiveUpdate, LiveUpdate, Administrator and LiveUpdate Administration Utility. It can also be downloaded directly from the Symantec FTP server. The vast majority of SEPM/SPC users will already be patched due to automatic LiveUpdates.

Note: If you do not wish to have your SEPM/SPC updated automatically, please see the section below titled: “Preventing LiveUpdate from updating SEPM/SPC” under the SEPM and SPC Workarounds and Information section.


Manual Patch Installation Instructions:

Note: By default no action is required. The SEPM server will download and apply the patch automatically. This takes a total of three LiveUpdate cycles.
The SEPM downloads the patch on the first LiveUpdate session after the patch is made available, updates its Content Catalog on the first LiveUpdate session
after the patch is applied and downloads 2010 dated definitions on the third LiveUpdate session. This occurs without any user interaction over approximately 12 hours (assuming the default 4 hour LiveUpdate interval - 4 hours x 3 LiveUpdate sessions = 12 hours).

If you cannot wait for LiveUpdate to automatically update the SEPM, or have manually disabled the SEPM from updating via patches, read Manually Applying the 2010 definitions patch to Symantec Endpoint Protection Mangager (SEP) http://service1.symantec.com/support/ent-security.nsf/docid/2010011512020748, or view Symantec Endpoint Protection Definition Patch http://www.symantec.com/connect/videos/symantec-endpoint-protection-definition-patch for a video tutorial.

For un-patched SEPMs:

On January 1, 2010 Security Response altered their normal posting procedure of Multiple Daily Definitions (MDD) due to this issue. Symantec released definitions for Symantec Endpoint Protection (SEP) Clients and the SEPM once a day with a date of December 31, 2009. Symantec resumed normal posting of MDD for SEP Clients starting the evening of January 7, 2010 Pacific Time. A timeline for resuming MDD for the SEPM is still being finalized.

Security Response will continue to publish Symantec Endpoint Protection security content with the date 12/31/2009 rev. xxx (incrementing only the revision number) for SEPMs. The last certified definitions set published on December 31, 2009 was “12/31/2009 rev. 041” version. Unmanaged SEP Clients and Managed SEP Clients using LiveUpdate as their Security Content source will show the correct 2010 definition date.

Currently Symantec is still publishing 2009 dated content for AntiVirus and IPS/NTP definitions three times daily. Now that most customers have patched their SEPM and SPC servers to resolve the 2010 definition issue, Symantec plans to move back to the regular definition publishing schedule. This means phasing out the new 2009 dated content.

Here is the schedule for discontinuing the 2009 dated definitions:

1. As of Monday, February 8th (US PST), 2009 dated definitions will be published once per day.
2. As of Saturday, March 13th 2010, Symantec will no longer publish 2009 dated definitions on a regular schedule.
The last set of 12/31/2009 definitions published is: 2009/12/31 r.215 which equates the normal set dated: 2010/03/12 r.022

As such, all customers should allow their SEPM servers to download and apply the patch automatically, or manually patch their SEPM servers before March 13, 2010.


As of Sunday, February 7, 2010, the latest definition revisions for unpatched SEPMS are:
• Virus and Spyware Protection: Thursday, December 31, 2009 rev 189 This includes the same content as Sunday, February 7, 2010 rev 021
• Proactive Threat Protection: Thursday, December 31, 2009 rev 020
• Network Threat Protection: Wednesday, December 31, 2009 rev 015

Note:
It is important to recognize that although new security content updates will show a date of 12/31/2009, they will contain up-to-date content.
Relative definition age can be determined by the revision number.

SEP Client Workarounds and Information:
This section covers information for the Symantec Endpoint Protection Client product.

Client machines will continue to receive the latest protection available without any intervention from the user. Please be aware of the following exceptions:

1. Rapid Release (RR) Antivirus and Antispyware definitions distributed using the Intelligent Updater (IU) and Certified definitions distributed using the IU, or downloaded directly from an Internal or Public LiveUpdate (LU) Server will reflect the actual publication date.
   • Until this issue is resolved, clients updated with one of these IU packages will no longer update from a SEPM unless the LiveUpdate Content Policy is configured to force the client to use a specific update (See Configuring clients to download content from a LiveUpdate Server later in this section for further details).
     
2. Clients using a Symantec Network Access Control (SNAC) Host Integrity (HI) Policy requiring a minimum Antivirus Signature File age may fail their HI Check.
   • Until This issue is permanently resolved, HI policies should be modified to relax minimum Antivirus Signature File age requirements (See the SNAC Workarounds and Information Section for further details).

Configuring clients to download content from a LiveUpdate Server:
Managed SEP clients can be configured to download Security Content updates from an Internal or Public LiveUpdate Server. Clients configured in this manner will display the correct current Antivirus/Antispyware definitions date and revision, but will be unable to download and apply definitions from a SEPM until this issue is resolved, or the clients' LiveUpdate Content policy is configured to utilize a named definition revision.

Note:
Enabling client LiveUpdate will cause an increase in external network traffic as each client connects to the Internet to download virus definitions.

To correct the definition date showing on SEP 11.0.x and SEP 12.0 SBE clients, customers can configure clients to download the latest 'Virus and Spyware Protection' definitions directly from LiveUpdate. These definitions are properly dated as 2010 definitions.

1. Click on the Policies Tab from within the SEPM Console
2. Select LiveUpdate from the View Policies Pane
3. Click on the LiveUpdate Settings Tab
4. For Each LiveUpdate Settings Policy:
   1. Click on the LiveUpdate Settings Policy in the LiveUpdate Settings Tab
   2. Choose Edit the Policy from the Tasks Pane
   3. Select the Server Settings Tab In the LiveUpdate Settings policy Window
   4. Un-check the Use the default management server (recommended) Check Box
   5. Check the Use a LiveUpdate server Check Box
   6. Click OK to close the LiveUpdate Settings policy editor Window

Note:
Once a client has downloaded January 2010 definitions from LiveUpdate, the client should remain configured to download content from LiveUpdate until the SEPM has been patched with a fix for this issue. Once patches are available and this temporary problem has been corrected by Symantec, details will be posted to this KB article.

To prevent SEP clients from receiving FULL definition updates instead of Deltas after the SEPM is patched:
If the SEP clients have been configured to only receive content updates from the SEPM, no action is required. SEP clients will continue to receive delta definitions from the SEPM after it is patched.

If the SEP clients have been configured to receive content updates through LiveUpdate perform the following actions before reconfiguring clients to receive content updates through the SEPM:
1. Continue updating clients through LiveUpdate
2. Once the SEPM has a 2010 cached definition revision matching the 2010 definition revisions used by the SEP clients reporting to it, modify the LiveUpdate Content Policy to point clients back to the SEPM for Content Updates.

For further information on this procedure read Preventing Symantec Endpoint Protection (SEP) Clients from receiving FULL Antivirus/Antispyware definition packages from a patched Symantec Endpoint Protection Manager (SEPM) http://service1.symantec.com/support/ent-security.nsf/docid/2010010821395848.

SNAC Workarounds and Information:
This section covers information for the Symantec Network Access Control product.

There are two methods to prevent SNAC clients from failing HI checks due to outdated definitions:

1. Configure clients to download the properly dated definitions directly from LiveUpdate. Refer to the SEP Customer Workarounds section, workaround number 2 (See Configuring clients to download content from a LiveUpdate Server later in the SEP Client Workarounds and Information section for further details)
2. Increase the "number of days" setting in the client's Host Integrity Policy (See Modifying clients' SNAC HI Policy later in this section). Since the timelines for the fix are not available at this time, the suggested number is 30 days.

Modifying clients' SNAC HI Policy:

Steps to change antivirus/antispyware signature date in HI antivirus/antispyware requirement:

1. On SEPM, click “Policies" then "Host Integrity”, then double click to open a specified HI policy, or click “Add a Host Integrity policy” to add a new one.
2. Click “Requirements”
3. Double click an existing antivirus/antispyware requirement, or click “Add…” to add a new antivirus/antispyware requirement
4. There are several settings under “Antivirus Signature File Checking” (or “Antispyware Signature File Checking” for antispyware requirement). For example, check the option “Specify the oldest age of the signature file” and specify 30 days.
5. Click “OK” button twice.

The steps to change antivirus/antispyware signature date in HI custom requirement:

1. On SEPM, click “Policies" then "Host Integrity”, then double click to open the applicable HI policy, or click “Add a Host Integrity policy” to add a new one.
2. Click “Requirements”
3. Double click an existing HI custom requirement, or click “Add…” to add a new HI custom requirement
4. Click “Add" then " IF..THEN..” (or right click somewhere in “Customized Requirement Script” to add an “IF..THEN..”, or click an existing “IF..THEN..” to edit it).
5. Click “Select a condition:” to open the drop-down list.
6. Select either “Antivirus: Antivirus signature file is up-to-date” or “Antispyware: Antispyware signature file is up-to-date”.
7. There are several settings to check an antivirus/antispyware signature date. For example, check the option “Check if the age in days of the signature file is less than” and specify 30 days.
8. Click “OK” button twice.

SEPM and SPC Workarounds and Information:
This section covers information for the Symantec Endpoint Protection Manager and Symantec Protection Center.

Related SEPM Issues:
Customers may also notice their SEPMs disk space gradually filling up with tmp folders in one of the following locations:

• \Program Files\Common Files\Symantec Shared\SymcData\sesmvirdef32
• \Program Files\Common Files\Symantec Shared\SymcData\sesmvirdef64
• \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content

For information on addressing this issue see the following article http://service1.symantec.com/support/ent-security.nsf/docid/2010010617161948?Open&seg=ent

How to prevent LiveUpdate from updating SEPM/SPC:
It’s possible to prevent LiveUpdate from patching SEPM/SPC and resolving this issue, by creating registry keys on SEPM/SPC machines connecting to LiveUpdate.
This option is intended only for customers who have strict change control policies.

Important: Once this registry key has been created, customers must manually patch SEPM in order to download 2010-dated definitions. Manual patching tools will be posted to this KB article when available.

For 32-bit SEP 11.0.x customers:
On the SEPM machine, create the following DWORD registry key, and set the value to 0
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM\AllowSoftwareLiveUpdate (DWORD) = 0

For 64-bit SEP 11.0.x customers:
On the SEPM machine, create the following DWORD registry key, and set the value to 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM\AllowSoftwareLiveUpdate (DWORD) = 0

For 32-bit SEP SBE 12.0.x customers:
On the SPC machine, create the following DWORD registry key, and set value to 0
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SPC\AllowSoftwareLiveUpdate (DWORD) = 0

For 64-bit SEP SBE 12.0.x customers:
On the SEPM machine, create the following DWORD registry key, and set the value to 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SPC\AllowSoftwareLiveUpdate (DWORD) = 0

Do not be worried if you see a new LiveUpdate package downloaded to SEPM/SPC after Symantec posts a fix to this issue.
This package updates tracking data for the SEPM/SPC and does not update the server software.

To prevent SEP clients from receiving FULL definition updates instead of Deltas after the SEPM is patched:
If the SEP clients have been configured to only receive content updates from the SEPM, no action is required. SEP clients will continue to receive delta definitions from the SEPM after it is patched.

If the SEP clients have been configured to receive content updates through LiveUpdate perform the following actions before reconfiguring clients to receive content updates through the SEPM:
1. Continue updating clients through LiveUpdate
2. Once the SEPM has a 2010 cached definition revision matching the 2010 definition revisions used by the SEP clients reporting to it, modify the LiveUpdate Content Policy to point clients back to the SEPM for Content Updates.

For further information on this procedure read Preventing Symantec Endpoint Protection (SEP) Clients from receiving FULL Antivirus/Antispyware definition packages from a patched Symantec Endpoint Protection Manager (SEPM) http://service1.symantec.com/support/ent-security.nsf/docid/2010010821395848.

Addendum for Rapid Release Users:
This section covers information on using Rapid Release definitions.

In certain situations, Symantec Support will recommend the use of Rapid Release (RR) virus definitions during an active infection. As the RR Intelligent Updater (IU) definitions are dated normally, they will be removed immediately on a SEPM that has reached its threshold for definition revisions. There are two work-arounds that will allow the use of Rapid Release definitions:

Configuring the SEPM/Managed SEP clients to use Rapid Release Definitions:
This method will allow the SEPM to still serve normal certified definitions without any interruptions as well as Rapid Release definitions.
1. Click on the Admin Tab from within the SEPM Console
2. Click on the Servers Tab
3. Click on the Local Site
4. Click on Edit Site Properties from the Tasks Pane
5. Click on the LiveUpdate Tab
6. Increase the Number of content revisions to keep value by the number of Rapid Release definition sets expected to be needed
   Each additional revision will allow the SEPM to hold one more Rapid Release definition set. A complete 32/64bit Virus Definition set consumes approximately 260MB per cached revision. Ensure you have sufficient disk space to store the additional definitions sets needed. This has the advantage that existing clients can continue to update using deltas, but the server must be able to handle the larger disk space utilization.
7. Click OK to apply these changes.
8. Apply the RR jdb file to the SEPM
9. Click on the Policies Tab from within the SEPM Console
10. Select LiveUpdate from the View Policies Pane
11. Click on the LiveUpdate Content Tab
12. Select the LiveUpdate Content Policy used by the clients requiring RR definitions and click Edit The Policy in the Tasks Pane
13. Select the Security Definitions Tab on the LiveUpdate Content Policy Editor window
14. Locate the Antivirus and antispyware definitions section and click the Edit button
15. Select the correct RR revision from the drop-down list for both 32 and 64 bit Antivirus and Antispyware definitions.
16. Click OK to close the revision selection window
17. Click OK to close the LiveUpdate Content Policy Editor window

Configuring Managed SEP clients to no longer use Rapid Release Definitions:
1. Click on the Admin Tab from within the SEPM Console
2. Click on the Servers Tab
3. Click on the Local Site
4. Click on Edit Site Properties from the Tasks Pane
5. Click on the LiveUpdate Tab
6. Decrease the Number of content revisions to keep value by the same number of revisions this number was increased by to handle addition RR definition sets.
7. Click OK to apply these changes.
8. Click on the Policies Tab from within the SEPM Console
9. Select LiveUpdate from the View Policies Pane
10. Click on the LiveUpdate Content Tab
11. Select the LiveUpdate Content Policy used by the clients currently using RR definitions and click Edit The Policy in the Tasks Pane
12. Select the Security Definitions Tab on the LiveUpdate Content Policy Editor window
13. Locate the Antivirus and antispyware definitions section and click the Edit button
14. Select the latest revision of 12/31/2009 definitions from the drop-down list for both 32 and 64 bit Antivirus and Antispyware definitions.
15. Click OK to close the revision selection window
16. Click OK to close the LiveUpdate Content Policy Editor window
17. After clients have successfully switched to the 12/31/2009 rev xxx definitions, re-edit the LiveUpdate Content Policy use "Use latest available"
18. Run LiveUpdate on the SEPM immediately after making this policy change to ensure the RR defs are removed from the SEPM's definition cache

Addendum for LiveUpdate Administrator Users:
This section covers information on configuring LiveUpdate Administrator to update SEPM with the 2010 definition issue patch.

No changes are required for LiveUpdate Administrator (LUA) users unless:
• The SEPM is configured to download updates through LUA instead of Public LiveUpdate AND
• SEP Clients are configured to download updates from their SEPM.

For information on ensuring SEPM is capable of updating SEP clients with 2010 dated definitions downloaded via LUA read Downloading and hosting the Symantec Endpoint Protection Manager (SEPM) 2010 definitions patch via LiveUpdate Administrator (LUA) http://service1.symantec.com/support/ent-security.nsf/docid/2010010901022848