Virus definition update FAQ

Article ID: 151383

Products

Endpoint Protection

Issue/Introduction

This article describes the differences among the available virus definition update types (Rapid Release and Certified definitions).

Resolution

What does “Certified” mean?
Certified sets of virus definitions are fully tested and certified by Quality Assurance (QA) on all supported Symantec security products across all operating systems currently supported by Symantec. The testing includes a large corpus of threat samples to ensure comprehensive detection. Testing also includes an equally large set of clean files to ensure the avoidance of false positive (FP) detections.

Certified virus definitions are optimized for quality, compared with Rapid Release virus definitions, which are optimized for high frequency deployment to customers. See the section below on Rapid Release virus definitions for a more complete explanation of this additional delivery option.

There are several types of definitions which are Certified:

Certified Multiple Daily LiveUpdate
Certified Multiple Daily LiveUpdate is published three times a day, except on weekends and US holidays, and offers the best protection from fast-moving threats. These definitions are often referred to as MDD (Multiple Daily Definitions). Customers using Symantec Endpoint Protection (SEP) can take advantage of this highest frequency of delivery. Other products may update less frequently.

Certified Daily LiveUpdate
Certified Daily LiveUpdate is published once per day and offers a high level of protection from fast-moving threats. Many other Symantec products also use these daily certified updates. On mail security and other products at the enterprise's perimeter, it may be preferable to use Rapid Release definitions (see below) to ensure that protection is available against the very latest threats in circulation, rather than relying on the once-per-day Certified Daily LiveUpdate.

Certified Weekly LiveUpdate
Certified Weekly LiveUpdate is published once per week and is considered a legacy level of support and therefore provides a lesser degree of protection compared with the daily and multiple daily frequencies. Given the large number of threats analyzed by Symantec Security Response each day, Symantec suggests that customers update their antivirus detection signatures at least once per day.

Certified Daily Intelligent Updater
Intelligent Updater (IU) virus definitions are a batch of the Rapid Release virus definitions that have undergone full QA testing and certification. The Intelligent Updater is an alternate delivery method for certified daily definitions.

Intelligent Updater Definitions can be obtained here:
HTTP Enterprise: https://www.broadcom.com/support/security-center/definitions/download/detail?gid=sep14
HTTP-Foldered: https://definitions.symantec.com/defs/download/symantec_enterprise/index.html


What does "Rapid Release" mean?
Rapid Release virus definitions are released slightly more than once per hour and are optimized for rapid deployment within an organization during a threat outbreak. They are passed through a somewhat lesser degree of testing than fully certified virus definitions, but they still maintain a relatively high level of quality. The primary risk in using Rapid Release virus definitions, although a relatively small risk, is potential false positive detections on a limited number of legitimate files.

Rapid Release virus definitions are generally used as part of an overall security strategy where fully certified virus definitions are deployed under normal circumstances and Rapid Release virus definitions are deployed during outbreak situations or at the perimeter. Most customers do not use Rapid Release virus definitions as their standard deployment package for desktops, although it is technically possible to do so. Rapid Release virus definitions can more comfortably be deployed as a standard procedure on perimeter devices, such as mail servers and web traffic gateways, as the risk posed by possible false positive detections on these systems only results in blocked traffic rather than disrupted desktop service.

Rapid Release virus definitions are not available through LiveUpdate. (This is the main difference between Rapid Release virus definitions and fully certified virus definitions in terms of deployment options.) Rapid Release definitions must be downloaded manually and then deployed within the organization.

For details of how to distribute a Rapid Release update throughout a SEP organization, see the article Download .jdb files to update definitions for Endpoint Protection Manager.

There are different .jdb files for SEP 12.1 and SEP 14, and for different types of networks (Reduced-Size Client, Dark-Network Client, etc.). Be sure to download and apply the correct .jdb type for your organization! The Rapid Release Virus Definitions page can help determine which type of file is needed.

Once the SEPM has processed the .jdb file, it will distribute the protection to all managed SEP clients.


Rapid Release Intelligent Updater packages can be found here: https://definitions.symantec.com/defs/download/symantec_enterprise/rapidrelease/index.html

FAQ

Q: Are Rapid Release definitions available via FTP?
A: FTP distribution has been discontinued; the definitions are available in the HTTP-Foldered directories listed above. The FTP servers themselves will be shut down on Dec 21, 2019.

Q: What are the primary differences between Rapid Release definitions and Daily Certified definitions?
A: All new detections are compiled into Rapid Release as they are created. These definitions are released many times a day and represent the most current virus definitions available. Although these signatures have gone through a battery of tests, Rapid Release-quality virus definitions may pose some risks, such as a higher potential for false positives.

Q: When and where should I use Rapid Release virus definitions?
A: Symantec recommends using Rapid Release virus definitions:
On an email or gateway server, where false positives pose little or no risk.
On servers and desktops during a virus emergency, when Certified LiveUpdate definitions may not yet be available for the very latest threats.

Q: Will using Rapid Release definitions increase my network bandwidth consumption?
A: Yes. Rapid Release definitions contain protection against all known threats in one large file. These are equivalent in size to downloading a full set of definitions (several hundred MB). If these large files are downloaded many times per day, the effect on bandwidth can be considerable. Running LiveUpdate to retrieve Certified Daily Definitions or Multiple Daily Definitions will consume far less bandwidth.

Q: What are sequence numbers? How can I tell if a set of Certified definitions has a high enough sequence to detect a threat?
A: Each set of definitions released (whether Certified or Rapid Release) is identified by a unique sequence number. This number is used in correspondence from Security Response to indicate the earliest definitions necessary to detect a newly identified threat. For an illustration of sequence numbers, please see the Connect article Sequence Makes Sense.
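The following is an added example, not Symantec or Broadcom code, of how an administrator might apply the sequence-number rule above across a fleet: take the earliest sequence named in a Security Response notice and list which managed clients still sit below it. The report format (one line per host: hostname, definition type, sequence) and all the sequence values, including the REQUIRED_SEQUENCE threshold, are constructed for illustration; a real SEPM export looks different and the real threshold comes from the notice itself.

```python
"""Compare each client's current definition sequence against the minimum
sequence named in a Security Response notice.

Added example, not Symantec/Broadcom code. The report layout below is a
constructed stand-in for whatever inventory export the administrator has.
"""

import re
from dataclasses import dataclass

# Constructed sample report: "<host> <certified|rapidrelease> <sequence>".
# The last line is deliberately malformed to show how bad rows are handled.
SAMPLE_REPORT = """\
ws-0101 certified 221430
ws-0102 certified 221418
mail-gw rapidrelease 221447
ws-0103 certified 221447
fs-01   certified notyet
"""

# Placeholder: in practice this is the earliest sequence quoted in the notice.
REQUIRED_SEQUENCE = 221440

LINE_RE = re.compile(r"^\s*(\S+)\s+(certified|rapidrelease)\s+(\S+)\s*$")


@dataclass
class ClientDefs:
    host: str
    kind: str       # "certified" or "rapidrelease"
    sequence: int   # unique sequence number of the installed set


def parse_report(text):
    """Return (clients, rejected_lines).

    Rows that do not match the expected layout, or whose sequence is not an
    integer, are returned separately so they are not silently treated as
    either protected or unprotected.
    """
    clients, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or not m.group(3).isdigit():
            rejected.append(line)
            continue
        clients.append(ClientDefs(m.group(1), m.group(2), int(m.group(3))))
    return clients, rejected


def needs_update(clients, required):
    """Hosts whose installed sequence is older than the required one."""
    return sorted(c.host for c in clients if c.sequence < required)


def protected(clients, required):
    """Hosts at or beyond the required sequence (certified or Rapid Release)."""
    return sorted(c.host for c in clients if c.sequence >= required)


if __name__ == "__main__":
    clients, rejected = parse_report(SAMPLE_REPORT)
    print("below required sequence:", needs_update(clients, REQUIRED_SEQUENCE))
    print("protected:", protected(clients, REQUIRED_SEQUENCE))
    print("unparseable rows:", rejected)
```

Because both Certified and Rapid Release sets share the same sequence space, a perimeter host on a Rapid Release set and a desktop on a Certified set can be compared against the same threshold; rows the script cannot parse are reported rather than counted, so a broken export does not masquerade as a fully protected fleet.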


Q: My organization uses a LiveUpdate Administrator 2.x (LUA 2.x) server to download and distribute content within our network. Can LUA 2.x download Rapid Release definitions and supply those updates to our servers and endpoints?
A: No, Rapid Release cannot be used with LUA 2.x at this time. LUA 2.x downloads certified definitions from Internet-based LiveUpdate source servers. It does not download Rapid Release definitions.


Q: Those .jdb files are several hundred MB in size! When I drop one onto my SEPM, will it then push several hundred MB to each client?
A: Symantec Endpoint Protection customers can rest assured that the updated SEPM will be able to distribute microdefs delta packages to their SEP endpoints after using Rapid Release packages. The files transferred to each SEP client will be no larger than the usual files sent after the SEPM runs LiveUpdate and receives a certified sequence. All versions of SEP support this capability.