This article describes how to update Symantec Endpoint Protection (SEP) with the latest virus definitions and other content updates.
For protection against the latest threats, it is very important to ensure that antivirus definitions, IPS signatures and other content are always up to date. There are several different methods of configuring an environment's update architecture. The best method for a particular environment depends on the number of clients, amount of bandwidth available, and ability of the computers to connect to Symantec's Internet-based LiveUpdate source servers.
You can update content in the following ways:
About configuring a site to download updates
The default behavior and best practice in most cases is to have sites download updates from the Symantec LiveUpdate server. When you configure a site to download updates, the updates are downloaded by one or more management servers, called Symantec Endpoint Protection Manager (SEPM), and placed in the database. The Symantec Endpoint Protection Manager then uses these definitions to distribute updates to clients.
In most Symantec Endpoint Protection deployments, the Symantec Endpoint Protection Manager will download and distribute materials to all of its Windows clients efficiently.
About configuring the management server to run LiveUpdate from an internal server
In certain environments, it is desirable to have an internal LiveUpdate server on the network rather than obtain updates from the Internet source servers. LiveUpdate Administrator 2.x (LUA 2.x) may be preferable in:
- High-security "air-locked" environments
- Environments with many different Symantec products
- Corporate networks where all updates must be tested prior to widespread deployment
- Environments with 10,000 endpoints or more
- Environments with many Macintosh or Linux clients
Macintosh and Linux clients cannot receive definitions directly from the Symantec Endpoint Protection Manager. They must either download from internal or external LiveUpdate source servers, or the Symantec Endpoint Protection Manager server must be configured to act as a reverse proxy. See Enabling Mac and Linux clients to download LiveUpdate content using the Apache web server as a reverse proxy.
There are additional cases in which it is preferable to use LiveUpdate Administrator. For more information, see:
- When to use LiveUpdate Administrator
- LiveUpdate Administrator Best Practices
- The Connect forum article A Helpful LiveUpdate Administrator 2.x Analogy
For details on how to configure a site to download updates from an internal LiveUpdate server, see Setting up an internal LiveUpdate server.
About site replication and content updates
If you configure sites on your network for replication from another site, the content updates (for example, Virus and Spyware Definitions) that are in the database of the primary site can be configured to replicate as part of the database. In this case, you only need to configure updates on the primary site.
If you choose to use product updates as well as content updates, you should not replicate product updates between sites, because these updates can be quite large, and one exists for every language that you select. For more information, please see Setting up sites and replication and Specifying which data to replicate.
About updating definitions for Symantec Endpoint Protection Manager using a JDB file
If a Symantec Endpoint Protection Manager cannot run LiveUpdate or has no access to Internet or internal source servers, it is possible to update the server's Virus and Spyware Protection (antivirus) definitions by manually applying a file made for this purpose. For details, see Download .jdb files to update definitions for Endpoint Protection Manager.
Please note that the .jdb file only contains Virus and Spyware Protection definitions and does not provide updated content for the firewall and other features for the Symantec Endpoint Protection clients.
For information on how Symantec Endpoint Protection client computers are updated, please see Choose a distribution method to update content on clients.
Configuring how groups of clients download updates
In order to configure the behavior of a client group, you use LiveUpdate client policies, which you create in the Symantec Endpoint Protection Manager. There are two kinds of LiveUpdate client policy: LiveUpdate Settings policies, and LiveUpdate Content policies. The following table shows what each type of policy controls, and to what products each applies:
|Policy type||Controls||Applies to|
Viewing and changing the LiveUpdate Content policy that is applied to a client group
LiveUpdate Content policies are applied to groups and to all locations in groups. Therefore, the policy does not appear with other policies under locations in the console.
To view and change the LiveUpdate Content policy that is applied to a group
- In the console, click Policies > LiveUpdate, and create at least two LiveUpdate Content policies.
- Apply one of the policies to a group.
- Click the Clients tab, and then click the group that you want to view.
- While still on the Clients tab, in the right pane, click Policies, and under Location-independent Policies and Settings, under Settings, click LiveUpdate Content Policy Settings.
- From the drop-down menu, specify the LiveUpdate Content Policy to use for the group, and then click OK.
About Group Update Providers (GUPs)
When you create a LiveUpdate Settings policy, you have the option of specifying a Group Update Provider (GUP). The Group Update Provider provides updates to clients in the group, and any subgroups that inherit policies as set on the Clients tab. If you have clients in a group at a remote location that have bandwidth issues over the WAN, make a client in the group the Group Update Provider. The Group Update Provider must be a member of the group to which it provides updates. The Group Update Provider also lets you offload processing power from the Symantec Endpoint Protection Manager if you need that option.
When you configure a Group Update Provider, you specify a host name or IP address and a TCP port number. The default TCP port number is 2967, a port that was used in Symantec AntiVirus 10.x and Symantec Client Security 3.x network communications. If your Group Update Provider computer receives IP addresses with DHCP, you should either assign a static IP address to the computer, or type the host name. If your Group Update Provider computer is at a remote location, and if that remote location uses network address translation (NAT), type the host name.
For more information on GUPs, see:
- About the types of Group Update Providers
- Best Practices with Symantec Endpoint Protection Group Update Providers
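An added example, not part of the original article or any Symantec tooling: a Python check, run from a client in the group, that applies the host-name-versus-IP guidance above to a GUP setting and confirms that the TCP port accepts connections. The host names, the sample address and the `uses_dhcp`/`behind_nat` flags are assumptions supplied by the administrator.

```python
import ipaddress
import socket

DEFAULT_GUP_PORT = 2967  # default GUP TCP port stated in the article


def is_ip_literal(host):
    """True when the GUP is configured by IP address rather than host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_gup(host, port=DEFAULT_GUP_PORT, uses_dhcp=False, behind_nat=False, timeout=3.0):
    """Return (reachable, warnings) for one GUP setting.

    uses_dhcp / behind_nat are facts the administrator supplies about the
    GUP computer; they cannot be detected from the client side.
    """
    warnings = []
    if is_ip_literal(host):
        if uses_dhcp:
            warnings.append("IP address on a DHCP computer: assign a static IP or use the host name")
        if behind_nat:
            warnings.append("IP address at a NAT location: use the host name")
    try:
        # create_connection resolves the name and completes a TCP handshake.
        with socket.create_connection((host, port), timeout=timeout):
            reachable = True
    except OSError as exc:  # covers DNS failure, refusal and timeout
        reachable = False
        warnings.append(f"cannot connect to {host}:{port} ({exc.__class__.__name__})")
    return reachable, warnings


if __name__ == "__main__":
    # Constructed sample settings; replace with the values from your policy.
    samples = [
        {"host": "gup-branch01.example.internal", "behind_nat": True},
        {"host": "192.0.2.15", "uses_dhcp": True},
    ]
    for s in samples:
        ok, notes = check_gup(timeout=1.0, **s)
        print(s["host"], "reachable" if ok else "unreachable", notes)
```

A successful connection shows only that the port accepts TCP connections, not that the listener is a functioning Group Update Provider.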
About Third-party Management (TPM)
TPM refers to the management of Symantec Endpoint Protection client content updates using a distribution mechanism other than the Symantec Endpoint Protection Manager. A Symantec Endpoint Protection Manager is still required to download and package content from LiveUpdate, as well as for generating policy files. The only thing TPM actually replaces is the transfer of policies and content to the Symantec Endpoint Protection client. See Using third-party distribution tools to update client computers for details.
Configuring a local client to download updates
If a client is unmanaged ("self-managed"), or if a LiveUpdate Settings policy for managed clients allows, several options exist for downloading updates on individual clients.
Running LiveUpdate manually
Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow manual updates have the LiveUpdate button enabled in the Symantec Endpoint Protection window. Clicking this button will launch a utility that downloads the latest content update.
Unmanaged clients and clients that are configured by a LiveUpdate Settings policy to allow changes to the LiveUpdate schedule can be configured locally to download updates at specific times.
To configure the LiveUpdate schedule, please see How to schedule LiveUpdate on an Unmanaged (self-managed) client.
Using Intelligent Updater (IU)
It is possible to update the Virus and Spyware Protection definitions (and Intrusion Prevention (IPS) definitions, Windows only) on managed or unmanaged Symantec Endpoint Protection clients using a standalone tool. See Use Intelligent Updater to update definitions for Endpoint Protection for details.