You suspect that the virus definitions currently in use by Symantec Endpoint Protection (SEP) clients are corrupt, and would like to roll back to a previous virus definition set. These clients are managed by a Symantec Endpoint Protection Manager (SEPM).  You wish to configure or control the content revisions that clients use.

Please note:

the example below shows reverting AntiVirus definitions to an earlier version.  The procedure works with other SEP components as well (reverting to an earlier release of IPS definitions, etc)

To rollback definitions, the [LiveUpdate Settings] policy -> Server settings -> [Use default management server] must be enabled.

The method described below can also be used to circumvent a confirmed False Positive (FP) until definitions are available that remove the detection.  In the case of False Positives, though, creating a specific exclusion or awaiting new Rapid Release definitions is the recommended approach.  As each set of new definitions includes protection against new threats, reverting to an older revision will always introduce security risk into an organization.

Follow the steps below to roll back virus definitions in Symantec Endpoint Protection Manager:

1. Click Policies
2. Select View Policies
3. Click LiveUpdate.
4. Double-click your current LiveUpdate Content Policy Under the "LiveUpdate Content" tab. The LiveUpdate Content Policy Overview dialog box appears.
5. From the "LiveUpdate Content" section, click Security Definitions.
6. Enable the Select a revision option located in the "AntiVirus and AntiSpyware definitions" section,
7. Click the Edit button. The Select Revision - Antivirus and AntiSpyware definitions dialog box appears.
8. Expand the drop-down list and browse to the appropriate (32-bit or 64-bit) definition set.
9. Click the desired rollback definition date.
10. Click OK.
11. Click OK to close the "Security Definitions" dialog box and return to the "Policies" tab.

Note: Remember to later return to your LiveUpdate Content Policy and change back to the Use latest available option.  Definitions on all endpoints must be kept current in order to protect against the latest threats in circulation.