 Correct certified definition .jdb file(s) to download to update SEP 12.1.x from manager SEPM 14.3 on offline network.

support_itsystem posted Dec 16, 2020 04:44 PM
Totally stand-alone, I have just set up a domain controller running Windows Server 2012 R2 Essentials with SEPM 14.3 manager. Most of the domain clients are running Windows XP with SEP 12.1.x. Most are 12.1.5337.5000 but a couple, due to compatibility issues, are 12.1.671.4971. A few clients are Windows 7 and just one is Windows 10, 1803 I believe. (I have not yet tried any of the Windows 7 clients or the Windows 10 client with SEPM 14.3.)

The clients running Windows XP have to stay forever due to the specialist software not being compatible with Vista or any later OS.

The SEPM 14.3 is as far as I can tell communicating with the SEP 12.1.x clients but the definitions are not being updated.

Looking at the folders in \Symantec Endpoint Protection Manager\Inetpub\content\ and ContentInfo.txt my interpretation is that I only have 64 bit definitions.

I pasted the .jdb file into \Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

The .jdb file I have downloaded from

https://www.broadcom.com/support/security-center/definitions

selected the product Symantec Endpoint Protection 14 in the drop-down selection box

From

File-Based Protection (Traditional Antivirus) and Download definitions at the right of the screen I have downloaded the .jdb file from the section

Symantec Endpoint Protection Manager Installations on Windows Platforms
Supports the following versions of Symantec antivirus software:
Symantec Endpoint Protection 14.3 and later

Right now the file is
jdb/core3sds/vd5b2002core3sdsi64.jdb

Is this the correct file for SEPM 14.3 to process then distribute to the SEP 12.1.x clients ?

If not and I should be downloading a different file either in addition to this or instead of this which file(s) should it / they be ?


For the SEPM 12.1.5 manager currently in use but to be withdrawn I select the product Symantec Endpoint Protection 12.1 then the file from the section

Symantec Endpoint Protection Manager Installations on Windows Platforms
Supports the following versions of Symantec antivirus software:
Symantec Endpoint Protection 12.1
Symantec Endpoint Protection 12.1.2 and later

Right now the file is
jdb/vd5b2002.jdb

However my understanding is that from 4/3/21 this section will be withdrawn. Hence my presumption is that the .jdb file from another section must be downloaded from SEPM 14.3 to process into a suitable format for SEP 12.1.x.


All advice will be appreciated. If any of my explanation is not clear I will try to clarify any points.
Broadcom Employee Scott T

To provide the Virus and Spyware definitions for your 12.1.x clients reporting into your 14.3 SEPM, you would go to the same link you provided (https://www.broadcom.com/support/security-center/definitions), then under the 'Select product:' choose Symantec Endpoint Protection for the 12.x versions in your environment. I chose Symantec Endpoint Protection 12.1.3 (or later). Go to the Downloads: 'Definitions ....' link and get the two .jdb files provided to process on your 14.3 SEPM. Copy and paste each .jdb one at a time, into the same folder you mentioned, \Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

The vd5bxxxxcore3.jdb will process the:

Virus and Spyware definitions Win64 12.1 RU6 (reduced) security definitions  /  Virus and Spyware definitions Win32 12.1 RU6 (reduced)  security definitions

The vd5bxxxx.jdb will process the:

Virus and Spyware definitions Win64 12.1 RU6 security definitions  /  Virus and Spyware definitions Win32 12.1 RU6 security definitions

Once these are finished you can validate the 12.1 content is available on your 14.3 SEPM by going to Admin>Servers>select Local Site name>Show LiveUpdate downloads:

You can also verify the same on the SEPM by going to Policies>LiveUpdate>LiveUpdate Content>select the LiveUpdate Content policy and open it. Go to Windows Settings>Security Definitions>Virus and Spyware definitions>Select a revision>Edit. You should see the Virus and Spyware definitions for Win32 and Win64 versions of 12.1 RU6:

Once you have verified the 12.1.x content is in the policy, make sure you set it back to 'Use latest available' before hitting OK, unless you want to specify a revision.

Now your 12.x clients should get the content needed from your 14.3 SEPM.
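
The copy-one-at-a-time step from the reply above as a PowerShell script for the SEPM server; this is an added example, not part of the original posts and not Symantec or Broadcom tooling. The staging folder, the `C:` drive letter, and the behaviour that SEPM removes a .jdb from `incoming` once it has processed it are assumptions.

```powershell
param(
    # Folder holding the .jdb files carried in from the download machine (assumed path).
    [string]$Staging = 'D:\jdb-staging',
    # Incoming folder named in the thread; the C: drive letter is an assumption.
    [string]$Incoming = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming',
    # How long to wait for SEPM to consume one file before giving up.
    [int]$TimeoutMinutes = 30
)

# Map a file name to the content the thread says it carries.
function Get-JdbKind([string]$Name) {
    switch -Regex ($Name) {
        '^vd\w+core3sds\w*\.jdb$' { return 'SEP 14.3 and later' }
        '^vd\w+core3\.jdb$'       { return '12.1 RU6 (reduced), Win32/Win64' }
        '^vd\w+\.jdb$'            { return '12.1 RU6, Win32/Win64' }
        default                   { return 'unrecognised name' }
    }
}

$files = @(Get-ChildItem -Path $Staging -Filter *.jdb | Sort-Object Name)
if ($files.Count -eq 0) { throw "No .jdb files found in $Staging" }

foreach ($f in $files) {
    $kind = Get-JdbKind $f.Name
    # Record the hash so it can be compared with the one taken on the download machine.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host "$($f.Name)  [$kind]  SHA256=$hash"

    # One file at a time: copy, then wait until SEPM has removed it from incoming
    # (assumed behaviour) before offering the next one.
    $target = Join-Path $Incoming $f.Name
    Copy-Item -LiteralPath $f.FullName -Destination $target
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Test-Path -LiteralPath $target) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 15
    }
    if (Test-Path -LiteralPath $target) {
        throw "$($f.Name) is still in incoming after $TimeoutMinutes minutes."
    }
}

# In the thread, only the 14.3 file had been loaded and the 12.1.x clients were not updating.
if (-not ($files | Where-Object { (Get-JdbKind $_.Name) -like '12.1*' })) {
    Write-Warning 'No 12.1 .jdb was processed; 12.1.x clients will not receive definitions.'
}
```

After the script finishes, the 12.1 RU6 revisions should be visible in the two console locations described in the reply.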

support_itsystem

Hello Scott,

Thanks for your reply. I will follow it through.

Based on this article

https://knowledge.broadcom.com/external/article/164751/end-of-support-life-for-endpoint-protect.html

and specifically the statement I have highlighted

What April 3rd, 2021 means to you

  • Endpoint Protection 12.x clients no longer download updates from Symantec LiveUpdate or an internal LiveUpdate Administrator.
    • Endpoint Protection 12.x clients can still obtain virus definitions from a 14.x Endpoint Protection Manager. This setup is not a recommended or supported configuration, and should only be considered to maintain protection while completing the upgrade to SEP 14.
    • Intrusion Prevention, Proactive Threat Protection, and all other content are not available for download through any means.
       

I was though expecting SEPM 14.3 to use a version of the *.jdb files for SEP 14.x to generate content for SEP 12.1.x

From 04/04/2021 while the *.exe files to directly update SEP 12.1.x will disappear will the vd5bxxxx.jdb files continue to be released ?

If not how will Endpoint Protection 12.x clients continue to obtain virus definitions from a 14.x Endpoint Protection Manager ?

Broadcom Employee Scott T

The 14.3 SEPM uses the SEP 14.x  *.jdb files only for SEP 14.x content. The SEP 12.1.x  *.jdb files are specific to content for 12.x SEP clients. The 12.x content is not generated from the 14.x  .jdb files. They are unique to the version.  Again, the 14.3 SEPM will distribute 12.x content to 12.x clients, but the .jdb files are separate between 12.x and 14.x .

As per the Support End of Life for Endpoint Protection 12.x, on April 3, 2021 all SEP 12.x content will cease, meaning there will not be any new / updated 12.x content after that date. The functionality for the 12.x clients to download 12.x content from the 14.3 SEPM will remain, but the content will not be any newer than 4/3/2021.  4/3/2021 content for 12.x will be the last date it is updated.  Jdb files for 12.x content after 4/3/2021 will no longer be updated and publication for those will cease.

support_itsystem

Hello Scott,

Thank you for your reply.

Exactly as you state once the 12.1.x definitions are downloaded and copied into the SEPM 14.3 incoming folder the SEP 12.1.x clients are updated.

While my first post was back in April 2019 my interpretation of the response at the time was that SEPM 14.x would continue to provide updated definition files to SEP 12.1.x clients with no end date specified. Following on I applied that to my interpretation of the details in this article -

https://knowledge.broadcom.com/external/article/164751/end-of-support-life-for-endpoint-protect.html

Over the next couple of months we will have to implement a solution. One thought is blocking USB ports on all Win XP systems with transfers done from a Win 7 system with a shared drive to the XP systems. Particularly now with most staff in separate offices spread around the building to minimise Covid-19 transmission that though is not very practical. Better from a user perspective would be a NAS with two LAN ports one on the internal network and the other on the internet network. What we have to understand though are the data security risks.