Introduction
This is the fourteenth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in October 2019.
With the cross-referencing trick illustrated in this article, you will swiftly be able to determine if your Symantec products have the definitions necessary to combat a new threat.
There is also mention of funny cat photos. The Internet was invented to facilitate the sharing of cat pictures.
What Are You Talking About, Mick2009?
Every new set of definitions that are released by Symantec Security Response has a unique numerical designation called a Sequence. Every Rapid Release set has one, every Certified set of definitions has one- everything. Each new sequence includes all detections that has gone before it. So: the higher, the better.
Virus Definition Update FAQ
http://www.symantec.com/docs/TECH103326
Here's an illustration of where this can get confusing: let's say I have just identified a suspicious file on one of my office's computers and submitted it to Security Response for examination. I have then isolated the computer from the network (pulled its network cord) to keep the potential threat from spreading or the hacker from exfiltrating all the .jpgs of my co-worker's cat that are on this workstation. (Why so many personal pictures on a business machine, anyway-? Isn't their smartphone a better place for snaps of Bobbins-?)
Before I can finish my lecture about the proper use of company property, Security Response have confirmed that my submission was indeed malware and sent a CLOSING mail with details, "Protection available in Rapid Release Sequence Number: 178940 or greater."
I need Sequence 178940 or higher in order for a scan to detect and remove that newly-discovered threat- good news! But looking through the Symantec Endpoint Protection 12.1 client GUI, though, the only Sequence numbers I can find look competely different: how do I know if this computer is protected by the definitions on there?
I've Seen That Somewhere Before, Though....
The Sequence listed there under Troubleshooting is actually the date and version, minus the first two digits. 160627001 is 2016-06-27 001.
This is displayed in more "user friendly" way on the main SEP 12.1 GUI: 27 June 2016 r1.
Yes, this is completely different Sequence. The Sequence Number from the Closing mail is not displayed anywhere in the SEP client GUI.
Now It All Makes Sense
Luckily there is are online resources where the Sequence number from the Closing mail is listed side-by-side with the human-readable date-and-revision information. The first is on Security Response's page about Certified Definitions - Detections Added.
Checking that, I can see that the Sequence Number of the June 27 2016 revision 1 definitions on this client are too low to detect this new threat. That date and revision corresponds to Sequence 178934. I need Sequence 178940 or higher, remember. Running LiveUpdate will check for new Certified definitions, but a set which includes the necessary protection is not expected for several more hours. (Usually, there are three Certified sets each weekday.)
I could keep that infected computer isolated until Certified definitions become available, but that is not necessary. I can check on Security Response's page of Rapid Release Definitions - Detections Added to see if the protection with Sequence 178940 or higher is available. Hey, I am in luck!
Rapid!
Definitions which will clear the infection are available via http.
- Tip Number One: Download the very latest! You don't need the exact sequence from the Closing mail- anything higher will do.
- Tip Number Two: There's a little newdefs.txt file which will provide a human-readable description of the latest Rapid Release definition set's date and revision.
This article will help to deploy this Rapid Release protection throughout the organization:
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article URL http://www.symantec.com/docs/TECH102607
Or the "RR defs" (as they are popularly known) can be applied to a single client:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article URL http://www.symantec.com/docs/TECH104979
Now is the time to check the definitions have been applied by the new date displayed in the SEP GUI (cross-reference that on the Rapid Release Definitions - Detections Added to confirm a high enough Sequence) and then scan away!
The threat is soon detected and eliminated, and the computer can safely be joined to the network. I'm back in business! The day-to-day enterprise of emailing funny cat pics around can continue without further interruption.
Conclusion
Many thanks for reading! Bobbins and I hope this article helps. Please leave comments and feedback below.