
Norton AV Updates

  • 06-11-2003 10:45am
    #1
    Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭


    Dunno if this is the right place to put this, but mods please feel
    free to move it to wherever is appropriate.

    Thanks,

    Tox

    **************************************************

    Ok guys,

    Bit of a problem here that someone may be able to help me
    with, a mate of mine works in a small company who have no IT
    dept simply because they can't justify the cost of a permanent IT
    person on site.

    They have a support contract with a reseller who sold them all
    their equipment and set it all up for them. This has been a
    disaster from day one simply because the reseller are a bunch
    of gimps and couldn't scratch their own balls without instructions.

    Yesterday this company was hit with the W32.Mimail virus.

    Even though they are supposed to have full Norton AV protection
    installed by these gimps. However when they confronted them
    about it, the reseller claims that Norton only releases AV updates
    once a week and as such there is a chance that a Virus will get
    into their system.

    Is this true about Norton?

    Do they only release an AV update once a week?

    I've never worked in a company that used this AV software so
    I'm not too sure, but to be honest that sounds like a load of bollox
    to me...

    Any ideas?????

    Tox


Comments

  • Registered Users Posts: 2,086 ✭✭✭fjon


    The standard virus definitions are usually released every Wednesday. If a virus is to have been released that is found to be very widespread (for instance Welchia) the virus definitions are released as soon as they are available. Minimum time between virus updates is two hours.
    In the case you describe it may be a case of LiveUpdate being set up to only download updates once a week (or were the updates downloaded automatically?)


  • Registered Users Posts: 11,987 ✭✭✭✭zAbbo


    I work on a 50 user network, what I did was install the AV software on all machines, and use the server as a mirror for the AV update site, get the server to connect every day to the updates site, get every machine to connect to the server for its updates every day, if there is no update or there is a problem it will try again.

    The thing with weekly updates is if you miss one it waits a whole week. In our place I've seen virus definitions 2 months out of date before I started mirroring.

    I'm using McAfee on the server which allows me to save a copy of the update file to the HDD while it updates, cuts down on net usage. We still get virii but they are detected and deleted.


  • Registered Users Posts: 13,016 ✭✭✭✭vibe666


    if they weren't gimps they would have installed norton AV Corp. edition which will do updates on the fly from a single server and then distribute it to all the workstations on site (that way it's only downloaded from norton on a single machine and that shares it out to the others). updates are available as soon as norton release them; corp will download and install them as and when necessary as long as it is configured correctly (once an hour should be fine).

    most likely they would have just installed the standalone version which will check periodically and only download the updates as they are released (as was stated in the previous post) which could theoretically leave you open to virii. however this is a calculated risk by norton as the regular (weekly) updates are for virii which have a low probability of infection/spreading and shouldn't cause a problem.

    you'll find a list of what is considered high risk on norton's site. these patches are released as soon as norton has them, to reduce the chance of spreading.

    to tell what version of norton you have, you can check the icon by the clock.

    standalone has an icon that looks like a computer (kinda custard coloured though) and the corp version has an icon that looks like a diagonal gold/yellow bar.

    corp can act as a standalone version too, so you might want to check if the corp version is sitting on a server doing your updates for you.

    if you have a permanent connection to the net you can set either version to check for updates on a daily basis if you like, so don't worry too much.

    personally, it does sound like these guys are cowboys though, you'd be better off with a decent PC hobbyist doing your maintenance!


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Edit: some people have posted some of the stuff I wrote in this while I was typing it, also the Corporate edition suggestions are good providing the company can make the outlay for it.

    From the Symantec website:

    How often are virus definitions posted?

    During "non-alert" situations, Symantec Security Response posts virus definitions to the LiveUpdate servers once per week (usually Wednesdays). However, during "alert" situations, virus definitions are posted to the LiveUpdate servers as soon as they have completed full quality assurance testing.

    In addition to the weekly definitions that are distributed by LiveUpdate, virus definitions are made available for (optional) manual download on a daily (Monday through Friday) basis using the Intelligent Updater.
    .
    .
    .
    If Symantec Security Response detects a virus in the wild that is spreading rapidly, we release LiveUpdate packages immediately to fully protect our customers.

    TBH the issue here isn't negligence on the part of the reseller, nor is it with Norton for (possibly) taking up to a week to release an update (although in the case of MiMail, which is now a Category 3 threat according to Symantec, I'd imagine they would have released an update pretty sharp).

    First of all, Symantec can only create antiviral updates when they themselves hear of a virus. Which means a new virus can infect thousands of machines before Symantec even know about it, never mind develop a cure. It's faintly possible the company was infected before there was even a cure to be released.

    Second, according to the Symantec site, the worm is transmitted through email as a html file or, more recently, an executable file contained in a zip file. This means that whatever moron first opened an infected file disregarded a couple of basic safety precautions, namely downloading an attachment of an unsolicited mail from an unknown sender and deliberately opening an unknown (and fairly suspicious to be honest) file from said unknown sender. Christ, they'd even have to unzip it first unless they were running XP.

    I think that before this company wants to go pointing the finger at someone else, they first need to take a look at their internal IT security training (or lack thereof). All it takes is a quick memo to explain basic email safety.


  • Registered Users Posts: 2,086 ✭✭✭fjon


    Yeah, I agree with vibe - the corporate edition would have been a much better idea. One thing to consider is that the reseller probably used the standalone version because it was OEM and cost a helluva lot less than the corporate.
    By the way, the updates that are available to download manually - Intelligent Updater (these are updated every two hours) are here:

    http://www.symantec.com/avcenter/defs.download.html


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    Originally posted by fwk
    In the case you describe it may be a case of LiveUpdate being set up to only download updates once a week

    This is exactly the case, even though when they were queried about this by one of the guys in the company, they told him
    that this would be plenty and wouldn't need to check any more
    frequently than that.... 2 weeks later the company gets hit by
    a virus..

    Personally, I think they should dump this reseller and their
    maintenance contract on the basis that they are incompetent and
    shouldn't need any other reason than that.

    Although I know with contractual red tape etc this may not be so
    easy..

    Would setting the Live Update to check on a daily basis create
    any serious problems? I doubt it personally, but like I said I've
    never really administered Norton AV and as such don't know it
    too well..

    Tox
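
The effect of the LiveUpdate polling schedule discussed in this thread, as an added example that is not part of any post: it measures how long a client keeps running on old definitions after a release is posted, for weekly, daily and hourly checks. The release times, the Monday 08:00 first poll and the function names are constructed assumptions, not Symantec's actual timeline or tooling.

```python
from datetime import datetime, timedelta

# Constructed definition postings (not Symantec's real timeline): two regular
# Wednesday releases and one out-of-band "alert" release in between.
RELEASES = {
    "weekly Wed 29 Oct": datetime(2003, 10, 29, 9, 30),
    "alert Fri 31 Oct": datetime(2003, 10, 31, 15, 20),
    "weekly Wed 5 Nov": datetime(2003, 11, 5, 9, 30),
}

# Assumed client schedules: every client first polls Monday 27 Oct 08:00,
# then repeats at the given interval.
FIRST_POLL = datetime(2003, 10, 27, 8, 0)
SCHEDULES = {
    "weekly": timedelta(weeks=1),
    "daily": timedelta(days=1),
    "hourly": timedelta(hours=1),
}

def next_poll(released, interval, first_poll=FIRST_POLL):
    """First scheduled poll at or after the moment definitions are posted."""
    if released <= first_poll:
        return first_poll
    steps = -(-(released - first_poll) // interval)  # ceiling division
    return first_poll + steps * interval

def lag_minutes(release_name, schedule_name):
    """Minutes a client stays on old definitions after a release is posted."""
    released = RELEASES[release_name]
    picked_up = next_poll(released, SCHEDULES[schedule_name])
    return (picked_up - released) // timedelta(minutes=1)

def worst_lag_minutes(schedule_name):
    """Longest lag across all constructed releases for one schedule."""
    return max(lag_minutes(r, schedule_name) for r in RELEASES)

if __name__ == "__main__":
    for name in SCHEDULES:
        alert = lag_minutes("alert Fri 31 Oct", name)
        print(f"{name:7} alert lag {alert / 60:6.1f} h, "
              f"worst lag {worst_lag_minutes(name) / 60:6.1f} h")
```

With these constructed times the weekly schedule leaves the alert release unapplied for roughly 65 hours, the daily one for under 17 hours.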


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Well the updates are never more than a few hundred kilobytes, so if there's any sort of decent internet connection in place it shouldn't cause any problems.


  • Moderators, Business & Finance Moderators, Society & Culture Moderators Posts: 9,763 Mod ✭✭✭✭ToxicPaddy


    They have DSL or ADSL (not sure which) and it seems to have a
    high enough contention ratio but they still manage to get fairly
    decent download speeds, so that's not a problem..

    Tox


  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    We have an old desktop running ePolicy Orchestrator (our EPO server) from Norton .... the clients have the EPO agent installed (as a service) and they all point to the EPO server for updates.

    The server then contacts/pings ftp.nai.com (at a user specified interval) and if it detects a new superdat it downloads it. It also checks all the running agents at a user specified interval and restarts VirusScan / Netshield if they are stopped and installs latest superdats when it has them.

    All done from one central box .... nice and handy. No idea how much it costs, but it wasn't a lot compared to the havoc that could be caused by a virus.

    [Edit] I should have mentioned that there are 100 - 150 machines running the agent [/Edit]


  • Registered Users Posts: 5,402 ✭✭✭ando


    sometimes liveupdate does not complete or fails to start, but those problems are usually due to dial up not staying alive or being too slow etc. In these cases I'd get the client to download manually the definition file every Tuesday and Thursday, but since this is on DSL, it should be downloading itself unless it has not been set up right

