Updating Symantec AntiVirus Definitions On An Hourly Basis

Posted by Dan on Sep 23, 2005 @ 9:51 AM

My boss wanted to make sure that on one of our servers we were updating our Symantec Anti-Virus definitions on an hourly basis. By default the Symantec Anti-Virus Client will only allow you to do a LiveUpdate once per day. Fortunately, there's a command line tool called VPDN_LU.exe which you can run to do silent updates.

Here are the command line options for the VPDN_LU.exe tool:

/fUpdate
Filter out definitions updates
/fVirusdef
Filter out new AntiVirus definitions updates
/s
Retrieve definitions and product updates in silent mode.

Here are some example usages:

vpdn_lu.exe /fUpdate /s
Retrieve virus definitions silently.
vpdn_lu.exe /fVirusdef /s
Retrieve product updates silently.
vpdn_lu.exe /s
Retrieve product updates and definitions silently.

I've configured our server to silent update just the AntiVirus definitions once an hour (on the top of the hour) using the Windows Scheduled Tasks tool. Using the Symantec AntiVirus I've set up a "Full LiveUpdate" to run at 3:30am—which we determined was a good time to do a full update in case the server needs to reboot after it's run it's update.

NOTE:
I'd recommend only checking for new AntiVirus definitions on an hourly basis. If you also check for product updates, your server may attempt to reboot itself and that could be problematic. Also, I'm not condoning running AntiVirus updates on an hourly basis, it's probably overkill for most situations. However, if it's requested of you, here's what you need to do.

To schedule an hourly update, just follow these steps:

  1. Open up the Windows Control Panel.
  2. Double-click on the "Scheduled Task" folder.
  3. Go to "File > New > Schedule Task".
  4. Name your task something useful like, "Symantec AntiVirus Updates - Hourly".
  5. Double-click on your new task to edit it's properties.
  6. In the "Run" field, enter: "C:\Program Files\Symantec AntiVirus\VPDN_LU.exe" /fUpdate /s
    7. NOTE:
    If you did not install Symantec AntiVirus into it's default location, you'll want to specify the correct path to your install.
  7. In the "Start in" field, enter: "C:\Program Files\Symantec AntiVirus" (or the correct path to your Symantec AntiVirus install.)
  8. In order to avoid problems running the updates in the background, you'll want to run this task under an account that will have the necessary permissions to do the updates. Make sure the "Run as" box specifies a user profile with the necessary permissions to access the Internet and read/write to the Symantec installation folder.
  9. Next, click on the "Schedule" tab.
  10. Under "Schedule Task", set the option to "Daily"—this should be the default setting.
  11. Under "Start time:" enter: 12:00am.
  12. Click the "Advanced" button.
  13. Click the "Repeat task" checkbox.
  14. Under the "Every" entry, enter in: "1 hours" (or whatever interval you want in either hours or minutes.)
  15. Under "Duration" enter: "23 hour(s) 59 minute(s)"
  16. Click the "If the task is still running, stop it at this time" checkbox field.
  17. Click "Ok" to close the "Advanced Schedule Options" box.
  18. Click "Ok" to save your new task.
  19. Right-click on your new task and select "Run" to test your new event.
  20. To ensure that it's running correctly, open up the Symantec AntiVirus client.
  21. In the navigation tree pane, expand the "Histories" branch.
  22. Select the "Event Log" node.
  23. You should now see a list of each LiveUpdate action. Make sure that your test run appears in the Event Log. If everything was set up correctly, then you should start seeing new entries in the Event Log every hour. If not, double check these steps to make sure you didn't miss anything.
NOTE:
At a quick glance, Norton AntiVirus does not appear to ship w/a command line tool to allow silent LiveUpdates. There may be a tool to do it, but I just haven't researched it.
Categories: JavaScript, SQL, Technology, HTML/ColdFusion, Flex/Flash, Java

11 Comments

  • Mark W. Breneman's Gravatar
    Mark W. Breneman
    I was under the impression that Symantec only "published" updates to the Virus Defs daily. I know that Symantec often goes several days with out publishing new defs. Interesting...
  • Dan G. Switzer, II's Gravatar
    Dan G. Switzer, II
    Generally speaking, they have one official release date (accordingly to a friend that works on the LiveUpdate team) and then seem to publish updates about every other day.

    I'm not advocating checking that frequently. Personally, I feel it's overkill in our situation. However, my boss wanted it done this way. He's very worried about a Sev 3 or 4 virus hitting the wild and wants to make sure the server was updated as quickly as possible--especially if we're not in a position to be able to update the box manually.

    I did do some research/monitoring and there's very little overhead in doing just a silent LiveUpdate on the Virus Definition files. Takes about 10-15 seconds for the whole routine when nothing new is available, and it uses very little resources.

    The bottom line is, if you need more flexibility in your LiveUpdate, this entry will allow you to customize your schedule a little more than what the built-in Symantec scheduler will allow.
  • Mark W. Breneman's Gravatar
    Mark W. Breneman
    Dan, I'm not bashing here, just challenging my own long held beliefs and trying to learn more.

    What type of server is this?
    File or Webserver?
    Public or Private?
    Have you increased the virus scan to run hourly as well?

    I don't run anti-virus software on any of my webservers, streaming server or Mail server. I do run a weekly virus scan on our in-house file server.

    I would normally say that the server is the most unlikely computer on the network to get infected. (No user, no email clients etc..) But, with more worms showing up, I may have to stop thinking like this.

    Although worms take advantage of holes in the server software. I would say patching those holes is higher on my to do list. After the server is compromised when NAV sees it may be too late. I know some server admins that if they have a virus they rebuild the server to make sure they don't have any issues in the future. I tend to think along these lines when it comes to my webservers.

    I also assume you have the windows auto update to run nightly as well.
  • Dan G. Switzer, II's Gravatar
    Dan G. Switzer, II
    Mark,

    >Dan, I'm not bashing here, just challenging my own long held beliefs and
    >trying to learn more.

    No problem!

    >What type of server is this?
    >File or Webserver?

    It's an "Intranet" server, but accessible from the public Intranet. We use it for a number of things.

    >Public or Private?

    It's a dedicated server leased from a well known hosting provider. Well we've locked things down from a "web" front, we don't control the infrastructure at the ISP, so we don't know what type of other machines might have permissions to the file system.

    >Have you increased the virus scan to run hourly as well?

    We're running realtime scans, but excluding files like the SQL database files, etc. I still just do daily scans of the server. The realtime scan engine should catch any virus that is being loaded into memory or written to the drive.

    >I don't run anti-virus software on any of my webservers, streaming server
    >or Mail server. I do run a weekly virus scan on our in-house file server.

    Most people don't. However, since this is an "Intranet" app, contractors/employees have the ability to upload documents to the server for file storage/library capabilities.

    >I would normally say that the server is the most unlikely computer on the
    >network to get infected. (No user, no email clients etc..) But, with more
    >worms showing up, I may have to stop thinking like this.

    I've yet to be affected by a real "virus", but in my past jobs I've always been in a much more controlled environment. However, in my new environment we have many people working remotely from different locations and we can't always assume that every precaution is taken when uploading files to the server. (Not to mention, I can't be sure what other boxes at the ISP might have permissions to my server.)

    >Although worms take advantage of holes in the server software. I would say
    >patching those holes is higher on my to do list. After the server is
    >compromised when NAV sees it may be too late. I know some server admins
    >that if they have a virus they rebuild the server to make sure they don't
    >have any issues in the future. I tend to think along these lines when it
    >comes to my webservers.

    Worms are a bigger issue for sure, but Symantec will normally stop most worms once known about. I try to stay on top of all security advisors and monitor the server to make sure it's staying up-to-date and patch.

    >I also assume you have the windows auto update to run nightly as well.

    Yes.
  • Brian's Gravatar
    Brian
    A better alternative to scheduled tasks is http://www.visualcron.com">VisualCron. http://www.visualcron.com

    regards,

    Brian
  • Brian's Gravatar
    Brian
    Get your UNIX/LINUX CRON CRAP out of here...
  • tom's Gravatar
    tom
    Here's a site with a www.electronicsconsumerguide.com">free norton antivirus download.. It's good for a year!
    www.electronicsconsumerguide.com">www.electronicsconsumerguide.com
  • Bevan's Gravatar
    Bevan
    Make sure you are aware of the symantec system centre and the available options you have with "continuous live update" This is a good way to schedule updates to a maximum of every 15mins ensure you are using SAV CE 10.1.6.6000 as earlier versions have issues with continuous live update! Alternatively, check out the rapid release options for releases as soon as they are available.
    http://entkb.symantec.com/security/output/n2003100...
  • Dan's Gravatar
    Dan
    Hey I have a question and was hoping maybe you could help. I recently went from Norton Antivirius which I bought the yearly subscription to and switched to Symantec Antivirus Corporate Edition. I get this free through my university and my Norton was up. In norton there was a way to have the computer wake itself from standby to run a scheduled scan. Im using a notebook not a server but i assume the process would be similar to the one you listed above. I have tried to add a scheduled task under control panel but I cant figure out how to make it scan.

    Thanks for any help you can give me,
    Dan
  • Dan G. Switzer, II's Gravatar
    Dan G. Switzer, II
    @Dan:

    I honestly have no clue. I'd imagine there probably is a way to wake up the laptop, but I'd recommend checking out Symantec's online Knowledge Base.

    Sorry I couldn't be of more help, I've just never had the need to do what you're trying to do.
  • Tom's Gravatar
    Tom
    There should be a configuration option while setting up a custom or scheduled scan within the Symantec client that will "wake-for-scan" or "wake-for-update" in "Advanced" or "options". I would have to look at the program again but I've actually just set this up on one of the production servers that only run during the week and not on weekends. On saturday/sunday i have it set to wake at 7am and download new updates and run a scan. The server already has a shutdown time of around 7pm.  It should ask you for credentials to login when set up.

Comments for this entry have been disabled.