Testing engine updates before they release on Windows clients
Symantec Endpoint Protectioncontains several engines that carry out parts of its functionality. These engines are binary files (.dll or .exe) and are delivered with the security definitions. Symantec updates the functionality of these engines to enhance
Symantec Endpoint Protection's capabilities and to respond to new threats.
While Symantec updates virus definitions several times a day, the engine content is updated on a quarterly basis. Symantec provides the engine updates using LiveUpdate.
Symantec provides a special server lets you download and test the engine content before you roll out the content to your production environment. Symantec releases these updates on the Early Adopter server (EAS). Engine updates are released a few weeks before the engines are available for general release on the public LiveUpdate server.
You download the engine updates using the EAS, try them in a lab environment, and let Symantec know of any conflicts you encounter. This process lets Symantec fix these conflicts ahead of the general release.
Use the following process to test engine updates:
Step 1: Create a group of test computers to receive content
The most accurate test of engine compatibility is with the production systems that do real work. Create a permanent testing group by selecting a set of client computers to receive EAS content using the following criteria:
- Identify the various types of critical systems within your environment. These systems may vary from each other by hardware, software, or function. For example, you might identify retail systems such as a gold desktop image, point-of-sale systems, and web servers, among other critical systems to test.
- Use multiple systems of each type as some software conflicts may manifest only intermittently. Choose the production systems that already have the installed software that you normally use and that perform a representative load of work.
- Configure the test client computers that receive the early release content like the production computers that you do not test. Both the clients that you test and do not test should have the sameSymantec Endpoint Protectionfeatures installed and use the same policies.
If you prefer not to use production computers for testing with the EAS, you may use lab-based systems. In this case, you may want to write the automation that exercises the functions of the systems under test and simulate load.
For customers with a small number of client computers, all you need is one
Symantec Endpoint Protection Managerand one
Symantec Endpoint Protectionfor Windows client.
Step 2: Configure test computers to receive prereleased content from the Early Adopter server
For the test group, configure LiveUpdate to download the content from the Symantec Early Adopter server by performing the following steps.
To configure a site to download content from the Symantec Early Adopter LiveUpdate server
- In the console, clickAdmin>Servers.
- UnderServers, right-clickLocal Site, and then clickEdit Site Properties.
- UnderLiveUpdate Source Servers, clickEdit Source Servers.
- In theLiveUpdate Serversdialog box, clickUse the Symantec LiveUpdate server for prereleased content, and then clickOK>OK.
To configure the managed clients to use the prerelease Symantec Early Adopter LiveUpdate server
- In the console, open a new LiveUpdate Settings policy, and clickPolicies>LiveUpdate.
- UnderWindows Settings, clickServer Settings>Use a LiveUpdate server>Use the Symantec LiveUpdate server for prereleased content.
- ClickOK, and assign the policy to the test group.
As long as your LiveUpdate Settings policy gets content from the EAS, the test clients continue to receive the prereleased versions of the content.
For non-test groups, keep the LiveUpdate Settings policy configured to the LiveUpdate server that you normally use. After the engines are available for general release, all client computers receive LiveUpdate content, depending on how you configured your client computers to receive it.
For more information, see:
Step 3: Configure test and non-test computers to a particular engine version
Configure several LiveUpdate Content policies so that:
- The test group receives the latest version of the security definitions and engines. This group downloads all future content revisions with the prerelease engine version in it.
- The non-test groups receive an existing, safe version of the engine.You can also lock on an engine version. With this option, clients continue to receive the latest security definitions that are associated with a particular engine, but not the latest engine version. See:After you are satisfied that the test group functions normally with the prereleased content, you manually choose the next engine version for these non-test groups.
Step 4: Set up notifications for new engine releases (optional)
To get notifications for planned engine releases that LiveUpdate downloads to the
Symantec Endpoint Protection Manager, do one of the following tasks:
- Add a notification for when new content has been downloaded toSymantec Endpoint Protection Manager. Notifications for new content include new engine releases as well as security definitions. You receive notifications only if one or more LiveUpdate Content policies that specify a content revision by engine version are locked due to an available engine update.To view notifications, on theHomepage, in theSecurity Statuspane, clickView Notifications.Updates on the EAS are as frequent as on the regular LiveUpdate server. If you feel that you receive these notifications too often, configure the notifications to not appear.For more information, see:
- Premium Support Customers can log on here to the Customer Subscription Portal. See:
Step 5: Monitor the test computers after engine content is released
After Symantec publishes an engine update to the EAS, begin monitoring the computers that you configured to receive this content. Monitor the following items:
- Verify that the test computers run the prerelease version of the engine updates. See:
- Uptime and available resources on the servers and other critical infrastructure using tools such as Microsoft System Center Operations Manager.
- The applications that run on the client computers to ensure that they continue to perform as expected.
- TheSymantec Endpoint Protectionclient status to ensure that it remains connected to the management server and is protected. See:
In addition, run the client after you modify the policies or run a scan to ensure that the computer functions as expected.
If you notice any unexpected behavior or suspect a software conflict exists with the engine update, contact Support for assistance. Usually, if Symantec confirms that there is a software conflict before the beginning of the phased rollout, Symantec reschedules the publishing, and works with you to correct the issue. Symantec then republishes an updated engine to EAS.