All of our customers run Symantec Mail Security for MS Exchange (SMSMSE) 7.9 to protect their Exchange servers of various flavors. We've noticed that in the last 6 months, the volume and sophistication of inbound virus/malware content for multiple customers has forced us to switch to Rapid Release defs; if we stay on certified, messages with malicious attachments get through, even if the certified defs are only a day (or less!) old. That's with heuristics on maximum, and blocking of macro-enabled Office attachments, VBA content, and quarantining of multimedia files. Is anybody else experiencing this too? What are you doing to mitigate it?
The other issue is that RR definitions aren't as reliable as certified defs, and sometimes spontaneously (and silently) fail to load. Once we've noticed that's happened, one of the easier fixes is remoting to the server, manually updating certified defs, then updating rapid release again. Almost like SMSMSE Rapid Release gets 'stuck' sometimes, and that 'unsticks' it. The trick is noticing it's happened in the first place, because SMSMSE itself doesn't consider defs out-of-date until several days have passed, and so won't report on them. We can't wait several days to know--as I mentioned, certified defs of even the same day are too out of date to provide complete protection.
To that end, we set up a scheduled report with our PDQ Inventory automation tool that monitors the modification date on the catalog.dat file in the virus defs folder. Symantec support explained this is a good way to check the recency of defs programmatically (i.e., without having a human check the SMSMSE console's defs date with their eyeballs). But someone has to keep an eye on the mod date report 7 days a week, multiple times a day, to make sure Rapid Release hasn't silently failed again. In other words, SMSMSE doesn't appear to have a built-in way to handle this.
Our customers are complaining that they don't understand why SMSMSE has to be monitored 7 days a week, multiple times a day, to make sure it is updating Rapid Release defs correctly. They say it should just work, without the need for constant checking, or that at least we should only have to monitor 5 days a week during business hours. How have you addressed this in your customer environments? How do you suggest we mitigate their concerns?
Thanks for your help!
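
The catalog.dat modification-date check described in the post can be turned into an unattended alert instead of a report someone has to read. The script below is an added example, not part of the original post and not Symantec or PDQ code; the folder path is a placeholder and the 6-hour threshold is an assumption to tune to how often your servers normally receive Rapid Release updates.

```powershell
# Added example: staleness check for SMSMSE definitions based on catalog.dat.
# $DefsPath is a placeholder; point it at the virus defs folder on the server.
# $MaxAgeHours is an assumed threshold, not a vendor-documented value.
param(
    [string]$DefsPath    = 'C:\PLACEHOLDER\virus-defs-folder',
    [double]$MaxAgeHours = 6
)

function Test-DefsFreshness {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][double]$MaxAgeHours,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $catalog = Join-Path -Path $Path -ChildPath 'catalog.dat'

    # A missing file is its own failure mode: wrong path or a broken update.
    if (-not (Test-Path -LiteralPath $catalog -PathType Leaf)) {
        return [pscustomobject]@{
            Status = 'MISSING'; File = $catalog; ModifiedUtc = $null; AgeHours = $null
        }
    }

    $modified = (Get-Item -LiteralPath $catalog).LastWriteTimeUtc
    $age      = [math]::Round(($Now - $modified).TotalHours, 2)

    # A timestamp more than an hour in the future means the clock is wrong,
    # which would otherwise make stale defs look fresh.
    $status = 'OK'
    if ($age -lt -1)               { $status = 'CLOCK_SKEW' }
    elseif ($age -gt $MaxAgeHours) { $status = 'STALE' }

    [pscustomobject]@{
        Status = $status; File = $catalog; ModifiedUtc = $modified; AgeHours = $age
    }
}

$result = Test-DefsFreshness -Path $DefsPath -MaxAgeHours $MaxAgeHours
$result | Format-List

if ($result.Status -ne 'OK') {
    # Non-zero exit lets Task Scheduler or a monitoring agent raise the alert.
    Write-Error ("SMSMSE defs check on {0}: {1}" -f $env:COMPUTERNAME, $result.Status)
    exit 1
}
exit 0
```

Run it from a scheduled task or monitoring agent that alerts on a non-zero exit code, so a person is only pulled in when the status is STALE, MISSING or CLOCK_SKEW.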