SMSMSE 7.9 Rapid Release requires constant ad-hoc monitoring, Certified defs inadequate

AA-in-CA
All of our customers run Symantec Mail Security for MS Exchange (SMSMSE) 7.9 to protect their Exchange servers of various flavors.  We've noticed that in the last 6 months, the volume and sophistication of inbound virus/malware content for multiple customers has forced us to switch to Rapid Release defs; if we stay on certified, messages with malicious attachments get through, even if the certified defs are only a day (or less!) old.  That's with heuristics on maximum, and blocking of macro-enabled Office attachments, VBA content, and quarantining of multimedia files.  Is anybody else experiencing this too?  What are you doing to mitigate it?

The other issue is that RR definitions aren't as reliable as certified defs, and sometimes spontaneously (and silently) fail to load.  Once we've noticed that's happened, one of the easier fixes is remoting to the server, manually updating certified defs, then updating rapid release again.  Almost like SMSMSE Rapid Release gets 'stuck' sometimes, and that 'unsticks' it.  The trick is noticing it's happened in the first place, because SMSMSE itself doesn't consider defs out-of-date until several days have passed, and so won't report on them.  We can't wait several days to know--as I mentioned, certified defs of even the same day are too out of date to provide complete protection.

To that end, we set up a scheduled report with our PDQ Inventory automation tool that monitors the modification date on the catalog.dat file in the virus defs folder.  Symantec support explained this is a good way to check the recency of defs programmatically (i.e., without having a human check the SMSMSE console's defs date with their eyeballs).  But someone has to keep an eye on the mod date report 7 days a week, multiple times a day, to make sure Rapid Release hasn't silently failed again.  In other words, SMSMSE doesn't appear to have a built-in way to handle this.

Our customers are complaining that they don't understand why SMSMSE has to be monitored 7 days a week, multiple times a day, to make sure it is updating Rapid Release defs correctly.  They say it should just work, without the need for constant checking, or that at least we should only have to monitor 5 days a week during business hours.  How have you addressed this in your customer environments?  How do you suggest we mitigate their concerns?

Thanks for your help!
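One way to automate the catalog.dat age check the question describes, so a machine rather than a person watches it, is a scheduled PowerShell script. This is an added example, not code from the original post, from PDQ Inventory, or from Symantec; the definitions folder path, the age threshold, the event source name and the SMTP details are assumptions or placeholders to be replaced.

```powershell
# Added example: alert when catalog.dat in the SMSMSE virus defs folder has not
# changed for longer than a threshold (a sign Rapid Release has silently stalled).
param(
    [string]$DefsFolder   = 'C:\PATH\TO\SMSMSE\VirusDefs',  # placeholder: your defs folder
    [int]   $MaxAgeHours  = 4,                               # assumed threshold for Rapid Release
    [string]$SmtpServer   = 'smtp.example.invalid',          # placeholder
    [string]$AlertAddress = 'ops@example.invalid'            # placeholder
)

$EventSource = 'SMSMSE-DefsCheck'   # assumed name; register once as admin (see below)

function Get-DefsStatus {
    param([string]$Folder, [int]$MaxHours)
    $catalog = Join-Path $Folder 'catalog.dat'
    if (-not (Test-Path -LiteralPath $catalog)) {
        return [pscustomobject]@{ Ok = $false; AgeHours = $null
                                  Reason = "catalog.dat not found at $catalog" }
    }
    # Compare in UTC so daylight-saving changes cannot mask or fake a stall.
    $mtime = (Get-Item -LiteralPath $catalog).LastWriteTimeUtc
    $age   = [math]::Round(((Get-Date).ToUniversalTime() - $mtime).TotalHours, 1)
    if ($age -gt $MaxHours) {
        return [pscustomobject]@{ Ok = $false; AgeHours = $age
                                  Reason = "catalog.dat last modified $age h ago (limit $MaxHours h); Rapid Release may have stalled" }
    }
    [pscustomobject]@{ Ok = $true; AgeHours = $age; Reason = "definitions current ($age h old)" }
}

$status = Get-DefsStatus -Folder $DefsFolder -MaxHours $MaxAgeHours

# Record the result in the Application log so an existing monitoring tool can
# alert on it. Register the source once (elevated):
#   New-EventLog -LogName Application -Source 'SMSMSE-DefsCheck'
if ([System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    $type = if ($status.Ok) { 'Information' } else { 'Error' }
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 `
                   -EntryType $type -Message $status.Reason
}

# Mail only on failure, so a scheduled run every hour stays quiet when all is well.
if (-not $status.Ok) {
    Send-MailMessage -SmtpServer $SmtpServer -To $AlertAddress -From $AlertAddress `
                     -Subject "SMSMSE defs alert on $env:COMPUTERNAME" -Body $status.Reason
}

$status   # emit the object so a scheduled-task transcript shows the outcome
```

Run it from a scheduled task on each Exchange server at an interval shorter than the threshold; the threshold should be tuned to how often Rapid Release defs normally arrive in your environment, since too small a value produces false alarms.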
Top Expert 2016

Commented:
In reality signature detection is rapidly becoming obsolete. The AV Vendor must get several samples from their canaries in order to create a signature. Ransomware artists are creating customized ransomware that will have unique signatures. This is designed to make signature detection useless. You have to go by what does this item do and if it fits a pattern of known bad behaviour then block it.
So use the stable versions that don't need to be monitored. Educate the users, use ad blockers and constantly check for malicious behaviour.
