SMSMSE 7.9 Rapid Release requires constant ad-hoc monitoring, Certified defs inadequate

All of our customers run Symantec Mail Security for MS Exchange (SMSMSE) 7.9 to protect their Exchange servers of various flavors.  We've noticed that in the last 6 months, the volume and sophistication of inbound virus/malware content for multiple customers has forced us to switch to Rapid Release defs; if we stay on certified, messages with malicious attachments get through, even if the certified defs are only a day (or less!) old.  That's with heuristics on maximum, and blocking of macro-enabled Office attachments, VBA content, and quarantining of multimedia files.  Is anybody else experiencing this too?  What are you doing to mitigate it?

The other issue is that RR definitions aren't as reliable as certified defs, and sometimes spontaneously (and silently) fail to load.  Once we've noticed that's happened, one of the easier fixes is remoting to the server, manually updating certified defs, then updating Rapid Release again.  Almost like SMSMSE Rapid Release gets 'stuck' sometimes, and that 'unsticks' it.  The trick is noticing it's happened in the first place, because SMSMSE itself doesn't consider defs out-of-date until several days have passed, and so won't report on them.  We can't wait several days to know; as I mentioned, certified defs of even the same day are too out of date to provide complete protection.

To that end, we set up a scheduled report with our PDQ Inventory automation tool that monitors the modification date on the catalog.dat file in the virus defs folder.  Symantec support explained this is a good way to check the recency of defs programmatically (i.e., without having a human check the SMSMSE console's defs date with their eyeballs).  But someone has to keep an eye on the mod date report 7 days a week, multiple times a day, to make sure Rapid Release hasn't silently failed again.  In other words, SMSMSE doesn't appear to have a built-in way to handle this.

Our customers are complaining that they don't understand why SMSMSE has to be monitored 7 days a week, multiple times a day, to make sure it is updating Rapid Release defs correctly.  They say it should just work, without the need for constant checking, or that at least we should only have to monitor 5 days a week during business hours.  How have you addressed this in your customer environments?  How do you suggest we mitigate their concerns?

Thanks for your help!
AA-in-CA asked:
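The catalog.dat modification-date check described in the question can be turned into an alerting job rather than a report someone has to read by eye. The script below is an added example written for this page; it is not from the original post, from PDQ, or from Symantec. It assumes two things the post does not state: `$DefsFolder` is a placeholder for the SMSMSE virus definitions folder on the Exchange server (set it to the real path), and `$MaxAgeHours` is a locally chosen threshold measured in hours, since the post says same-day certified defs are already too old and SMSMSE's own several-day threshold is too slow. `Test-DefinitionAge`, `DefsAgeCheck` and the event ID are names chosen here for illustration.

```powershell
# Added example: flag a stale or missing SMSMSE definitions catalog by its file mtime.
# Assumptions (placeholders, not from the original post or from Symantec):
#   $DefsFolder   - path to the SMSMSE virus definitions folder on this server
#   $MaxAgeHours  - how old catalog.dat may be before we treat Rapid Release as stuck
param(
    [string]$DefsFolder  = 'C:\PLACEHOLDER\SMSMSE\Definitions',   # placeholder: set to the real defs folder
    [int]   $MaxAgeHours = 6,
    [string]$LogPath     = "$env:ProgramData\DefsAgeCheck.log"
)

function Test-DefinitionAge {
    param([string]$Folder, [int]$MaxHours)
    $catalog = Join-Path $Folder 'catalog.dat'

    # A missing catalog is its own failure mode: report it, don't treat it as "fresh".
    if (-not (Test-Path -LiteralPath $catalog)) {
        return [pscustomobject]@{ Status = 'MISSING'; AgeHours = $null; Modified = $null; Path = $catalog }
    }

    $mtime  = (Get-Item -LiteralPath $catalog).LastWriteTime
    $age    = [math]::Round(((Get-Date) - $mtime).TotalHours, 1)
    $status = if ($age -gt $MaxHours) { 'STALE' } else { 'OK' }

    [pscustomobject]@{ Status = $status; AgeHours = $age; Modified = $mtime; Path = $catalog }
}

$result = Test-DefinitionAge -Folder $DefsFolder -MaxHours $MaxAgeHours
$line   = '{0:s} {1} age={2}h modified={3} path={4}' -f (Get-Date), $result.Status, $result.AgeHours, $result.Modified, $result.Path

# Append every run to a local log so a "no news" gap is itself visible.
Add-Content -Path $LogPath -Value $line

if ($result.Status -ne 'OK') {
    # Raise an Application event so whatever already watches the server (PDQ, SCOM, a SIEM
    # agent) can page on it.  The source must be registered once, as an administrator:
    #   New-EventLog -LogName Application -Source 'DefsAgeCheck'
    Write-EventLog -LogName Application -Source 'DefsAgeCheck' -EntryType Warning -EventId 1001 -Message $line
    exit 1
}

Write-Output $line
exit 0
```

Run it from Task Scheduler (or as a PDQ Deploy step) every hour or two under an account that can read the defs folder and write to the Application log; the non-zero exit code and the Warning event are what the monitoring layer keys on, so the 7-days-a-week watching moves from a person to the alert rule. `Write-EventLog` is a Windows PowerShell 5.1 cmdlet; on PowerShell 7 use `New-WinEvent` or drop the event and rely on the exit code instead.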
David Johnson, CD, MVP (Retired) commented:
In reality signature detection is rapidly becoming obsolete. The AV vendor must get several samples from their canaries in order to create a signature. Ransomware artists are creating customized ransomware that will have unique signatures. This is designed to make signature detection useless. You have to go by what this item does, and if it fits a pattern of known bad behaviour then block it.
So use the stable versions that don't need to be monitored. Educate the users, use ad blockers and constantly check for malicious behaviour.