AV signatures date 06.08.2012

Hello,

I am using Endpoint Security and Control 10.0.

The virus data date from 06.08.2012.

The last update was today (07.09.2012), but I still have the old definitions.

I think this might be a problem.

Nice weekend, O. Schumann.

ISLE GmbH.

[Antivirus und HIPS]

-[ Software]

Sophos Anti-Virus 10.0.7

Veröffentlichungsstatus Full

On-Access-Status Aktiviert

Detection Engine 3.34.0

Erkennungsdaten 4.80G

Datum der Virendaten 06.08.2012

Objekte erkannt 3880695

Erkennungsdateien 385

Version der HIPS-Regeln 9.7.8

Version der HIPS-Konfiguration 1.0.4

Letztes Update 07.09.2012 12:03:11



This thread was automatically locked due to age.
  • Hello isle-gmbh (or O.),

    4.80G is correct, as is probably 385 for the number of IDEs (or Erkennungsdateien, as we German speakers prefer to say ;-)), which is now 396.

    Datum der Virendaten (Virus data date) refers to the date of the libraries ("VDL"). IDEs (which complement the VDLs) contain one or more new or updated definitions and are issued constantly (usually every few hours). The VDLs are consolidated about once a month, i.e. the bigger part of the individual IDEs is then integrated into a library and obsolete entries are removed. The virus data version is incremented (thus we'll probably see 4.81 in the next days). The relevant date is the Letztes Update (Last updated) date, strictly speaking the number of IDEs is what to look for - you can compare your numbers to the ones found on the Download latest virus identity (IDE) files page.

    Christian

  • Thanks for the info. I am reassured now.

    However, I think it is displayed misleadingly in the software. That should be changed.

    Best regards, Oliver Schumann.

    ISLE GmbH.

  • Hello Oliver,

    Assuming your consent, I will translate your post and reply in English.

    Oliver Schumann's response translated:

    Thanks for the Info. Feel at ease now.

    I think however the display is misleading and should be changed.

    First of all, it has been like that for a long time (probably "since the beginning") and a change might cause some confusion. Nevertheless, one might argue that the Virus data date information is somewhat redundant as a Detection data version is issued only once. In addition you will get an alert from Windows Security Center (assuming it is enabled) if the detection data is older than 35 days. The issue date is not available on the IDE page though (you could counter it should) so it's perhaps a good idea it is there.

    I think the confusion arises from the fact that two, actually three, dates can be seen in the GUI/taskbar balloon:

    • Last checked for updates in the balloon which is the same as Last updated in the Status pane of the GUI denoting that the last check for updates was successful and its time
    • Last updated in the Product information view denoting the time a check resulted in one or more files to be updated/added
    • Virus data date obtained from vdl.dat denoting the libraries' issue date

    ... one gets used to it ...

    Although this design is occasionally questioned, there doesn't seem to be too much demand for it to be changed (or no one has come up with a satisfactory naming ;-)).

    Christian

  • Hi QC,

    Thanks for all of your good info on this. I am still a bit confused on the date concepts, from this perspective. Let's say a VDL was last released on Aug 6, but since then, IDEs have been released every day up to the present (October 15). If I want to check the endpoint to see whether it is up-to-date or not, isn't the date of the last IDE the relevant date? If I see that the "virus data date" is Aug 6, I will assume that the endpoint is way out of date (and thus the endpoint is compromised). The relevant piece of information is the October 15 IDE that was last downloaded. Also, the relevant information is not the date the IDE file was downloaded to the endpoint, but the date that the IDE file was posted by Sophos, i.e. if the last IDE the user downloaded was created on Oct 4, but he happened to download it on Oct 15, the date I am interested in is the Oct 4 date. As far as I can tell, there is no way for me to see that on the GUI. Am I missing something here?

  • Hello angus,

    the Virus data date corresponds to the Detection data version (e.g. 4.80 or 4.81). Usually it is not much more than one month in the past, but if - for whatever reason - you subscribe to a fixed version (as opposed to Recommended) it is to be expected. Note that protection is not (significantly) reduced as newly issued IDEs will work not only with the latest but also previous versions of data and engine.

    "isn't the date of the last IDE the relevant date?"

    You are correct that you can only see when IDEs have been downloaded - but at this time the client should have downloaded all IDEs available and not only some of them. What you can see in the GUI is the number of IDEs on the client (which you can compare to the number on the downloads page). If the number is correct then you can be pretty sure the client is up to date (a better indicator is the Up to date status in SEC as it does not just compare dates/numbers when it identifies the packages - and of course this requires that the client communicates with the console).

    Christian

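The freshness check described in the replies above (judge an endpoint by its IDE count and last-update time, not by the library date), as an added example that is not part of the original thread and not Sophos code. It parses the status text as pasted in the first post; the published IDE count passed in by the operator and the one-day update window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the status text in the first post.
SAMPLE = """\
Erkennungsdaten 4.80G
Datum der Virendaten 06.08.2012
Erkennungsdateien 385
Letztes Update 07.09.2012 12:03:11
"""

# German GUI labels as shown on the page -> (field name, value type or date format).
FIELDS = {
    "Erkennungsdaten": ("data_version", None),
    "Datum der Virendaten": ("vdl_date", "%d.%m.%Y"),
    "Erkennungsdateien": ("ide_count", int),
    "Letztes Update": ("last_update", "%d.%m.%Y %H:%M:%S"),
}

def parse_status(text):
    """Extract the freshness-related fields from the pasted status text."""
    out = {}
    for line in text.splitlines():
        for label, (name, kind) in FIELDS.items():
            m = re.fullmatch(re.escape(label) + r"\s+(.+)", line.strip())
            if not m:
                continue
            value = m.group(1).strip()
            if kind is int:
                value = int(value)
            elif kind:
                value = datetime.strptime(value, kind)
            out[name] = value
    return out

def assess(status, published_ide_count, now, max_update_age=timedelta(days=1)):
    """Judge freshness by IDE count and last update; report the library age separately."""
    findings = []
    missing = published_ide_count - status["ide_count"]
    if missing > 0:
        findings.append(f"behind by {missing} IDE file(s)")
    if now - status["last_update"] > max_update_age:  # assumed threshold
        findings.append("last update older than allowed")
    # The library (VDL) date is informational only: it changes on consolidation.
    vdl_age_days = (now - status["vdl_date"]).days
    return {"up_to_date": not findings, "findings": findings, "vdl_age_days": vdl_age_days}
```

With the values from the first post, a reference count of 385 yields an up-to-date verdict even though the library date is a month old, while a reference count of 396 reports the client as 11 IDE files behind.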