Team: Huntress EDR
Product: Managed AV
Environment: MAV management
Summary: Why is my host shown as Unhealthy due to outdated definitions?
In some cases, a host may be marked as Unhealthy with a substatus of "Definitions Outdated". In most cases, this is because the host has not received a signature update within the last 7 days. However, in a small number of cases, even a manual signature update does not resolve the issue and the host is still marked as Unhealthy.
This article discusses what actions should be taken in order to understand and identify why the host is still marked as Unhealthy due to an outdated signature.
Manually trigger a signature update
This can be done either from the Managed AV table view as a bulk action or for an individual host.
Check Network Inspection Version
In some cases, despite a manual signature update, the host still indicates that definitions are out of date. In this case, the next item to check is the Network Inspection version.
If the Network Inspection version is set to 220.127.116.11 and does not appear to be updating even with a Manual Update, then it's important to check the Windows OS build.
If the OS Build is 16299 or earlier, then in most cases upgrading the Windows OS Build will allow the endpoint to obtain a new Network Inspection engine version and subsequently update the Network Inspection signature version.
For Windows 8.1 machines, there is currently no additional OS build upgrade available. Huntress has identified and acknowledged this for 8.1 machines and is working on a resolution.
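The checks above can also be run locally on the endpoint. This is an added example, not a Huntress tool. It assumes the host runs Microsoft Defender with the built-in `Get-MpComputerStatus` cmdlet available, and the parameter names are hypothetical, with defaults taken from the values in this article.

```powershell
# Added example: local triage for the "Definitions Outdated" substatus.
# Parameter names are illustrative; default values are the ones this article states.
param(
    [string]$StuckNisEngineVersion = '220.127.116.11', # version quoted in this article
    [int]$MaxSignatureAgeDays = 7,                     # signature age threshold from this article
    [int]$MaxAffectedBuild = 16299                     # OS build threshold from this article
)

$mp    = Get-MpComputerStatus -ErrorAction Stop
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

$findings = @()

# Check 1: has the host received an AV signature update within the threshold?
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (threshold: $MaxSignatureAgeDays)."
}

# Check 2: is the Network Inspection engine on the version this article describes as not updating?
if ($mp.NISEngineVersion -eq $StuckNisEngineVersion) {
    $findings += "Network Inspection engine version is $StuckNisEngineVersion."

    # Check 3: the OS build decides which remediation applies.
    if ($os.Version -like '6.3.*') {
        # 6.3 is the Windows 8.1 version number (Server 2012 R2 shares it).
        $findings += "OS version $($os.Version): no further OS build upgrade is available."
    }
    elseif ($build -le $MaxAffectedBuild) {
        $findings += "OS build $build is $MaxAffectedBuild or earlier: upgrade the Windows OS build."
    }
}

# Emit one object per host so results can be collected across endpoints.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    OSBuild                = $build
    AVSignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
    AVSignatureAgeDays     = $mp.AntivirusSignatureAge
    NISEngineVersion       = $mp.NISEngineVersion
    NISSignatureVersion    = $mp.NISSignatureVersion
    Findings               = if ($findings) { $findings -join ' ' } else { 'No issue found by these checks.' }
}
```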