Endpoint Protection

 View Only
Back to Library

Configure liveupdate to run on client computers - Part 1 

Jul 30, 2013 09:40 AM

Hello,

This article will demonstrate how to configure liveupdate to run client updates.

Some time customers may get confuse with these settings, they may feel these settings are applicable between SEP client and SEP Manager communication but it's not true.

It's very important to go through the following note which is available at the start of the page.

Important note: Enable the scheduling of automatic downloads from liveupdate servers. The schedule settings do not control downloads from the default management server, from Group Update Providers, or from third party content management tools. Downloads from the default management server depends upon heartbeat interval and selected mode. (Push mode or Pull mode)

 

1) Enable Liveupdate Scheduling:

  1. Click Policies and then click LiveUpdate.

  2. On the LiveUpdate Settings tab, right-click the policy that you want, and then click Edit.

  3. Under Windows Settings, click Schedule.

  4. Check Enable LiveUpdate Scheduling.

  5. Specify the frequency

You can select this option as per business requirement, By default it's set to every 4 hours.

Untitled6.png

 

2) Retry Window:

Untitled5.png

Set the maximum retry allowed after a failed schedule update. If the maximum time is reached before the update has run, the computer will wait for hthe next scheduled time to try again.

If you select any frequency other than Continuously, specify the Retry Window.

 

3) Download Randomization Option:

If you selected Continuously or Every "XX" hours then this option is grayed out by default.

Check the screen-shot.

Untitled2.png

If you selected Daily or Weekly option then you can configure download randomization options.

For Daily you set it to minimum 1 days & maximum 12 days

For Weekly you can set it to minimum 1 days & maximum 3 days

Untitled4.png

Your network might experience traffic congestion when multiple client computers attempt to download content from a LiveUpdate server. You can configure the update schedule to include a randomization window. Each client computer attempts to download content at a random time that occurs within that window

4. Idle Detection:

Untitled.png

To ease client computer performance issues, you can configure content downloads to run when client computers are idle. This setting is on by default. Several criteria, such as user, CPU, and disc actions, are used to determine when the computer is idle.

If Idle Detection is enabled, once an update is due, the following conditions can delay the session.

  • The user is not idle.

  • The computer is on battery power.

  • The CPU is busy.

  • The disk I/O is busy.

  • No network connection is present.

After one hour, the blocking set is reduced to CPU busy, Disk I/O busy, or no network connection exists. Once the scheduled update is overdue for two hours, as long as a network connection exists, the scheduled LiveUpdate runs regardless of idle status

To configure client updates to run when client computers are idle

To configure client updates to run when client computers are idle.

  1. Click Policies.

  2. Under Policies, click LiveUpdate.

  3. On the LiveUpdate Settings tab, right-click the policy that you want to edit, and then click Edit.

  4. Under Windows Settings, click Schedule.

  5. Check Delay scheduled LiveUpdate until the computer is idle. Overdue sessions will run unconditionally.

Reference: http://www.symantec.com/docs/HOWTO55289

5. Options for skipping liveupdate:

Untitled1_1.png

To save bandwidth, Symantec Endpoint Protection clients can be configured to only run scheduled LiveUpdates from the Symantec LiveUpdate server if one of the following conditions is met

  • Virus and spyware definitions on a client computer are more than two days old. Maximum duration can be 31 days.

  • A client computer is disconnected from Symantec Endpoint Protection Manager for more than eight hours.  Maximum hours can be 24 hours

 

Following KB's can be helpful as well:

Randomizing content downloads from a LiveUpdate server

http://www.symantec.com/docs/HOWTO55174

Configuring the LiveUpdate download schedule for client computers

http://www.symantec.com/docs/HOWTO55287

Configuring client updates to run when definitions are old or the computer has been disconnected

http://www.symantec.com/docs/HOWTO55293

 

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Chetan Savade
Sep 18, 2015 05:14 AM

Hello,

DMZ's are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server.  If successful, they might be able to access SEP database, which contains information about every computer in the company's organization that is defended by SEP.  This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.

For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see http://www.symantec.com/business/critical-system-protection

Q. If I enable live update for off-network clients, I won't be able to control them if there's a zero-day or a bad set of definitions that they download, correct?

--> That's correct but those possibilites are very less however to fight against zero-day threats SEP protection technologies like SONAR, NTP should take care.

2. If I set the SEPM up in the DMZ (Currently we have one for clients and one for replication/fail over) am I replicating to the server in the DMZ or does it become a stand-alone SEPM?

--> I believe as long as you keep the necessary ports open to successfully complete replication, it will be replication partner/failover partner.

Replication Considerations:

By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites.  If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

  • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

  • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.

and a 3rd.

If I setup the SEPM in the DMZ...our computers are all joined to the our domain, can machines that are not attached to our domain access this server?

--> I think answer is yes but will have to check more details on it.

Refer these articles:

 Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/docs/TECH178325

Manage remote Endpoint Protection clients when SEPM is behind a NAT

http://www.symantec.com/docs/TECH93033

Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

http://www.symantec.com/docs/TECH146736

Migration User
Sep 17, 2015 09:51 AM

Chetan,

Two questions:

1. If I enable live update for off-network clients, I won't be able to control them if there's a zero-day or a bad set of definitions that they download, correct?

2. If I set the SEPM up in the DMZ (Currently we have one for clients and one for replication/fail over) am I replicating to the server in the DMZ or does it become a stand-alone SEPM?

and a 3rd.

If I setup the SEPM in the DMZ...our computers are all joined to the our domain, can machines that are not attached to our domain access this server?

 

 

nwranich
Sep 12, 2013 01:37 PM

Thank you!

Migration User
Jul 31, 2013 10:51 AM

Thank you. That surely helps.

Related Entries and Links

No Related Resource entered.