Video Screencast Help

Configure liveupdate to run on client computers - Part 1

Created: 30 Jul 2013 • Updated: 13 Mar 2015 | 4 comments
Chetan Savade's picture
+14 14 Votes
Login to vote

Hello,

This article will demonstrate how to configure liveupdate to run client updates.

Some time customers may get confuse with these settings, they may feel these settings are applicable between SEP client and SEP Manager communication but it's not true.

It's very important to go through the following note which is available at the start of the page.

Important note: Enable the scheduling of automatic downloads from liveupdate servers. The schedule settings do not control downloads from the default management server, from Group Update Providers, or from third party content management tools. Downloads from the default management server depends upon heartbeat interval and selected mode. (Push mode or Pull mode)

1) Enable Liveupdate Scheduling:

  1. Click Policies and then click LiveUpdate.

  2. On the LiveUpdate Settings tab, right-click the policy that you want, and then click Edit.

  3. Under Windows Settings, click Schedule.

  4. Check Enable LiveUpdate Scheduling.

  5. Specify the frequency

You can select this option as per business requirement, By default it's set to every 4 hours.

Untitled6.png

2) Retry Window:

Untitled5.png

Set the maximum retry allowed after a failed schedule update. If the maximum time is reached before the update has run, the computer will wait for hthe next scheduled time to try again.

If you select any frequency other than Continuously, specify the Retry Window.

3) Download Randomization Option:

If you selected Continuously or Every "XX" hours then this option is grayed out by default.

Check the screen-shot.

Untitled2.png

If you selected Daily or Weekly option then you can configure download randomization options.

For Daily you set it to minimum 1 days & maximum 12 days

For Weekly you can set it to minimum 1 days & maximum 3 days

Untitled4.png

Your network might experience traffic congestion when multiple client computers attempt to download content from a LiveUpdate server. You can configure the update schedule to include a randomization window. Each client computer attempts to download content at a random time that occurs within that window

4. Idle Detection:

Untitled.png

To ease client computer performance issues, you can configure content downloads to run when client computers are idle. This setting is on by default. Several criteria, such as user, CPU, and disc actions, are used to determine when the computer is idle.

If Idle Detection is enabled, once an update is due, the following conditions can delay the session.

  • The user is not idle.

  • The computer is on battery power.

  • The CPU is busy.

  • The disk I/O is busy.

  • No network connection is present.

After one hour, the blocking set is reduced to CPU busy, Disk I/O busy, or no network connection exists. Once the scheduled update is overdue for two hours, as long as a network connection exists, the scheduled LiveUpdate runs regardless of idle status

To configure client updates to run when client computers are idle

To configure client updates to run when client computers are idle.

  1. Click Policies.

  2. Under Policies, click LiveUpdate.

  3. On the LiveUpdate Settings tab, right-click the policy that you want to edit, and then click Edit.

  4. Under Windows Settings, click Schedule.

  5. Check Delay scheduled LiveUpdate until the computer is idle. Overdue sessions will run unconditionally.

Reference: http://www.symantec.com/docs/HOWTO55289

5. Options for skipping liveupdate:

Untitled1_1.png

To save bandwidth, Symantec Endpoint Protection clients can be configured to only run scheduled LiveUpdates from the Symantec LiveUpdate server if one of the following conditions is met

  • Virus and spyware definitions on a client computer are more than two days old. Maximum duration can be 31 days.

  • A client computer is disconnected from Symantec Endpoint Protection Manager for more than eight hours.  Maximum hours can be 24 hours

Following KB's can be helpful as well:

Randomizing content downloads from a LiveUpdate server

http://www.symantec.com/docs/HOWTO55174

Configuring the LiveUpdate download schedule for client computers

http://www.symantec.com/docs/HOWTO55287

Configuring client updates to run when definitions are old or the computer has been disconnected

http://www.symantec.com/docs/HOWTO55293

Comments 4 CommentsJump to latest comment

Michael_Dexter's picture

Thank you. That surely helps.

+1
Login to vote
BJHughey's picture

Chetan,

Two questions:

1. If I enable live update for off-network clients, I won't be able to control them if there's a zero-day or a bad set of definitions that they download, correct?

2. If I set the SEPM up in the DMZ (Currently we have one for clients and one for replication/fail over) am I replicating to the server in the DMZ or does it become a stand-alone SEPM?

and a 3rd.

If I setup the SEPM in the DMZ...our computers are all joined to the our domain, can machines that are not attached to our domain access this server?

0
Login to vote
Chetan Savade's picture

Hello,

DMZ's are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server.  If successful, they might be able to access SEP database, which contains information about every computer in the company's organization that is defended by SEP.  This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.

For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection. For more information about Critical System Protection, please see http://www.symantec.com/business/critical-system-protection

Q. If I enable live update for off-network clients, I won't be able to control them if there's a zero-day or a bad set of definitions that they download, correct?

--> That's correct but those possibilites are very less however to fight against zero-day threats SEP protection technologies like SONAR, NTP should take care.

2. If I set the SEPM up in the DMZ (Currently we have one for clients and one for replication/fail over) am I replicating to the server in the DMZ or does it become a stand-alone SEPM?

--> I believe as long as you keep the necessary ports open to successfully complete replication, it will be replication partner/failover partner.

Replication Considerations:

By default, the first SEPM in a site is responsible for responding to and processing replication events from other sites.  If there are multiple SEPMs in a site, you can change this setting by editing the Replication Management Server List in the Replication Partner Properties in the Admin > Servers view.

  • If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.

  • If the SEPM in the DMZ is the only SEPM in the Site, then port 8443 will need to be opened on the firewall.

and a 3rd.

If I setup the SEPM in the DMZ...our computers are all joined to the our domain, can machines that are not attached to our domain access this server?

--> I think answer is yes but will have to check more details on it.

Refer these articles:

 Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/docs/TECH178325

Manage remote Endpoint Protection clients when SEPM is behind a NAT

http://www.symantec.com/docs/TECH93033

Communication issues with SEP client installed in DMZ while the SEP Manager is outside DMZ

http://www.symantec.com/docs/TECH146736

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote