
How to analyze debug logs from GUP to determine which clients are taking definitions from GUP

Dec 16, 2009 08:41 AM

One of the most effective ways to determine if a client is taking definitions from the GUP is to analyze the debug logs taken from the GUP. When you enable debug logging on a client, debug.log is created in the SEP installation folder.

 

The plugin that takes care of GUP is called GUProxy. When you open the debug.log, you can look for GUProxy in the log.

 

You can locate the event sequence for clients requesting definitions from the GUP. You will also notice that clients send a separate request for every URL they need to download. From these requests you can determine which clients are taking definitions from the GUP. If many clients take definitions from a GUP, increase the size of the debug log file to accommodate the larger volume of information.

[Screenshot: increase debug size.JPG]



The following events happen at the client:

1. The client contacts SEPM to get the latest content and receives the latest index file.

2. From the index file, it learns that its definitions differ from the manager's, so it sends a request to create delta definitions.

3. After receiving this request, SEPM starts preparing the delta definitions.

4. When SEPM completes the delta creation, it makes those deltas available in the IIS [ SEPM\Inetpub\content\ ] folder.

5. SEPM sends the download URL for this delta to the client.

6. Now the client contacts the GUP configured to provide that delta, passing it the URL of the delta definition.

 

GUProxy: accepted socket 1820 for 10.26.16.74 port 3157 
GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-2158EFCA433}/91206022/xdelta912
GUPROXY - GUProxy File - /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
GUPROXY - GUProxy mangled file - #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax
GUProxy - Add request into download queue.


7. The GUP realizes that it does not have that delta, so it uses the same URL and downloads the delta into its own cache.


  - #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax 

GUPROXY - GUProxy - Contacting the SEPM server at - cwndcw01.reynoldspkg.rpg.local

GUProxy - SO_RCVBUF is [8192]

GUPROXY - GUProxy Response - HTTP/1.1 200 OKContent-Length: 142197Content-Type: application/x-S

GUProxy - Recving content of [0X00022893] Bytes

GUProxy recved content of [0X00022893] Bytes in [2] seconds, speed is about [0X00011449] BPS or [0X00000235] kbps
 

8. When the GUP finishes downloading the definitions from SEPM, it saves them in its cache and sends them to the client.


GUProxy content cached - sending to client

GUProxy send content to the client all right

 

Notice that in this snippet the request was sent for [C60DC234-65F9-4674-94AE-62158EFCA433], which is the moniker for 32-bit Antivirus Definitions.

 

The following log snippet shows the GUP determining that the requested content is already present in its cache and serving the client's request from it:


12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 10.26.16.48 port 3026

12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756

12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip

12/07 19:13:03 [1804:2144] GUPROXY - GUProxy File - /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip

12/07 19:13:03 [1804:2144] GUProxy content cached - sending to client

12/07 19:13:03 [1804:2144] GUProxy send content to the client all right.
 

 

 

Notice that in this snippet the request was sent for [812CD25E-1049-4086-9DDD-A4FAE649FBDF], which is the moniker for Symantec Security Content A1 - MicroDefsB.CurDefs.
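Doing the same correlation by hand across a large debug.log is tedious, so here is an added example (not part of the original article or of Symantec's tooling) that parses GUProxy lines in the timestamped format shown in the second snippet, maps each request back to the client IP through the socket number and thread id, and records whether the content came from the GUP cache or had to be queued for download from SEPM. It assumes the "Add request into download queue" line is logged on the same handling thread as the GET, and the sample log is constructed from the page's two monikers.

```python
import re
from collections import defaultdict

# Content monikers named on this page, keyed by the GUID in the request path.
MONIKERS = {
    "C60DC234-65F9-4674-94AE-62158EFCA433": "32-bit Antivirus Definitions",
    "812CD25E-1049-4086-9DDD-A4FAE649FBDF": "Symantec Security Content A1 - MicroDefsB.CurDefs",
}

# Lines start with "MM/DD HH:MM:SS [pid:tid] ": tid groups one request, socket number links to the accept line.
P = r"^\d\d/\d\d \d\d:\d\d:\d\d \[\d+:(?P<tid>\d+)\] "
ACCEPT = re.compile(P + r"GUProxy: accepted socket (?P<sock>\d+) for (?P<ip>[\d.]+) port \d+")
HANDLE = re.compile(P + r"GUProxy: Begin to handle accepted socket (?P<sock>\d+)")
GET = re.compile(P + r"GUPROXY - GUProxy HTTP in - GET /content/\{(?P<guid>[0-9A-Fa-f-]+)\}/(?P<rev>\d+)/\S+")
QUEUE = re.compile(P + r"GUProxy - Add request into download queue")  # only logged on a cache miss
DONE = re.compile(P + r"GUProxy send content to the client all right")

def requests_by_client(lines):
    """Return {client_ip: [(moniker, revision, source), ...]} for every served request."""
    sock_ip = {}   # socket number -> client IP, from the accept line
    pending = {}   # handling thread id -> request being assembled
    served = defaultdict(list)
    for line in lines:
        if m := ACCEPT.match(line):
            sock_ip[m["sock"]] = m["ip"]
        elif m := HANDLE.match(line):
            pending[m["tid"]] = {"ip": sock_ip.get(m["sock"], "unknown")}
        elif m := GET.match(line):
            req = pending.setdefault(m["tid"], {"ip": "unknown"})
            req["moniker"] = MONIKERS.get(m["guid"].upper(), "unknown " + m["guid"])
            req["rev"] = m["rev"]
        elif m := QUEUE.match(line):
            pending.get(m["tid"], {})["source"] = "fetched from SEPM"
        elif m := DONE.match(line):
            req = pending.pop(m["tid"], None)
            if req and "rev" in req:   # skip sends with no GET seen on that thread
                served[req["ip"]].append((req["moniker"], req["rev"], req.get("source", "GUP cache")))
    return dict(served)

SAMPLE = """\
12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 10.26.16.48 port 3026
12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756
12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip
12/07 19:13:03 [1804:2144] GUProxy send content to the client all right.
12/07 19:13:05 [1804:2992] GUProxy: accepted socket 1820 for 10.26.16.74 port 3157
12/07 19:13:05 [1804:2260] GUProxy: Begin to handle accepted socket 1820
12/07 19:13:05 [1804:2260] GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
12/07 19:13:05 [1804:2260] GUProxy - Add request into download queue.
12/07 19:13:07 [1804:2260] GUProxy send content to the client all right
""".splitlines()  # constructed sample in the page's log format; IPs, sockets and revisions are made up
```

Feed the real file with `requests_by_client(open(path, errors="replace"))`; a client that appears only with "fetched from SEPM" entries is one whose content the GUP never had cached.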

 

Comments

Apr 05, 2018 01:41 AM

Hello Team ,

 

We have an ongoing issue where 600+ clients are requesting full.zip, which are updated till 2nd April.

 

Now when a client is already updated till 2nd April it should request only the incremental definitions which are missing.

 

And we have imported on SEPM as jdb for the missing dates, but then too, on today's report we found 600 clients requesting full.zip.

 

Please advise .

Jan 18, 2013 06:43 AM

Hi Aniket,

I just enabled the debug in SEP -> Help and Support -> Debug Logs -> Edit Log, and the log is captured in C:\program files\symantec\symantec end point protection. I viewed the logs but they are different from the logs which you attached. Can you explain how to find the same log on the GUP server? It will be very helpful for me, thanks.

 

 

Jul 08, 2012 05:26 PM

NickB, you are correct.

The SEP client loads the GUP component, but they act independently of each other. That is also why sometimes the GUP will distribute updated content, yet the SEP client on the same machine will be out of date.

Thanks for posting this so clearly

Jul 06, 2012 09:32 AM

>>> content revisions are limited to 25. Then what will happen ??

That means SEPM can generate deltas for clients which are outdated for ~9 days (9 days and 3 revisions, hence 27 revisions for delta generation).

 

clients are configured to GUP with bypass period of 1 hour.

If the clients cannot communicate with the GUP then they will go to SEPM for updates.

Jul 06, 2012 09:14 AM

if client is off for 1 month period, will it request full update or delta update ??

 

It depends on the SEPM content revisions, whether SEPM will be able to provide a delta to the GUP/client.

>>> content revisions are limited to 25. Then what will happen ??

Does it get the required update from GUP or SEPM manager server ???

It depends on the LU configuration of the client; if you have set the client to get updates from GUP and not from SEPM, the content will be downloaded from GUP.

>>> clients are configured to GUP with bypass period of 1 hour.

Jul 06, 2012 08:47 AM

if client is off for 1 month period, will it request full update or delta update ??

 

It depends on the SEPM content revisions, whether SEPM will be able to provide a delta to the GUP/client.

Does it get the required update from GUP or SEPM manager server ???

It depends on the LU configuration of the client; if you have set the client to get updates from GUP and not from SEPM, the content will be downloaded from GUP.

Jul 06, 2012 08:44 AM

if client is off for 1 month period, will it request full update or delta update ??

Does it get the required update from GUP or SEPM manager server ???

Dec 17, 2010 11:11 AM

I have been working with Symantec AV and SEP for a number of years and am responsible for troubleshooting all problems in my organization (15,000+ clients).

I recently had an issue with clients receiving updates from my GUP. I would like to offer further information on the process. I would like to note I am using location awareness.

It seems that the client that is designated as a GUP has a separate communication process with the management server in order to receive the updates that it will provide for its clients. And without getting too technical, after analyzing the 2 debug files I activated, this is what I found.

The GUP client portion is totally clueless that it is in fact a GUP, it will go through the same process of locating a GUP and/or management server just like every other client (non-GUP).

The GUP itself will communicate with the assigned GUP (itself) through the IP address for itself. Unaware that it is actually communicating with itself (the GUP).

Interesting is the fact that these two functions are totally independent. And when you first designate a client as a GUP, while reviewing the 2 debug files (1 for the GUP, 1 for the client), you will see the GUP initialize and create the appropriate folders and request and download the updates from the management server.

Then you will see the GUP client request and download the updates from the GUP (the same client - itself).

Without adding too much technical detail, I hope this is helpful.

Nick

Aug 01, 2010 09:33 AM

Good one

Mar 16, 2010 04:51 AM

Hi,

 

GUP can download definitions for the clients only from the SEPM. It can update itself from the internet, but it cannot share those updates downloaded from the internet with the clients.

Here's what I understand about the procedure for the GUPs to take the definitions:

1. Client contacts SEPM to get the latest content. Receives the latest index file.
2. From index file, it comes to know that the definitions are different from the manager. So it will send a request to create delta definitions.
3. After receiving this request, SEPM will start preparing the delta definitions.
4. When SEPM completes the delta creation, it will make those deltas available in IIS [ Inetpub\content\ ] folder.
5. SEPM will send the URL for this delta to the client.
6. Now, the client will contact the GUP configured to provide that delta. It also sends the URL for delta definition.
7. GUP realizes that it does not have that delta, so, it uses the same URL, and downloads the delta in its own cache.
8. As the delta is available at GUP, client will receive from the GUP.

So, to answer your question, a GUP will have the definitions from SEPM, only when it receives a definition request from a client.

Which GUP to select has been discussed in the earlier comments.

Let us know if you have any questions. This discussion is really getting interesting as we are discussing all the details about the GUP configuration.

 

Here are a few articles that can help you out:

 

https://www-secure.symantec.com/connect/articles/configuring-group-update-providers-symantec-endpoint-protection-110-ru5

 

https://www-secure.symantec.com/connect/articles/whats-new-group-update-providers-ru5-release-symantec-endpoint-protection-110

 

https://www-secure.symantec.com/connect/videos/group-update-providers-part-1

https://www-secure.symantec.com/connect/videos/group-update-providers-part-2

Best,
Aniket

Mar 15, 2010 02:52 PM

hi Aniket,

This is my first post, not sure whether i have posted in the right area.


Regards.
Lewis

Mar 15, 2010 02:49 PM

Hi Aniket,


My question is related to GUP.

Assuming one machine is designated as a GUP, it is obvious that the GUP takes the update from SEPM.

Scenario
=======
On my SEPM the liveupdate policy is defined as taking from "Management server" as well as "symantec live update server".

If the client fails to connect to the Management server it can take live updates from the internet, i.e. the Symantec LiveUpdate server.

Now this policy is applied to the GUP as well, as the GUP is also considered a client of SEPM (correct me if I am wrong). So if the GUP fails to download content from the management server, it should take the update from the internet.

My direct question is: can the GUP take updates from the internet if for some reason it cannot connect to the Management server?

Regards,
Lewis

Dec 22, 2009 02:13 AM

Nice information. 

Dec 16, 2009 09:44 AM

well written....kudos :) 

Dec 16, 2009 09:44 AM

Very Helpful,
Thanks a lot.

Dec 16, 2009 09:35 AM

Nice Article Aniket... 
