Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

How Big are Current Symantec Endpoint Protection Definitions?

Created: 07 Sep 2012 • Updated: 02 May 2014 | 26 comments
Language Translations
Mick2009's picture
+22 22 Votes
Login to vote

One common question from users of Symantec's internal LiveUpdate server, LiveUpdate Administrator 2.x, is "what normal download size can I expect?  How much bandwidth will be consumed, and how much hard drive space?"

The short answer is:

  1. It depends on what products (and product components) are selected, and
  2. What's today's date?

Let me elaborate.....

 

First: "Did You Know...."

LUA is a great product, when it is used correctly.  LUA is not necessary (or recommended!) in every environment, though.  For example: in most Symantec Endpoint Protection deployments, the Symantec Endpoint Protection Manager (SEPM) will download and distribute materials to all of its clients without the need of LUA.

Also note: LUA will mirror exactly what is available on the Internet, but SEPMs have the ability to take the files they have downloaded and process them into smaller "delta" files.  Using a SEPM, the amount of bandwidth necessary to keep SEP clients up-to-date will always be lower than using the files from LUA.  If you have an environment where many remote offices are connected over low-bandwidth WAN links, LiveUpdate Administrator is not the recommended solution for you.  Use SEPM and some GUP's.

 

What Symantec Products are Chosen

LUA 2.x can be configured to download materials for a wide range of Symantec enterprise products.  The total amount of MB for some products is quite small, or content remains the same for several months and requires no new updates.  For other products, the files are large and are constantly updated (requiring several updates daily to stay current).  For this article, I will use the popular Symantec Endpoint Protection (SEP) as an example.

There are two supported versions of SEP at this time: SEP 11 and SEP 12.1.  The definitions required by the two SEP's are not interchangeable.  If both exist in the corporate environment, then configure LUA to download and distribute materials for both versions.

If a brand-new LUA is set up and an initial download needs to be run.....

Current (Sept '12) Size of all SEP 11 files:    11.2 GB

Current (Sept '12) size of all SEP 12.1 files:   3.4 GB

 

After the initial download, note that downloads of SEP 12.1 certified definitions are going to be bigger than SEP 11 definitions, as a whole, because SEP 12.1 has more daily delta definitions (four weeks' worth - once downloaded and distributed, the SEP clients will require large full defs files from the LUA much less often.  Also: these additional 350 MB download per publication due to elimination of hub defs will ultimately save space on the SEP client hard drive- that one update file is all that is needed, instead of two).  After upgrading from SEP 11 to SEP 12.1, it is normal to see SEP 12.1 consume more bandwidth and space than SEP 11 did.

SEP for Mac defs are included in the SEP defs for SEP 11 and 12.1.  If you are using LUA exclusively for keeping Macintosh machines up to date, configure the server not to download any Windows materials.  Conversely: if you have no Mac, configure LUA to download only Windows files.

Current (Sept '12) size of all SEP 12.1 for Mac files:  1.9 GB

 

Both versions of SEP also have Symantec AntiVirus for Linux (SAVFL) on their DVD's: if this SAVFL client is in use in sufficient numbers, then LUA should be configured to download materials for that, too.  Those Linux defs are not included in the SEP definitions. 

Current (Sept '12) size of all SAVFL files:   1.8 GB.

 

I will boil that down into a couple of recommendations:

  • Recommendation Number One: Ensure that with LUA 2.x, you only download what you need.  Some admins configure their server to download and distribute the entire SEP product, even though they have no Macintosh clients that need to be updated, no 64-bit machines and have no SEPMs which come to the LUA's Distribution Center looking for updates. especially with SEP 11, this is a big waste. Be sure to follow the tuning recommendations in Managing LiveUpdate Administrator 2.x Space Usage.
  • Recommendation Number Two: Take efforts to ensure that all SEP clients in the network are upgraded at the same time.  By having a mixture of SEP 11 and SEP 12.1 endpoints, an admin is effectively doubling the amount of room and bandwidth needed.  If all clients are moved up to SEP 12.1 at the same time, the SEP 11 product can be dropped from the LUA server and the burden halved.

    (This also applies to admins who use the SEP 12.1 Symantec Endpoint Protection Manager to keep the clients up-to-date.  If there are both SEP 11 and SEP 12.1 clients being managed, the SEPM will need to download and process both .m25 files for SEP 11 and .m26 files for SEP 12.1.)

 

Why are Download Sizes Different, from Day to Day?

As more and more threats are discovered every day, new signatures to protect against them are added to the certified definitions available from Symantec.  So, the one inevitable rule, when it comes to definitions: the size always increases.

Back in the early days of Symantec AntiVirus 10.1, a full set of definitions required 10 MB of disk space.  As of this writing (September 2012), SEP's full definition file measured about 170 MB for a client and 200 MB for the full .jdb file used by the Symantec Endpoint Protection Manager (SEPM).  These large files will probably seem ludicrously small and manageable within a year. (Check the current sizes to compare!)

For LUA, which downloads all the latest-available files from internet servers, it's normal to see the gradual increase magnified. 

Another reason why today's total bandwidth may be higher than yesterday's: there may have been more certified definition sets released.  SAV 10.1 offered just one certified set of definitions per day.  So, endpoints might have defenses only against yesterday's latest threats, and be wide open to the latest threats seen in the wild.  SEP 11 and SEP 12.1 have Multiple Daily Definitions (MDD's) so that even if a threat was first seen on the Internet that morning, by that afternoon or evening protection will be available.  Each weekday Symantec release two to three full sets of certified definitions. (On weekends, when most businesses have their workstations shut down, it's one set per day.)  Full details on the releases can be found on the Multiple Daily Definitions - Detections Added page.

Final note: once per month, there are large hub definitions which must be downloaded for SEP 11 and SEP 12.1.  These hub defs will result in a spike of several GB for a day or two around the middle of the month.   This is normal.

 

A Real World Example

As a rough indication of one typical LiveUpdate Administrator server: here's some recent data from an LUA server which was configured to download SAV 10, SEP 11 and SEP 12.1 materials.  Depending on the number of MDD's released per day, number of times LUA checked for new updates, and whether or not the large Hub defs were available, total daily sizes ranged from about 1.5 GB to 7.5 GB.

 

07-Aug-12  2.644 GB
08-Aug-12  1.772 GB
09-Aug-12  2.7 GB
10-Aug-12  1.7 GB
11-Aug-12  5.12 GB
12-Aug-12  1.894 GB
13-Aug-12  1.938 GB
14-Aug-12  4.967 GB
15-Aug-12  4.075 GB
16-Aug-12  7.515 GB

(Please consider those figures a very rough guideline - every different company will have different needs and a different configuration.)

 

Final Recommendation

  • Recommendation Number Three: If the LUA server is configured to download and distribute only what is needed but is consuming too much bandwidth or too much space, change the schedule.  Instead of running on a timer (checking every couple of hours to download the very latest MDD's), just schedule one daily download.  This will mean that the endpoints may not always have the very latest definitions, but at least the download and distribution tasks will be able to complete successfully without monopolizing the WAN links.   

 

Recommended Reading

A Helpful LiveUpdate Administrator 2.x Analogy
https://www-secure.symantec.com/connect/articles/helpful-liveupdate-administrator-2x-analogy

Managing LiveUpdate Administrator 2.x Space Usage
https://www-secure.symantec.com/connect/articles/managing-liveupdate-administrator-2x-space-usage

Best Practices for LiveUpdate Administrator (LUA) 2.x
http://www.symantec.com/docs/TECH93409 
 

Using IIS Logs to Check LiveUpdate Administrator 2.x Health
https://www-secure.symantec.com/connect/articles/using-iis-logs-check-liveupdate-administrator-2x-health

 

 Many thanks for reading!  Please do leave comments, below, if you find this analogy helpful or unhelpful. 
 

Comments 26 CommentsJump to latest comment

Ashish-Sharma's picture

Hi Mick2009,

Great Work :)

 

Thanks In Advance

Ashish Sharma

 

 

+1
Login to vote
John Cooperfield's picture

 

Another excellent LUA article, Mick2009.  The attention to LUA is appreciated. I had not noticed that .m26 files are for SEP 12.1.   Voted.

 

If I may plug three of the most-needed suggestions (Ideas) for LUA:

LiveUpdate Administrator 2.x - Improved Update Management   https://www-secure.symantec.com/connect/idea/liveupdate-administrator-2x-improved-update-management

LUA needs a way to do a Repair...LiveUpdate Administrator  https://www-secure.symantec.com/connect/ideas/lua-needs-way-do-repairliveupdate-administrator

LUA 2.x Ability to Manually Replace Files when Distributing  https://www-secure.symantec.com/connect/ideas/lua-2x-ability-manually-replace-files-when-distributing

 

Thank you

John

+1
Login to vote
Mithun Sanghavi's picture

Hello,

This is an Article on for every LUA Administrator to go through..truely awesome. +voted.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

+2
Login to vote
Beppe's picture

Thumbs up, thanks Mick.

Regards,

Giuseppe

+1
Login to vote
pete_4u2002's picture

as always , great info & thumbs up!

+1
Login to vote
John Santana's picture

many Thanks for the article, I'm using LUA v 2.3.2 just for my SAVFL update, so I wonder if this analogy still applies ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote
Mick2009's picture

Hi John - as of this morning, a complete set of SAVFL materials will weigh in at just under 2 GB.  (This will grown over time, of course)

With thanks and best regards,

Mick

+1
Login to vote
John Santana's picture

Many thanks for the screenshot Mick.

I believe that with LUA v 2.3.2 the disk space is no lnoger an issue for the auto-purge old content.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote
Ch@gGynelL_12's picture

Great Article. Very Helpful.

Two thumbs up! smiley

 

+1
Login to vote
stratus's picture

 

Hello I am trying to put LUA contents to DC that is hosted in the same machine, is windows 2008 R2 and the DC is IIS 7.5 using https.

The content is not delivered to IIS and the procedure is always fail.

anyone tried to do this before?

0
Login to vote
Mick2009's picture

Hi stratus,

That should work fine.... the following article should provide all the info necessary to set up a DC on windows 2008 R2:

How to configure a Windows Server 2008 as a Distribution Center for LiveUpdate Administrator 2.x content
Article:TECH132545   |  Created: 2010-01-18   |  Updated: 2011-12-07   | 
Article URL http://www.symantec.com/docs/TECH132545 
 

With thanks and best regards,

Mick

+1
Login to vote
Qingyan Lim's picture

Hi Mick, does you explanation above also applies to SEPM? Previously the server was installed both LUA and SEPM which might have cause the serve to consume large bandwidth. After consulting Symantec technician, i had disabled the two services (LUA Apache Tomcat and LUA PostgreSQL) which i hoping that it would stop the LUA for now as i had set SEPM to grab updates from Symantec server over the Internet. The large hub definition which you mentioned, what actually is it for since we are suppose to get daily updates from Symantec as i more concern with the spike of several GB for 1 or 2 days?

+1
Login to vote
John Santana's picture

Mr. Lim,

I also have been told by the Tech support over the phone that combining LUA and SEPM in one host is not supported configuration, does this is the case with you ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote
Qingyan Lim's picture

Hi John,

I wasn't part of the project team when they did a migration to this current server. I was tasked to contact Tech support last May when the server is taking up too much network bandwidth. It was only then did Tech support spoke to me over the phone to uninstall LUA but eventually it was decided to stop all the services with regards to LUA which are the two that i mentioned. It was till i read about this then realised that it wasn't a good idea to have both LUA and SEPM in one host.

+1
Login to vote
Mick2009's picture

Hi all,

It's not supported to have both a SEPM and an LUA on the same computer.  Here's the official article on the subject.

LiveUpdate Administrator 2.x and Symantec Endpoint Protection Manager on the same computer
http://www.symantec.com/docs/TECH105076 
 

The SEPM functions differently than the LUA server.  It can automatically generate deltas to supply its clients what it needs.  SEPMs do not use Hub defs. 

With thanks and best regards,

Mick

+2
Login to vote
Qingyan Lim's picture

Hi Mick, what alternatives do i have if i don't want to uninstall the LUA? would just stopping the services helps? I read from this post, https://www-secure.symantec.com/connect/forums/endpoint-protection-11-definition-update-size, mentioning about the no. of full def sets that SEPM stores is configured by the option, "Numbers of Content Revisions to Keep". So i was wondering if i set SEPM to check every 12 hours and symantec release definitions 3 times a day (weekdays), would SEPM only download the latest full definition set?

0
Login to vote
Mick2009's picture

It sounds like you are runing out of space on your server-?  You are probably best starting a forum thread dedicated to the issue you are facing.  Members of the Connect community can share their experience there.

If that SEPM has internet access, I'd really recommend uninstalling the LUA.  A SEPM will do an excellent job downloading and distributing definitions to its clients.  LUA is only needed in certain circumstances: unless your network needs LUA, I would leave the job up to the SEPM.

When to use LiveUpdate Administrator
http://www.symantec.com/docs/TECH154896 
 

The way that LUA and SEPM handles past revisions is very different.  Only keep 1 or maybe 2 revisions on a LUA, but as many as your hard drive space can support on a SEPM (up to 30 or 40).

With thanks and best regards,

Mick

+2
Login to vote
Qingyan Lim's picture

Hi Mick, actually like what i said previously, that server is taking up too much bandwidth and wanted to find out what might be the problem. As for the revisions, i thought that if SEPM download just one per day would be enough.

0
Login to vote
John Santana's picture

Hi Mick,

What about if the SEPM is for managing the Windows SEP client while the LUA is for downloading the SAVFL definition for Linux clients ?

Is there any issue in that configuration ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Ambesh_444's picture

Hey mick,

Really good one, Thank u so much..

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

+1
Login to vote
LGL's picture

Hi Mick,

Really good article, thanks!

Just a questions.

You say:

""There are two supported versions of SEP at this time: SEP 11 and SEP 12.1.  The definitions required by the two SEP's are not interchangeable""

Now when SEP12.1 RU2 is released there is an option for that to in LUA. Do I need both SEP12.1 and SEP12.1 RU2 or cover the SEP12.1 RU2 also the SEP12.1?

+1
Login to vote
Mick2009's picture

Thanks, LGL!  &: )

My top recommendation would be to ensure all SEPMs and clients are always running the very latest release: that's SEP 12.1 RU2 at the present moment.  Of course, immediately upgrading is not always practical in the real world so sometimes LUA has to do a double duty...  do ensure that your Symantec Product catalog is up to date:

About Updating the Symantec Product Catalog in LiveUpdate Administrator 2.x
http://www.symantec.com/docs/TECH201472 
 

and do ensure that both SEP12.1 and SEP12.1 RU2 are checked. 

All the best,

Mick

PS: Here are some upgrade resources for SEP 12.1 RU2.  There are a lot of different methods, from auto-upgrade to client-only patches that just need to be downloaded and run once, etc- check out the articles and their links!

Upgrade resources for Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/HOWTO81064 
 

Available Client-Only patches for Symantec Endpoint Protection 12.1 and Symantec Network Access Control 12.1
http://www.symantec.com/docs/TECH202879 
 

With thanks and best regards,

Mick

0
Login to vote
Ambesh_444's picture

Great Show Mick!!!!!!!

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

+1
Login to vote
John Santana's picture

Hi All,

Is this normal to have 1.9 GB SAVFL definition update pulled by the SAVFL Linux client every day ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Mick2009's picture

Hi John,

Nope, that's not normal- the SAVFL client should check every time it is run for new "hubdefs" (big full definition sets) and new "curdefs" (smaller recent update files).  Generally, if the hub defs are already in place it will just download and apply the latest curdef file.  That should be quite manageable in size. 

With thanks and best regards,

Mick

+1
Login to vote
John Santana's picture

Mick, thanks for the clarification, I can now see that the daily update size is around 14- 20 MB so it is make sense after the initial hubdefs download finished.

 

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote