How Big are Current Symantec Endpoint Protection Definitions?
One common question from users of Symantec's internal LiveUpdate server, LiveUpdate Administrator 2.x, is "what normal download size can I expect? How much bandwidth will be consumed, and how much hard drive space?"
The short answer is:
- It depends on what products (and product components) are selected, and
- What's today's date?
Let me elaborate.....
First: "Did You Know...."
LUA is a great product, when it is used correctly. LUA is not necessary (or recommended!) in every environment, though. For example: in most Symantec Endpoint Protection deployments, the Symantec Endpoint Protection Manager (SEPM) will download and distribute materials to all of its clients without the need of LUA.
Also note: LUA mirrors exactly what is available on the Internet, but a SEPM can take the files it has downloaded and process them into smaller "delta" files. Using a SEPM, the bandwidth needed to keep SEP clients up-to-date will always be lower than serving the full-sized files from LUA. If your environment has many remote offices connected over low-bandwidth WAN links, LiveUpdate Administrator is not the recommended solution for you. Use a SEPM and some Group Update Providers (GUPs).
What Symantec Products are Chosen
LUA 2.x can be configured to download materials for a wide range of Symantec enterprise products. For some products the total is only a few MB, or the content stays the same for months and needs no new updates. For other products the files are large and constantly updated (several downloads a day are required to stay current). For this article, I will use the popular Symantec Endpoint Protection (SEP) as an example.
There are two supported versions of SEP at this time: SEP 11 and SEP 12.1. The definitions required by the two versions are not interchangeable. If both exist in the corporate environment, configure LUA to download and distribute materials for both versions.
If a brand-new LUA is set up and an initial download needs to be run.....
Current (Sept '12) Size of all SEP 11 files: 11.2 GB
Current (Sept '12) size of all SEP 12.1 files: 3.4 GB
After the initial download, note that ongoing downloads of SEP 12.1 certified definitions will be bigger, as a whole, than SEP 11 definitions, because SEP 12.1 publishes more daily delta definitions (about four weeks' worth). Once those deltas are downloaded and distributed, the SEP clients need the large full definition files from the LUA much less often. The additional 350 MB or so per publication, which comes from the elimination of hub defs on the client side, ultimately saves space on the SEP client's hard drive: one update file is all that is needed, instead of two. After upgrading from SEP 11 to SEP 12.1, it is normal to see SEP 12.1 consume more bandwidth and space than SEP 11 did.
SEP for Mac defs are included in the SEP defs for SEP 11 and 12.1. If you are using LUA exclusively for keeping Macintosh machines up to date, configure the server not to download any Windows materials. Conversely: if you have no Mac, configure LUA to download only Windows files.
Current (Sept '12) size of all SEP 12.1 for Mac files: 1.9 GB
Both versions of SEP also ship Symantec AntiVirus for Linux (SAVFL) on their DVDs: if the SAVFL client is in use in sufficient numbers, then LUA should be configured to download materials for it, too. Those Linux defs are not included in the SEP definitions.
Current (Sept '12) size of all SAVFL files: 1.8 GB.
I will boil that down into a couple of recommendations:
- Recommendation Number One: Ensure that with LUA 2.x, you only download what you need. Some admins configure their server to download and distribute the entire SEP product, even though they have no Macintosh clients that need to be updated, no 64-bit machines, and no SEPMs which come to the LUA's Distribution Center looking for updates. Especially with SEP 11, this is a big waste. Be sure to follow the tuning recommendations in Managing LiveUpdate Administrator 2.x Space Usage.
- Recommendation Number Two: Take efforts to ensure that all SEP clients in the network are upgraded at the same time. By having a mixture of SEP 11 and SEP 12.1 endpoints, an admin is effectively doubling the amount of room and bandwidth needed. If all clients are moved up to SEP 12.1 at the same time, the SEP 11 product can be dropped from the LUA server and the burden halved.
(This also applies to admins who use the SEP 12.1 Symantec Endpoint Protection Manager to keep the clients up-to-date. If there are both SEP 11 and SEP 12.1 clients being managed, the SEPM will need to download and process both .m25 files for SEP 11 and .m26 files for SEP 12.1.)
Why are Download Sizes Different, from Day to Day?
As more and more threats are discovered every day, new signatures to protect against them are added to the certified definitions available from Symantec. So, the one inevitable rule, when it comes to definitions: the size always increases.
Back in the early days of Symantec AntiVirus 10.1, a full set of definitions required 10 MB of disk space. As of this writing (September 2012), SEP's full definition file measured about 170 MB for a client and 200 MB for the full .jdb file used by the Symantec Endpoint Protection Manager (SEPM). These large files will probably seem ludicrously small and manageable within a year. (Check the current sizes to compare!)
For LUA, which downloads all the latest-available files from internet servers, it's normal to see the gradual increase magnified.
Another reason why today's total bandwidth may be higher than yesterday's: there may have been more certified definition sets released. SAV 10.1 offered just one certified set of definitions per day, so endpoints might have had defenses only against yesterday's latest threats and been wide open to the newest threats seen in the wild. SEP 11 and SEP 12.1 have Multiple Daily Definitions (MDDs), so that even if a threat was first seen on the Internet that morning, protection will be available by that afternoon or evening. Each weekday Symantec releases two to three full sets of certified definitions. (On weekends, when most businesses have their workstations shut down, it's one set per day.) Full details on the releases can be found on the Multiple Daily Definitions - Detections Added page.
Final note: once per month, there are large hub definitions which must be downloaded for SEP 11 and SEP 12.1. These hub defs will result in a spike of several GB for a day or two around the middle of the month. This is normal.
A Real World Example
As a rough indication of one typical LiveUpdate Administrator server: here's some recent data from an LUA server which was configured to download SAV 10, SEP 11 and SEP 12.1 materials. Depending on the number of MDD's released per day, number of times LUA checked for new updates, and whether or not the large Hub defs were available, total daily sizes ranged from about 1.5 GB to 7.5 GB.
07-Aug-12: 2.644 GB
08-Aug-12: 1.772 GB
09-Aug-12: 2.7 GB
10-Aug-12: 1.7 GB
11-Aug-12: 5.12 GB
12-Aug-12: 1.894 GB
13-Aug-12: 1.938 GB
14-Aug-12: 4.967 GB
15-Aug-12: 4.075 GB
16-Aug-12: 7.515 GB
(Please consider those figures a very rough guideline - every different company will have different needs and a different configuration.)
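As an added example (not part of the original article), the following Python script turns a list of daily totals like the one above into the numbers an admin actually needs for planning: the period total, the median day, the peak, which days stand out as hub-definition spikes, and a rough month-ahead bandwidth projection. The input format (one "DD-Mon-YY size GB" entry per line) and the 2x-median spike threshold are assumptions of this example; the sample figures are the ones quoted above.

```python
"""Summarise LUA daily download volumes and flag hub-definition spikes.

Added example, not from the original article.  The input format is an
assumption: one 'DD-Mon-YY <size> GB' (or MB) entry per line, as the
article prints its daily figures.
"""
import re
from datetime import datetime
from statistics import median

# Daily totals quoted in the article for an LUA serving SAV 10, SEP 11 and SEP 12.1.
SAMPLE_LOG = """\
07-Aug-12 2.644 GB
08-Aug-12 1.772 GB
09-Aug-12 2.7 GB
10-Aug-12 1.7 GB
11-Aug-12 5.12 GB
12-Aug-12 1.894 GB
13-Aug-12 1.938 GB
14-Aug-12 4.967 GB
15-Aug-12 4.075 GB
16-Aug-12 7.515 GB
"""

LINE_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{2})\s+([\d.]+)\s*(GB|MB)$")


def parse_daily_sizes(text):
    """Return {date: size_in_GB}; MB entries are normalised to GB."""
    sizes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        day = datetime.strptime(m.group(1), "%d-%b-%y").date()
        value = float(m.group(2))
        if m.group(3) == "MB":
            value /= 1024
        sizes[day] = value
    return sizes


def summarize(sizes, spike_factor=2.0):
    """Total, median and peak GB, plus the days above spike_factor x median.

    A spike of several GB for a day or two is the expected signature of the
    monthly hub definitions; anything else that trips the threshold deserves
    a look at the LUA schedule and product selection.
    """
    values = list(sizes.values())
    med = median(values)
    spikes = sorted(d for d, gb in sizes.items() if gb > spike_factor * med)
    return {
        "days": len(values),
        "total_gb": round(sum(values), 3),
        "median_gb": round(med, 3),
        "peak_gb": max(values),
        "spike_days": spikes,
    }


def projected_monthly_gb(sizes, days_in_month=30):
    """Rough month-ahead bandwidth estimate from the observed daily mean."""
    values = list(sizes.values())
    return round(sum(values) / len(values) * days_in_month, 1)


if __name__ == "__main__":
    daily = parse_daily_sizes(SAMPLE_LOG)
    print(summarize(daily))
    print("projected 30-day volume (GB):", projected_monthly_gb(daily))
```

Run it on a longer window (a full month, so at least one hub-definition cycle is included) before sizing WAN links or disk; ten days that happen to include the mid-month spike will over-estimate, and ten days that miss it will under-estimate.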
- Recommendation Number Three: If the LUA server is configured to download and distribute only what is needed but is consuming too much bandwidth or too much space, change the schedule. Instead of running on a timer (checking every couple of hours to download the very latest MDD's), just schedule one daily download. This will mean that the endpoints may not always have the very latest definitions, but at least the download and distribution tasks will be able to complete successfully without monopolizing the WAN links.
Related articles:
- A Helpful LiveUpdate Administrator 2.x Analogy
- Managing LiveUpdate Administrator 2.x Space Usage
- Best Practices for LiveUpdate Administrator (LUA) 2.x
- Using IIS Logs to Check LiveUpdate Administrator 2.x Health
Many thanks for reading! Please do leave comments, below, if you find this article helpful or unhelpful.