SEPM & SEP Client bandwidth troubleshooting

Created: 13 Aug 2009 • Updated: 20 Aug 2009
Troubleshooting high bandwidth utilization issues with SEPM and SEP clients.

One of the great advances in antivirus definition updates is the use of delta (xdelta) updates. A delta package contains only the changes since an earlier revision, so it is much smaller than the full definition package and conserves bandwidth. But how do you know whether your clients are downloading the full package or the xdelta packages? To my knowledge the SEP client logs do not record which package was downloaded from the management server. This document shows how to determine whether your SEP clients are downloading the full definitions and, if they are, how to correct it.
 
Tools you will need for this troubleshooting session:
Wireshark: http://www.wireshark.org/
LogParser: http://www.microsoft.com/DownLoads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
 
Install Wireshark on your management server. Open Wireshark, click Capture, then Interfaces, and click Start on the interface with the most packets detected (normally the one the clients connect to). Capturing on the management server itself is what lets you see every client's content request in one place.
 
Let the packet capture run for approximately 15 to 20 minutes, depending on how much traffic you are seeing. Save the capture and copy it to the local system that has LogParser installed.
 
Open LogParser. The command you want will be similar to the following:

Logparser "SELECT text INTO C:\temp\output.log FROM C:\temp\packetcapture.pcap WHERE text LIKE '%C60DC234-65F9-4674-94AE-62158EFCA433%'" -o:CSV

This command assumes you saved your packet capture as packetcapture.pcap and copied it to C:\temp on your local system. (If LogParser cannot work out the input format from the .pcap extension, name it explicitly with the -i: option.) The C60DC234... value comes from c:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\ContentInfo.txt on the management server. That file lists the content types the SEPM stores and makes available to SEP clients; in my case C60DC234... is the 32-bit antivirus definitions. The output file then contains only the packets that reference that content type, so you can see which file names (full.zip or xdelta....dax) the clients actually requested.
 
Now go back to your SEPM server (the physical server, not the console). Open the location F:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}\90806023\ (the drive letter depends on where you installed SEPM; the numeric folder is the latest revision of that content type).
Inside this folder you should see a directory called Full, a full.zip file, and some xdelta####.dax files. These .dax files are the incremental updates for SEP: each one brings a client on an older revision up to this one without fetching full.zip, so the number of .dax files tells you how many older revisions can still be updated incrementally.
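As an added example, not from the original article, the following Python script does the same job as the Wireshark + LogParser step but reports the result per client: it reads a libpcap file, pulls out the HTTP GET requests whose path contains the content GUID, and counts full.zip against xdelta .dax requests for each source IP. The HTTP path layout (/content/{GUID}/<revision>/full.zip or xdeltaNNNN.dax, mirroring the Inetpub\content folder), the client-communication port 8014 and the sample capture are assumptions constructed for the example. To run it against a real capture, save the capture from Wireshark in pcap format and pass the file's bytes to classify_downloads.

```python
"""Find SEP clients that download full.zip instead of xdelta .dax files.

Added example, not from the original article: a small libpcap reader that
does the same job as the Wireshark + LogParser step, but reports per
client. It assumes SEP clients fetch content with plain HTTP GET requests
whose path contains the SEPM content GUID (the article's C60DC234... GUID
for 32-bit AV definitions) and ends in full.zip or xdeltaNNNN.dax. The
capture below is constructed inline so the script runs offline.
"""
import struct
from collections import Counter, defaultdict

AV32_GUID = "C60DC234-65F9-4674-94AE-62158EFCA433"  # from ContentInfo.txt


def parse_pcap(data):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a
    little-endian libpcap file with Ethernet framing (what Wireshark
    writes on x86 when you choose the pcap format)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                          # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        doff = (tcp[12] >> 4) * 4
        yield src, dst, tcp[doff:]


def classify_downloads(data, guid=AV32_GUID):
    """Return {client_ip: Counter(full=..., delta=...)} for HTTP GETs whose
    path references `guid`. Braces around the GUID may arrive literally or
    as %7B/%7D; matching on the GUID alone covers both."""
    result = defaultdict(Counter)
    for src, _, payload in parse_pcap(data):
        if not payload.startswith(b"GET "):
            continue
        uri = payload.split(b" ", 2)[1].decode("ascii", "replace")
        if guid.lower() not in uri.lower():
            continue
        name = uri.rsplit("/", 1)[-1].split("?")[0].lower()
        if name == "full.zip":
            result[src]["full"] += 1
        elif name.startswith("xdelta") and name.endswith(".dax"):
            result[src]["delta"] += 1
    return result


def summarize(result):
    """Totals plus the list of clients that pulled full.zip."""
    return {"full": sum(c["full"] for c in result.values()),
            "delta": sum(c["delta"] for c in result.values()),
            "full_clients": sorted(ip for ip, c in result.items() if c["full"])}


# --- constructed sample capture (not real traffic) ------------------------
def _frame(src_ip, dst_ip, payload, sepm_port=8014):
    """Minimal Ethernet/IPv4/TCP frame carrying one HTTP request.
    8014 is an assumed SEPM client-communication port."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     6, 0, bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 50000, sepm_port, 1, 1, 5 << 4, 0x18,
                      8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap(requests):
    """Serialize (src, dst, payload) tuples as a libpcap byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, payload in requests:
        f = _frame(src, dst, payload)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SEPM = "10.1.1.5"
SAMPLE_PCAP = build_sample_pcap([
    ("10.1.1.20", SEPM, b"GET /content/{" + AV32_GUID.encode() +
     b"}/90806023/full.zip HTTP/1.1\r\nHost: sepm\r\n\r\n"),
    ("10.1.1.21", SEPM, b"GET /content/%7B" + AV32_GUID.encode() +
     b"%7D/90806023/xdelta90806021.dax HTTP/1.1\r\nHost: sepm\r\n\r\n"),
    ("10.1.1.22", SEPM, b"GET /content/{00000000-0000-0000-0000-000000000000}"
     b"/90806023/full.zip HTTP/1.1\r\n\r\n"),            # other content type
    ("10.1.1.20", SEPM, b"GET /index.htm HTTP/1.1\r\n\r\n"),  # unrelated
])

if __name__ == "__main__":
    for ip, counts in sorted(classify_downloads(SAMPLE_PCAP).items()):
        print(ip, dict(counts))
    print(summarize(classify_downloads(SAMPLE_PCAP)))
```

The per-client view is the useful part: a handful of clients pulling full.zip is normal (fresh installs, corrupted definitions), but if most of the fleet shows up under full_clients the server is not keeping enough revisions, which is what the next section addresses.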
 
If you only have three .dax files, many of your clients are probably downloading full.zip, which is normally over 50 MB. Have a couple of thousand clients in pull mode fetching that at the same time and it can crush even a robust network.

From what I have seen, Symantec normally releases three definition revisions per day. If your server is set up to check for updates every 6 to 8 hours, it will pick up all three, so a single day uses up three revisions. If your SEP clients update only once per day, it gets worse: by the next morning the server may already have pulled newer revisions, so a client can be more than three revisions behind what the server still stores and is forced to download the full definition file. Think about Monday morning: every client that was offline over the weekend will need the full definition file. Save yourself the trouble and raise the number of revisions stored on the SEPM server to 16 or more.
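To put numbers on the argument above, here is an added Python model (not from the article). It assumes three revisions per day, that a client can take a delta only while the revision it holds is still one of the N revisions the server keeps (so with N kept, the oldest usable revision is N-1 behind the newest), a 50 MB full.zip as the article states, and a 1 MB delta, which is an assumed figure since the article gives none. It computes what a 2,000-client fleet pulls on Monday morning at the default and the recommended retention.

```python
"""Revision-retention model for SEPM definition downloads.

Added example, not from the article. Assumptions: the SEPM receives three
definition revisions per day; a client gets a delta only if the revision
it currently holds is still one of the N revisions the server keeps,
otherwise it downloads full.zip; full.zip is 50 MB (from the article) and
a delta is 1 MB (assumed, the article gives no delta size).
"""
REVISIONS_PER_DAY = 3
FULL_MB = 50.0
DELTA_MB = 1.0          # assumed delta size


def revisions_behind(hours_since_last_update):
    """Whole revisions published since the client last updated."""
    return int(hours_since_last_update * REVISIONS_PER_DAY / 24)


def needs_full(behind, revisions_kept):
    """A delta is possible only while the client's own revision is still
    stored: with N kept, the oldest kept revision is N-1 behind the newest."""
    return behind > revisions_kept - 1


def fleet_bandwidth_mb(hours_since_update_per_client, revisions_kept):
    """Return (full_downloads, delta_downloads, total_mb) for a fleet
    described by each client's hours since its last update."""
    full = delta = 0
    for hours in hours_since_update_per_client:
        if needs_full(revisions_behind(hours), revisions_kept):
            full += 1
        else:
            delta += 1
    return full, delta, full * FULL_MB + delta * DELTA_MB


def monday_morning(n_clients=2000, weekend_hours=63):
    """Compare a Monday-morning catch-up (clients offline since Friday
    17:00, about 63 h) at the default (3) and recommended (16) retention."""
    fleet = [weekend_hours] * n_clients
    return {kept: fleet_bandwidth_mb(fleet, kept) for kept in (3, 16)}


if __name__ == "__main__":
    # A client that updates once a day is already 3 revisions behind, which
    # with 3 kept revisions means full.zip every morning.
    print("daily client, 3 kept ->", "full" if needs_full(revisions_behind(24), 3) else "delta")
    for kept, (full, delta, mb) in monday_morning().items():
        print(f"{kept:2d} revisions kept: {full} full, {delta} delta, {mb:.0f} MB")
```

Under these assumptions the weekend leaves every client seven revisions behind, so with three kept revisions the whole fleet pulls full.zip (about 100 GB across 2,000 clients) while sixteen kept revisions turn that into deltas (about 2 GB). The exact thresholds depend on how SEPM actually builds deltas, which the discussion below shows is not as simple as one .dax per kept revision, but the shape of the problem is the same.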
 
To increase the number of revisions stored in your SEPM infrastructure, follow these steps. Open your SEPM console and log in as a system administrator. Click Admin in the left panel, then Servers, select Local Site, and click Edit Site Properties (see the screenshot referenced below).
 
When the Site Properties window opens, look at the bottom of the screen (see screenshot). Increase the number of revisions and tick the check box next to it. Save your settings and keep monitoring updates over the next few days; it may take up to three days before your network recovers from the bandwidth issues. Also make sure your SEPM servers have enough disk space to store the extra revisions: our instance, at 16 revisions, is consuming just over 5 GB.
 
  

Comments

13 Aug 2009

Nice article. I will try

Nice article. I will try tomorrow in my office.

14 Aug 2009

Thanks for the informative

Thanks for the informative data.
This will be very handy indeed.

Nel Ramos

AravindKM
Trusted Advisor
26 Aug 2009

Thank you for the information.

Thank you for the information. But the pictures are not visible for me.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

06 Oct 2009

Documentation

Hello,

Is there any sort of documentation on the definition update process with SEP 11 similar to the post here?

Will a client EVER download a full def update if it is on all day every day and the management server updates its defs every 6 hours and the SEP client is set to pull mode every half hour? Or will they just be incremental always?

Thanks.

06 Oct 2009

In most cases clients should

In most cases clients should update via the delta files. However, there are instances where clients will be forced to download the full definition file:

1. A client is installed with an older set of definition files, or
2. A client is upgraded (say MR4MP2 to RU5) and the definition files are replaced... really depends upon 'how' you would upgrade
3. A client's definition files become corrupted and it needs to pull the full definition down.

Those are the only times I can think of that the clients would download the full definition file.

05 May 2010

nice article

21 Sep 2010

Number of Revisions to keep does not equal number of dax files

Thank you for a great article. Since I just read it I haven't got around to running a packet capture.

But I checked the setup in Site Properties and we keep 30 revisions.

Still there are only 4 dax files in Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}\100920050, which is our latest 32-bit client antivirus signature catalog.

But we have 30 catalogs, one for each update, all with 4 dax files in them.

So will the clients run an incremental update for every 4 updates behind the current revision? Or will they run a full update if they can't find an incremental in the latest update?

Something tells me that the "number of revisions to keep" setting is not controlling how many incrementals to make, but rather how many old definitions you can roll back to.

EDIT:

I checked my folders for IPS signatures, and they too keep 30 revisions but the latest update contains only one dax file. Looks like there is a setting for how old signatures we keep incrementals for and not how many?

19 Oct 2010

that seems a bit strange. In

That seems a bit strange. In our environment we have nine dax files and we keep 10 revisions. What version is your SEPM running?

15 Oct 2010

Thanks good info keep it up

Thanks, good info, keep it up.

Regards,

Siddhesh

If this response answers your query, please mark it as a solution

Test your backups to make sure they will get you back up! Because a backup failing is just as bad as failing to backup!

10 Nov 2010

Hi Jeff,

A really great post; thank you. It is pretty sad that Symantec would not have a better default config than this. I have two branch sites with 3 users each - Monday morning provides what you described... however the full.zip files are 95 MB!!!!! It's shameful really.

I have followed your suggestions; however, during the process I found that I did not have ANY .dax files (despite having the default '3' configuration). Is this normal? Perhaps this is why it's constantly downloading the full packages.

Greg

10 Nov 2010

Hi Greg, Have you tried to

Hi Greg,

Have you tried to up the number of revisions? You should have at least 1 dax file with a setting of 3.

Jeff

11 Nov 2010

Jeff,

Since upping the number of revisions to keep to 16 yesterday, I now have 3 new folders containing content (from yesterday) that each have a .dax file.

It's beyond me why the other older versions don't have any, but as long as it works going forward that is the key!

Thanks for your help.

Greg

10 Nov 2010

Is the revisions setting only

Is the revisions setting only valid if updating directly from SEPM? What about if you use internal LU servers using LUA 2.x to download and replicate?

10 Nov 2010

The revision setting set in

The revision setting set in SEPM is only applicable if clients are updating directly from the SEPM.

If you have your clients set up to download from an LUA server, check the following:

Login to your LUA
Click the Configure button
Click Preferences

Check how often you are purging your updates. If you are holding less than '3 revisions back' you may be downloading full.zip too often.

Cheers.

10 Nov 2010

I've got it set to purge

I've got it set to purge older than 10 revisions back daily in the manage updates folder and weekly in distribution centers.

Does this mean I'm keeping 10 revisions? If so, all clients will download full updates if they miss after 2 1/2 days or more (estimating 3 revisions per day)???