
Symantec Endpoint Protection : The Heartbeat Process

Created: 27 Jun 2012 • Updated: 03 Jul 2012 | 7 comments
Mithun Sanghavi's picture

Hello,

This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM).

NOTE: The steps below apply to both SEP 11.x and SEP 12.1 products.

HEARTBEAT PROCESS

1. SEP client reads sylink.xml to determine the first available SEPM according to priority.
2. SEP client connects to the SEPM.

  • If a session cannot be established within 30,000 milliseconds, the check-in process terminates until the next heartbeat interval.

3. SEP client performs an HTTP GET of index.dat from the SEPM and compares it against the client copy for any deltas.

  • Content differences are checked against the LiveUpdate policy for the current location.

4. SEP client performs an HTTP GET request to obtain the URLs from which to download files.

  • URLs will correspond to the SEPM or GUP depending on the LiveUpdate policy.
  • If SEPM is specified, content will download over TCP 8014 (recommended web site port).
  • If GUP is specified, content will download over TCP 2967.

5. SEP client uploads log files to the SEPM.
6. SEP client uploads LAN sensors and learned application logs to the SEPM.
7. SEP client disconnects from the SEPM.

  • When communication mode is set to Pull, the SEP client will check in again at the next heartbeat interval.
  • When communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in SEPM to occur immediately on the SEP client.
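Step 1 as an added example (not part of the original article and not Symantec's code): a Python script that reads a sylink.xml and lists the management servers in priority order, together with the communication mode and heartbeat interval, which is useful when troubleshooting why a client checks in with an unexpected SEPM. The element and attribute names (ServerPriorityBlock, Server, Address, HttpPort, AgentCommunicationSetting, CommunicationMode, PullHeartbeatSeconds, PushHeartbeatSeconds) and the sample file are assumptions constructed for illustration; compare them with a real sylink.xml before relying on them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element/attribute names are assumptions, not from the article.
SAMPLE_SYLINK = """<ServerSettings>
  <CommConf>
    <AgentCommunicationSetting CommunicationMode="PULL" PullHeartbeatSeconds="300"/>
    <ServerList Name="Constructed example list">
      <ServerPriorityBlock Name="Priority2">
        <Server Address="sepm-dr.example.test" HttpPort="8014"/>
      </ServerPriorityBlock>
      <ServerPriorityBlock Name="Priority1">
        <Server Address="sepm1.example.test" HttpPort="8014"/>
        <Server Address="192.0.2.10" HttpPort="8014"/>
      </ServerPriorityBlock>
    </ServerList>
  </CommConf>
</ServerSettings>"""

CONNECT_TIMEOUT_MS = 30_000  # step 2: session must be established within this window
SEPM_PORT = 8014             # step 4: recommended web site port


def priority_of(block):
    """Numeric priority from a block name such as 'Priority1'; unnamed blocks sort last."""
    match = re.search(r"(\d+)$", block.get("Name", ""))
    return int(match.group(1)) if match else 10**6


def checkin_plan(sylink_xml):
    """Return mode, heartbeat interval, connect timeout and servers in priority order."""
    root = ET.fromstring(sylink_xml)
    comm = root.find(".//AgentCommunicationSetting")
    attrs = comm.attrib if comm is not None else {}
    mode = attrs.get("CommunicationMode", "").upper()
    interval = attrs.get("PushHeartbeatSeconds" if mode == "PUSH" else "PullHeartbeatSeconds")
    servers = []
    for block in sorted(root.iter("ServerPriorityBlock"), key=priority_of):
        for srv in block.iter("Server"):  # document order is kept within a priority
            port = int(srv.get("HttpPort", SEPM_PORT))
            servers.append((priority_of(block), srv.get("Address"), port))
    return {"mode": mode, "heartbeat_seconds": int(interval) if interval else None,
            "connect_timeout_ms": CONNECT_TIMEOUT_MS, "servers": servers}


if __name__ == "__main__":
    plan = checkin_plan(SAMPLE_SYLINK)
    print(plan["mode"], plan["heartbeat_seconds"], "s heartbeat")
    for prio, address, port in plan["servers"]:
        print(f"priority {prio}: {address}:{port}")
```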

HEARTBEAT SIZE

When there are no new client-side logs to upload to the management server, or policy or content to download from the server, the size of the Symantec Endpoint Protection client heartbeat is between 3 KB and 5 KB. When all client protection technologies are enabled and the maximum level of client logging is enabled (with the exception of packet-level firewall logging, which is not recommended in production environments), the size of a typical heartbeat is between 200 KB and 300 KB.

Comments

NMG's picture

Thanks for sharing

LeeD's picture

Wonderful Article

Thank you,

Dorothy

visible_sol's picture

How to set the communication time?

Mithun Sanghavi's picture

Hello,

I would suggest you check this thread (which you have asked):

https://www-secure.symantec.com/connect/forums/how-set-client-communication-time#comment-7846031

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mithun Sanghavi's picture

Hello,

Users following this Article may also be interested in this Article:

About Accelerated Heartbeat in Symantec Endpoint Protection (SEP) Clients.

http://www.symantec.com/docs/TECH93724

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

AjinBabu's picture

Nice One 

Regards

Ajin

R6S's picture

Grt article sir...!!! 
