Endpoint Protection

  • 1.  12.1 ru 2 SEPMs slow, incorrect information, definitions not updating.

    Posted May 16, 2013 11:24 AM

    Since 3/4 I upgraded 2 SEPMs from 11.7 with IIS to 12.1 with Apache. With this setup we have about 27 GUPs. With 11.7 the SEPM console was always usable and the web console was used by over 100 people throughout the day at different times. With 12.1 the on-server SEPM console is slow and doing anything takes about 2 hours. Just to log in takes 45 minutes usually. The web console rarely works. It may work for a few minutes right after I reset the SEPM services but that's about it. With 11.7 we always had our definitions update once a day and then distribute out. With 12.1 we are now at 8 days since the last successful definition updates (5/8). With 11.7 we seemed to always have the right number of clients listed in there; with 12.1 the clients do not seem to be cleaning out at all.

    Our setup is two SEPMs on the same subnet as the SQL server, and the SQL server is where the SEPM DB is housed. There was some RAID degradation but that has been resolved, and the SEP DB has been verified to be okay by the SQL tools AND the internal dbvalidator tool.

    So since all of this is validated I went ahead and reran the Management Server Configuration Wizard.

    All is good there as well.

    I have done this to try and fix the updating issue -

    http://www.symantec.com/business/support/index?page=content&id=TECH166923

    and

    http://www.symantec.com/business/support/index?page=content&id=TECH171060

    with this second one I used

    12.1.2015.2015 (RU2) it should be 3.3.100.15

    From

    http://www.symantec.com/business/support/index?page=content&id=TECH181305

    So we killed out liveupdate, killed all definitions, reinstalled liveupdate, fixed liveupdate to the SEPM, and redownloaded all the definitions. This did work then but now it is not and I don't feel this is a reasonable thing to have to do each time this is failing.

    We are looking to add a few more GUPs to our environment to help with the SEPM load, but right now, with the time it takes me in the console, it's ridiculous to ask me to spend what would take me about 6 hours per GUP (between login, location configuration, moving of the GUP server to the proper group, and the creation of the proper liveupdate setup).

    Right now we are at only about 4k clients that are at 12.1 ru 2 so we still have a long way to go to get everyone to 12.1 to use the other GUP configuration offerings in the liveupdate configuration.

    I have no clue where to start with the console slowness which is my number 1 pain point right now.



  • 2.  RE: 12.1 ru 2 SEPMs slow, incorrect information, definitions not updating.

    Posted May 16, 2013 11:35 AM

    This is more to do with the server than the GUP setup. Looking at the SEPMs, how are the hardware specs? Do they meet the min requirement?

    If you use process explorer are you able to see what processes are taking up the most CPU/RAM?



  • 3.  RE: 12.1 ru 2 SEPMs slow, incorrect information, definitions not updating.

    Posted May 27, 2013 07:33 AM

    Yes, we meet minimum specs. 2 SEPMs hitting one SQL server, both 32 bit with 4 megs ram and quad core configurations.

    According to backline this is a memory leak. We had the SEP clients on the SEPM totally removed from the servers, and we had both the SEPM and the SEPM webserver disabled and rebooted the servers; they stayed at only 500 megs usage. Then we turned on the SEPM and they slowly started creeping up to the 4 gigs use on the server and NEVER DROP. The problem is even with low to no load on the SEPM it's not releasing this memory usage and dropping back down until I do a server reboot. E.g. we had no updates at all; we were behind over 2 weeks in updates. We had very few logs to go back and forth and it was still spiking.

    So Symantec's recommendation was to turn on liveupdate without the SEP client installed, and right after the reboot liveupdate actually worked. Now I have machines updating but they are updating VERY slow. I still think there is a GUP problem with 12.1 somewhere because I have a GUP that is at 5/23 with a checkin every 2 hours. I have SEP clients with checkins every 8 hours.

    The GUP itself is not updated but DOES have 5/26 content on it (we update once a day), but when I look at the location that uses this GUP as the update point (which is local and should update all clients before I get in in the morning) we only have 1.2% at 5/26, we only have 5/25 at 32.6%, and we still have a large number of machines back at 5/22 (some, like my own, even with a new sylinkdrop and reboots and ensuring full connectivity to the GUP, are at 5/8). This is why I am so gung ho on these GUPs: I have a site where I see the shared update content of today in the GUP, but the GUP's own definitions are not 5/26, they are 5/23, and the site pointed to the GUP has definitions all over the place.

     

    This to me is saying the GUP is not doing its job of updating the site and thus is making the machines use the SEPM and overloading it for updates (which, when it already had a known memory leak, is a bad thing).