
Antivirus Definition Update Failures

Created: 28 Oct 2013 • Updated: 28 Oct 2013 | 9 comments

Hello friends,

We are using Symantec Endpoint Protection Manager version 11.0.6005.562.

I am a fresher and new to learning Symantec, so pardon me for my mistakes and please guide me on how to troubleshoot, as I am nowhere near reaching a solution.

The architecture lead suddenly told us that there is a network flood due to Symantec management and sent a screenshot of netstat; later they reduced the bandwidth to 2 Mb, and since that day we are facing the issue of Antivirus Definition Update Failures. They have advised us to manage it with only 2 Mb of allocation, and my knowledge is very bad to handle it further.

1) What should the bandwidth be? How do I calculate that?

2) How to manage it? I have read about the pull method; will that be helpful?

3) Can I create datacenter-wise client groups and set the timings (so that only during that period the management server contacts the client group and gives it the latest definitions)? How would that work?

To be very honest, I don't even know if my questions are logical or not.

Many Thanks in advance.
-Noel 



Mithun Sanghavi

Hello,

Moved to the Antivirus Security Forums for more visibility. Also check this thread with a similar query:

https://www-secure.symantec.com/connect/forums/designing-sepm-80000-clients-multi-site-deployment

In your case, I would suggest you go through the articles below:

How to update virus definitions and other content with Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/docs/TECH102467

Troubleshooting Content Delivery to the Symantec Endpoint Protection client

http://www.symantec.com/docs/TECH106034

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

http://www.symantec.com/docs/TECH95790

LiveUpdate and content troubleshooting for the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH105924

Regards,

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mithun Sanghavi

Hello,

In case you have low bandwidth, check these articles:

Tips For Installing SEP In A Low Bandwidth Environment

https://www-secure.symantec.com/connect/articles/t...

How to: Setup a Group Update Provider (GUP)

http://www.symantec.com/business/support/index?pag...

Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later

http://www.symantec.com/business/support/index?pag...

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


greg12

According to the screenshots, your SEPM is up to date, so the issue must be between the SEPM and the clients.

The best way to minimize network traffic is to prevent full downloads of antivirus content (~270 MB). This can be done by storing enough content revisions on the SEPM.

If you let your SEPM look every 4 hours for new definitions (this is the default setting and recommended), you'll get 3 new content revisions per day most of the time. Now every client whose content is older than one day (= 3 content revisions) has to download the full content package; otherwise, the SEPM is able to build so-called delta files for the client, which are dramatically smaller (in some cases smaller than 1 MB).

So check the number of antivirus content revisions that the SEPM stores:

Admin > Local Site > Edit Site Properties > LiveUpdate > Disk Space Management for downloads

Check "Number of content revisions to keep". In small environments the default value is 3. That is not enough in most cases. For example, to cover a complete week, you have to save 21 revisions.

But keep in mind that a lot of revisions waste disk space. 21 revisions need up to 32 GB (!) in the file system. (And the revisions are steadily growing; in a year they may be at 40 or 45 GB.)

To your questions:

1) What should the bandwidth be? How do I calculate that?

2 Mbit/s is not much for a 270 MB package; however, it should be fine with delta files.

2) How to manage it? I have read about the pull method, will that be helpful?

Depends on your environment. If the bandwidth limitation continues, the pull method with a generous heartbeat (e.g., 15-20 minutes) may balance the traffic better. If you use the push method, take a generous value for Download Randomization so that the clients don't download almost simultaneously when they get the message about new content from the SEPM.

Perhaps GUPs are an option for you. Here is a GUP FAQ:

https://www-secure.symantec.com/connect/articles/sep11-frequently-asked-questions-file

And here are two excellent videos explaining them:

https://www-secure.symantec.com/connect/videos/group-update-providers-part-1
https://www-secure.symantec.com/connect/videos/group-update-providers-part-2

3) Can I create datacenter-wise client groups and set the timings (so that only during that period the management server contacts the client group and gives it the latest definitions)? How would that work?

You cannot schedule the content download from the SEPM; it's controlled by pull mode (heartbeat) or push mode (instantaneous download). It's only possible to schedule the content download from an internal or external LiveUpdate server (Symantec's, or your own LiveUpdate Administrator -- but that's an awe-inspiring tool with a steep learning curve).

HTH!

noelintrovert

Thank you greg12 & Mithun Sanghavi,

I just can't stop thanking you guys, man :)

I have started using GUPs in our environment, and a few servers have been elected, but there are some problems.

I would like to explain the scenario here.

We have at least 237 servers as below, and Manassas alone has internet connectivity of 2 MB:

Manassas - 15
Germany - 39
UK - 91
Netherlands - 32
France - 30
Finland - 30

I made a selection of servers from every region to become GUP servers, as below:

[screenshot: GUP selected.jpg]

Below are the full forms of the abbreviations for better understanding:

UK - UKSW (Swindon) UKRTH (Rotherham) UKLOS (Southbank) UKLCY (London City) UKBRT (Toltec)

NL - NLAMA (Amsterdam) NLAML (Level 3)

FR - FRSDA (Paris) FRCLI (Clichy)

DE - DEFR1 & DEFR2 (Germany)

FI - FIESP & FIEHL (Finland)

Below are the GUP servers selected by the SEPM:

[screenshot: GUP reflected.jpg]

We can clearly see that from every region it has selected one GUP server, except for Finland.
I want all my UK clients to take updates from the UK GUP server, all NL client servers to take updates from the NL GUP server, and likewise for Germany.

Below are my questions:
1) On the GUP server I see the "MasterClientHost" value data as empty.

[screenshot: Registry.jpg]

What will confirm that this is an active GUP server?

2) What will confirm that the clients have started taking updates from the GUP server?

3) I have recently seen an increase in disk space usage. I know this is because the client packages are being downloaded to the SEPM, but still, what do you suggest? Is there a need to increase the disk space? We have a 35 GB HDD attached to it.

[screenshot: disk space.jpg]

4) Is 2 MB bandwidth okay, as I have also told you about our whole scenario?

5) When does TCP port 2967 become active? Do you have any videos?

I know I might have asked pretty dumb questions here, but I would love it if you could provide some inputs.

greg12

If I understand you correctly, your clients from different regions are connecting to a single GUP while you want them to connect to their respective local GUPs.

I assume you are using the "Multiple GUP" feature (the missing registry key indicates this). This feature may cause unexpected behavior. If all GUPs defined in the Multiple GUP list are in the same subnet, the clients will connect to the same GUP in most cases. Best explained here:

http://www.symantec.com/docs/TECH139867

The easiest way to solve the problem is to create a group structure reflecting your regions. In every LiveUpdate policy of these groups, set a different Single GUP.

To your questions:

1) On the GUP server I see the "MasterClientHost" value data as empty. What will confirm that this is an active GUP server?

If MasterClientHost is empty, it may indicate you are using the multiple GUP feature. See link above. Active GUPs are listening on port 2967 (check with netstat) and have a cache folder (in SEP 11: <Drive>:\Program Files\Symantec\SharedUpdates).

2) What will confirm that the clients have started taking updates from the GUP server?

See John Q.'s posting below. Unfortunately I don't know if it works on SEP 11 as well:

https://www-secure.symantec.com/connect/articles/how-can-we-check-which-content-sep-121-clients-are-downloading-gup

Alternatively, in the local Client system log you should find "Download content from GUP". Or you enable sylink debugging on clients:

http://www.symantec.com/docs/TECH97190

3) I have recently seen an increase in disk space usage. I know this is because the client packages are being downloaded to the SEPM, but still, what do you suggest? Is there a need to increase the disk space? We have a 35 GB HDD attached to it.

The client packages are not the biggest issue. Old packages can be deleted. However, try to save as many content revisions as possible to prevent full downloads (~270 MB). My personal rule of thumb for the size of one single revision is as follows:

(270 MB + (1.9 x 270 MB)) x 2

The zipped 270 MB package is unzipped on the SEPM (this cannot be prevented); that's the 1.9 factor. And you have to double the result because the SEPM will produce 32-bit and 64-bit content revisions. Of course you have to consider that these 270 MB are steadily growing. In a year they may be 350 MB.

4) Is 2 MB bandwidth okay, as I have also told you about our whole scenario?

Which connection has 2 Mbit/s in your environment? If, say, the SEPM is in Manassas and all regions have a maximum of 2 Mbit/s to this SEPM it may be ok if you save enough content revisions on your SEPM. If your GUP scenario is working, it should be enough because full downloads are seldom. BTW, you can throttle the bandwidth in the GUP settings.

5) When does TCP port 2967 become active? Do you have any videos?

See 1). No other videos, as far as I know; keep in mind that the videos mentioned in my post above are for SEP 11 only. When you upgrade to 12.1, you will face a slightly different GUP behavior and extended features.

To check GUP and download behavior, you could try the (unsupported) SEP Content Distribution Monitor:

https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor

A. Wesker

Hi,

If you're using GUPs, do not set a value lower than 384 Kbytes/sec for the download between them and the SEPM; otherwise they will fail in situations where a full.zip for AV/AS is required (unless you're keeping a huge amount of LU content on your SEPM to minimize this kind of situation).

Kind regards,

A. Wesker
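As an added example (not greg12's or Symantec's code), the following Python turns the figures quoted in this thread into a small sizing calculator: greg12's 3 revisions a day, the ~270 MB full package, his (270 MB + 1.9 x 270 MB) x 2 rule of thumb per stored revision, and A. Wesker's 384 KB/s floor. It assumes 1 MB = 8 Mbit and ignores protocol overhead.

```python
"""Sizing helpers for SEPM content retention and update traffic, built from the
figures in this thread (added example, not a Symantec tool or greg12's code)."""

FULL_PACKAGE_MB = 270    # zipped AV/AS full content package, as quoted by greg12
UNZIP_FACTOR = 1.9       # SEPM also keeps the unzipped copy (greg12's rule of thumb)
ARCHITECTURES = 2        # 32-bit and 64-bit revisions are stored separately
REVISIONS_PER_DAY = 3    # with the default 4-hour schedule, ~3 new revisions a day
GUP_FLOOR_KBYTE_S = 384  # A. Wesker's minimum GUP <-> SEPM throttle


def revisions_to_cover(days, revisions_per_day=REVISIONS_PER_DAY):
    """Revisions the SEPM must keep so a client that last updated `days` ago
    still receives a delta instead of the full package."""
    return days * revisions_per_day


def revision_size_mb(package_mb=FULL_PACKAGE_MB):
    """Disk used by one stored revision: (zip + unzipped copy) x 2 architectures."""
    return (package_mb + UNZIP_FACTOR * package_mb) * ARCHITECTURES


def retention_disk_gb(revisions, package_mb=FULL_PACKAGE_MB):
    """Total disk (GiB) for `revisions` stored revisions."""
    return revisions * revision_size_mb(package_mb) / 1024


def transfer_minutes(size_mb, link_mbit_s):
    """Wall-clock minutes for one client to pull `size_mb` over a `link_mbit_s`
    link, ignoring protocol overhead (1 MB = 8 Mbit assumed)."""
    return size_mb * 8 / link_mbit_s / 60


def gup_throttle_ok(kbyte_s, floor=GUP_FLOOR_KBYTE_S):
    """False when a GUP throttle is low enough that full.zip pulls would fail."""
    return kbyte_s >= floor


if __name__ == "__main__":
    keep = revisions_to_cover(7)
    print(f"Cover one week: keep {keep} revisions, "
          f"~{retention_disk_gb(keep):.1f} GiB now, "
          f"~{retention_disk_gb(keep, 350):.1f} GiB once packages reach 350 MB")
    # Noel's 2 Mbit/s Manassas link: full package versus a 1 MB delta, one client
    print(f"Full 270 MB at 2 Mbit/s: {transfer_minutes(270, 2):.0f} min per client")
    print(f"1 MB delta at 2 Mbit/s: {transfer_minutes(1, 2) * 60:.0f} s per client")
    # 2 Mbit/s is about 250 KB/s, below A. Wesker's 384 KB/s floor for a GUP throttle
    print("2 Mbit/s as GUP throttle ok:", gup_throttle_ok(2 * 1000 / 8))
```

Run as a script it reproduces greg12's "21 revisions, up to 32 GB" figure and shows why a fleet that falls back to full packages over 2 Mbit/s is a problem.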

noelintrovert

@ greg12

"The easiest way to solve the problem is to create a group structure reflecting your regions. In every LiveUpdate policy of these groups, set a different Single GUP."

I have tried this setting and created different client groups for different regions. Below is an example:

1) Created a France group, selected one France server as a Single GUP through a new policy, and assigned it to this group.

2) Applied the same to the other groups too; none of them are working. It has selected GUP servers, but it's not working.

The GUP servers have the MasterClientHost entry set to "GUP server hostname".
They also have the shared folder (SEP 11: <Drive>:\Program Files\Symantec\SharedUpdates).

There were 240 servers; the console now reflects only 104 servers, and the last update was on 2nd November for the latest Windows manager version, as in the screenshot below. It's all a mess; I can't figure out anything.

[screenshot: current status.jpg]

I don't know what to do :( The multiple and single GUP settings might have got mixed; I have no idea what is happening :(
Sorry for all the trouble, but I am afraid to take the next steps.

Please help!!
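greg12 names three indicators of an active GUP (a listener on TCP 2967 visible in netstat, the SharedUpdates cache folder, and the MasterClientHost value that Noel first found empty and later saw populated). The helper below, an added example and not Symantec tooling, parses `netstat -ano` output for the listener and combines the three indicators into one verdict; the netstat sample is constructed, and the SEP 11 cache path assumes drive C:.

```python
"""Check the GUP indicators discussed in this thread from `netstat -ano` text,
the cache folder and the MasterClientHost value (added example, not Symantec's)."""
import os
import re

GUP_PORT = 2967
# Thread's SEP 11 cache path with <Drive> assumed to be C:
SEP11_CACHE = r"C:\Program Files\Symantec\SharedUpdates"

# One `netstat -ano` TCP row: local address (IPv4 or bracketed IPv6), port,
# foreign address, state and owning PID. Non-greedy addr stops at the last ':'.
_NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)")


def gup_listener_pids(netstat_output, port=GUP_PORT):
    """Return sorted PIDs of processes LISTENING on `port`; [] means no GUP service."""
    pids = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and int(m.group("port")) == port and m.group("state") == "LISTENING":
            pids.add(int(m.group("pid")))
    return sorted(pids)


def gup_indicators(netstat_output, cache_path=SEP11_CACHE, master_client_host=""):
    """Combine the three indicators; MasterClientHost is informative only, since an
    empty value can simply mean the Multiple GUP list is in use (TECH139867)."""
    listening = bool(gup_listener_pids(netstat_output))
    cache_present = os.path.isdir(cache_path)
    return {
        "port_2967_listening": listening,
        "cache_folder_present": cache_present,
        "master_client_host_set": bool(master_client_host.strip()),
        "looks_like_active_gup": listening and cache_present,
    }


# Constructed sample of `netstat -ano` output on a GUP (not a real capture):
# one IPv4 and one IPv6 listener on 2967 plus an established client download.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       1860
  TCP    10.1.2.5:2967          10.1.2.77:51234        ESTABLISHED     1860
  TCP    [::]:2967              [::]:0                 LISTENING       1860
  UDP    0.0.0.0:500            *:*                                    1104
"""

if __name__ == "__main__":
    print(gup_indicators(SAMPLE_NETSTAT, master_client_host="GUPHOST"))
```

On a real GUP, feed it the output of `netstat -ano` and the value read from the registry key shown in Noel's screenshot; the established row on 2967 is what a client download looks like from the GUP side.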

greg12

Hi Noel,

According to your screenshot, the SEPM is out of date. Perhaps the content is corrupt, so it's impossible for the SEPM to add new content. If the SEPM cannot download fresh content, the GUPs cannot do anything. A GUP is a dumb slave of a SEPM.

Content integrity can be checked with the SymHelp tool (formerly the Symantec Support Tool; highly recommended for troubleshooting):

http://www.symantec.com/docs/TECH170752

Here are some KB articles that may help you:

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart
http://www.symantec.com/docs/TECH95790

How to enable IIS logging for Symantec Endpoint Protection Manager in IIS 6.0
http://www.symantec.com/docs/TECH132808

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)
http://www.symantec.com/docs/TECH104539

Symantec Endpoint Protection Manager 11.x is not updating 32- or 64-bit virus definitions
http://www.symantec.com/docs/TECH104721

HTH!