Check which clients are downloading full.zip
Created: 03 Aug 2012 | Updated: 08 Aug 2012 | 11 comments
This issue has been solved. See solution.
Team, is there a way to check which clients are downloading the full.zip file? In SEPM logs somewhere?
I have roughly 25,000 clients so checking the client itself is not an option.
SEPM is at 12.1 RU1
Is this at all possible?
Thanks for any feedback.
-kt
Using Sylink Monitor on the client machine will give us an idea.
It should show something similar to:
content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Swapnil
you can download it from here
http://www.symantec.com/business/support/index?page=content&id=TECH103369
and then upload the logs in txt format
Swapnil
Checking individual clients is just not an option for me.
There is a cache where the client keeps track of whatever it is currently supposed to be updating from the SEPM.
On older versions of the SEP client (Pre-RU6 MP2) this cache is not cleared when something server side changes, only when the update finishes downloading.
So, in essence, your clients are stuck downloading that until either they are finished, or something clears that cache.
As a test, on one machine do the following:
1) Stop SMC
2) Delete the Luinfo.dat from the [SEP Client Install]\liveupdate
3) Start SMC
Check to see if the client re-requests that full.zip.
Swapnil
An alternate option: configuring a GUP, if one is not present in your network for LU distribution, might help.
Swapnil
I don't think that it is possible to check which clients are downloading the full.zip file from the SEPM logs somewhere.
As suggested above, from the client side you can do that using the sylink log.
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
I use Wireshark.
Install it on your SEPM and begin capturing packets. Set a display filter of:
(((frame matches "\.[Ff][Uu][Ll][Ll][.][Zz][Ii][Pp]" ) && (tcp.srcport == 8014)) )
Any clients that show up in the packet list window should be those that are downloading the full.zip file. You can right click on any of the packets and select "Follow TCP Stream" to see the client/server communication. Client is in red and server is in blue.
SEP Knowledge Base
Endpoint SWAT
Great Innovation.
I would give you one more way: open the trace in Network Monitor and apply the filter
description.contains("Full.Zip")
All the clients that show up in the packet list window should be those that are downloading the full.zip file. You can right click on any of the packets and select "Follow TCP Stream" to see the client/server communication.
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
I wrote a simple Snort signature to detect clients that were corrupt and trying to download the Full.zip multiple times. You can change it just to look for a Full.zip download without a threshold set.
alert tcp $HOME_NET any -> X.X.X.X 8014 (msg:"Possible Symantec Client Corruption";flow:established,to_server;content:"Full.zip";threshold: type both, count 2, seconds 9000, track by_src;classtype:unknown;sid:1081209192;rev:1;)
Can this signature be formatted for use in the custom IPS section of SEPM?
Yes, there is a way to do this. Export the following log:
Once exported, filter the log so that it only shows the Content Update Server within Event Type, and filter the Severity to only show Informational logs. Now filter the Event Description column to only show Full.zip (I used a text filter followed by the contains filter). After which you will only have the clients which have downloaded the entire Full.zip file. Success!!
Hope that this helps.
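As an added example (not code from any poster in this thread), the following Python script applies the same three filters as the accepted answer to a CSV export of the SEPM log, then applies the "count 2 in 9000 seconds, track by source" threshold from the Snort rule above to the surviving rows. The column names and the sample log rows are assumptions constructed for the demo; adjust the constants to match a real export.

```python
"""Find clients pulling Full.zip from a SEPM log export (constructed sample)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column names; a real SEPM export may differ, so adjust these.
COL_TIME, COL_TYPE, COL_SEV, COL_HOST, COL_DESC = (
    "Event Time", "Event Type", "Severity", "Host Name", "Event Description")

# Constructed sample export: WS-001 requests Full.zip twice, the others do not
# pass the Event Type / Severity / description filters from the thread.
SAMPLE_CSV = """Event Time,Event Type,Severity,Host Name,Event Description
2012-08-03 09:00:00,Content Update Server,Informational,WS-001,Client downloaded content/{GUID-PLACEHOLDER}/110211001/Full.zip
2012-08-03 09:05:00,Content Update Server,Informational,WS-002,Client downloaded delta 110211001
2012-08-03 10:30:00,Content Update Server,Informational,WS-001,Client downloaded content/{GUID-PLACEHOLDER}/110211001/Full.zip
2012-08-03 11:00:00,Content Update Client,Informational,WS-003,Client downloaded Full.zip
2012-08-03 12:00:00,Content Update Server,Warning,WS-004,Failed to download Full.zip
"""

def full_zip_events(csv_text):
    """Apply the three filters: Event Type, Severity, description contains Full.zip."""
    out = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r[COL_TYPE] != "Content Update Server" or r[COL_SEV] != "Informational":
            continue
        if "full.zip" not in r[COL_DESC].lower():  # case-insensitive, like the Wireshark regex
            continue
        out.append((r[COL_HOST], datetime.strptime(r[COL_TIME], "%Y-%m-%d %H:%M:%S")))
    return out

def repeat_downloaders(events, count=2, window_seconds=9000):
    """Mirror the Snort threshold (count 2, seconds 9000, track by_src):
    report hosts with at least `count` Full.zip downloads inside one window."""
    by_host = defaultdict(list)
    for host, ts in events:
        by_host[host].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                flagged.add(host)
                break
    return sorted(flagged)

if __name__ == "__main__":
    ev = full_zip_events(SAMPLE_CSV)
    print(sorted({h for h, _ in ev}))  # every host that fetched Full.zip
    print(repeat_downloaders(ev))      # hosts that fetched it repeatedly
```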