Endpoint Protection


Check which clients are downloading full.zip

  • 1.  Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:04 PM

    Team, is there a way to check which clients are downloading the full.zip file? In SEPM logs somewhere?

    I have roughly 25,000 clients so checking the client itself is not an option.

    SEPM is at 12.1 RU1

    Is this at all possible?

    Thanks for any feedback.

    -kt



  • 2.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:37 PM

    Using Sylink Monitor on a client machine will give us an idea.

    It should show something similar to:

    content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip



  • 3.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:38 PM

    You can download it from here:

    http://www.symantec.com/business/support/index?page=content&id=TECH103369

    and then upload the logs in .txt format.



  • 4.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:39 PM

    There is a cache where the client keeps track of whatever it is currently supposed to be updating from the SEPM.

    On older versions of the SEP client (Pre-RU6 MP2) this cache is not cleared when something server side changes, only when the update finishes downloading.

    So, in essence, your clients are stuck downloading that until either they are finished, or something clears that cache.

    As a test, on one machine do the following:

    1) Stop SMC
    2) Delete the Luinfo.dat from the [SEP Client Install]\liveupdate
    3) Start SMC

    Check to see if the client re-requests that full.zip.



  • 5.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:40 PM

    Alternate option: configuring a GUP for LU distribution, if one is not present in your network, might help.



  • 6.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:46 PM

    I don't think that it is possible to check which clients are downloading the full.zip file from the SEPM logs.

    As suggested above, from the client side you can do that using the sylink log.



  • 7.  RE: Check which clients are downloading full.zip
    Best Answer

    Posted Aug 03, 2012 01:48 PM

    I use Wireshark.

    Install it on your SEPM and begin capturing packets. Set a display filter of:

    (((frame matches "\.[Ff][Uu][Ll][Ll][.][Zz][Ii][Pp]" ) && (tcp.srcport == 8014)) )

    Any clients that show up in the packet list window should be those that are downloading the full.zip file. You can right click on any of the packets and select "Follow TCP Stream" to see the client/server communication. Client is in red and server is in blue.



  • 8.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 01:56 PM

    Checking individual clients is just not an option for me.



  • 9.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 02:00 PM

    I wrote a simple Snort signature to detect clients that were corrupt and trying to download the Full.zip multiple times.  You can change it just to look for a Full.zip download without a threshold set.

    alert tcp $HOME_NET any -> X.X.X.X 8014 (msg:"Possible Symantec Client Corruption";flow:established,to_server;content:"Full.zip";threshold: type both, count 2, seconds 9000, track by_src;classtype:unknown;sid:1081209192;rev:1;)



  • 10.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 02:38 PM

    Great Innovation.

    I would give you one more way: open the trace in Network Monitor and apply the filter

    description.contains("Full.Zip")

    All the clients that show up in the packet list window should be those that are downloading the full.zip file. You can right click on any of the packets and select "Follow TCP Stream" to see the client/server communication.



  • 11.  RE: Check which clients are downloading full.zip

    Posted Aug 03, 2012 04:14 PM

    Yes, there is a way to do this.  Export the following log:

    • Log type: System
    • Log content: Client Activity

    Once exported, filter the log so that it only shows Content Update Server within Event Type, and filter the Severity to only show Informational logs.  Now filter the Event Description column to only show Full.zip (I used a text filter followed by the contains filter).  After that you will only have the clients which have downloaded the entire Full.zip file.  Success!!

    Hope that this helps.
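    The export-and-filter procedure above, plus the per-client repeat threshold from the Snort signature in post 9, as an added example that is not from the thread or from Symantec: it reads a constructed sample of an exported Client Activity log (the column names and descriptions are assumptions for this example), applies the Event Type / Severity / Event Description filters, and then flags clients that pulled Full.zip twice within 9000 seconds.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported SEPM "System / Client Activity" log.
# Column names and wording are assumptions for this example; a real export may differ.
SAMPLE_EXPORT = """\
Event Time,Event Type,Severity,Client Name,Event Description
2012-08-03 09:00:00,Content Update Server,Informational,PC-0001,Downloaded content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip
2012-08-03 09:05:00,Content Update Server,Informational,PC-0002,Downloaded a delta package
2012-08-03 10:00:00,Content Update Server,Informational,PC-0001,Downloaded content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip
2012-08-03 10:30:00,Content Update Server,Warning,PC-0003,Failed to download content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip
2012-08-03 11:00:00,Content Update Server,Informational,PC-0004,Downloaded content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/110211001/Full.zip
"""

def full_zip_downloads(export_text):
    """The three filters from the thread; returns (timestamp, client) per completed Full.zip download."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row["Event Type"] == "Content Update Server"
                and row["Severity"] == "Informational"
                and "full.zip" in row["Event Description"].lower()):
            when = datetime.strptime(row["Event Time"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, row["Client Name"]))
    return hits

def downloads_per_client(hits):
    """How many times each client pulled Full.zip (a healthy client needs it once)."""
    counts = defaultdict(int)
    for _, client in hits:
        counts[client] += 1
    return dict(counts)

def repeat_downloaders(hits, count=2, window_seconds=9000):
    """Mirror the Snort threshold (count 2 within 9000 s, track by_src): flag a client once `count` downloads fall inside the window."""
    by_client = defaultdict(list)
    for when, client in hits:
        by_client[client].append(when)
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                flagged.add(client)
                break
    return sorted(flagged)
```

    Point full_zip_downloads at the text of a real export and the flagged list is the set of clients worth checking with Sylink Monitor or the Luinfo.dat reset described earlier.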



  • 12.  RE: Check which clients are downloading full.zip

    Posted Aug 06, 2012 08:21 AM

    Can this signature be formatted for use in the custom IPS section of SEPM?