Endpoint Protection

  • 1.  CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 18, 2015 01:35 PM

    So my little test environment did not have enough machines to exhibit this message from the Dev SEPM, but once I installed 12.1 RU6 on my production SEPM (it's been about a week now) I started getting this message from the SEPM along with a listing of the machines requesting full downloads (usually about 30 machines).

    So my questions:

    What does this alert really mean?

    It's not really affecting my SEPMs at all (performance-wise), should I be concerned about the alert?

    Will increasing my content revisions help the situation?

    Is this all part of the movement toward the 1.5 core defs?

    Will the alerts eventually subside once all the machines have "caught up" with the latest definitions?

    Sorry for all the questions, but so far this is the only unknown I have with an otherwise awesome RU6.

    Thanks for your time!

    -Mike



  • 2.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 18, 2015 01:38 PM

    See here

    Network load alert: requests for full definitions

    Alerts the administrators when too many clients request a full definition set, and to potential network bandwidth issues.

    The Network Load: Requests for Full Definitions notification is enabled by default

    http://www.symantec.com/docs/HOWTO80846

    Not sure how you have policy setup for clients and where they should get definitions or perhaps they have corrupt defs...



  • 3.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 18, 2015 01:59 PM

    Thanks for the link Biran, unfortunately it does not really get me the information I'm after...let me revise my questions.

    Yes, I understand that I can silence the issue by checking the "Prevent clients from downloading full definition packages" box.

    • This is new for RU6, was RU5 sending out full definitions and just not telling me?
    • Can I reduce the number of full downloads (assuming I would want to) by ramping up my content revisions?
    • My SEPMs have more than enough horsepower and bandwidth to handle the requests...do I really care about the alert?

    Thanks again amigo,

    -Mike

    3rd Stanley Cup in 6 seasons!!

     



  • 4.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions
    Best Answer

    Posted Jun 18, 2015 02:08 PM

    It's possible (and likely) any previous version of 12.1 had this happening but there was never an alert for it. Just now they introduce it.

    Not sure what your revisions are at, but with the new content structure you should be fine setting to 90 revisions.

    Not sure if it has as much to do with the SEPMs as it would with the network. If all 30 clients are on the same subnet then you could have a bandwidth problem. If they're dispersed then it's probably not a big deal.

    ;)

     



  • 5.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 18, 2015 02:15 PM

    Ah...that helps!!

    90 revisions is where I'm currently set.

    Prolly 12 different subnets from the last alert which had 30 machines.

    I'd say I'm good to go...although it would be nice to keep full downloads enabled, and just squelch the alert.

    You da man!



  • 6.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 18, 2015 02:29 PM

    :)



  • 7.  RE: CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

    Posted Jun 19, 2015 04:24 AM

    >> Once I installed 12.1 RU6 on my production SEPM (it's been about a week now) I started getting this message from the SEPM along with a listing of the machines requesting full downloads (usually about 30 machines).

    I had the same here.

     

    >> Will increasing my content revisions help the situation?

    Most probably not. See following remark.

     

    >> Will the alerts eventually subside once all the machines have "caught up" with the latest definitions?

    Yes most likely. This is what happened here. When you check the report on type "Computer Status" and select "Protection Content Versions" you see a selection of 8 components, all having dozens of different version numbers live in your environment.

    1. To me it appears that pre-12.1.6 updates of engines and definitions for all components EXCEPT Antivirus were flawed. Not coming through via SEPM. Sometimes, I was able to run LiveUpdate on the client to get updates of engines and/or definitions that they couldn't get from the SEPM. LiveUpdate is a backup mechanism and should never have to be run; it contacts the Symantec servers directly, bypassing SEPM. But even that didn't work on all my clients. Weird. This looks solved now with 12.1.6.

    2. A second thing, I presume, is that 12.1.6 has another component that wasn't there before. So every (12.1.6) client needs a full download for these components before it can start using deltas. These are the only 3 "items" that I got this critical alert for:

    = SEPC SMR Definitions 12.1 RU6

    = SEPC SRTSP Settings

    = SEPC Virus Definitions Win64 (x64) 12.1 RU6

     

    So my advice:

    1. absorb the alerts during upgrade if you can (it looks like so);

    2. if not, spread the upgrades, either by using the "Upgrade Schedule" in the "Client Install Package"s to distribute the upgrades over more days; or

    3. do it bit by bit; e.g. do not use the "Install Package" in large client groups, but create a new group called "Do SEP Maintenance" with the 12.1.6 install package and move (or copy if you use AD synced groups) clients batch by batch to the maintenance group (and back again after their upgrade).