Endpoint Protection

  • 1.  Deploy virus definitions.

    Posted Sep 09, 2009 04:58 AM
    Hello everybody.
    I want to ask a simple question about deploying virus definitions and updates.
    How do LUA and SEP Manager send definitions? I mean in terms of network traffic. How does SEP Manager send virus definitions to 100 clients? At the same time or in turn?
    Thanks.



  • 2.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 05:59 AM

    Hi Fatih,

    With SAV, a technology called VDTM was responsible for supplying the latest updates from servers to all of the client computers.  Threads, etc, could be configured to determine how many clients were updated at once.  In SEP 11, the clients use LiveUpdate to connect to the SEPM (or to a LUA 2.x Distribution Center, if that is how they have been configured.)

    Administrators can configure clients' LiveUpdate policy to control when it connects to retrieve updates, how often to retry, randomizations, and so on.  The number of network connections between SEP clients and their SEPM can be controlled through those settings.  Full details are in the product's .pdf files.  The following article may help, too:

    Symantec Endpoint Protection Manager - LiveUpdate - Policies explained

    Thanks and best regards,

    Mick

     



  • 3.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 06:54 AM

    As far as I know, when the SEPM downloads the definitions it publishes them on its IIS website, then the clients pull the definitions from the IIS website.
    Heartbeat has nothing to do with content updates.
    All clients connect at once to retrieve the updates.

    LUA works similarly.
    Once you distribute the definitions, that means you are publishing the definitions on
    http:\\server name\clu-prod
    then the SEPM/clients pull the definitions from the LUA.



  • 4.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 07:12 AM
    Adding further,

    Clients have 2 methods to connect: push or pull.

    Irrespective of these methods, once the defs are available at the SEPM, those will be pushed to the clients (meaning: clients will be notified to take them).

    This is how it happens.

    During the communication period, if the server has new definitions / a profile update for the agent, it disconnects the connection with the agent. When the agent is disconnected from the server, it will contact the server immediately to get the new profile / updates.

    If you have ever observed the sylink log, you will see something like moniker updates. These are published in IIS content updates and the manager will send the link to the clients. Once it's updated, the manager knows about the update via logs.
    


  • 5.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 07:23 AM
    Thank you for the answers.
    I want to explain more.
    For example, I install the SEP client on 10 machines, and they are in pull mode.
    When the install has finished, these 10 machines will communicate with SEP Manager (or LUA).
    And SEP will say "you need new updates", then send to these 10 machines immediately? For example, if one client needs a 5 Mb update, then for 10 computers this will be 50 Mb. Does SEP try to send updates to each machine at the same time? If this is true, SEP tries to send 50 Mb of data.

    I want to know this because sometimes our network was slow (e.g. Monday).
    I asked myself, "these clients were closed on Saturday and Sunday, therefore every client tries to take new updates".

    Am I right?
    I hope I can explain my thinking.
    Thank you and Best Regards.



  • 6.  RE: Deploy virus definitions.
    Best Answer

    Posted Sep 09, 2009 07:41 AM

    Yes, it should be for all the clients at once. It should be 50MB; most of the time it's just delta (incremental updates).
    Say:
    11: --> SEPM has latest updates

    11:01 --> SEPM disconnects all the clients

    11:02 --> Clients now try to connect to SEPM (heartbeat)

    11:03 --> SEPM now notifies the clients that they have an update, sends out the URL (IIS - Content)
    You can see this in the sylink file:

      Request download URLs if contents are needed
    Download update files after posting logs



    11:04 --> All the clients will now try connecting to IIS to download defs.

    let me know if you have any questions.
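
The following is an added example, not part of any post in this thread and not Symantec code. It models the load pattern discussed above: 10 clients each pulling a 5 MB delta, either all at once or spread over a randomization window. The link capacity (10 MB per minute), the 60-minute window and all function names are assumptions chosen for illustration; the model does not reproduce SEP's actual scheduling.

```python
import random

def start_minutes(n_clients, window_min, seed=1):
    """Minute at which each client starts downloading after notification."""
    if window_min <= 0:
        return [0] * n_clients            # no randomization: everyone at once
    rng = random.Random(seed)             # seeded so the run is repeatable
    return [rng.randrange(window_min) for _ in range(n_clients)]

def simulate(n_clients, delta_mb, window_min, link_mb_per_min, seed=1):
    """Bucket demand per minute and drain it through one shared link."""
    demand = {}
    for minute in start_minutes(n_clients, window_min, seed):
        demand[minute] = demand.get(minute, 0) + delta_mb

    backlog = 0
    peak_backlog = 0
    minute = 0
    last_start = max(demand)
    # Run until every client has started and the queue is empty.
    while minute <= last_start or backlog > 0:
        backlog += demand.get(minute, 0)
        peak_backlog = max(peak_backlog, backlog)
        backlog = max(0, backlog - link_mb_per_min)
        minute += 1

    return {
        "total_mb": sum(demand.values()),
        "peak_demand_mb": max(demand.values()),   # worst single minute
        "peak_backlog_mb": peak_backlog,          # data waiting on the link
        "drained_after_min": minute,
    }

if __name__ == "__main__":
    # Constructed scenario: 10 clients, 5 MB delta each, 10 MB/min link (assumed).
    for window in (0, 60):
        print(f"window={window:>2} min ->", simulate(10, 5, window, 10))
```

The total transferred is the same in both runs; only the peak demand on the link changes, which is what the randomization settings in the LiveUpdate policy are meant to control.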

     



  • 7.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 08:24 AM
    That's why on Monday, when the computers start, the connection will be slow, because SEP clients take updates, right?
    Thank you.


  • 8.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 09:58 AM
    You are correct :)

    Let me know if you have any questions :)


  • 9.  RE: Deploy virus definitions.

    Posted Sep 09, 2009 10:34 AM
    The propagation of definition updates is based on the configuration that you set up, whether this is pull mode or push mode, and randomized.


  • 10.  RE: Deploy virus definitions.

    Posted Sep 10, 2009 01:16 AM
    Thank you Rafeeq.
    That is what I needed to hear :)
    Have a nice day.