Endpoint Protection Small Business Edition

I am in the process of configuring SEP Manager Small Business Edition 12.1 on a new server.  We currently are running SEPM 11.6 with 11.x clients on all workstations and servers on our network.  The plan is to decommision the current SEPM server and push the new 12.1 client to all machines from the new SEPM server.

So far I have pushed out the new 12.1 client to a few machines sucessfully.  They automatically updated to 12.1 but I noticed Live Update is available.  On the 11.x clients Live Update was greyed out by default and all definitons were pulled from the SEPM.  I do not want 50 machines and servers pulling updates from Live Update individually, that is the point of the SEPM.  Is there just a policy that needs to be set in the SEPM to disable live update?  Thanks.

login inro the console

1. click Policies
2. On Policies page, select LiveUpdate Policy
3. Right-click and click on Edit
4. In the LiveUpdate Policy, click Schedule
5. Uncheck Allow LiveUpdate to run on client computers
6. Click OK

assign this policy to the client

The only option in that policy is "Enable LiveUpdate Scheduling".  I had unchecked this already, so I'm assuming it will just receieve updates from the SEPM with the option of manually running Live Update on the client right?

I dont mind the if the client has the option to manually download from Live Update, just rather have the clients primarily receive the updates from the SEPM to save bandwidth.

Hi,

There are two major SEP products available by Symantec.

1) Enterprise Edition (EE) - Specially used in medium or large scale companies

2) Small Business Edition (SBE)- Supports upto only 100 computers, generally used in small companies.

There are many differences between EE and SBE.

Check this link for more details: http://bit.ly/pQAIoe 

About liveupdate, In EE we have an option to checkmark "Allow users to launch liveupdate manually". If we uncheck that liveupdate tab will become grayed out.

In SBE there is no option to set same settings.

However first clients will contact SEPM to receive update policy. If SEPM failed to provide updates clients will not contact automatically Symantec liveupdate server until and unless user click on liveupdate button.

Hi GBOCK, that is correct, if you have kept the option unchecked, this means the client will take the updates only form the SEPM.

However if you want you can disable the Liveupdate option at the Client side by changing the following registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\

and chnage the values for "AllowManualLiveUpdate" to 0.

This can be done from the GPO so that it can be applied to all the clients...

Cheersss..!!!

AB

Even though the "LiveUpdate" button is enabled on the clients, the clients normally will not conenct to the internet to download LiveUpdates.

Normally clients will download all the content from SEPM, even if the LU button is enabled on the SEP client GUI. Even if users click on the LU button, it is likely to download nothing because the clients should already have the latest LU from the SEPM server (within 4 hours).

So unless you have a special reason to worry about this, I don't think it should be an issue.

Clients will "fail safe" back to the internet LiveUpdate if their AV definitions become old. I forget the exact definition of "old", but if they are over certain date, something like 7 days old (I think), then it will run LU. If this ever happens, it means something is wrong with the connection to SEPM.

Although going to the internet is undesirable, in a situation where SEPM is not working, it might be best to ensure your protected vs. efficient use of bandwidth (obviously this is subjective depending on your condition).

So to recap:

1. Clients will use SEPM to get deltas or full defs as needed, even if the LU button on the client GUI is enabled.
2. If clients are kept up-to-date by SEPM, running the LU button on the client GUI doesn't download content because the client is already up-to-date.
3. If for any reasons the clients are way out-of-date, they will update themselves via the internet. In a health enviroment this should never happen.

Another option:

If this is still an issue for you (and Abhijeet's idea doesn't work), you can setup a local LUA server (LUA = LiveUpdate Administrator). The LUA server has a feature to generate an LU Settings file. You create an LU Settings file that points to an invalid  (127.0.0.1), or valid address (like the LUA server). Then, you take this file and drop it on your clients.

Once the clients have this file, when users click the "LU" button, it will connect to the server you specify instead of the internet LU server. In effect, this is as good as disabling the LU button. To re-enable it, you've got to drop a valid LU Settings file.