Endpoint Protection


Endpoint Clients


  • 1.  Endpoint Clients

    Posted Jan 14, 2013 04:57 PM

    Ok, here's a question for you.  We have a little over a hundred managed clients.  On SEPM, under policies, server settings, I have "Use the default management server" and "use default symantec liveupdate server" checked.  Above it says if both are checked then the client will retrieve updates from both servers.  I did a wireshark capture when one of my clients was updating its definitions, and it communicated directly with the server. 

    My question is though, if the clients are getting defs from the symantec server, is there any way to set "when" they'll receive these updates?  Because when I click on schedule, I'm enabling "Live Update" Scheduling, and it says above "Schedule settings do not control downloads from the default management server".  If that's so, where can I schedule updates my clients get from the management server, not live update?  I'm just getting familiar with Symantec..



  • 2.  RE: Endpoint Clients

    Posted Jan 14, 2013 05:37 PM

    You cannot schedule updates from the default management server to clients. It is done automatically. When clients check in based on their heartbeat, they will receive the command to get an update.

    You can only schedule updates from the Symantec LiveUpdate servers, as you've already seen.



  • 3.  RE: Endpoint Clients

    Posted Jan 14, 2013 06:18 PM

    Ok.  The only thing that's strange to me is that the "default management server" is within the live update policy settings.  So, by default, the management server pushes out new definitions to clients, because I haven't configured intelligent updater to automatically process definition files, or anything else.  Is the management server getting the new def files from Symantec automatically?

    AND, if I want to schedule definitions to be pushed out, I have to use a live update configuration?  Thanks.



  • 4.  RE: Endpoint Clients

    Posted Jan 14, 2013 06:25 PM

    Yes, SEPM will get updates from Symantec LiveUpdate Servers.

    Yes, you can do it this way, just know all clients will go out to LU, which may cause a bandwidth issue.



  • 5.  RE: Endpoint Clients

    Posted Jan 15, 2013 11:44 AM

    Ok, I see now.  Thanks for the clarification!



  • 6.  RE: Endpoint Clients

    Posted Jan 15, 2013 01:51 PM

    The source where the SEPM gets the updates can be set up in the Admin Tab under Server -> Local Site -> Edit Properties ... this can be either Symantec Internet Liveupdate Server or the internal liveupdate Server - machine with installed Symantec Live Update Administrator.

    For the SEPM downloads from Liveupdate Server there is as well a separate schedule.



  • 7.  RE: Endpoint Clients

    Posted Jan 15, 2013 03:46 PM

    The only thing that's strange to me is that the "default management server" is within the live update policy settings.

    I can see where that would be a little confusing; I suppose a more apt name for the policy would be LiveUpdate/Content Delivery Settings, but that gets a bit wordy. (Which version of SEP are you using?)

    Since the clients will get new content from the SEPM if it is available whenever the clients next check in, I suppose you could alter the SEPM's schedule (as SebastianZ notes above) from the default of every four hours to something like 3pm. (Unfortunately, a multiple-daily schedule, specifying something like "Check at 8am, 1pm and 5pm," is not an available option.) Clients continue to check in and upload logs, but they don't get new content until the SEPM gets it.

    However... I don't think I'd do this. SEP virus definitions are updated three times a day, and for security reasons clients should get updates as soon as they can. Also, more frequent updates equal smaller delta files provided to the client, instead of less frequent, larger delta files.

    sandra



  • 8.  RE: Endpoint Clients

    Posted Jan 16, 2013 11:48 AM

    Well, yesterday I set my group settings to "pull" policies every 24 hours, and I'm looking at a client today and it downloaded new definition files three times between 4am and 10am.  It should be only checking in with the server at the pull increment I set, correct?



  • 9.  RE: Endpoint Clients

    Posted Jan 16, 2013 11:56 AM

    Clients should talk to SEPM based on the interval for policy or defs downloads.

    You might have selected Symantec LiveUpdate server as well as Download from Management server.



  • 10.  RE: Endpoint Clients

    Posted Jan 16, 2013 12:08 PM

    On SEPM under Live Update Policy, Use Live update is not checked, third-party management is not checked, only default management server.  Under location-specific settings, I have "pull" selected and to check every 24 hours.  Is there another setting that enables clients to check in to download definitions? 

    When I view the event log on a random client, it's pulling event 200 for downloading definitions then event 7 for loading new definition file 3 times in four hours.



  • 11.  RE: Endpoint Clients

    Posted Jan 16, 2013 12:15 PM

    They check in based on their heartbeat.

    Go to Clients page >> select a group >> Policies tab >> Under Settings select Communications Settings

    On the page that just opened, look at Heartbeat Interval (middle of page)



  • 12.  RE: Endpoint Clients

    Posted Jan 16, 2013 01:38 PM

    Yes, I have heartbeat interval set to 24 hours and randomization to 1 hour.



  • 13.  RE: Endpoint Clients

    Posted Jan 16, 2013 01:41 PM

    It will then take the clients 24 hours to check in and pick up the latest policy. Perhaps they just haven't checked in yet to get the updated policy.



  • 14.  RE: Endpoint Clients

    Posted Jan 16, 2013 01:47 PM

    Are there any network bandwidth consideration or issue for the 24 hours heartbeat setting? Symantec releases 3 definition revisions every day - with 24 hours heartbeat the clients will get only one out of three daily updates or less - which will not provide 100% continuous protection.



  • 15.  RE: Endpoint Clients

    Posted Jan 18, 2013 05:49 PM

    To add to this: The delta file (the difference between the old defs and the new) will be larger than if the clients check in more frequently.

    Don't forget that setting a 24-hour heartbeat means the data within your SEPM will be woefully out of date, since it relies on what the clients send back to you in its logs to populate its information.

    sandra



  • 16.  RE: Endpoint Clients

    Posted Jan 18, 2013 05:56 PM

    Yeah, I'll probably decrease the time a little bit.  The larger increment is just going to work better for our environment.



  • 17.  RE: Endpoint Clients

    Posted Jan 24, 2013 05:16 PM

    All right, so the problem has returned.  I have many clients updating defs every four hours, when all are set in "pull" mode with a heartbeat of 24 hours.  The reason I had set this is mainly, we're getting event id 42, "registration with virus database failed, autoprotect has been disabled".  The strange thing is I've checked every client, and even though they get this error, they're updating fine with the latest definitions, and autoprotect is running. 

    Symantec suggests running Intelligent Updater when you get this error, but the purpose is to update the client when it's failing; but mine aren't, they're just throwing up this error. I ran the updater anyway, but it didn't make a difference.  The reason I want to get rid of these errors is because we have a reporting system for event logs that we can't change.  Any ideas?



  • 18.  RE: Endpoint Clients

    Posted Jan 24, 2013 05:19 PM

    To clarify, these event 42 "autoprotect is disabled" errors are happening constantly, and clogging up our internal reporting system.  Even though the clients are updating fine.
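
One way to check the pattern reported in posts 10 and 17 against exported client logs, as an added example that is not part of the thread or of any Symantec tooling. It assumes a CSV export with timestamp,host,event_id columns (a constructed format with constructed sample rows), uses event IDs 200, 7 and 42 as the posters describe them, and treats an event 42 as resolved when a definition load follows within a hypothetical 6-hour window.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs as described in the thread: download, load new defs, registration failed.
EV_DOWNLOAD, EV_LOAD, EV_REG_FAILED = 200, 7, 42

# Constructed sample export (timestamp,host,event_id); not real log data.
SAMPLE = """\
2013-01-24 04:02:00,PC-01,200
2013-01-24 04:03:00,PC-01,7
2013-01-24 04:03:30,PC-01,42
2013-01-24 08:01:00,PC-01,200
2013-01-24 08:02:00,PC-01,7
2013-01-24 12:05:00,PC-01,200
2013-01-24 12:06:00,PC-01,7
2013-01-24 09:00:00,PC-02,7
2013-01-25 09:30:00,PC-02,7
2013-01-25 10:00:00,PC-02,42
"""

def parse(text):
    """Return events as (datetime, host, event_id), sorted by time."""
    rows = csv.reader(io.StringIO(text))
    events = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, int(eid))
              for ts, host, eid in rows]
    return sorted(events)

def load_intervals(events):
    """Hours between consecutive definition loads (event 7), per host."""
    loads = defaultdict(list)
    for ts, host, eid in events:
        if eid == EV_LOAD:
            loads[host].append(ts)
    return {h: [(b - a).total_seconds() / 3600 for a, b in zip(t, t[1:])]
            for h, t in loads.items()}

def faster_than_heartbeat(events, heartbeat_hours):
    """Hosts that loaded definitions more often than the configured heartbeat."""
    return sorted(h for h, gaps in load_intervals(events).items()
                  if gaps and min(gaps) < heartbeat_hours)

def unresolved_failures(events, window_hours=6):
    """Event 42 records with no definition load on that host within the window."""
    window = timedelta(hours=window_hours)
    loads = [(ts, h) for ts, h, eid in events if eid == EV_LOAD]
    return [(ts, h) for ts, h, eid in events if eid == EV_REG_FAILED
            and not any(lh == h and ts < lt <= ts + window for lt, lh in loads)]
```

Hosts returned by faster_than_heartbeat are the ones whose update cadence does not match the heartbeat set in Communications Settings; hosts returned by unresolved_failures are the event 42 cases worth looking at first, since no definition load followed them.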