
Endpoint Protection 11 definition update size

Created: 12 Nov 2008 • Updated: 23 May 2010 | 11 comments

Hi,

We're running SEPM 11 MR2 and everything is working reasonably well. But we have about 10 remote sites, most with slow links, and they receive a 60MB update every time the definitions are updated. Updating each machine at those sites every day is stressing our network. The server does not download 60MB of updates from Symantec every day so I don't know why it needs to send that much out to the clients every time. Is there a way to make it just send the incremental updates that have been downloaded?

I've done a lot of searching about this and am about to do some detailed testing of my own but I was hoping that someone would have a solution for this. Any help will be greatly appreciated!

Thanks in advance,

Gordon.

CommerceSNI:

I too have witnessed the 60MB downloads right after deployment; this seems to settle down after the clients get what they want from the SEPM. Most of the definition updates are supposed to be reasonably small, like 3.5 MB or less.

 

There are a few strategies to minimize the client downloads such as having a live update server deliver the updates once to each location or using a GUP, then the rest of the clients get updates locally. Plenty of posts here on both of those techniques.

PinnacleCorp:

Thank you for the super-quick reply!  Unfortunately, we've had the server and clients in place for at least 6 months now, so it's not a case that they've just been installed and might settle down.  I've checked most of our workstations since the initial post and they all have the last three definition updates on the local disk.  Each of them is 64-65MB.  Two were created yesterday, one was created the day before that.

 

The difference between the two updates yesterday is only a few KB, indicating that yes it's doing the correct thing and updating the client when new definitions arrive, but surely it should just upload these few KB to the clients, not the whole thing, right?

 

I've thought about adding a GUP to some of our other sites but we've only got a few PCs (average of about 4) in each site and many of them are quite old and becoming more prone to failure (most of the offices are in a particularly. If we had large sites where we were sure that one PC wouldn't get moved around, that might be ok, but it's not really feasible in our environment.

 

Will post more details/findings when I have any.

zer0:

PinnacleCorp,

 

The first thing you should do is prove to yourself that they are pulling down 60MB+ per day.

I would use Wireshark to sniff a typical SEP client to see exactly what is happening. I also use a small tool from AnalogX to monitor the data sent/received but you can use anything you like.

 

The daily updates are supposed to be around 100KB a day and in my experience they are.

The update size then increases depending on how many days the SEP client is out of date up to a maximum of 10 days. Well, it used to be 10 days with SAV...I need to confirm with SEP, but see no reason for them to change it really.

 

The delta is sent out each day to make up the difference.

You can expand the xdb, vdb and jdb files using WinRAR and actually have a look at the incrementals and other files.

The most recent jdb is 35371KB so in the worst case scenario of your clients being turned off for 2 weeks they will all get the full update.

 

Also, when you first install a client the defs are out of date immediately so they will get the full def update.

You can add the newest defs by replacing the vdefhub.zip file in the exported and extracted install package.

Full details here - http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/c7a72ad01d122b13882574330072026a?OpenDocument

 

I need to do some more testing around the exact def update statistics...

Paul Murgatroyd:

nearly :)

 

Assuming your clients are updating daily, they should be pulling between 150-300KB per day. Definition sizes, and hence deltas, have increased a little over the years! This may be spread over the day though, as by default we release three def sets per day and SEPM is configured to check every 4 hours.

 

On the number of days the client is out of date before it pulls a full set, that is no longer controlled by us, but by you. JDBs do not contain delta files like XDBs do. SEPM is capable of generating deltas on the fly. However, in order for it to do that, it needs to have both the starting definition (what the client is currently on) and the final definition (the one the client is requesting to be updated to). If the SEPM does not have BOTH of these definition sets stored, then it cannot create a delta and the client has to pull the full definition set. The number of full def sets we store is configured by the option "Number of Content Revisions to Keep" in Admin, Servers, Local Site Properties, LiveUpdate tab. This is the number of downloads we keep - so if SEPM is checking every 4 hours and we release definitions three times a day, a setting here of 3 is going to mean we are effectively keeping one day's worth of definitions - any client older than a day (ie over the weekend) is going to have to download a full def set.

 

Depending on the options you chose when you installed SEPM, this number will be configured differently - if you chose Simple, then this will be set to 3.  If you chose 1000+ clients, this will be set to 30.  If you upgraded from anything prior to MR2, then it will be set to 10 (the original default).

 

So if you are updating your defs three times per day then you can quickly see that

 

3 sets = 1 day

10 sets = 3.1 days

30 sets = 10 days

 

However, if you were only updating definitions once per day:

 

3 sets = 3 days

10 sets = 10 days

30 sets = 30 days

 

I would check these values first, then take a look at your clients to determine what SEPM is doing.

 

GUPs are of course an option, and will cache requested definitions. The machine doesn't have to be super fast for the numbers you are talking about - in our testing a 256MB XP client can update between 30 and 40 machines per minute with delta definitions without a user noticing the impact.

 

hth

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
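Paul's retention rule above (a delta can only be built when the SEPM still stores both the client's current revision and the latest one, so N stored revisions at three releases a day cover roughly N/3 days) can be checked with a small simulation. The code below is an added example, not Symantec's code and not from anyone in the thread: the Sepm class, the sequential revision numbering, the 60 MB full-set size and the 250 KB per-release delta size are all constructed assumptions; the only inputs taken from the thread are the three releases per day and the 3/10/30 settings.

```python
"""Toy model of SEPM's "Number of Content Revisions to Keep" and its effect on
whether a client pulls a delta or a full definition set.
Added example; the SEPM behaviour is modelled from Paul's description, the
sizes below are constructed sample values (thread: ~60 MB full set, 150-300 KB/day)."""
from dataclasses import dataclass

FULL_SET_BYTES = 60 * 1024 * 1024          # assumed full definition set size
DELTA_BYTES_PER_RELEASE = 250 * 1024       # assumed delta size per missed release


def days_of_history(revisions_to_keep: int, releases_per_day: int) -> float:
    """Days of definition history the SEPM retains (Paul's '3 sets = 1 day' table)."""
    return revisions_to_keep / releases_per_day


@dataclass
class Sepm:
    """A SEPM that stores only the last `revisions_to_keep` content revisions."""
    revisions_to_keep: int
    releases_per_day: int
    latest: int = 0  # sequence number of the newest stored revision (assumed numbering)

    def oldest_retained(self) -> int:
        return max(0, self.latest - self.revisions_to_keep + 1)

    def publish_day(self) -> None:
        """Symantec publishes `releases_per_day` new revisions; the oldest ones age out."""
        self.latest += self.releases_per_day

    def serve(self, client_rev: int) -> tuple[str, int]:
        """What a client sitting on client_rev downloads: nothing, a delta, or a full set.
        A delta is only possible if BOTH the client's revision and the latest are still stored."""
        if client_rev >= self.latest:
            return ("none", 0)
        if client_rev >= self.oldest_retained():
            missed = self.latest - client_rev
            return ("delta", missed * DELTA_BYTES_PER_RELEASE)
        return ("full", FULL_SET_BYTES)


def simulate_client(revisions_to_keep: int, releases_per_day: int,
                    checkin_every_days: int, total_days: int) -> dict:
    """Bytes one client pulls over total_days when it checks in every checkin_every_days days."""
    sepm = Sepm(revisions_to_keep, releases_per_day)
    client_rev = 0
    counts = {"none": 0, "delta": 0, "full": 0}
    total = 0
    for day in range(1, total_days + 1):
        sepm.publish_day()
        if day % checkin_every_days == 0:
            kind, nbytes = sepm.serve(client_rev)
            counts[kind] += 1
            total += nbytes
            client_rev = sepm.latest      # client is now current
    return {"counts": counts, "bytes": total, "mb": round(total / (1024 * 1024), 1)}


if __name__ == "__main__":
    for keep in (3, 10, 30):
        print(f"keep={keep:2d}: {days_of_history(keep, 3):4.1f} days of history at 3 releases/day")
    print("daily check-in, keep=3 :", simulate_client(3, 3, 1, 7))
    print("daily check-in, keep=30:", simulate_client(30, 3, 1, 7))
    print("3-day gap,      keep=10:", simulate_client(10, 3, 3, 9))
    print("4-day gap,      keep=10:", simulate_client(10, 3, 4, 4))
```

With "keep 3" every daily check-in misses the retained window and costs a full set; with "keep 30" the same client pays about 750 KB a day; a 10-revision server covers a three-day gap but not a four-day one, which is the weekend case Paul describes. The per-site figure from the original question (a handful of PCs each pulling a full set daily) falls straight out of `simulate_client` multiplied by the client count.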

zer0:

Thanks for that info Paul... I hadn't gotten around to getting down and dirty with the SEP def updates yet.

I will be though, as it is critical to understand the larger your environment.

Also where the links are marginal...

 

Does the GUP keep the same number of revisions as the SEPM?

 

If I am using liveupdate and http can this all be cached through ISA/squid etc?

So in the instance I have a caching proxy at each office location will the defs be cached after the first client grabs them?

 

Apologies for the thread hijack :)

 

cheers

 

Z

Paul Murgatroyd:

The GUP is configurable...

 

Pre-MR3, it would keep 100 pieces of content (five pieces could be four deltas and one complete set for a single definition set) for up to 7 days after each piece was requested.

 

Post MR3, it is now configurable for number of days, or size on disk.

 

If you have a caching proxy, then the updates should be cached, yes.

Viachaslau Kabak:

It would also be nice to replicate only the delta between the servers.

It is very heavy to replicate 60 MB for each update.

Paul Murgatroyd:

But what happens if a server gets a request for a delta it doesn't have?

 

It's going to have to pull the full definition then... and that will take time...

 

As it stands at the moment, a request like that would result in the client pulling the full def set, which it couldn't do either, because the server hasn't got it... hmmm

 

In MR3 we added the ability NOT to replicate content between SITES, but servers in the same site should be local to the database anyway so I can't really see a need for this.

PinnacleCorp:

I've been checking more of my settings to make sure everything is configured correctly. A few things I've noticed:

1. Although the server is set to download LiveUpdate content daily between 5.30am and 6am, it seems to download it several times each day (if the content is available). I've configured this in Admin - Local Site - Edit Site, Site Properties - LiveUpdate. It doesn't do this every day, but quite often there will be more than one folder for each date on a client PC, each of which is 65MB.

2. I did let Wireshark capture data for a whole day but haven't yet been able to see if SEP copied the entire folder across. Is there an easy way I can filter the results or at least decipher the traffic between my computer and the AV server?

3. Although I've set the LiveUpdate content to only keep one content revision, there are 3 folders with the definitions on each client PC, again 65MB each. Is this by design? Is 3 a minimum?

I noticed someone else has just posted a similar problem - someone suggested that they might be installation packages - is the server perhaps updating the install package automatically then pushing it out to each client for some reason?

Paul - is there anywhere that the update process is explained in the detail you've given so far in your replies, and some examples of how to configure it like that? The manual didn't seem to go into that much detail...

In the meantime, thank you all for your replies so far.

Paul Murgatroyd:

1. Do you have a SEP client on the server with its own LU schedule?

2. Not really; filtering on the SEPM ports (default for pre-MR3: 80, post-MR3: 8014) should help a bit.

3. You should be able to set it to 1, but I would have to double check

 

Depends what you want... I've already covered most of the update process in other posts and we have KB's on the support site - what specific details do you want? 

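Paul's port filter is enough to answer PinnacleCorp's Wireshark question by measurement: sum the bytes the SEPM sends from port 80 or 8014 to each client per day, and a ~60 MB day stands out from a few hundred KB of deltas. The script below is an added example, not from the thread or from Symantec. The capture rows are constructed here (the CSV shape is that of a `tshark -T fields` export, which is how a real capture would be fed in), and the server address 10.0.0.5, the client addresses and the 50 MB "looks like a full set" threshold are all assumed.

```python
"""Per-client, per-day download volume from the SEPM's update port.
Added example. Input is CSV in the shape of
  tshark -r day.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst \
         -e tcp.srcport -e tcp.dstport -e frame.len
The sample rows below are constructed, not a real capture."""
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO

SEPM_PORTS = {80, 8014}                  # thread: default 80 pre-MR3, 8014 post-MR3
SEPM_SERVER = "10.0.0.5"                 # assumed SEPM address
FULL_SET_THRESHOLD = 50 * 1024 * 1024    # assumed: this much in a day means a full def set


def make_sample_capture() -> str:
    """Constructed capture: one remote client pulls a full set on day 1 and a delta on
    day 2, another pulls deltas both days, plus traffic that must not be counted."""
    day1 = 1226534400  # 2008-11-13 00:00 UTC
    day2 = 1226620800  # 2008-11-14 00:00 UTC
    rows = []

    def burst(start, src, dst, sport, dport, frames, length):
        for i in range(frames):
            rows.append(f"{start + i * 0.01:.2f},{src},{dst},{sport},{dport},{length}")

    burst(day1 + 6 * 3600, SEPM_SERVER, "10.1.0.11", 8014, 49152, 44000, 1514)  # ~63 MB
    burst(day2 + 6 * 3600, SEPM_SERVER, "10.1.0.11", 8014, 49153, 180, 1514)    # ~266 KB
    burst(day1 + 6 * 3600, SEPM_SERVER, "10.1.0.12", 8014, 50001, 170, 1514)
    burst(day2 + 6 * 3600, SEPM_SERVER, "10.1.0.12", 8014, 50002, 190, 1514)
    # noise: client ACKs toward the SEPM (wrong direction) and unrelated HTTPS browsing
    burst(day1 + 6 * 3600, "10.1.0.11", SEPM_SERVER, 49152, 8014, 20000, 66)
    burst(day1 + 9 * 3600, "198.51.100.7", "10.1.0.11", 443, 51000, 5000, 1514)
    return "\n".join(rows) + "\n"


def sepm_download_per_client_day(capture_csv: str) -> dict[tuple[str, str], int]:
    """Sum frame bytes sent FROM the SEPM update port TO each client, bucketed by UTC day."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for row in csv.reader(StringIO(capture_csv)):
        if len(row) != 6:
            continue
        ts, src, dst, sport, _dport, length = row
        if src != SEPM_SERVER or int(sport) not in SEPM_PORTS:
            continue
        day = datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d")
        totals[(dst, day)] += int(length)
    return dict(totals)


def classify(nbytes: int) -> str:
    """Label a day's volume the way the thread talks about it."""
    if nbytes >= FULL_SET_THRESHOLD:
        return "full set"
    return "delta" if nbytes > 0 else "idle"


def report(capture_csv: str) -> list[tuple[str, str, int, str]]:
    """Sorted (client, day, bytes, label) rows for a capture."""
    per_day = sepm_download_per_client_day(capture_csv)
    return sorted((client, day, n, classify(n)) for (client, day), n in per_day.items())


if __name__ == "__main__":
    for client, day, n, label in report(make_sample_capture()):
        print(f"{client:12s} {day}  {n / (1024 * 1024):7.2f} MB  {label}")
```

A client that shows "full set" day after day is the symptom from the original question; cross-checking that client's definition revision against the server's "Number of Content Revisions to Keep" setting tells you whether the server simply no longer had the client's starting revision to build a delta from.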

PinnacleCorp:

Hi Paul,

1. No SEP client on the server, just the LiveUpdate component that was installed with SEPM. It does seem to be downloading it once per day but this is even more confusing because some of the clients will have multiple folders for one day.

2. I'll try to analyse the Wireshark data some more this afternoon.

3. The server is set to hold one day's content - is it maybe because the server isn't holding enough of a history that the clients need to download the entire file?

About the LiveUpdate, I'd like to know what exactly it downloads (the new definitions), where it puts it, when it uploads to the clients (or how it decides when to do it), and where it puts it on each client. But, I appreciate that you've probably explained this many times already. I'll have another search for that. If you happen to have a couple of the KB article addresses to hand though, that'd be great.