Endpoint Protection

Did a search before posting this but cannot find a related discussion.. so here goes...

Our SEPM LiveUpdate policy is only setup at 4AM daily. But on all computers, it is showing Event ID 7 - New virus definition file loaded. Version: xxxxxxx randomly 3 times a day, at ~4 to 5am, ~12 - 1pm, ~6 - 7pm.

We only wanted to get the clients updated at around 4am once a day. Is there a solution / workaround / fix for this?

Thanks.

Ian Zarzuela

Do you have shared policy for the clients?  Or are they setup individually?  And are you sure the clients are not set to go to the internet for updates instead of the SEPM?

 in SEPM - Admin -Servers - Local Site- Properties - Liveupdate. Make sure you have set it for you 4pm daily.

then SEPM - Policies- Liveupdate -Policy -Server Settings
Make sure only "Default Management server is checked"
Uncheck the second one "Symantec liveupdate server"

>techbeck, yes, we have shared as well as per group non-shared policy.  Some groups are configured to get their update via Group Update Provider.  Previously, it was set to use LiveUpdate, set the time at 4am only, but we started to noticed a network slowdown during 12-1pm and 6-7 pm.  Last week, I un-checked Use a LiveUpdate server and that also disabled LiveUpdate Scheduling.  When I looked at the clients' applicatio nlogs, they are still downloading virus defs 3 times a day.

I alos noticed that each Virus update is now around 116MB per client, look at C:\Program Files\Common Files\Symantec Shared\VirusDefs and check the size of each folder.  Imagine each client getting this update from the server 3 times a day, multiply that by the number of computers we have, around 120 servers and a thousand clients, and the impact on our network.

We're looking for a way to just turn off LiveUpdate services during business hours.

> Vikram, yes, we did that 4 days ago, made sure only "Default Management server is checked".  But based on application logs from some computers, it's still loading virus defs thrice per day.

I would look at what Vikram posted then...

Also check the LUA and make sure nothing is scheduled to DL to distribution servers or other SEPMs during business hours.

Physically check each client folders update settings and make sure you dont have one miss configured someplace.  I had an issue where some clients were set to do weekly scans at 12am when it should be 12pm.  I just screwed up.  Had to check each client group to make sure it was set for 12pm.  Of course, this went away when I finally instituted a shared policy.

you must check "Use LiveUpdate Server" and then set the schedule for 4PM daily in scheme panel. click "OK"
second, open LiveUpdate policy uncheck "Use LiveUpdate Server" and then to click "OK"
only "Default Management server is checked"

if ont, when you set 4PM daily and to uncheck "Use LiveUpdate Server" the schedule can not to apply.

But, i have a question that where are the LiveUpdate policy save in client?

First in LU policy---->server settings assure that  you are selected only two things-- Management server and Group Update Provider for all groups.
Second assure that all clients getting  this policy .This you can find out by matching the policy sl. no. of the corresponding group in the server and the policy in the clients. If you made any chage in the policy this sl. no. will get changed.

HI AravindKM

but what is sl.no? i can't find it in SEPM.  Thanks

Login to SEPM .Go to Clients .Here select the group which you want to know the policy sl. no.In right side click on details.Here you will get this in formation.

  If you want to know the policy sl. no. in the client,open client GUI go to Help and Support----->Troubleshooting --->Management,here you will get this info. 

This policy sl. no. will change if any policy change happens for that group(Time stamp part).

Hi lanZ,

Sorry to let you know that this is not possible if the clients are managed. Managed clients get the updates in every heartbeat.

As a workaround, you can increase the heartbeat interval. I know this is a kind of unacceptable solution.

or

Set up LiveUpdate Administrator in the network, and make the clients to contact the internal LiveUpdate Server instead of the default management server.

 If he set his SEPM to download the updates once in a day he can achieve his goal,right?

Ok AravindKM

i find it.
in Chinese version, the "sl. no. "has been translate into "策略序列号"(Policy Number).
so i don't know what is "sl. no."
thank you for your help

That's a good idea. yes?

I will not say this a solution, but will control the number of updates loaded in a day.

Hi,

All the policies are saved in various dat files stored on the client.

When the client downloads the index.xml file, it will check if the hash value for the policies has changed. If the hash is different, then it needs to download the policies.

Once the client downloads all the XML files from SEPM, they will be parsed and information will be stored in the appropriate files.

https://www-secure.symantec.com/connect/videos/about-communication-between-sep-sepm

Aniket

i suggested it as a workaround.I this this will server his purpose.. 

This is what I did....

I have one SEPM at the main office and all of our branch severs have the updates pushed to them.  The clients at each location knows to get the updates from the local server.

At 2am in the morning I have the SEPM LUA scheduled to DL all the updates and push to the branch servers. 

>Prashant, I will try to change the heartbeat interval and will advise you if that worked.

I finally received an acknowledgement from Symantec Support after filing a case last week.  I was told to run Symantec Endpoint Protection Support Tool on the manager.  In our experience with support, it's going to take a lot of time back and forth.  I will rather try the suggested solutions first.

Thanks to all of you.  If not for this forum, I will be googling and binging all the time for a solution while waiting for Symantec support to respond to my case.

Have a look in this article also
Tips For Installing SEP In A Low Bandwidth Environment