Endpoint Protection

SSC 10.1.6.6 Supporting 1200+ remote windows XP clients - I just got a look at our network utilization for the previous month and it would appear that a larger spike in bandwidth utilization in the afternoon is due to clients all coming to the parent server to download the latest virus definitions at once. I know that you can configure how often the clients will check for definition updates, but is there a server configuration item that will limit the amount of concurrent definition downloads so that we could potentially flatten out this spike (and potentially decrease our monthly usage costs)?

There are a large number of ways you can fine tune the server bandwidth utilisation.

Check this document - http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b8d98400b78a9f018825704d005ef4a5?OpenDocument

 

When the server gets the new def file it pushes it out to the clients.

It does this based on last-check in time, which you can see in the console.

Server thread tuning can help you tune the amount of concurrent updates occuring.

You can then tune the server via the registry to use one thread per subnet.

 

Whether these settings help in your environment, is dependant on your particular requirements.

 

If you give us more info on your environment we can help you out more.

 

Z

Thank you for that document link. I have not previously touched the server tuning options so right now the Number of threads to use during rollout is set to the default of 5. In the environment I am supporting we have many subnets, this number is definitely greater than the maximum recommended number of threads according to the documentation (30) so I am not sure if assigning one thread per subnet is beneficial here or not? The environment is essentially all based on VPN connections into the datacenter per client, currently of which a large majority of these clients operate on a dial up connection so for the most part these clients are disconnected for 99% of the day (connection period is triggered 12am-5am).The SAV server is a Win2k3 Xeon 3050 (2.13Ghz) with 2 GB RAM currently servicing about 1350 clients.

 

I am curious about the "start a rollout every X minutes" setting in the rollout and management options, does this setting basically imply that only 5 clients can update per every 17 minute period? Would enabling the option "Skip clients that are late checking in (and are probably offline)" help minimize bandwidth utilization during the daytime when the dial up clients are offline? What effect does this setting have on a client that is disconnected, will it try to push an update to an offline client within a set time interval? Thanks for any advice/suggestions.