Endpoint Protection

Looking for suggestions - LiveUpdate configuration

  • 1.  Looking for suggestions - LiveUpdate configuration

    Posted Mar 11, 2009 08:36 AM

    SEP 11, MR4 MP1a, all the latest. Got there through mostly patches and updates, started with MR2 last year.

    With all SAV products, I rigged updates to take place every hour. I used LU once a day, but used a script to download definitions once an hour - if they existed. Sometimes that got me 2 or 3 updates a day, but always ensured my systems were CURRENT to within an hour of what Symantec released.

    Now comes SEP. I think I have SEM set up to run LU once an hour to check for all updates except the client, which I deal with myself in packages, etc. - I download the CDs from fileconnect and control versions of the software myself. That way I have some version control and always know what the PRODUCT is sitting at. I keep SEP on the clients and servers and SEM servers typically all running the same version (after some testing, of course).

    LU - I assume when I go into the structure and set it to run every hour that it's SEM that's doing the downloading of the updates. Then when it gets updates, the clients run LU to get updates from SEM - is that correct?

    How do most folks here handle this - with the idea that I always want the latest definitions for EVERYTHING. Being a gov't agency, with some offices sitting in colleges and universities, we're pretty much always at risk. I never want to be "out of date" with any definitions and in fact, don't mind being on the bleeding edge for the defs. (It's the client software that I prefer not to bleed!)

    How are your updates set up, and what do you recommend? PERFORMANCE is also an issue, I see LU pegs both the servers and the clients at times.



  • 2.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 11, 2009 01:30 PM

    Hi ShadowsPapa,

    If SEPM is set up to run LiveUpdate once an hour, then it will do so. The SEPM itself will run LiveUpdate and, if updates are available, will download these updates and add them to the database of content that the SEPM is able to deliver. Clients will check with the SEPM during their normal heartbeat process and when it is found that the SEPM has newer definitions, the clients will request these and will update within their standard heartbeat cycle. I hope that helps, but what are other folks doing that may help him?



  • 3.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 11, 2009 03:09 PM

    We are just rolling it out now. The Management Server polls for updates every 4 hours.

    Corporate clients have the LU policy to only get updates from the Management Server.

    Laptop users will use the corporate policy when attached to the corporate network and a Location Based Policy that allows them to get updates from Symantec when not on the corporate network. Definition updates only.

    As more scenarios develop (certainly for mobile users) we will have to create more complex combinations of Location Based Policies.



  • 4.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 11, 2009 03:11 PM

    I run LU on each of my SEPM servers every 4 hours and keep 12 content revisions to reduce the amount of bandwidth for client definition updates. My client heartbeat is set for one hour in pull mode. I have one primary SEPM server and two replicated servers along with nine GUPs.

    Performance is not an issue as I have not seen LU pegging my servers or clients. I think that the number of content revisions helps to reduce bandwidth between the client and SEPMs and GUPs.

    Yes, when the SEPM gets the latest definitions and installs them on the manager, when the clients check in, they will download the definitions.

    Having the latest definitions is not always the best practice to follow.  Do you remember the 11/21/07 rev 002 definitions that killed the LU process for clients?  Just saying... :-)



  • 5.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 12, 2009 08:29 AM

    toko - thanks for that thought - I think I need to be working with and LEARNING HOW TO USE the location manager. We have a few notebooks, growing in number quickly, that connect to us a LOT using like college and library wireless and VPN, etc. Might be good to get those set up with location awareness and have them update via Symantec servers.

    I only do the definitions and protection updates, not the client software updates, via LU. I have that box unchecked. I'd rather download the CDs myself and control that. Actually, having the latest definitions has saved our butts a number of times in places I've worked. It's only hurt once or twice, and that was readily fixed. Nothing bad happened here at 11/21/07 - we were running SAV 10.xxx and it just kept chugging along! I had a script then to check defs every hour, I think I was getting rapid-release if I recall. Anyway, I updated the parent servers via this script (actually the master/primary) and it applied to the servers, the parents, then rolled to the clients. So I guess I wasn't even using LU then at all, in reality!



  • 6.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 08:33 AM

    RickJDS - content revisions - good topic. I do have questions about that. Why does keeping more, or a larger history help? We have no space issues, the SQL database is on a powerful server.

    But why would keeping say 3 (default??) be not as good as keeping 12, for example? Maybe I missed something in my reading, or am "just not getting" what that is for.........

    I saw another computer REALLY REALLY slow doing EVERYTHING and in the task list was LU  - lucoms~1  and LUCALLBACKPOLICY and one other, it varied 2 to 3 LU related items in the running tasks. It was that way for several minutes even though there were no new definitions and the computer is ALWAYS on so never behind for more than a day on any defs, and the client software isn't included, only defs.........



  • 7.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 09:02 AM

    Content Revisions really only come into play when you have clients that are updating from their management server (SEPM). Let's get a few points straight first:

    1. Symantec releases 3 sets of content per day for SEP

    2. The default interval for the SEPMs to run LiveUpdate is every 4 hours

    This means (as you can work out) that we are going to download 3 sets of content every day. By storing 3 sets of content that means we can store 1 day's worth of content. Now, what does that mean for your clients?

    When a client checks in, it tells the server what content version it has. At the same time, the client also pulls information from the server which tells it what the latest content version is. If those two versions don't match, the client requests updated content, either from the SEPM, or from the GUP. At that point, the SEPM has to work out if it can provide the requested content. In order to provide the requested content, the server MUST have stored the content version that the client is already running AND the content version it wants to move to. If it has both of these, then it can create a delta for the client. If it doesn't have both sets of required content, then it CANNOT create a delta and provides the client with the FULL content set - this is currently around 42MB.

    So, the content revisions basically control how long a server can create deltas for. 3 sets of content would just about allow the clients to get deltas from one day to the next and will be fine if all clients are LAN connected (since 40MB over the LAN to a few computers is nothing). However, without too much maths you can quickly see that computers that are turned off over the weekend will need a full content set on Monday morning, since we don't stop producing content over the weekend (like some other vendors do). With that in mind, 12 represents a good number, since it will take you through the weekend. If you want to support any large number of remote clients updating from the SEPM, then you should consider increasing this even more.

    Hope that helps explain content revisions
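
The delta-or-full decision described in post 7, modelled as an added example; it is not part of the original thread and is not Symantec's code. The class and function names are hypothetical, releases are assumed to be evenly spaced 8 hours apart, and the offline durations are constructed sample values.

```python
from collections import deque

HOURS_PER_RELEASE = 8   # thread: 3 content sets per day; even spacing is assumed
FULL_CONTENT_MB = 42    # thread: approximate size of a full content set


class ContentStore:
    """Hypothetical model of the revisions a management server retains."""

    def __init__(self, keep):
        self.revisions = deque(maxlen=keep)  # oldest revision drops off when full

    def publish(self, rev):
        self.revisions.append(rev)

    def latest(self):
        return self.revisions[-1]

    def serve(self, client_rev):
        """Return 'none', 'delta' or 'full' for a client running client_rev."""
        if client_rev == self.latest():
            return "none"
        # A delta needs both the client's revision and the target revision.
        return "delta" if client_rev in self.revisions else "full"


def outcome(keep, hours_offline):
    """Outcome for a client that was current, then offline for hours_offline."""
    missed = hours_offline // HOURS_PER_RELEASE
    store = ContentStore(keep)
    for rev in range(missed + keep + 1):
        store.publish(rev)
    return store.serve(store.latest() - missed)


def full_download_mb(keep, fleet_hours_offline):
    """Total MB of full content sets served to a fleet at check-in."""
    fulls = sum(1 for h in fleet_hours_offline if outcome(keep, h) == "full")
    return fulls * FULL_CONTENT_MB


# Constructed sample fleet: overnight, a weekend, two weeks away.
FLEET = [16, 62, 336]

if __name__ == "__main__":
    for keep in (3, 12, 45):
        print(keep, [outcome(keep, h) for h in FLEET], full_download_mb(keep, FLEET), "MB full")
```

In this model a client gets a delta only while it has missed fewer releases than the number of retained revisions, so sizing the retention to the longest expected absence is what keeps full content sets off the WAN.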



  • 8.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 09:42 AM

    That is a great explanation and shows why keeping a bit more content history can help.

    In our case, most computers are connected regularly or at all times, but notebooks may be offline for 3 or 4 days, even 2 or 3 weeks, and even some desktops, people do what they want and turn them off, sometimes for days, even though we've insisted that they be left on. So we need to compensate for people who won't follow directions or ignore us, or even cases where through no one's fault, a computer is off for some reason.

    I'd better up our content retention. We have the space, not an issue. But 40 meg across our WAN is an issue! People complain already about speed issues.........



  • 9.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 09:51 AM

    Of course, for those more "remote" machines, you can simply point them direct to LiveUpdate, which will allow them to get delta updates for up to 12 months (the bandwidth usage is likely to be similar to deltas from the SEPM, but if they are just on the internet, it may help there).



  • 10.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 09:59 AM

    I need to set up location awareness for that as the computers - mostly notebooks, may be on our network for most of the time, but perhaps for a few hours or a day or two, be elsewhere.......... and I'll need to study that as I know so little about it........ but it is a suggestion for those who are more remote than others, or have special bandwidth considerations.

    I'd group them, but some of them don't stay put! I guess that's sort of the point of having a notebook, though.



  • 11.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 13, 2009 10:55 AM

    We have SEPM checking every 4 hours.

    We also have the clients receiving updates from SEPM, as well as once a day from Symantec directly, just in case of communication issues on the WAN, or if the server goes down.



  • 12.  RE: Looking for suggestions - LiveUpdate configuration

    Posted Mar 14, 2009 12:54 PM

    Bill,

    As described below SEPM will only download "certified" definitions which is 3 times per day. If you want to download "rapid release" definitions compatible with SEP I modified XDBdown script to do so. PM me if you want it.