Endpoint Protection

  • 1.  Manual Incremental Updates

    Posted Apr 20, 2016 02:01 PM

    Scenario:

    There's one main 2003 R2 domain server with say 40 or 50 workstations connected to it.  The server has no internet connection.

    Now I know I can manually get the new definitions from here:

    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep

    And this page describes how to install them:

    https://support.symantec.com/en_US/article.TECH102607.html

    That's all fine and dandy.  I've already done this, everything is working perfectly.  Now my question is, the next time I want to update, and I inject this file into SEPM on the server, will all the workstations try to download a brand-new 500+MB .jdb file off the server, thus crashing my network (for lack of bandwidth)?  Or will they only try to pull a part of the file for an incremental update?

    Thanks



  • 2.  RE: Manual Incremental Updates

    Posted Apr 20, 2016 04:09 PM

    They should only pull down the delta as long as the SEPM has it available.



  • 3.  RE: Manual Incremental Updates

    Posted Apr 21, 2016 03:56 AM

    You can see evidence of this for yourself.

    Just take a look at the below logs, these will tell you what files your clients are downloading to perform updates.  If you see full.zip, then they are downloading the big file (for whichever corresponding def type, be that AV, SONAR, IPS or whatever).  If you see xdelta*********_To_*********.dax, then they are downloading the incremental update files.

    Go to Monitors -> Logs

    Log Type: System

    Log Content: Client Activity

    Open Advanced Settings

    In the Event Source field, put in a filter of: SYLINK

    Click View Logs
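
The log check described in the post above can be scripted once the filtered view is saved to a file. This is an added example, not part of the original post and not Symantec code: the CSV layout, the column names `Host` and `Description`, and the sample rows are constructed assumptions, and only the `full.zip` and `xdelta..._To_....dax` file-name patterns come from the post.

```python
import csv
import io
import re
from collections import defaultdict

# File-name patterns from the post: full.zip is a full definition package,
# xdelta<from>_To_<to>.dax is an incremental (delta) package.
FULL_RE = re.compile(r"\bfull\.zip\b", re.IGNORECASE)
DELTA_RE = re.compile(r"\bxdelta\w+?_To_\w+?\.dax\b", re.IGNORECASE)

# Constructed sample export (assumed layout, not real SEPM output).
SAMPLE_EXPORT = """\
Time,Host,Event Source,Description
2016-04-21 09:00:01,WS-001,SYLINK,Downloaded content/AV/xdelta160419001_To_160420002.dax
2016-04-21 09:00:07,WS-002,SYLINK,Downloaded content/AV/full.zip
2016-04-21 09:01:12,WS-001,SYLINK,Downloaded content/IPS/xdelta160418003_To_160420001.dax
2016-04-21 09:02:30,WS-003,SYLINK,Downloaded content/AV/full.zip
2016-04-21 09:03:44,WS-003,SYLINK,Downloaded content/SONAR/Full.zip
2016-04-21 09:04:00,WS-004,SYLINK,Heartbeat completed
"""


def tally_downloads(export_text, host_col="Host", msg_col="Description"):
    """Return {host: {"full": n, "delta": n}} for hosts that downloaded content."""
    counts = defaultdict(lambda: {"full": 0, "delta": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        msg = row.get(msg_col) or ""
        host = row.get(host_col) or "unknown"
        if DELTA_RE.search(msg):
            counts[host]["delta"] += 1
        elif FULL_RE.search(msg):
            counts[host]["full"] += 1
    return dict(counts)


def hosts_pulling_full(counts):
    """Hosts with at least one full download, heaviest first, then by name."""
    hosts = [h for h, c in counts.items() if c["full"] > 0]
    return sorted(hosts, key=lambda h: (-counts[h]["full"], h))


if __name__ == "__main__":
    tally = tally_downloads(SAMPLE_EXPORT)
    for host in sorted(tally):
        print(f"{host}: full={tally[host]['full']} delta={tally[host]['delta']}")
    print("Pulling full packages:", ", ".join(hosts_pulling_full(tally)))
```

Hosts listed as pulling full packages are the ones to stagger or update by hand before the next definition import.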



  • 4.  RE: Manual Incremental Updates

    Trusted Advisor
    Posted Apr 21, 2016 04:06 AM

    They will only pull a full def file dependent on how regularly you are doing the update and if the machines are constantly online. If you update the SEPM daily and the machines are on daily they will pull the smaller delta files from the SEPM. If the machines are only updated say every week or machines are offline for a number of days they will pull a full def file from the SEPM.

    It's all dependent on the number of revisions available on the SEPM and how regularly you are updating the SEPM manually.



  • 5.  RE: Manual Incremental Updates

    Posted Apr 21, 2016 02:13 PM

    Thank you everyone for your answers...

    GeoGeo:

    So is it safe to say that if I'm only on-site once every few months at minimum, they'll be pulling the full 500mb?
     

    Hmmm...  Can you think of a way to mitigate the excessive drain on network resources if this happens?  Maybe turn on 5 computers at a time, let them update, then the next 5?

     

    Thanks



  • 6.  RE: Manual Incremental Updates

    Trusted Advisor
    Posted Apr 21, 2016 02:40 PM

    Yes, if the client has not been online for a while, it will pull the full file.

    This is what I have set up at the moment - https://support.symantec.com/en_US/article.TECH201290.html - it has helped us to manage our bandwidth.

    Also randomization of download helps as well.



  • 7.  RE: Manual Incremental Updates

    Trusted Advisor
    Posted Apr 22, 2016 09:31 AM

    Yes that's correct. 

    You could also restrict the download amount, if you manually have access to the machines, by using the Intelligent Updater file. Download it, copy the file to each of the machines, double-click it, and it will update the defs.
    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep



  • 8.  RE: Manual Incremental Updates

    Posted Apr 25, 2016 03:47 AM

    I'd highly recommend you check out the logs as I mentioned as a first step.

    The downloading of full defs is not exactly a time-based thing.  The real defining factor is whether or not the SEPM has the def versions the client is moving from, and those it is moving to.  As long as it has an unbroken chain of deltas between the two, then it should be able to generate delta defs for the client.