Endpoint Protection

Hi everyone, I'm trying to understand the following phrase (from LiveUpdate Administrator Installation Guide):

Note: Even with a single content update revision, LiveUpdate Administrator can typically provide incremental content updates to connecting clients that have content outdated for up to 12 months.

I know how SEPM works to provide delta-update: summarizing, if the client has a definition older than the oldest one present on SEPM, delta-update cannot be provided and the client should download full definition.
This in SEPM.

How can LUA provide incremental content update (for me, delta-update) up to 12 months with 1 definition only?

Any help and explanation in easy way to understand this logic would be greatly appreciated . Thanks 

Any 1 ? ??

The LUA doesn't offer incremental updates it will be a full def download but you can set the config to purge the downloads and database using the config to store defintions that can be accessed. When the LUA downlaods it checks what it has already downloaded and then downloads only the extra elements it needs on top of what it has to try and reduce the ammount that it downloads. 

So that entry in the guide seems to be trying to explain the incremental way the LUA downloads it's own updates e.g. If you cleared the LUA and started from scratch the intial download for everything would say be about 16GB then the LUA checks what it has already and downlaods incremental updates to bring itself up to date so the next days download woulf be ablut 4GB. Hope that helps. 

Thanks for the reply Geo , Actually I asked this question from the prespective of SEP endpoints please read the below line carefully again.

" Note: Even with a single content update revision, LiveUpdate Administrator can typically provide incremental content updates to connecting clients that have content outdated for up to 12 months "

Here is it taking about LUA providing definations to EP endpoints that it will provide clients incremental definations even if they are outdated for 1 full year.

Am I missing or not understandng something clearly ?

Thanks and Regards 

Single Content Downloaded to LU admin on 16-12-2015

Now if a client who was offline from past 1 year when it comes online, Luadmin can update this client.

Rafeeq for example if the client came back after one year obviosly it will get a full update.zip which will be of the most recent date right ? so what's the point and benifet using LUA here ?

Thanks for your reply Rafeeq. Actually we have lots of ATM machines that are distributed all over the country with slow WAN links. Now we have also enabled multiple GUPs in the envoirement and for content revisions we have set the value to 180 ( This is the maximum we can go on SEPM) to provide delta updates to these geographically distribured ATMs having very slow WAN links which doesnt come online very often for months to get defs from GUPs due to certain limitations beyond my control. This is one of the reason which lured us to try and use LUA to see if it addresses this problem of very minimum update package.

This line really caught my attention "" Note: Even with a single content update revision, LiveUpdate Administrator can typically provide incremental content updates to connecting clients that have content outdated for up to 12 months "

Keeping the above statement into consideration , for example if they client came back online after 5 months would it grab full.zip from LUA or it will be an incremental update ? in this case of incremental update what would be the approximate size of this package ?

Any help would be really appreciated. Thanks 

Luadmin can update this outdated 6 months client only with Incremental updates, 

Luadmin has the machanism of providing incremental updates which SEPM dosen't ( as far as I know)

If its was with SEPM then it would provide full.zip based on the number of content revision stored.

Hi SymSpec,

From current experience and running multiple different environments with LUA's this doesn't happen. I don't know if this is a new feature but all the LUA's I've tested don't do this 

Although the best practice guide makes reference to it also
https://support.symantec.com/en_US/article.TECH93409.html

NOTE: These numbers are based on a 2-10 KB TRI file + 450 KB delta definition package. Which is typical for SEP 12.1 Clients for Windows clients that are 1 revision out of date. If clients are further out of date, or require a full definition set, the bandwidth utilized will be significantly higher (As high as 180MB per client). The amount of internal bandwidth used by clients updating from an LUA server will be identical to the external bandwidth required for the same client to update from the public LiveUpdate servers.

So Rafeeq what I am understanding is within this time frame of 1 year whenever the client comes online it will always take incrremental updates from the LUA . Can you tell me what usually is the approximate size of this icremental update for example if client is running definations that are 4 months older ? Some rough estimate ?

Thanks and Regards 

Mick has a nice article on this

https://www-secure.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions

Thanks for sharing the link but the information is nearly 3 months older and that to for a older version so  I fear that perhaps it is not accurate keeping into consideration today's envoirement. Regards 

You can trust Mick :) , I do.

Rafeeq let me correct its not 3 months instead 3 years the Tech note was released back in 2012 so I am not very much sure.  Thanks 

Hi SymSpec,
I know this link is from 2012 also but it does clearly state a symantec employee saying the LUA can update with deltas
https://www-secure.symantec.com/connect/forums/liveupdate-administrator-and-sepm-together

From all the bandwidth testing we've done though I've yet to see this working 

Hello,

Why not look at the Experts Articles as below - 

A Helpful LiveUpdate Administrator 2.x Analogy

https://www-secure.symantec.com/connect/articles/helpful-liveupdate-administrator-2x-analogy

How Big are Current Symantec Endpoint Protection Definitions?

https://www-secure.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions

Managing LiveUpdate Administrator 2.x Space Usage

https://www-secure.symantec.com/connect/articles/managing-liveupdate-administrator-2x-space-usage

Knowledgebase Articles for Liveupdate Administrator (LUA)

https://www-secure.symantec.com/connect/articles/knowledgebase-articles-liveupdate-administrator-lua

The above articles would provide you all the information you would ever need about LUA.

Regards,

Hi,

LUA can store 12 months data but you need huge amount of disk space for that. Because it can store 1 year old data so can provide incremental content update for 12 months old client as well.  

So even if we somehow manage to get enough space on LUA to store one year worth of definations ultimately each client that comes online within this span of time will essentially download an incremental package that will be around 200 MB for each client ( assuming full.zip is of 400 MB) so we cannot reduce this incremental update size to as low as delta upgrade few MBs when serverd from either a SEPM or GUP server.

ultimately the delta served by the LUA will get bigger and bigger the time difference between the definition on the client and current definition available on LUA is longer. and the delta's served by LUA is slightly bigger than that of the delta served by the SEPM for the same time difference on the client and SEPM/LUA.

on after thought honestly how many computer are going to be out network for that long ? and even other wise why cant you create a location awareness settings allowing the mobile client to get its definitions directly from symantec live update servers ?

Hi Praveen thanks for your reply. Actually below is the scenerio which is luring us to use LUA which might smoothens up the things.

Actually we have lots of ATM machines around 1k that are distributed all over the country with slow WAN settalite links. Now we have also enabled multiple GUPs in the envoirement and for content revisions we have set the value to 180 ( This is the maximum we can go on SEPM) to provide delta updates to these geographically distribured ATMs having very slow WAN links which doesnt come online very often for months to get defs from GUPs due to certain limitations beyond our control. This is one of the reason which lured us to try and use LUA to see if it addresses this problem of very minimum update package size.