Endpoint Protection

  • 1.  Preferred retention period of virus definitions in servers

    Posted Jul 14, 2015 04:02 PM

    Hi friends,

    I'm using Symantec AV 12.x. I'm facing a low disk space issue on most of the servers due to the virus definitions generated in the following path:

    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs. I need a proper retention period for those definitions so that I can delete old definitions to avoid the space crunch issue on the servers. I'm expecting a solution that will not affect the smooth functioning of SEP on the servers.

     

    Regards,

    Jaril 



  • 2.  RE: Preferred retention period of virus definitions in servers

    Posted Jul 14, 2015 04:30 PM

    SEP 12.1 client keeps only the latest definitions and deletes the rest on client computers.

    The existence of old definitions (because they are marked for deletion rather than being deleted then and there), thereby causing low disk space issues, is a known issue in SEP client versions prior to 12.1 RU2. This issue has been fixed in SEP 12.1 RU2.

    I would suggest you upgrade the SEP clients to the latest version (or at least to 12.1 RU2) to resolve the low disk space issue caused by the existence of multiple definition revisions on SEP 12.1 clients.



  • 3.  RE: Preferred retention period of virus definitions in servers

    Posted Jul 14, 2015 04:34 PM

    I would suggest getting to 12.1.6 as the whole content structure has been rebuilt to save on space.

    Upgrade or migrate to Symantec Endpoint Protection 12.1.6

    Do your clients remain online most of the time or are they mobile? If always on the network, you could probably get away with setting it to 7 revisions (roughly 2 days' worth of content). If they go out much further, they would then be pulling down the full content revision.

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?



  • 4.  RE: Preferred retention period of virus definitions in servers

    Posted Jul 14, 2015 04:34 PM

    Related links:

    http://www.symantec.com/docs/TECH182556

    and

    http://www.symantec.com/docs/TECH199676

    Issue: Old definitions require a reboot in order to be removed

    Symptom: Old definitions appear to require a reboot in order to be removed. This is usually due to a scan running at the time of the update.

    Fix ID: 2692127

    Solution: Updated the Common Client component to resolve a condition where the scanner held the virus definitions open, which prevented an update.



  • 5.  RE: Preferred retention period of virus definitions in servers

    Broadcom Employee
    Posted Jul 15, 2015 09:58 AM

    Hi,

    If you select 500 or fewer clients during the Symantec Endpoint Protection Manager installation, then by default Symantec Endpoint Protection Manager stores three LiveUpdate content revisions for each content type. If you select 500 to 1,000 clients, Symantec Endpoint Protection Manager stores 10 revisions by default. If you select more than 1,000 clients, then Symantec Endpoint Protection Manager stores 30 revisions by default. For example, if you select 500 or fewer clients, the Symantec Endpoint Protection Manager stores three revisions.

    To reduce disk space and database size, you can reduce the number of content revisions that are kept on the server. You should be aware, however, that reducing the number of content revisions also affects a server's ability to make deltas between content updates. A delta is an update that contains only the incremental changes since the last full content revision. Delta files are typically much smaller than full update files.

    The more content revisions that you keep, the greater the ability of the server to create deltas between content revisions. The number of content revisions that you keep is particularly important if you have some client computers that are offline for days at a time. Symantec typically releases 3 to 4 virus and spyware content revisions per day. Keeping at least 10 revisions ensures that the computers that disconnected on a Friday can use a delta to update on Monday morning. Delta updates take less time and bandwidth than downloading a full content revision.

    Go through the related articles as well: Maintaining the database

    http://www.symantec.com/docs/HOWTO55337

    Configuring the disk space that is used for LiveUpdate downloads

    http://www.symantec.com/docs/HOWTO55224

    But if possible, upgrade to the latest version of SEPM, because SEP 12.1 RU5 has a content storage optimization feature and it will decrease disk space usage drastically.

    Content Storage Optimization feature:

    As part of the upgrade to SEPM 12.1 RU5, the SEPM converts all of the content from full definitions to delta definitions. This process is resource intensive and may take an extended period of time. After this process is completed, the SEPM will use significantly less disk space.

    In a typical enterprise setup where 30 content revisions are stored, the SEPM upgrade process must reduce 55GB of full content to under 2GB of delta content. This process requires significant resources to complete and is impacted by the performance of any available CPUs, CPU cores (physical/logical/hyperthreading), memory, and disks (I/O). On a server that performs multiple roles, stores larger numbers of content, or is otherwise resource constrained, this process may take a longer duration to complete.

    Refer to this article to find more info: The LiveUpdate content optimization and content storage space optimization steps take a long time to complete when upgrading to Symantec Endpoint Protection Manager 12.1 RU5

    http://www.symantec.com/docs/TECH224055



  • 6.  RE: Preferred retention period of virus definitions in servers

    Posted Jul 16, 2015 12:29 PM

    Hello Jaril,

    Any updates on this?