Endpoint Protection


  • 1.  Remote Scan

    Posted Oct 30, 2013 09:40 AM

    Hi,

    When we send the scan command to the clients from the SEPM, will there be bandwidth issues in the network?

    How does the scan command work? If we do a daily scan on the servers during office hours, will there be any impact on the network and performance of the servers?

    thanks



  • 2.  RE: Remote Scan

    Posted Oct 30, 2013 09:47 AM

    When we send the scan command to the clients from the SEPM, will there be bandwidth issues in the network?

    Yes, when you run the command, all SEP clients connect to your SEPM server and receive updates, so at that time high bandwidth issues occur.

    How does the scan command work? If we do a daily scan on the servers during office hours, will there be any impact on the network and performance of the servers?

    Yes, at that time your systems will run very slowly; you can scan your systems during non-peak hours.

    You can check this article to create a scan.

    How to schedule a scan from the Symantec Endpoint Protection Manager console

     

    Article:TECH106249  |  Created: 2008-01-14  |  Updated: 2010-01-17  |  Article URL http://www.symantec.com/docs/TECH106249

     



  • 3.  RE: Remote Scan

    Posted Oct 30, 2013 09:49 AM

    Sending the cmd will not have an impact; it's just the XML file which gets downloaded.

    Yes, running a scan will have some impact. Better to do it during off hours.

    You need to right-click on the group, select run command on group, and select scan. That's it. :)

     

    Commands issued by Symantec Endpoint Protection Manager are executed by clients at next heartbeat

     



  • 4.  RE: Remote Scan

    Posted Oct 30, 2013 09:58 AM

    OK... when we run the scan command or schedule the scans on the servers from SEPM, the clients will pick up the command (during this there could be some network utilization) and do the scan on the client, but how will it impact the network performance?

    Could you please help me understand this?

    Thanks again



  • 5.  RE: Remote Scan
    Best Answer

    Posted Oct 30, 2013 10:08 AM

    Hi

    When there are no new client-side logs to upload to the management server, or policy or content to download from the server, the size of the Symantec Endpoint Protection client heartbeat is between 3 KB and 5 KB. When all client protection technologies are enabled and the maximum level of client logging is enabled (with the exception of packet-level firewall logging, which is not recommended in production environments), the size of a typical heartbeat is between 200 KB and 300 KB.

    http://www.symantec.com/business/support/index?page=content&id=TECH191617



  • 6.  RE: Remote Scan

    Posted Oct 30, 2013 10:22 AM

    There is no network impact beyond the usual heartbeat traffic (logs, policies, commands, etc).

    The whole process kinda goes like this:

    1. Issue scan command from SEPM
    2. Client picks up command on next heartbeat
    3. Client runs scan locally
    4. Client updates SEPM with scan progress on subsequent heartbeats (i.e. if the scan command has been received, if the scan is in progress/has completed, scan results)

    This is just normal log data, and is little different from the results of normal scheduled scans.



  • 7.  RE: Remote Scan

    Posted Oct 30, 2013 10:39 AM

    Sending a command from SEPM to SEP clients is just a few KB, nothing you will be able to notice.



  • 8.  RE: Remote Scan

    Broadcom Employee
    Posted Oct 30, 2013 11:13 AM

    Hi,

    Thank you for posting in Symantec community.

    Daily scan on server is really not needed unless it's a business requirement.

    It will definitely impact performance, depending upon scan settings.



  • 9.  RE: Remote Scan

    Posted Oct 30, 2013 11:42 AM

    Thank you all for the information; it was really helpful.

    "maximum level of client logging is enabled (with the exception of packet-level firewall logging)": how do we check whether this is enabled or not in our environment?

    Except for the servers, user desktops have all the technologies enabled on them.

    "When there are no new client-side logs to upload to the management server"

    Do clients also upload the info to SEPM? What type of data is that and how much bandwidth could it use?

    Our environment is in push install mode and we have more than 700+ clients. Which one is recommended, push or pull mode?

    Thanks

     



  • 10.  RE: Remote Scan

    Posted Oct 30, 2013 11:57 AM

    Hi,

    The client picks up the command and the scan starts locally. After that, the client updates SEPM with scan progress on subsequent heartbeats.

    If the heartbeat interval is low (in our case it's 5 minutes) and in push mode, approximately how much bandwidth will the above updating process take? Will that client communicate the updates to SEPM every 5 mins and be a major impact, or not much?

    Just wanted to make sure because I am planning to start a daily scheduled scan on our servers.

    How are scheduled scans different from push command scans?



  • 11.  RE: Remote Scan

    Posted Oct 30, 2013 12:07 PM

    The below article describes the differences between PUSH and PULL mode:

    http://www.symantec.com/docs/HOWTO80782

    In PUSH mode, the heartbeat essentially becomes moot, as the client maintains an open session to the SEPM once contact is established.  This constant connection generates a lot more network load than PULL mode.  PULL mode comms is normally recommended for most environments:

    http://www.symantec.com/docs/TECH92051

    The actual scans themselves are the same between the scheduled and on-demand ones.  The only difference is the way they are initiated (or if you choose the custom on-demand scan).

    • Scheduled ones are defined in the Virus and Spyware Protection policy's Scheduled Scan section
    • On-demand ones are initiated by you issuing a scan command from the SEPM
    • Custom on-demand scans are initiated by the scan command from the SEPM, but run the scan defined in the "Administrator On-Demand Scan" section of the Virus and Spyware Protection Policy


  • 12.  RE: Remote Scan

    Posted Oct 30, 2013 12:07 PM

    Not much, it's all very minimal.

    Because it will not have to update anything every 5 mins, just checking with SEPM only :)

    Scheduled scans run locally on the box once the policy is downloaded from SEPM.

    It will kick off at the scheduled time.



  • 13.  RE: Remote Scan

    Posted Oct 31, 2013 12:15 PM

    On the whole, at every heartbeat interval the client checks for the updated definitions, new packages, scan commands. Is that right?

    If the interval is 5 minutes, will that generate heavy traffic or minimal traffic? What could be the size of the packets if they have virus definitions every day?



  • 14.  RE: Remote Scan

    Posted Oct 31, 2013 01:04 PM

    Updates are delta with SEP 11 and higher

    Every day new defs and sizes differ, here is a quick guide to that

    http://www.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions



  • 15.  RE: Remote Scan

    Posted Oct 31, 2013 02:25 PM

    Thanks Rafeeq for the link... that's a very good article.

    When I saw the LiveUpdate settings (Policies --> Liveupdate --> LiveUpdate --> LiveUpdate Settings)

    Attached the screenshots.

    It is set as use default management server. It means SEPM is the LUA, right? Or is LUA different from the management server?

    How to check at what times it's getting the Windows definition updates?

    Thanks .



  • 16.  RE: Remote Scan

    Posted Oct 31, 2013 02:33 PM

    SEPM can get updates from the internet or from Luadmin; those settings are under the admin - servers tab.

    ======================================

    Clients can update from SEPM, LUadmin or using the internet.

    The window you are seeing is for clients. These options will be enabled when you select Symantec Liveupdate server.

    You cannot schedule LU between SEPM and client; it happens during heartbeat only.

     



  • 17.  RE: Remote Scan

    Posted Oct 31, 2013 09:59 PM

    Thanks for the update.

    In admin --> servers tab we have this (attached the screenshot)

    Number of content revisions to keep: Are these the definition updates to keep in the database?

    Every 4 hours the Symantec server looks for the updates from the internet and stores the updates in the Symantec server... right?

    So, it means we don't have the LUA option... right?

    "These options will be enabled when you select Symantec Liveupdate server": Symantec liveupdate server means our internal Symantec server/management server or the original Symantec server?

    Bit confused... sorry to ask many questions.

    Thanks again

     

     



  • 18.  RE: Remote Scan

    Posted Nov 01, 2013 12:04 AM

    I hope this would be your last question on this topic :)

    The Liveupdate option for SEPM is under the admin - servers tab.

    Under liveupdate you have source servers; you need to click on edit. There are two options:

    1) Symantec LU using internet

    2) Luadmin.

    This option is for SEPM and not for clients.

    ===================================

    Number of content revisions to keep: Are these the definition updates to keep in the database?

    Yes

    ===================================

     

    "These options will be enabled when you select Symantec Liveupdate server": Symantec liveupdate server means our internal Symantec server/management server or the original Symantec server.

    --> this is Symantec liveupdate server (liveupdate.symantec.com ) using internet.

    ================================

     



  • 19.  RE: Remote Scan

    Posted Nov 05, 2013 07:52 AM

    Thanks Rafeeq ...

    Where can we find the content revision files in the server?

    No. of content revisions to keep = 30 means, in the server (on the local drive) the content updates will be stored, right?

    Where to find those files in the local drive?

    Thanks



  • 20.  RE: Remote Scan

    Posted Nov 05, 2013 11:48 AM

    c:\program files(x86)\symantec\symantec endpoint protection manager\inetpub\content\

    {535...} for 32 bit AV defs

    {07B...} for 64 bit AV defs

    A copy is also stored into the DB.



  • 21.  RE: Remote Scan

    Posted Nov 05, 2013 11:59 AM

    Hi, 

    SEPM to SEP client communication will be in less KB's.

    Regards

    Ajin

     

     



  • 22.  RE: Remote Scan

    Posted Nov 05, 2013 09:26 PM

    Can we delete those files, keeping only the latest definition files?

    A copy is also stored in DB means? DB is also stored in the local drive, right?

    thanks



  • 23.  RE: Remote Scan

    Posted Nov 05, 2013 11:12 PM

    Hi

    Sending the update command will not affect the bandwidth as it's only in KB.

    Regards

     



  • 24.  RE: Remote Scan

    Posted Nov 06, 2013 05:26 AM

    No, you may not manually delete them. Just change the related setting in the SEPM console and the old content will be purged automatically, you've been told about it some posts above.

    Yes, the DB is also stored locally if you use the embedded one, you have nothing to do directly on it, use the settings in the SEPM to control its content.



  • 25.  RE: Remote Scan

    Posted Nov 13, 2013 07:55 AM

    How does the schedule scan (weekly scan) work?

    1) After the schedule scan starts, the scan will run locally on the client computer... right?

    How much bandwidth do the schedule scans take?

    Could you please let me know the sequence of operations during the schedule scan?

    Thanks



  • 26.  RE: Remote Scan

    Posted Nov 13, 2013 09:04 AM

    Please open a support case, they will answer all the queries wrt to scan...



  • 27.  RE: Remote Scan

    Posted Nov 13, 2013 12:06 PM

    Hello,

    1) After the schedule scan starts, the scan will run locally on the client computer... right?

    Correct

    2) How much bandwidth do the schedule scans take?

    Zero

    3) Could you please let me know the sequence of operations during the schedule scan ?

    - At scheduled time X, a scheduled scan starts

    - During the scheduled scan, all files in system are scanned for viruses (except those in the scan exceptions) and what can be fixed is fixed

    - At the end of the scan, a report with the result of the scan is sent to the SEPM (very small data).

     

     



  • 28.  RE: Remote Scan

    Posted Nov 13, 2013 07:08 PM

    Thanks Beppe.