
Remote Scan

Created: 30 Oct 2013 • Updated: 13 Nov 2013 | 27 comments
This issue has been solved. See solution.

Hi,

When we send the scan command to the clients from the SEPM, will there be bandwidth issues in the network?

How does the scan command work? If we do a daily scan on the servers during office hours, will there be any impact on the network and performance of the servers?

thanks


Rafeeq's picture

Sending the cmd will not have an impact; it's just the XML file which gets downloaded.

Yes, running a scan will have some impact. Better to do it during off hours.

You need to right-click on the group, select "run command on group" and select scan. That's it. :)

 

Commands issued by Symantec Endpoint Protection Manager are executed by clients at next heartbeat

 

James007's picture

When we send the scan command to the clients from the SEPM, will there be bandwidth issues in the network?

Yes, when you run the command, all SEP clients connect to your SEPM server and receive updates, so at that time high-bandwidth issues occur.

How does the scan command work? If we do a daily scan on the servers during office hours, will there be any impact on the network and performance of the servers?

Yes, at that time your systems run very slowly; you can scan your systems during non-peak hours.

You can check this article to create a scan.

How to schedule a scan from the Symantec Endpoint Protection Manager console

 

Article:TECH106249  |  Created: 2008-01-14  |  Updated: 2010-01-17  |  Article URL http://www.symantec.com/docs/TECH106249

 

suren424's picture

OK ... when we run the scan command or schedule the scans on the servers from SEPM, the clients will pick up the command (during this there could be some network utilization) and do the scan on the client, but how will it impact the network performance?

Could you please help me understand this?

Thanks again

Rafeeq's picture

Hi

When there are no new client-side logs to upload to the management server, or policy or content to download from the server, the size of the Symantec Endpoint Protection client heartbeat is between 3KB and 5KB. When all client protection technologies are enabled and the maximum level of client logging is enabled (with the exception of packet-level firewall logging, which is not recommended in production environments), the size of a typical heartbeat is between 200 KB and 300 KB.

http://www.symantec.com/business/support/index?page=content&id=TECH191617

SOLUTION
SMLatCST's picture

There is no network impact beyond the usual heartbeat traffic (logs, policies, commands, etc).

The whole process kinda goes like this:

  1. Issue scan command from SEPM
  2. Client picks up command on next heartbeat
  3. Client runs scan locally
  4. Client updates SEPM with scan progress on subsequent heartbeats (i.e. if the scan command has been received, if the scan is in progress/has completed, scan results)

This is just normal log data, and is little different from the results of normal scheduled scans.

Beppe's picture

Sending a command from SEPM to SEP clients is just a few KB, nothing you will be able to notice.

Regards,

Giuseppe

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

A daily scan on the server is really not needed unless it's a business requirement.

It will definitely impact performance, depending on the scan settings.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

suren424's picture

Thank you all for the information; it was really helpful.

"maximum level of client logging is enabled (with the exception of packet-level firewall logging)": how do we check whether this is enabled or not in our environment?

Except for the servers, user desktops have all the technologies enabled on them.

"When there are no new client-side logs to upload to the management server"

Do clients also upload info to SEPM? What type of data is that, and how much bandwidth could it use?

Our environment is in Push install mode and we have more than 700+ clients. Which one is recommended, push or pull mode?

Thanks

 

suren424's picture

Hi,

The client picks up the command and the scan starts locally. After that, the client updates SEPM with scan progress on subsequent heartbeats.

If the heartbeat interval is low (in our case it's 5 minutes) and in push mode, approximately how much bandwidth will the above updating process take? Will that client communicate the updates to SEPM every 5 minutes, and will it be a major impact or not much?

Just wanted to make sure because I am planning to start a daily scheduled scan on our servers.

How are scheduled scans different from push command scans?

SMLatCST's picture

The below article describes the differences between PUSH and PULL mode:

http://www.symantec.com/docs/HOWTO80782

In PUSH mode, the heartbeat essentially becomes moot, as the client maintains an open session to the SEPM once contact is established.  This constant connection generates a lot more network load than PULL mode.  PULL mode comms is normally recommended for most environments:

http://www.symantec.com/docs/TECH92051

The actual scans themselves are the same between the scheduled and on-demand ones.  The only difference is the way they are initiated (or if you choose the custom on-demand scan).

  • Scheduled ones are defined in the Virus and Spyware Protection policy's Scheduled Scan section
  • On-demand ones are initiated by you issuing a scan command from the SEPM
  • Custom on-demand scans are initiated by the scan command from the SEPM, but run the scan defined in the "Administrator On-Demand Scan" section of the Virus and Spyware Protection Policy
Rafeeq's picture

Not much, it's all very minimal.

Because it will not have to update anything every 5 mins, just checking with SEPM only :)

Scheduled scans run locally on the box once the policy is downloaded from SEPM.

It will kick off at the scheduled time.

suren424's picture

On the whole, for every heartbeat interval the client checks for updated definitions, new packages and scan commands. Is that right?

If the interval is 5 minutes, will that generate heavy traffic or minimal traffic? What could be the size of the packets if they have virus definitions every day?

Rafeeq's picture

Updates are delta with SEP 11 and higher

Every day new defs and sizes differ, here is a quick guide to that

http://www.symantec.com/connect/articles/how-big-are-current-symantec-endpoint-protection-definitions

suren424's picture

Thanks Rafeeq for the link ... that's a very good article.

When I saw the LiveUpdate settings (Policies --> Liveupdate --> LiveUpdate --> LiveUpdate Settings)

Attached the screenshots.

It is set as "use default management server". It means SEPM is the LUA, right? Or is LUA different from the management server?

How do we check at what times it's getting the Windows definition updates?

Thanks .

LUA Settings.jpg LUA 1.jpg
Rafeeq's picture

SEPM can get updates from the internet or from Luadmin; those settings are under the admin - servers tab.

======================================

Clients can update SEPM, LUadmin or using internet

The windows you are seeing are for clients. These options will be enabled when you select Symantec Liveupdate server.

You cannot schedule LU between SEPM and client; it happens during heartbeat only.

 

suren424's picture

Thanks for the update.

In the admin --> servers tab we have this (attached the screenshot)

Number of content revisions to keep: Are these the definition updates to keep in the database?

Every 4 hours the Symantec server looks for updates from the internet and stores the updates in the Symantec server ... right?

So, it means we don't have the LUA option ... right?

"These option will be enabled when you select Symantec Liveupdate server": Does Symantec liveupdate server mean our internal Symantec server/management server or the original Symantec server?

A bit confused ... sorry to ask many questions.

Thanks again

 

 

LU server.jpg
Rafeeq's picture

I hope this would be your last question on this topic :)

The Liveupdate option for SEPM is under the admin - servers tab.

Under liveupdate you have source servers; you need to click on edit. There are two options:

1) Symantec LU using internet

2) Luadmin.

This option is for SEPM and not for clients.

===================================

Number of content revisions to keep: Are these the definition updates to keep in the database?

Yes

===================================

 

"These option will be enabled when you select Symantec Liveupdate server": Does Symantec liveupdate server mean our internal Symantec server/management server or the original Symantec server?

--> This is the Symantec liveupdate server (liveupdate.symantec.com) using the internet.

================================

 

suren424's picture

Thanks Rafeeq ...

Where can we find the content revision files on the server?

No. of content revisions to keep = 30 means the content updates will be stored on the server (on the local drive), right?

Where do we find those files on the local drive?

Thanks

Beppe's picture

c:\program files(x86)\symantec\symantec endpoint protection manager\inetpub\content\

{535...} for 32 bit AV defs

{07B...} for 64 bit AV defs

A copy is also stored in the DB.

Regards,

Giuseppe

suren424's picture

Can we delete those files, keeping only the latest definition files?

What does "a copy is also stored in the DB" mean? The DB is also stored on the local drive, right?

thanks

Beppe's picture

No, you may not manually delete them. Just change the related setting in the SEPM console and the old content will be purged automatically, you've been told about it some posts above.

Yes, the DB is also stored locally if you use the embedded one, you have nothing to do directly on it, use the settings in the SEPM to control its content.

Regards,

Giuseppe

AjinBabu's picture

Hi, 

SEPM to SEP client communication will be in less KB's.

Regards

Ajin

 

 

SameerU's picture

Hi

Sending the update command will not affect the bandwidth as it's only in KB.

Regards

 

suren424's picture

How does the scheduled scan (weekly scan) work?

1) After the scheduled scan starts, the scan will run locally on the client computer ... right?

How much bandwidth do the scheduled scans take?

Could you please let me know the sequence of operations during the scheduled scan?

Thanks

Beppe's picture

Hello,

1) After the scheduled scan starts, the scan will run locally on the client computer ... right?

Correct

2) How much bandwidth do the scheduled scans take?

Zero

3) Could you please let me know the sequence of operations during the scheduled scan?

- At scheduled time X, a scheduled scan starts

- During the scheduled scan, all files in system are scanned for viruses (except those in the scan exceptions) and what can be fixed is fixed

- At the end of the scan, a report with the result of the scan is sent to the SEPM (very small data).

 

 

Regards,

Giuseppe

Rafeeq's picture

Please open a support case, they will answer all the queries wrt to scan...