SEP 12.1 Clients take up to 2 hours to update virus definitions
I have set up SEPM 12.1 on a server which manages 365 Clients (about 200-250 are workstations and laptops). What I have found is that the laptops and workstations are taking a very long time to update their virus definitions (very often between 1 and 2 hours). This is causing problems as the users often switch the client on for about 30 mins which means it doesn't have enough time to update its virus defs.
I have put the clients into the Default group and applied the following settings in the policies:
LiveUpdate Policy - this is set to 'Use the default management server'
Communication Settings - this is set to 'Download policies and content from the management server' using 'Pull mode'. I have a Heartbeat interval set to 15 mins and Randomization enabled and set to 7 mins. The Reconnection Preferences are both checked as well.
If anyone could provide any help with regards to speeding up the update process that would be great,
Thanks
Chris.
Comments
Do you have any GUPs set up? Perhaps the SEPM is being overwhelmed which is causing it to take longer to hand out defs.
Configuring Group Update Providers
https://www.symantec.com/business/support/index?pa...
About the types of Group Update Providers
https://www.symantec.com/business/support/index?pa...
Managing content updates
https://www.symantec.com/business/support/index?pa...
SEP Knowledge Base
Endpoint SWAT
Thanks Brian,
We don't use any GUPs as our client base is relatively small. Everything is managed at site by the SEPM server and the client machines that experience this delay in updates are broadband connected clients connecting through a VPN.
Hello,
What version of SEP 12.1 are you running?
What OS are these client machines running on?
Is there a proxy installed?
What bandwidth is the network carrying?
If you are having low bandwidth, check this Article:
https://www-secure.symantec.com/connect/articles/tips-installing-sep-low-bandwidth-environment
Secondly, to understand the root cause of the issue, could you upload log.lue and sylink.log from 1 of the client machines where you feel that the download of definitions is taking time?
Log.lue could be found under -
On Windows XP and Windows Server 2003:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs
On Windows Vista, Windows 7, and Windows Server 2008:
C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs
and
Check this Article on how to collect the Sylink.log files -
http://www.symantec.com/docs/TECH104758
I would also recommend you to check these Articles below:
Improving client and server performance
http://www.symantec.com/docs/HOWTO81048
Configuring the disk space that is used for LiveUpdate downloads
http://www.symantec.com/docs/HOWTO80938
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hi Mithun,
I'm running SEP 12.1.1101.401 RU1 MP1 and the clients are all XP. There is no Proxy installed and they are all connected via a VPN connection over various standard broadband connections. I wondered about bandwidth, but when we used SAV 10.x and the clients used Liveupdate, it never took this amount of time to update the clients then.
I have looked at your articles but cannot find the Lue.log on the systems I have checked. Do I need to enable logging or anything like that first?
I have made a couple of changes I have seen from the articles. One of them is that I have unchecked the 'Use Group Communication Settings' for the Communication Settings policy under Location-Specific Settings (accessible through clicking the Tasks>> button on its right). We only have the default location set up with default values.
I have also kept the settings to Pull-mode but changed the heartbeat interval to 15 minutes with 7 minute Randomization. I thought this would be best for clients who may only go online for 30 mins as they should hopefully stand a better chance of updating.
The last change I have made is to the Liveupdate settings on the server where I have changed the 'Number of content revisions to keep' from 3 to 10. I know the article suggested 30, but I thought this may require more disk space on the clients?? Please correct me if I am wrong.
Thanks for your help and please let me know if you think this is going to help,
Chris
Hi Chris,
I was going to ask about the number of definition revisions retained by your SEPM.
This setting affects the disk space usage of your SEPM only, and does not affect the number of revisions retained on the client, and will likely be contributing to the amount of time required for your clients to update. With a retention count of only 3, you are essentially keeping only a day's worth of definitions on the SEPM. This means the SEPM will more likely have to provide the full fat virus definitions to your SEP clients, at over 100MB a pop, generating more network traffic than is really necessary.
As you've increased the retention count to 10, the SEPM should be able to provide delta definition updates to clients less than 3 days out of date. Hopefully the reduction in network traffic will improve the 'time-to-update' problems you've been seeing.
On a side note, as per the below article, it is relatively common to see 42 definitions retained, to allow SEPMs to provide delta updates to clients up to 2 weeks out of date:
http://www.symantec.com/docs/TECH92051
http://www.cstl.com/
This is an interesting point I hadn't really understood previously. I have read the article and have now increased the number of revisions to be retained further to 42. I will have to wait for a number of days I guess to allow the number of revisions to actually build up over the next couple of weeks and also to allow the clients to reconnect.
Thanks for this advice - I'll report back in due course to see if this has made a significant difference.
'Pull mode' Changing this
Changing this to 'Push mode' might also help. You have a small number of clients compared to some of the posts with >100 000 clients that I've seen before.
You can also review the (Apache) web logs to see what clients are (trying to) download. Maybe they receive a 'Server busy' response (unlikely due to the number of clients) or the download takes a long time due to slow links?
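Added example (not part of the original posts and not Symantec code): one way to do the web-log review suggested above, tying it to the earlier point that a full definition set is over 100MB. It assumes the SEPM's Apache access log is in Common Log Format; the `/content/` path prefix, the use of HTTP 503 for 'Server busy', the link speed and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

FULL_BYTES = 100 * 1024 * 1024  # the thread puts a full definition set at "over 100MB"
CONTENT_PREFIX = "/content/"    # ASSUMPTION: replace with the prefix seen in your own log
BUSY_STATUS = "503"             # ASSUMPTION: 'Server busy' is logged as HTTP 503

# Constructed sample lines (addresses, paths and sizes are made up for the example).
SAMPLE = [
    '10.8.0.21 - - [12/Nov/2012:09:01:13 +0000] "GET /content/defs-a/full.zip HTTP/1.1" 200 118489088',
    '10.8.0.22 - - [12/Nov/2012:09:03:40 +0000] "GET /content/defs-a/delta.bin HTTP/1.1" 200 412672',
    '10.8.0.23 - - [12/Nov/2012:09:04:02 +0000] "GET /content/defs-a/full.zip HTTP/1.1" 503 -',
    '10.8.0.21 - - [12/Nov/2012:09:05:00 +0000] "POST /heartbeat HTTP/1.1" 200 120',
]

def summarize(lines, prefix=CONTENT_PREFIX, full_bytes=FULL_BYTES):
    """Per client: full-size downloads, smaller downloads, busy responses, bytes sent."""
    stats = defaultdict(lambda: {"full": 0, "small": 0, "busy": 0, "bytes": 0})
    for line in lines:
        m = CLF.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # skip malformed lines and non-content requests
        s = stats[m["host"]]
        if m["status"] == BUSY_STATUS:
            s["busy"] += 1
        elif m["status"] in ("200", "206"):
            size = 0 if m["size"] == "-" else int(m["size"])
            s["bytes"] += size
            s["full" if size >= full_bytes else "small"] += 1
    return dict(stats)

def full_pullers(stats):
    """Clients that fetched at least one full-size package instead of a delta."""
    return sorted(h for h, s in stats.items() if s["full"])

def transfer_minutes(size_bytes, link_kbps):
    """Best-case minutes to move size_bytes over a link of link_kbps kilobits/s."""
    return size_bytes * 8 / (link_kbps * 1000) / 60

if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE).items()):
        print(host, s, "~%.0f min at 256 kbps" % transfer_minutes(s["bytes"], 256))
```

Clients that keep appearing in `full_pullers` after the retention count has been raised are the ones still falling outside the delta window.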
Hi Ian,
I did have this set to Push-mode originally but changed it some time ago as the clients are desktops and laptops that are often offline. They are also all broadband connected so, as I understood from previous research, I thought they would be better off in Pull-mode. This may be incorrectly assumed, so please let me know if this is the case.
I have started to look at the log files under the Apache folder, but not sure exactly what logs are pertinent to this issue. There are also logs under Tomcat. I will start to investigate, but in the meantime if you know which logs I should specifically be looking at please let me know,
Thanks
Chris
... are often offline. They
You understood correctly. I mentioned Push mode simply to speed up communications.
I don't, sorry. Waiting for MP2 next week before doing my first install of SEP v12. In the meantime, the documentation tells us about various log files that you can use.
Hi,
Are all your clients in the same location or in a remote location?
If your clients are in a remote location, then create a GUP to update the clients.
Thanks In Advance...
Syed Saied
If the suggestion has helped to solve your problem, please mark the post as a solution
Unfortunately they aren't. They are either individual or in groups of no more than 2 or 3 and they all connect in via a VPN connection to the central site where the SEPM server is. This is why I haven't utilised any GUPs.
Hello,
I would suggest you to check this Article:
How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device
http://www.symantec.com/docs/TECH93033
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Unfortunately we don't manage our customers' routers - they all have their own various broadband routers, some are small ones provided by their ISPs when they order their broadband line in and others use their corporate routers, so this article is not really relevant for us. I am going to wait and see if the retention period being extended for download revisions helps, and maybe if all else fails configure them to be able to use Liveupdate and run this manually from their clients if they wish. This latter option may not decrease the time but it will give the end user some control and they will see the progress bar for Liveupdate which should prevent them from closing the client down prematurely.
no more than 2 or 3 and they
Here are two things to consider.
Our VPNs are not permanent
Our VPNs are not permanent unfortunately and when connected to the network they have no internet access as the network is protected from the internet. Unfortunately they won't have access to any of Symantec's websites so this won't be an option.
I have increased the amount of revisions we retain on the SEPM server and am going to see how this increases performance over the next week or two.
Thanks for your suggestions, but unfortunately our slightly 'isolated' situation from the internet prevents us making use of them.
Hi
Please follow the link below
http://www.symantec.com/business/support/index?pag...
Regards