
SEP 12.1 Clients take up to 2 hours to update virus definitions

Created: 31 Oct 2012 • Updated: 06 Dec 2012 | 16 comments
chris48 wrote:

I have set up SEPM 12.1 on a server which manages 365 Clients (about 200-250 are workstations and laptops).  What I have found is that the laptops and workstations are taking a very long time to update their virus definitions (very often between 1 and 2 hours).  This is causing problems as the users often switch the client on for about 30 mins which means it doesn't have enough time to update its virus defs.

I have put the clients into the Default group and applied the following settings in the policies:

LiveUpdate Policy - this is set to 'Use the default management server'.

Communication Settings - this is set to 'Download policies and content from the management server' using 'Pull mode'.  I have a Heartbeat interval set to 15 mins and Randomization enabled and set to 7 mins.  The Reconnection Preferences are both checked as well.

If anyone could provide any help with regards to speeding up the update process that would be great,

Thanks

Chris.

16 Comments

.Brian wrote:

Do you have any GUPs set up? Perhaps the SEPM is being overwhelmed which is causing it to take longer to hand out defs.

Configuring Group Update Providers

https://www.symantec.com/business/support/index?pa...

About the types of Group Update Providers

https://www.symantec.com/business/support/index?pa...

Managing content updates

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

chris48 wrote:

Thanks Brian,

We don't use any GUPs as our client base is relatively small.  Everything is managed at site by the SEPM server and the client machines that experience this delay in updates are broadband connected clients connecting through a VPN.

Mithun Sanghavi wrote:

Hello,

What version of SEP 12.1 are you running?

What OS are these client machines running on?

Is there a proxy installed?

What bandwidth is the network carrying?

If you have low bandwidth, check this Article:

https://www-secure.symantec.com/connect/articles/tips-installing-sep-low-bandwidth-environment

Secondly, to understand the root cause of the issue, could you upload log.lue and sylink.log from 1 of the client machines where you feel that the download of definitions is taking time?

Log.lue could be found under - 

On Windows XP and Windows server 2003:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs

On Windows Vista, Windows 7, and Windows Server 2008:

C:\Program Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs

and 

Check this Article on how to collect the Sylink.log files

http://www.symantec.com/docs/TECH104758

I would also recommend you to check these Articles below:

Improving client and server performance

http://www.symantec.com/docs/HOWTO81048

Configuring the disk space that is used for LiveUpdate downloads

http://www.symantec.com/docs/HOWTO80938

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

chris48 wrote:

Hi Mithun,

I'm running SEP 12.1.1101.401 RU1 MP1 and the clients are all XP.  There is no Proxy installed and they are all connected via a VPN connection over various standard broadband connections.  I wondered about bandwidth, but when we used SAV 10.x and the clients used Liveupdate, it never took this amount of time to update the clients then.

I have looked at your articles but cannot find the Lue.log on the systems I have checked.  Do I need to enable logging or anything like that first?

I have made a couple of changes I have seen from the articles.  One of them is that I have unchecked the 'Use Group Communication Settings' for the Communication Settings policy under Location-Specific Settings (accessible through clicking the Tasks>> button on its right).  We only have the default location set up with default values.

I have also kept the settings to Pull-mode but changed the heartbeat interval to 15 minutes with 7 minute Randomization.  I thought this would be best for clients who may only go online for 30 mins as they should hopefully stand a better chance of updating.

The last change I have made is to the Liveupdate settings on the server where I have changed the 'Number of content revisions to keep' from 3 to 10.  I know the article suggested 30, but I thought this may require more disk space on the clients??  Please correct me if I am wrong.

Thanks for your help and please let me know if you think this is going to help,

Chris

SMLatCST wrote:

Hi Chris,

I was going to ask about the number of definition revisions retained by your SEPM.

This setting affects the disk space usage of your SEPM only, and does not affect the number of revisions retained on the client, and will likely be contributing to the amount of time required for your clients to update.  With a retention count of only 3, you are essentially keeping only a day's worth of definitions on the SEPM. This means the SEPM will more likely have to provide the full fat virus definitions to your SEP clients, at over 100MB a pop, generating more network traffic than is really necessary.

As you've increased the retention count to 10, the SEPM should be able to provide delta definition updates to clients less than 3 days out of date.  Hopefully the reduction in network traffic will improve the 'time-to-update' problems you've been seeing.

On a side note, as per the below article, it is relatively common to see 42 definitions retained, to allow SEPMs to provide delta updates to clients up to 2 weeks out of date:

http://www.symantec.com/docs/TECH92051
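An added illustration of the retention point above (example code, not from the thread or from Symantec): it models which clients can be served a delta versus a full definition package for the three retention values discussed (3, 10 and 42). It assumes roughly 3 definition revisions per day (the thread's "3 revisions is about a day"), a full package of about 100 MB (the thread's "over 100MB a pop") and an assumed delta size of 1.5 MB; the client list is constructed.

```python
"""Model of the SEPM 'Number of content revisions to keep' setting.
Added example, not code from the thread. A client that is N revisions behind
can only receive a delta if revision (current - N) is still kept on the SEPM;
otherwise it must download the full package."""

REVISIONS_PER_DAY = 3      # assumption, consistent with the thread's rule of thumb
FULL_PACKAGE_MB = 100.0    # thread: "over 100MB a pop"
DELTA_PACKAGE_MB = 1.5     # assumption; real delta sizes vary


def delta_coverage_days(revisions_kept):
    """Approximate age (days) of the oldest client the SEPM can still delta-update."""
    return revisions_kept / REVISIONS_PER_DAY


def update_kind(days_since_last_update, revisions_kept):
    """'delta' if the client's revision is still on the SEPM, else 'full'."""
    revisions_behind = days_since_last_update * REVISIONS_PER_DAY
    # The current revision counts as one of the kept ones, hence revisions_kept - 1.
    return "delta" if revisions_behind <= revisions_kept - 1 else "full"


def fleet_traffic(days_offline_per_client, revisions_kept):
    """Return (full_count, delta_count, total_mb) served for one retention setting."""
    full = sum(1 for d in days_offline_per_client
               if update_kind(d, revisions_kept) == "full")
    delta = len(days_offline_per_client) - full
    return full, delta, full * FULL_PACKAGE_MB + delta * DELTA_PACKAGE_MB


# Constructed sample: days since each of ten VPN-connected clients last updated.
SAMPLE_CLIENTS = [0, 1, 2, 3, 5, 7, 10, 13, 21, 30]


def compare_retention(settings=(3, 10, 42), clients=SAMPLE_CLIENTS):
    """The retention values from the thread, side by side."""
    return {n: fleet_traffic(clients, n) for n in settings}


if __name__ == "__main__":
    for n, (full, delta, mb) in compare_retention().items():
        print(f"keep {n:2d} revisions (~{delta_coverage_days(n):4.1f} days of deltas): "
              f"{full} full, {delta} delta, ~{mb:.1f} MB served")
```

With the constructed fleet, raising retention from 3 to 42 cuts the full-package downloads from 9 to 2, which is the traffic reduction SMLatCST describes.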

chris48 wrote:

This is an interesting point I hadn't really understood previously.  I have read the article and have now increased the number of revisions to be retained further to 42.  I will have to wait for a number of days I guess to allow the number of revisions to actually build up over the next couple of weeks and also to allow the clients to reconnect.

Thanks for this advice - I'll report back in due course to see if this has made a significant difference.

Ian_C. wrote:

 'Pull mode'

Changing this to 'Push mode' might also help. You have a small number of clients compared to some of the posts with >100 000 clients that I've seen before.

You can also review the (Apache) web logs to see what clients are (trying to) download. Maybe they receive a 'Server busy' response (unlikely due to the number of clients) or the download takes a long time due to slow links?

Please mark the post that best solves your problem as the answer to this thread.

chris48 wrote:

Hi Ian,

I did have this set to Push-mode originally but changed it some time ago as the clients are desktops and laptops that are often offline.  They are also all broadband connected so, as I understood from previous research, I thought they would be better off in Pull-mode.  This may be incorrectly assumed, so please let me know if this is the case.

I have started to look at the log files under the Apache folder, but not sure exactly what logs are pertinent to this issue.  There are also logs under Tomcat.  I will start to investigate, but in the meantime if you know which logs I should specifically be looking at please let me know,

Thanks

Chris

Ian_C. wrote:

... are often offline. They are also all broadband connected so ...

You understood correctly. I mentioned Push mode simply to speed up communications.

 if you know which logs

I don't, sorry. Waiting for MP2 next week before doing my first install of SEP v12. In the meantime, the documentation tells us about various log files that you can use.


Syed saied wrote:

HI,

Are all your clients in the same location or in remote locations?

If your clients are in a remote location then create a GUP to update the clients.

Thanks In Advance...

Syed Saied

If the suggestion has helped to solve your problem, please mark the post as a solution

chris48 wrote:

Unfortunately they aren't.  They are either individual or in groups of no more than 2 or 3 and they all connect in via a VPN connection to the central site where the SEPM server is.  This is why I haven't utilised any GUPs.

Mithun Sanghavi wrote:

Hello,

I would suggest you to check this Article:

How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device

http://www.symantec.com/docs/TECH93033

Hope that helps!!

Mithun Sanghavi

SOLUTION
chris48 wrote:

Unfortunately we don't manage our customers' routers - they all have their own various broadband routers, some are small ones provided by their ISPs when they order their broadband line in and others use their corporate routers, so this article is not really relevant for us.  I am going to wait and see if the retention period being extended for download revisions helps, and maybe if all else fails configure them to be able to use Liveupdate and run this manually from their clients if they wish.  This latter option may not decrease the time but it will give the end user some control and they will see the progress bar for Liveupdate which should prevent them from closing the client down prematurely.

Ian_C. wrote:

no more than 2 or 3 and they all connect in via a VPN connection

Here are two things to consider.

  1. Do your clients really have to get updates from the SEPM only? Is that VPN permanent? Do all your clients connect centrally to get out onto the internet? If not, why not configure the clients to get updates directly from Symantec who use Akamai to do local geo caching of files?
  2. Have you considered making all your clients GUPs? Depending on your network setup (star & spoke network; flat IP subnet or individual IP sites) this might be an option. This will increase the time though.

chris48 wrote:

Our VPNs are not permanent unfortunately and when connected to the network they have no internet access as the network is protected from the internet.  Unfortunately they won't have access to any of Symantec's websites so this won't be an option.

I have increased the amount of revisions we retain on the SEPM server and am going to see how this increases performance over the next week or two.

Thanks for your suggestions, but unfortunately our slightly 'isolated' situation from the internet prevents us making use of them.