This issue has been solved.

SEP Agents and Content Update

Created: 04 Nov 2012 | Updated: 11 Nov 2012

Hi All,

I have been working on a client that is running SEP 11.0.6a and has 3 x GUP's for content updates (primarily A/V signatures). It has been observed that each Monday as the SEP Agents reconnect after the weekend that it takes the best part of a day to catch up. This has been improved with some closer attention and policy tweaking. However I strongly suspect there is a significant portion of the fleet that is waiting for the GUP retry timeout and defaulting to the SEPM for updates (currently set to 2 hours).

Whilst this practice is presently not impacting the network noticably, as the fleet grows it will become less and less workable. Also, ideally I would like to turn this timeout off entirely!

What I need is a way to identify those endpoints that are retrieving their content direct from the SEPM. This really needs to be able to run from the SEPM and not require queries/observations run on specific endpoints as any "solution" of that manner is simply not feasible with the size of the client. Is there a way to do this?

Regards,

Dean



Comments

Brian81 (Trusted Advisor, Certified) | 05 Nov 2012 | Votes: 0

See this article:

https://www-secure.symantec.com/connect/articles/u...

You can also check deltas by applying this display filter in wireshark:

frame matches "\.[Dd][Aa][Xx]" && tcp.port==8014

In the SEPM logs, under Monitors set log type to System

Set Log content to Client-server activity

This should give you info as well on what was downloaded

Ashish-Sharma (Accredited) | 05 Nov 2012 | Votes: 0

Hi, check this article:

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents

SMLatCST (Partner, Accredited) | 05 Nov 2012 | Votes: +3 | SOLUTION

These articles might also help.

GUP Monitoring tool: http://www.symantec.com/docs/TECH156558

Download from GUP Logs on SEPM: http://www.symantec.com/docs/TECH187283

Ian_C. (Partner) | 05 Nov 2012 | Votes: +1

Thumbs up to article #187283 as pointed out by SMLatCST.

That is one report run directly on the SEPM console. No SQL queries or client log monitoring required.


Please mark the post that best solves your problem as the answer to this thread.

EssKay (Partner, Accredited) | 05 Nov 2012 | Votes: 0

Hello SMLatCST,

I am familiar with this tool and have it running. I am still astounded it is not a core part of the product. That said, unless I am missing something this tool does not identify which clients are using or bypassing the GUP's after the timeout has been reached.

Regards,

Dean

Ian_C. (Partner) | 07 Nov 2012 | Votes: 0

"this tool does not identify which clients are using or bypassing the GUP's after the timeout has been reached"

The tool might not identify these clients, but the logs do (as per article #187283). I see four different event types:

  1. Cannot reach server
  2. Definition file downloaded from GUP
  3. Failed to download from GUP
  4. Reconnected server

2 & 3 are obvious and, I'd say, exactly what you are looking for (clients either using the GUP or not).

1 & 4: it never seems to be clear if that server is the actual SEPM.

Please mark the post that best solves your problem as the answer to this thread.
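To show how the four event types above can be turned into a per-client answer, here is an added example (not from the thread, not a Symantec tool) that classifies exported client-server activity lines. The tab-separated line layout, the client names and the GUP names are assumptions constructed for this example; only the four event strings come from the post. Clients with GUP failures and no successful GUP download are the ones worth chasing as likely fall-backs to the SEPM, while event types 1 and 4 are counted separately because, as noted, it is not clear which server they refer to.

```python
"""Classify SEPM client-server activity lines by GUP event type (added example).

Layout assumed here (constructed, NOT the SEPM's real export format):
    <timestamp>\t<event text>\t<client name>\t<server or GUP name>
"""
from collections import defaultdict

# The four event strings listed in the thread.
EVENT_USED_GUP = "Definition file downloaded from GUP"
EVENT_FAILED_GUP = "Failed to download from GUP"
EVENT_CANNOT_REACH = "Cannot reach server"
EVENT_RECONNECTED = "Reconnected server"

# Constructed sample export; hostnames and GUP names are hypothetical.
SAMPLE_LOG = """\
2012-11-05 08:01:12\tDefinition file downloaded from GUP\tPC-0101\tgup-site-01
2012-11-05 08:01:15\tCannot reach server\tPC-0102\tsepm-01
2012-11-05 08:03:40\tFailed to download from GUP\tPC-0103\tgup-site-02
2012-11-05 08:03:41\tReconnected server\tPC-0102\tsepm-01
2012-11-05 08:05:02\tDefinition file downloaded from GUP\tPC-0104\tgup-site-01
2012-11-05 09:05:02\tFailed to download from GUP\tPC-0104\tgup-site-01
2012-11-05 10:05:02\tFailed to download from GUP\tPC-0103\tgup-site-02
"""


def parse_lines(text):
    """Turn the export into a list of dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, event, client, server = parts
        records.append({"time": ts, "event": event, "client": client, "server": server})
    return records


def summarize(records):
    """Per-client counts: successful GUP downloads, GUP failures, and server (1/4) events."""
    per_client = defaultdict(lambda: {"used_gup": 0, "failed_gup": 0, "server_events": 0})
    for r in records:
        counts = per_client[r["client"]]
        if r["event"] == EVENT_USED_GUP:
            counts["used_gup"] += 1
        elif r["event"] == EVENT_FAILED_GUP:
            counts["failed_gup"] += 1
        elif r["event"] in (EVENT_CANNOT_REACH, EVENT_RECONNECTED):
            # Counted but not interpreted: the post notes it is unclear
            # whether "server" here means the SEPM.
            counts["server_events"] += 1
    return dict(per_client)


def bypass_candidates(summary):
    """Clients that failed against a GUP and never succeeded: likely falling back to the SEPM."""
    return sorted(c for c, s in summary.items() if s["failed_gup"] > 0 and s["used_gup"] == 0)


if __name__ == "__main__":
    summary = summarize(parse_lines(SAMPLE_LOG))
    for client, counts in sorted(summary.items()):
        print(client, counts)
    print("bypass candidates:", bypass_candidates(summary))
```

A client such as PC-0104 that failed once but also succeeded once is deliberately not flagged; a single retry failure is normal, and the point is to find machines that never get content from their GUP.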

EssKay (Partner, Accredited) | 11 Nov 2012 | Votes: 0

I only ever seem to see 1 & 4. Tried this over the past few days.

I can though see connections to each GUP throughout the day from other clients on port 2967.

Any ideas?

Regards,

Dean

Ian_C. (Partner) | 11 Nov 2012 | Votes: 0

Hmmm, interesting.

"... see connections to each GUP throughout the day from other clients ..."

Sounds to me like your GUPs don't know they are supposed to be GUPs.

  • Do your GUPs accept connections on :2967?
  • Can you connect with a browser to http://gup-name:2967/?
  • Have you reviewed the SYLINK files from the client to see if they request http://gup-name:2967/*.dax?
  • Have you reviewed the SYLINK files from the GUP to see that it is serving the files?
  • Can you see the SharedUpdates folder on the GUP?

Please mark the post that best solves your problem as the answer to this thread.

EssKay (Partner, Accredited) | 11 Nov 2012 | Votes: 0

Yes to all but number 3. I have read, though, that the "Client Activity" approach applies to 11.x RU7 and above. Given it's 11.0 RU6 it is probably not there. There are some plans to go to 12.1 RU2 when it is released, so will revisit then.

Until that upgrade is done I will scrape the IIS log for the data.

Thanks all for the help and assistance.

Regards,

Dean
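Scraping the SEPM's IIS log, as the post above says it will do, is the one approach in this thread that works from the SEPM alone on an 11.0 RU6 fleet. Below is an added example (not the poster's script and not a Symantec tool) that parses IIS W3C extended log lines and lists the client IPs that successfully fetched .dax content from the SEPM. The W3C field names are IIS's standard ones and port 8014 plus the .dax extension come from the thread; the log lines, IP addresses and the content path under /content/ are constructed and hypothetical. The GUPs themselves legitimately pull content from the SEPM, so their IPs are excluded, otherwise every GUP shows up as a "bypass" client.

```python
"""List clients downloading SEP content directly from the SEPM IIS site (added example).

Input is IIS W3C extended log text. The '#Fields:' header is honoured, so the
parser works whatever column order the server was configured with.
IIS writes '-' for empty fields and '+' for spaces inside a field, so splitting
on single spaces is safe.
"""
from collections import Counter

# Constructed sample log (hypothetical IPs and paths; port 8014 and .dax are from the thread).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-11-05 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-11-05 08:00:00 10.0.0.5 GET /content/EXAMPLE-MONIKER/121105001/121105001_121104001.dax - 8014 - 10.20.1.2 Mozilla/4.0 200 0 0 500
2012-11-05 08:00:01 10.0.0.5 GET /content/EXAMPLE-MONIKER/121105001/121105001_121104001.dax - 8014 - 10.20.1.15 Mozilla/4.0 200 0 0 312
2012-11-05 08:00:02 10.0.0.5 GET /content/EXAMPLE-MONIKER/121105001/121105001_121104001.dax - 8014 - 10.20.1.16 Mozilla/4.0 200 0 0 298
2012-11-05 08:00:03 10.0.0.5 GET /heartbeat-example - 8014 - 10.20.1.17 Mozilla/4.0 200 0 0 4
2012-11-05 08:00:04 10.0.0.5 GET /content/EXAMPLE-MONIKER/121105001/121105001_121104001.dax - 8014 - 10.20.1.15 Mozilla/4.0 304 0 0 2
2012-11-05 08:00:05 10.0.0.5 GET /content/EXAMPLE-MONIKER/121105001/Full.dax - 8014 - 10.20.1.18 Mozilla/4.0 404 0 2 1
2012-11-05 08:00:06 10.0.0.5 GET /admin-example - 8443 - 10.20.1.19 Mozilla/4.0 200 0 0 7
"""

CONTENT_EXTS = (".dax",)


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the latest '#Fields:' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def direct_content_clients(rows, port="8014", exts=CONTENT_EXTS, gup_ips=frozenset()):
    """Count successful (HTTP 200) content fetches per client IP on the SEPM content port.

    gup_ips: addresses of the GUPs, which are expected to fetch from the SEPM
    and therefore excluded from the result.
    """
    hits = Counter()
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if (r.get("s-port") == port and r.get("sc-status") == "200"
                and stem.endswith(exts) and r.get("c-ip") not in gup_ips):
            hits[r["c-ip"]] += 1
    return hits


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    # 10.20.1.2 is the (hypothetical) GUP for this sample.
    for ip, n in direct_content_clients(rows, gup_ips={"10.20.1.2"}).most_common():
        print(f"{ip}\t{n} direct content download(s)")
```

Only status 200 is counted: a 304 means the client already had the file and a 404 means nothing was delivered, so neither represents a successful bypass. On a real SEPM, point the parser at the daily log files under the IIS logging directory and feed it the GUP address list from the LiveUpdate policy.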

SMLatCST (Partner, Accredited) | 08 Nov 2012 | Votes: +1

Yup, that's what the second article is for :-)

Simpson Homer (Symantec Employee) | 05 Nov 2012 | Votes: +2

A new tool has been released by Product Management, SEP Content Distribution Monitor, that helps monitor GUP health and status as well as general content deployment. This is a lightweight, stand-alone tool designed to be run directly on the Symantec Endpoint Protection Manager (SEPM) server, and should return a graphical display of the content distribution status.

This monitor works with GUPs that are running 11.0.5 (SEP 11 RU5) or above. There is also a beta release of a tool which works with SEP 12.1 SEPMs and GUPs.

An introduction and tutorial webcast on the use of this tool can be viewed at the following location:

http://www.symantec.com/connect/videos/sep-content-distribution-monitor-introduction