Endpoint Protection


SEP client Liveupdate to Symantec server: Will it download deltas or full?

  • 1.  SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 07, 2014 11:10 PM

    Hi All,

    As per above.... I know that if we're using SEPM or GUP it will download deltas...

    How about if the client connects directly to the Symantec server (Internet)? What is the file size?


    Regards



  • 2.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Broadcom Employee
    Posted Jan 07, 2014 11:31 PM

    Yes, it downloads incremental updates.



  • 3.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Broadcom Employee
    Posted Jan 07, 2014 11:36 PM

    check this link

     

    Difference between a SEP GUP v/s LiveUpdate Administrator

    http://www.symantec.com/business/support/index?page=content&id=TECH198160

    The LiveUpdate Administrator is similar to Symantec LiveUpdate (internet)

    Provide incremental updates for out of date clients

    Yes (period configurable but typically 2-4 weeks)

    Yes (up to 1 year out of date)

     



  • 4.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 07, 2014 11:37 PM

    Hi Pete,

     

    Thanks for the reply

     

    Is it the same sizing as per the GUP/SEPM concept?

    So basically it's better if we force the client to check the internet daily rather than weekly to avoid a 'full' download, right?




  • 5.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 07, 2014 11:42 PM

    Right, sir,

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

     

    http://www.symantec.com/business/support/index?page=content&id=TECH131528



  • 6.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Broadcom Employee
    Posted Jan 07, 2014 11:51 PM

    Yes, it has to be checked frequently for content updates. If not, the incremental content size will be big compared to the day-to-day size.



  • 7.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 08, 2014 03:06 AM

    Yes, you will avoid full downloads, but even then the updates from the internet may be a bit bigger than deltas created by SEPM. If you can and your environment allows it, SEPM content distribution is always the preferred way to go. It creates the smallest overhead on network connections to the internet, as updates are downloaded only once and then distributed within the LAN.



  • 8.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 08, 2014 05:30 PM

    Noted Sebastian and Pete!

     

    Do you have any reference for deltas sizing that can be shared?

    (for LU direct to Symantec server/Internet obviously)

     

     

    The issue here is that the users are very mobile (on laptops) but sometimes they are at branches.... and these branches don't have infra for GUP.... so they require direct updates from the internet via a small link (1-2 Mbps line)



  • 9.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 08, 2014 05:58 PM

    Have a look at the last post from Mick in the following thread, which elaborates a bit on that:

    https://www-secure.symantec.com/connect/forums/sep-average-update-size

    ...hard to say though about any specific numbers, as the size can really vary on a monthly basis, depending on how many virus signatures have been added during the month.



  • 10.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Trusted Advisor
    Posted Jan 08, 2014 06:26 PM

    Hello,

    Delta is the difference in the signature (virus/ips) definition size of the one that is present on the client to the one that is present on SEPM.

    For a more in-depth understanding, you can check Log.liveupdate (in case of SEP 11.x) and Log.lue (in case of SEP 12.1)

    Log.liveupdate could be found under -

    Windows 2003: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate
    Windows 2008: C:\ProgramData\Symantec\LiveUpdate

    https://www-secure.symantec.com/connect/articles/about-liveupdate-symantec-endpoint-protection-version-121-0

    whereas,

    Log.lue could be found under -

    On Windows XP and Windows server 2003:
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo_id>\Data\Lue\Logs
    On Windows Vista, Windows 7, and Windows Server 2008:
    C:\Program Data\Symantec\Symantec Endpoint Protection\<version number>\Data\Lue\Logs

    Look for "estimated file size". This file size will indicate the total package size that was requested from the SEPM.

    NOTE: The value would be in bytes, so a full content update will be around 77 MB (77,000,000 bytes).

    Again,

    What are the sizes of the various packages that are sent between the Symantec Endpoint Protection client and manager?

    The following are estimates of the size of packages that are sent between the Symantec Endpoint Protection client and manager:

    Heartbeat (with no updates to be exchanged) - When there is no traffic to be exchanged (i.e. no profile to download and no logs to update) then the heartbeat is between 2 KB/s and 3 KB/s.

    Policies (i.e. AV/AS, Firewall, OS Protection, Host Integrity) - Typically varies between 20 KB and 80 KB, but can increase if detailed rules are included, or OS protection templates are used. Generally, after you set your policies to suit your network needs, you do not modify them on a regular basis.

    IPS Signature Updates - Files range between 50 KB and 100 KB. Symantec supplies updates approximately every quarter unless a specific threat or vulnerability needs to be addressed.

    AV Signatures - 50 KB to 100 KB daily for clients, if you assume that the signatures are updated successfully every day.

    Logs - Logs are compressed at the client before they are uploaded to the Symantec Endpoint Protection Manager.

    Approximately, 800 log entries take up 1 KB of file space.

    Hope that helps!!




  • 11.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Trusted Advisor
    Posted Jan 09, 2014 04:56 AM

    Hi cus000

     

    If you have enough space on the SEPM server you can also increase the content revisions stored so that you can reduce the amount of files downloaded by the machines. So if machines have been offline for a week or so and can communicate/update from the SEPM/GUP, they will pull the incremental updates they need directly from there, dependent on how many you've stored. This saves you having multiple machines connecting out to the internet and reduces internal network usage.

    Roughly, Symantec releases 3-4 revisions a day, so 21-28 revisions would cover you for a week. These can be stored zipped (to save space, but it takes slightly longer to extract what you need) or unzipped (slightly more space needed on the SEPM server but faster accessing and updating). Each revision is roughly between 250-300 MB in size, so they can take up quite a bit of space.

    Admin > Servers > Local Site right click edit properties > LiveUpdate > Adjust content revisions.

    By default, the Symantec Endpoint Protection Manager downloads and keeps a particular number of virus definition revisions in its repositories based on the type of install performed:

    • Simple or Default: A management server that manages fewer than 100 clients and uses an embedded database. By default, the number of content revisions to keep is three (3).
    • Advanced: A management server that manages more than 100 clients, or if you want to customize the configuration. By default, the number of content revisions depends on the number of clients indicated:
      • Between 100 and 500 = three (3) revisions
      • Between 500 and 1,000 = ten (10) revisions
      • More than 1,000 = 30 revisions

    This number can be lowered to help reduce the amount of disk space that is used by content revisions. However, the Symantec Endpoint Protection Manager must have previous content revisions stored in order to create a "delta" file, or differential file, capable of updating a client from its version of that content type to the most recent type. Therefore, if you reduce the number of content revisions that the SEPM stores, the clients may download larger deltas or full package downloads depending on their current content revision date.

    Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH92225



  • 12.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 09, 2014 06:09 AM

    SEP clients and SEPM will always download the full definitions from the internet.

    The full definition downloaded by a SEP client is approx. 300 MB.

    Delta definitions can be downloaded only from SEPM or LUA. The GUP just acts as an intermediate between the clients and SEPM. The GUP doesn't have the capability to prepare the delta defs by itself.

    The delta defs prepared by SEPM are far better than the delta defs prepared by LUA.

    The size of the delta defs differs with respect to the definitions that are already on a client. Hence the delta definition required by each client may be different. They are not always the same.

    E.g.: A client with yesterday's def needs the differential package between today's def and yesterday's def. But a client with a 3-day-old def needs a differential package between today's def and the 3-day-old def.

    The delta package is always a single file. It is prepared by SEPM only on request from a client. If a second client requests the same delta package, the package is reused.

    A delta package can be created for a client only if the SEPM has a copy of the definition that is currently on the SEP client that is requesting the update. If the SEPM doesn't have a copy of the definition that is currently on the SEP client (that is requesting the update), then the delta package cannot be created and hence a full.zp is sent to that client.
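
The delta-versus-full decision described in posts 11 and 12, as an added example that is not part of the original thread and is not Symantec code: a simplified Python model in which a server keeps the last `keep` revisions, builds a delta only when it still holds the client's current revision, reuses a delta it has already built, and otherwise sends the full package. The class and function names, the integer revision ids and the laptop fleet are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ContentServer:
    """Simplified model of the delta/full decision described in this thread."""
    keep: int                                        # content revisions to keep (>= 1)
    revisions: list = field(default_factory=list)    # retained revisions, oldest first
    delta_cache: dict = field(default_factory=dict)  # (from_rev, to_rev) -> package name
    builds: int = 0                                  # delta packages actually built

    def publish(self, rev):
        self.revisions.append(rev)
        del self.revisions[:-self.keep]              # prune beyond the retention setting

    def request(self, client_rev):
        latest = self.revisions[-1]
        if client_rev == latest:
            return "up-to-date"
        if client_rev not in self.revisions:
            return "full"                            # no base copy retained: full package
        key = (client_rev, latest)
        if key not in self.delta_cache:              # built on first request only
            self.builds += 1
            self.delta_cache[key] = f"delta_{client_rev}_to_{latest}"
        return "delta"                               # identical later requests reuse it


def simulate(keep, revs_per_day, days_behind):
    """Return ({client: outcome}, deltas_built) for clients N days out of date."""
    server = ContentServer(keep=keep)
    latest = max(days_behind.values()) * revs_per_day  # constructed integer revision ids
    for rev in range(latest + 1):
        server.publish(rev)
    outcome = {name: server.request(latest - days * revs_per_day)
               for name, days in days_behind.items()}
    return outcome, server.builds


if __name__ == "__main__":
    # Constructed fleet: days since each laptop last updated.
    fleet = {"laptop-a": 1, "laptop-b": 1, "laptop-c": 3, "laptop-d": 7}
    for keep in (3, 10, 30):  # retention values taken from the defaults quoted in post 11
        print(keep, simulate(keep, 3, fleet))
```

With three revisions a day, a retention of 3 leaves every laptop in this fleet on a full download, 10 covers the laptops up to three days behind, and 30 covers the week-old one as well.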



  • 13.  RE: SEP client Liveupdate to Symantec server: Will it download deltas or full?

    Posted Jan 16, 2014 02:10 AM

    I appreciate all the comments...

    I guess some of you have misread or misunderstood my topic.... I've no issue with GUP or SEPM... my concern is the SEP client which downloads directly from the internet (via LU to the Symantec server)

    Since @pete4u_2002 mentioned that Symantec itself is using LUA to host LU downloads for worldwide clients....

    Will any of you be able to share what Symantec's incremental setting is for their LUA?

    Is it 7 days? I can see Elisha's answer below:

     

    https://www-secure.symantec.com/connect/forums/sep-average-update-size

     

    thanks!