Endpoint Protection


SEP Client - Server High network load


  • 1.  SEP Client - Server High network load

    Posted May 22, 2012 09:39 AM

    I have a problem with many of the clients downloading very much from SEPM. Some of the clients have been loading hundreds of MB / day.

    Defs are up to date, but clients are still downloading.

    Client versions are 11.0.7000.975 or 12.1.1000.157

    SEPM 12.1.1000.157 Ru1

    Which logging should I turn on in SEPM to see what clients are downloading from SEPM?



  • 2.  RE: SEP Client - Server High network load

    Posted May 22, 2012 10:06 AM

    Try Logs > Client Server Activity.

    This will give you information on where the clients download the definitions from.

    The following may help.

    Symantec Endpoint Protection clients download full definitions from Group Update Provider or from Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH122612

     

    With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates

    http://www.symantec.com/docs/TECH94916

     

    Hope this helps



  • 3.  RE: SEP Client - Server High network load

    Broadcom Employee
    Posted May 22, 2012 10:11 AM

    I would say enable logging on the client side as well, to watch what the client is downloading and the size of the definition.



  • 4.  RE: SEP Client - Server High network load

    Posted May 22, 2012 10:17 AM

    Call Support to get the defs cleared out, as it is very much possible the same defs might be getting pushed.

    Try configuring a GUP as NRaj suggested; it will surely help in controlling bandwidth.

    Also would like to know in how many remote locations clients are spread?



  • 5.  RE: SEP Client - Server High network load

    Broadcom Employee
    Posted May 22, 2012 10:59 AM

    Hi,

    Try running utility "Rx4DefsSEP" on 2-3 affected machines & cross check.

    http://www.symantec.com/business/support/index?page=content&id=TECH93036&locale=en_US



  • 6.  RE: SEP Client - Server High network load

    Posted May 22, 2012 02:10 PM

    Agree with Chetan, please try the exe; it might work.



  • 7.  RE: SEP Client - Server High network load

    Posted May 22, 2012 03:18 PM

    To narrow down which clients are downloading huge MBs from SEPM:

    1. Enable Apache Access Logs

    1. In a text editor, open the file drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf.
    2. In the httpd.conf file, remove the hash mark (#) from the following text string and then save the file:

      #CustomLog "logs/access.log" combined

    3. If the client uses HTTPS communication, open drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf, remove the hash mark (#) from the following text string and then save the file:

              #CustomLog "logs/ssl_access.log" ....

    2. Enable Apache Error Log - to INFO level

    In the "httpd.conf" file, change LogLevel warn to

    LogLevel info

    3. Restart SEPM server and Apache

    Stop and restart the Symantec Endpoint Protection Manager service and Apache HTTP server:

    See Stopping and starting the management server service.

    See Stopping and starting the Apache Web server.

     

    4. Allow a few hours for SEPM to log all download activities.

    5. Analyze logs [or upload Apache logs for analysis].

    The Apache error log is located under %SEPM install folder%\apache\logs\error-****.log, and will contain the client IPs that are downloading large files. Typical log message:

    e.g: [Mon Jun 06 14:03:48 2011] [info] [client xxx.xxx.xxx.xxx] Thread(3036) TransmitFile done, socket: 00316, bytes xfer: 2854271,Threads ready: 328, url:
    GET /content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}/110603008/.......  HTTP/1.0

    The Apache access logs are located under %SEPM install folder%\apache\logs\access-****.log; this file will also contain the client IPs that are downloading files and the download sizes.

    6. After log analysis, revert the above changes to the original settings and restart the SEPM and Apache services.
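
The log analysis from step 5 above, sketched in Python as an added example (not part of the original post and not a Symantec tool): it totals `bytes xfer` per client IP from the error log's `TransmitFile done` entries and lists content that a client fetched more than once, the looping pattern raised later in the thread. The sample log lines, their IP addresses and the file names `full.zip` and `example-delta.bin` are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Format of the "TransmitFile done" entry quoted in the post above.
XFER = re.compile(r"\[client (?P<ip>[^\]]+)\].*TransmitFile done.*"
                  r"bytes xfer: (?P<bytes>\d+).*url:\s*GET (?P<path>\S+)")
CONTENT = re.compile(r"^/content/(\{[0-9A-Fa-f-]+\})/(\d+)/(\S*)$")

# Constructed sample: documentation-range IPs, file names are placeholders.
SAMPLE = """\
[Mon Jun 06 14:03:48 2011] [info] [client 192.0.2.10] Thread(3036) TransmitFile done, socket: 00316, bytes xfer: 2854271,Threads ready: 328, url:
GET /content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}/110603008/full.zip  HTTP/1.0
[Mon Jun 06 14:20:02 2011] [info] [client 192.0.2.10] Thread(3040) TransmitFile done, socket: 00320, bytes xfer: 2854271,Threads ready: 327, url: GET /content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}/110603008/full.zip  HTTP/1.0
[Mon Jun 06 14:21:10 2011] [info] [client 192.0.2.22] Thread(3041) TransmitFile done, socket: 00321, bytes xfer: 40960,Threads ready: 327, url: GET /content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}/110603008/example-delta.bin  HTTP/1.0
[Mon Jun 06 14:22:00 2011] [warn] [client 192.0.2.22] constructed unrelated message
"""

def records(text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Per client IP: total bytes, transfer count, fetches per (content GUID, revision, file)."""
    stats = defaultdict(lambda: {"bytes": 0, "transfers": 0, "fetches": defaultdict(int)})
    for rec in records(text):
        m = XFER.search(rec)
        if not m:
            continue  # not a completed-transfer entry
        s = stats[m["ip"]]
        s["bytes"] += int(m["bytes"])
        s["transfers"] += 1
        c = CONTENT.match(m["path"])
        if c:
            s["fetches"][c.groups()] += 1
    return stats

def heavy_clients(text, min_bytes):
    """Clients at or above min_bytes, largest first, with any content fetched more than once."""
    rows = []
    for ip, s in summarize(text).items():
        repeats = {k: n for k, n in s["fetches"].items() if n > 1}
        if s["bytes"] >= min_bytes:
            rows.append((ip, s["bytes"], s["transfers"], repeats))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Calling `heavy_clients(open(path).read(), threshold)` on a real error log gives the same rows; a non-empty last column means the client pulled the same content revision repeatedly.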

     

     



  • 8.  RE: SEP Client - Server High network load

    Posted May 22, 2012 05:48 PM

    Also would like to know in how many remote locations clients are spread?

    Will you accept 30-35? We have locations with as few as five PCs per location, but we have locations throughout the world, being an international airline. This has happened all over the show for us.



  • 9.  RE: SEP Client - Server High network load

    Posted May 22, 2012 05:52 PM

    Enable Apache Access Logs

    This would be using the tools that you have control over. BTW, there are many HTTP log analyzers that can summarize the data for you instead of having to manually read the log file line by line.

    Our networking team has got some WAN/LAN management software configured that can tell us which clients are causing the heavy traffic. This would be based on source, destination and traffic type. So, speak to your network team, they might already have answers for you.



  • 10.  RE: SEP Client - Server High network load

    Posted May 29, 2012 06:01 AM

    Hmmm... one thing to check is HDD space.

    Make sure the clients have enough free space; I've seen download looping due to this.



  • 11.  RE: SEP Client - Server High network load

    Posted Oct 15, 2012 04:00 AM

    Chetan and all, do you know how the client will work if it cannot install defs? Will it try to download the same defs over and over again?

     

     



  • 12.  RE: SEP Client - Server High network load
    Best Answer

    Broadcom Employee
    Posted Oct 15, 2012 04:49 AM

    Hi,

    There is a possibility that if the definitions are older/corrupt, then the client downloads the defs over and over again.

     

     



  • 13.  RE: SEP Client - Server High network load

    Posted Oct 17, 2012 08:30 PM

    Hm.. is there any way to know if the old virus def is corrupted?



  • 14.  RE: SEP Client - Server High network load

    Posted Oct 17, 2012 10:20 PM

    You can use Wireshark to filter on PCs that download full.zip. This could be an indication.



  • 15.  RE: SEP Client - Server High network load

    Posted Oct 18, 2012 12:43 AM

    Thanks Brian,

    I guess this is another IDEA to submit to the SEP community :-)