Endpoint Protection

  • 1.  SEP creating a LOT of traffic

    Posted Feb 20, 2015 05:03 PM

    Our network security people are complaining that SEP is creating a LOT of unnecessary traffic, but we simply cannot find what is causing so much traffic. We've had multiple tickets open on this particular problem with Symantec Technical Support, we've throttled the bandwidth, and made all of our servers GUPs, and SEP continues to constantly generate gigs and gigs of traffic (~30 GB), saturating our network. We (still) do not know what the problem is.

    On one of our reporting tools, it has been observed that in 6 hours, SEP created 72,800 status code 500 errors when some of our devices try to connect to the GUP.  It states that the error message is specific to SECREG.DLL on the SEPM server.

    I'm reaching out to anyone reading this with similar problems, and to ask if there's any way, once and for all, to fix this problem WITHOUT upgrading to the latest version.  We are talking about a production server, and we CANNOT upgrade this server due to the critical nature of the environment it's installed in, so please do not suggest we upgrade to the latest version.  We need to get this version working.

    We are using SEPM version 12.1.4104.4130.  The attached screen capture is from our reporting tool for SEP HTTP errors by URI.

    Thank you.



  • 2.  RE: SEP creating a LOT of traffic

    Posted Feb 20, 2015 06:20 PM

    Do you mean the SEPM is generating this much traffic? Have you enabled something like Wireshark on it to see the connections being made?

    Perhaps there are some clients trying to download full.zip files.

    Using Wireshark to detect full.zip downloads on SEP client machines

    You'll want to watch for traffic over tcp/8014



  • 3.  RE: SEP creating a LOT of traffic
    Best Answer

    Posted Feb 21, 2015 12:34 PM

    What's your maximum disk cache size on the GUPs? The default setting (500 MB) is far too small because one single AV/AS full.zip file is 600 MB already (and constantly growing). Change it to at least 2000 MB:

    Clients > [Group] > Policies > LiveUpdate Settings policy > Server settings > Use GUP > Maximum disk cache size allowed for downloading updates

    Generally, in the SEPM logs you can check whether the clients or the GUPs are downloading full content or delta files. Here is an excellent article on this topic:

    How can we check which content SEP 12.1 clients are downloading from GUP?

    #Edit

    How many content versions are you saving on the SEPM? The more versions, the smaller the probability that the clients have to download full.zip files. And please don't answer in capitals (I've read your post :-), but an upgrade may help you because 12.1.5 can save far more content versions than the previous versions.



  • 4.  RE: SEP creating a LOT of traffic

    Posted Feb 23, 2015 05:16 PM

    Thanks to all who responded!

    The maximum disk cache is set to 1,204 kb out of the box.  This has never been changed but if this is where the problem is, who can recommend a better setting?  We keep 42 definition revisions, and the current setting is still creating huge bandwidth issues.

    Default port: 2967

    Maximum disk cache: 1024 kb

    Delete content updates if unused:  3 days

    Maximum number of simultaneous downloads:  10

    Bandwidth allowed:  Up to 90 kbps

    Setting the Bandwidth allowed resolved one of our bandwidth issues, but this current one is still outstanding.

    (Greg12, see no caps!)  :)



  • 5.  RE: SEP creating a LOT of traffic

    Posted Feb 23, 2015 07:36 PM

    May want to increase that disk cache, can you double it?



  • 6.  RE: SEP creating a LOT of traffic

    Posted Feb 24, 2015 12:30 PM

    1024 MB may be too low. If you have a mixed environment (32-bit and 64-bit OSs), you need more space. 2,048 KB or more should be sufficient for now. That's enough for two full-grown AV/AS files and other content stuff and delta files.

    In your settings, 90 kbps is REALLY low. 600 MB (worst case) would take more than 15 hours to download if I calculate correctly. Have a look at this article:

    Symantec Endpoint Protection clients are not able to download antivirus definitions from the Group Update Provider.

    You can check the GUP cache folder, it's here (assuming you're using default location):

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<Version>\Bin\SharedUpdates

    The big full.zip files are #content#{07B...Full!zip and #content#{535C...Full!zip (64 and 32-bit AV/AS content). Maybe one full.zip file is blocking the other one (600 * 2 > 1024).

    BTW, are the clients up to date? If yes, from where are they downloading?

    Is the SEPM (NOT the clients) updating every 4 hours or daily?

    P.S.: Sorry for the caps ... couldn't resist ;-)
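    The cache-sizing argument in the reply above (two 600 MB full packages cannot both fit in a 1024 MB cache) can be checked directly on a GUP. The script below is an added example for this thread, not Symantec code and not from any poster: it walks the SharedUpdates folder, separates the files whose names end in "Full!zip" from everything else, and reports whether the configured "Maximum disk cache size" can hold all of them at once. The folder path, the file-name pattern and the sample file names are assumptions taken from this thread; the demo builds a constructed cache in a temporary folder so it runs offline.

```python
"""Check a SEP Group Update Provider (GUP) cache folder against the configured
"Maximum disk cache size" policy value.

Added example for this thread; not Symantec code and not from any poster.
Assumptions: the cache folder is the SharedUpdates folder quoted in the thread,
full-content packages are the files whose names end in "Full!zip", and the
policy value is passed in as MB (convert first if the SEPM shows KB).
"""
import math
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Default cache location quoted in the thread; <Version> is the installed build.
DEFAULT_SHARED_UPDATES = (r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"
                          r"\<Version>\Bin\SharedUpdates")
FULL_SUFFIX = "Full!zip"   # assumed: full-content package names end like this
MIB = 1024 * 1024


@dataclass
class CacheReport:
    max_cache_mb: int
    full_files: dict = field(default_factory=dict)   # file name -> size in bytes
    other_bytes: int = 0                              # deltas and other content

    @property
    def full_total_mb(self) -> float:
        return sum(self.full_files.values()) / MIB

    @property
    def fits(self) -> bool:
        """True if every full package seen plus the rest fits within the cache limit."""
        return sum(self.full_files.values()) + self.other_bytes <= self.max_cache_mb * MIB

    @property
    def recommended_mb(self) -> int:
        """All full packages with 50% headroom (growth, deltas), rounded up to 256 MB."""
        need = sum(self.full_files.values()) * 1.5 + self.other_bytes
        return int(math.ceil(need / (256 * MIB)) * 256)


def check_gup_cache(path: str, max_cache_mb: int) -> CacheReport:
    """Walk the cache folder once and classify files as full packages or other content."""
    report = CacheReport(max_cache_mb=max_cache_mb)
    with os.scandir(path) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            size = entry.stat().st_size
            if entry.name.endswith(FULL_SUFFIX):
                report.full_files[entry.name] = size
            else:
                report.other_bytes += size
    return report


def build_sample_cache(path: str) -> None:
    """Constructed sample: a 64-bit and a 32-bit AV/AS full package of 600 MiB
    each (the size cited in the thread) plus one small delta. The names are
    made up; the files are created sparse so they use no real disk space."""
    sample = {
        "#content#{EXAMPLE-64BIT}Full!zip": 600 * MIB,
        "#content#{EXAMPLE-32BIT}Full!zip": 600 * MIB,
        "#content#{EXAMPLE-64BIT}Delta!zip": 12 * MIB,
    }
    for name, size in sample.items():
        with open(os.path.join(path, name), "wb") as f:
            f.truncate(size)


def demo(max_cache_mb: int) -> CacheReport:
    """Run the check against the constructed sample in a temporary folder."""
    tmp = tempfile.mkdtemp(prefix="gup-cache-")
    try:
        build_sample_cache(tmp)
        return check_gup_cache(tmp, max_cache_mb)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # 500 = product default, 1024 = the poster's value, 2048 = the value suggested above
    for limit in (500, 1024, 2048):
        r = demo(limit)
        print(f"limit {limit} MB: {len(r.full_files)} full packages, "
              f"{r.full_total_mb:.0f} MiB -> fits={r.fits}, recommended >= {r.recommended_mb} MB")
```

    On a real GUP, call `check_gup_cache(DEFAULT_SHARED_UPDATES.replace("<Version>", "<installed build>"), <policy value in MB>)` instead of `demo`; a report with `fits == False` means the cache cannot hold every full package at once, which is the eviction scenario described above.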



  • 7.  RE: SEP creating a LOT of traffic

    Posted Feb 24, 2015 02:05 PM

    Thanks Greg12 and Brian, I've 'upped' the Maximum disk cache size to 2048 mb.

    Actually, the 90 kbps setting for the bandwidth allotment was recommended by Symantec Tech Support a couple of weeks ago.  This was in order to accommodate the lowering of the bandwidth issue we had.  Yes, we realize it will take longer for all of the downloads to complete, but SEP won't be saturating our network with this setting - it will be constant, but not overwhelming.  If the cache size helps to correct our issue, then we can slowly increase it until a reasonable bandwidth setting is reached.

    I appreciate all the help you're giving me.  I'll continue to monitor the new settings with our Network Support group and hopefully this will solve the problem.

    Is there any inherent danger in increasing this still further?  Would that do anything?

    Dan



  • 8.  RE: SEP creating a LOT of traffic

    Posted Feb 24, 2015 06:21 PM

    No inherent danger as I see it.

    BTW, with your settings (in particular with 90 kbps) you should guarantee that the SEPM has a complete line of content revisions without gaps, so it should update itself every 4 hours to get the three revisions Symantec is delivering daily.

    Otherwise clients that are updating themselves via LiveUpdate (internet) may have a content revision that does not match any content revision on the SEPM (because there is a gap). In this case the SEPM cannot deliver a delta file and will send a full.zip file. Of course it's possible to prevent the clients from downloading from LiveUpdate servers (LU policy).
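    The gap argument above (a delta is only possible when the client's revision is one the SEPM still holds, and a daily SEPM schedule misses two of the three revisions Symantec publishes per day) can be modelled in a few lines. The simulation below is an added example, not Symantec code and not from any poster. Its schedule is an assumption: three revisions a day at 00:00, 08:00 and 16:00, a SEPM LiveUpdate task running at a fixed interval from 00:00, and revisions numbered sequentially from 0.

```python
"""Model the delta-vs-full decision described in this thread: a client gets a
delta only if its current content revision is among the revisions the SEPM
still holds; otherwise the SEPM must send full.zip.

Added example; not Symantec code and not from any poster. Constructed
assumptions: three revisions per day at the hours below, SEPM polls at a fixed
interval starting at hour 0, keeps the newest `keep` distinct revisions it
downloaded, and revisions are numbered 0, 1, 2, ... in publication order.
"""

RELEASE_HOURS = (0, 8, 16)   # assumed: three content revisions per day


def published_revisions(days: int) -> list[tuple[int, int]]:
    """(publication hour, revision number) for every revision released in `days` days."""
    per_day = len(RELEASE_HOURS)
    return [(day * 24 + hour, day * per_day + i)
            for day in range(days)
            for i, hour in enumerate(RELEASE_HOURS)]


def sepm_revisions(days: int, poll_hours: int, keep: int) -> list[int]:
    """Revisions the SEPM holds after `days` days of polling every `poll_hours` hours.

    Each poll fetches the newest revision published at or before the poll time;
    the SEPM keeps only the last `keep` distinct revisions (oldest purged first).
    """
    published = published_revisions(days)
    held: list[int] = []
    for t in range(0, days * 24, poll_hours):
        latest = max((rev for hour, rev in published if hour <= t), default=None)
        if latest is not None and latest not in held:
            held.append(latest)
    return held[-keep:]


def needs_full_zip(held: list[int], client_revision: int) -> bool:
    """The rule stated in the thread: no matching revision on the SEPM -> full.zip."""
    return client_revision not in held


def full_zip_clients(held: list[int], client_revisions: list[int]) -> list[int]:
    """Which of the given client revisions would trigger a full.zip download."""
    return [r for r in client_revisions if needs_full_zip(held, r)]


if __name__ == "__main__":
    DAYS, KEEP = 14, 42                       # 42 kept revisions, as in the poster's setup
    clients = [40, 41, 25, 10]                # constructed: revisions seen on four clients
    for poll in (4, 24):
        held = sepm_revisions(DAYS, poll, KEEP)
        print(f"SEPM polls every {poll:2d}h: holds {len(held)} revisions, "
              f"full.zip needed for clients at {full_zip_clients(held, clients)}")
```

    With 4-hour polling the SEPM holds all 42 revisions of the fortnight and only a client that has fallen outside the retention window needs a full package; with daily polling it holds just 14 of them, so any client that took an intermediate revision from Symantec LiveUpdate gets a full.zip even though it is nearly current.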



  • 9.  RE: SEP creating a LOT of traffic

    Posted Feb 24, 2015 06:35 PM

    Thanks, I'll leave it at 90 kbps until our network people tell me that the bandwidth usage has dropped down to an acceptable level, then keep nudging it higher until it's satisfactory.  I understand it's small, but if this setting helps to prevent the bandwidth issues we've been having I'd rather keep it smaller than normal, even if it takes a long time for the definitions to arrive.

    All of the devices in our network connect to the GUP at each location to obtain updates, so it won't be the clients (POS systems and separate workstations) connecting to the Internet or a LiveUpdate server.  So it will be only the GUP that connects to the SEPM for definition updates.