Endpoint Protection

Hi,

Since june 2,2009 my SEP server started utilizing high internet traffic that reaches up to 1 Mbps for a continuos 7-to-10 minutes, then repeats again after around 5 minutes (3GB of traffic daily!!). I used Windows TCPview and found the traffic between a process named (LUcomServer_3_3.exe) and (xx.xx.xxx.xx.deploy.akamaitechnologies.com).
I'm using SEP version 11.0.4014 and the default update policy (recommended by SEP) all clients update through the management server.
 
Why is this happening??!

Regards,
Omar

is it 3 GB to Akmai server, its meant for downloading signatures...

Are you running LU administrator on this machine?

Cheers
Pete!

Hi Omar,

                 The issue mentioned by you seems to occur when the virus definitions are either being downloaded or being deployed to the clients. To narrow down on this issue please check the traffic logs and also check the time when the SEPM is configured to pull the definitions from the internet and also the time when the clients download it from the server. If the time configured to download the definitions is during you production hours please change it to sometime when most of the clients are not logged on this would help you reduce the traffic over the  network as well. Please revert in case of further assistance.

Yes around (3GB) Total daily traffic between my server and akamai servers ONLY!!

@Omar: is LU admin too installed on same machine. If yes that could be the cause.

@Sandip: Assuming that the deifnition downloade form Symantec LiveUpdate 9internet) to SEPm is incremental, it should not go beyond few MB's. Even if full download should be around ~50 MB ( considering the JDB file size). 3 GB is crazy , right?

cheers
Pete

This is happening all the time and every 5 minutes, 90% of the traffic received from Akamai. 

how can I check the time when the updates being downloaded as I;m using the default live update policy? 

I'm not sure if LU admin is installed with SEP server automatically, I installed the SEP server as a freash copy without any additional installations.
how can I check??

and note that this issue started on June,2nd before this date everything was running fine!!

hi,
check in add/remove program for the Live update administrator entry to see if its installed.

LU should not be checking every 5 minutes, if thats the case then you might have enabled the continuous Liveupdate ..check remove it from configuration.

cheers
Pete

I have only one entry called "Live Update 3.3 (Symantec Corporation)" ..
 

Finally I found a solution, I think it was a problem with the Live update..
I uninstalled Live update, then started a SEP manager Repair process from the CD and now it's working fine again. 

Finally I found a solution, I think it was a problem with the Live update..
I uninstalled Live update, then started a SEP manager Repair process from the CD and now it's working fine again.