Endpoint Protection


SEP12.1.4013 - Clients won't update Definitions

  • 1.  SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 05:38 AM

    Hi,

    We have to manage ~80 clients and recently moved the SEPM to a newer and faster server. The clients connect to the correct server, getting new policies as configured (30 min) and reporting the status correctly and in time to the SEPM.

    Now we've got a problem with updating the clients via the management server.

    The management server gets the correct definitions constantly from the LiveUpdate server (normal Symantec - no LUA, confirmed). The clients can download the newest definitions from the LiveUpdate server (Symantec) if enabled.

    But when External LiveUpdate is disabled, the clients can't get updates in time. The strange thing: some clients get an update a period of 3-5 days (Update Check is set to 30 min, download randomization is set to 60 minutes).

    Please help us fix this!

    Another question: is there a way to force the client to search for updates? (Management server - not LiveUpdate (normal Symantec))

    Thank You!

    Greetings



  • 2.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 05:47 AM

    Whenever SEPM has defs, they will be pushed to clients.

    Have you checked if clients are connected to SEPM with a green dot on them?

    Admin > Servers > Show LiveUpdate Downloads (do you see the latest defs downloaded from SEPM?)

     



  • 3.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 05:56 AM

    Sorry, I forgot to mention that the communication settings are set to Pull mode (tested Push, same result).

    Every online client has the blue(bold) computer with the green dot.

    The SEPM already downloaded the latest definitions (checked), and says: "No updates found for XXX"



  • 4.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 06:49 AM

    Did you check the date on SEPM? Sometimes it would say all defs are up to date but it won't download defs.

    Enable sylink logging and please post the logs.

    http://www.symantec.com/business/support/index?page=content&id=TECH104758



  • 5.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 07:16 AM

    It says:

    which according to http://www.symantec.com/security_response/definitions.jsp seems to be correct.

    OK, I'll post the log in around an hour.



  • 6.  RE: SEP12.1.4013 - Clients won't update Definitions

    Broadcom Employee
    Posted Jan 17, 2014 07:42 AM

    Hi,

    Thank you for posting in Symantec community.

    Q. When External LiveUpdate is disabled, the clients can't get updates in time. The strange thing: some clients get an update a period of 3-5 days (Update Check is set to 30 min, download randomization is set to 60 minutes).

    --> How do you disable External LiveUpdate? Clients talk with SEPM according to heartbeat interval settings. Have you tried to check the source of an update when clients get an update a period of 3-5 days?

    Q. Is there a way to force the client to search for updates?

    --> It depends upon configuration; clients will check the available SEPMs according to the received MSL (Management Server List).



  • 7.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 07:57 AM

    Enable sylink logging on an affected client and post the log here

    How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

    http://www.symantec.com/docs/TECH104758



  • 8.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 08:25 AM

    @Chetan Savade

    A: I created a new LiveUpdate policy in which only "Use the default management server" is checked and not "Use a LiveUpdate server" which results in a gray LiveUpdate link in the SEP Clients.

    A: I meant a similar link in a SEP Client like LiveUpdate, where the default management server is asked if there are new updates and not the external Symantec one.

     

    @Rafeeq & _Brian

    I attached the log (anonymized). The monitored client managed to get an update after the last entry (typical... monitor something and it works...). I have to monitor another client, but not today. I have some other work to do. I'm back on Monday.

    I wish you a nice weekend!



  • 9.  RE: SEP12.1.4013 - Clients won't update Definitions

    Broadcom Employee
    Posted Jan 17, 2014 08:47 AM

    Hi,

    For 80 clients I would suggest changing the heartbeat interval to "Push mode" and the randomization window to 5 mins. If all the clients are in the same LAN then there shouldn't be any concern.

    Why did you change default settings?

    You can enable or disable the randomization function. The default setting is enabled. You can also configure a randomization window. The management server uses the randomization window to stagger the timing of the content downloads. Typically, you should not need to change the default randomization settings.

    In some cases, however, you might want to increase the randomization window value. For example, you might run the Symantec Endpoint Protection client on multiple virtual machines on the same physical computer that runs the management server. The higher randomization value improves the performance of the server but delays content updates to the virtual machines.

    You also might want to increase the randomization window when you have many physical client computers that connect to a single server that runs the management server. In general, the higher the client-to-server ratio, the higher you might want to set the randomization window. The higher randomization value decreases the peak load on the server but delays content updates to the client computers.

    In a scenario where you have very few clients and want rapid content delivery, you can set the randomization window to a lower value. The lower randomization value increases the peak load on the server but provides faster content delivery to the clients.

    Reference: http://www.symantec.com/docs/HOWTO55173
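
The trade-off described in the post above, as an added example that is not part of the original thread or Symantec's code: a small simulation of 80 pull-mode clients showing how heartbeat interval and randomization window shift worst-case definition delay against peak download load on the server. The delay model (next heartbeat spread uniformly over the interval, then a uniform wait inside the window) and all function names are assumptions made for illustration.

```python
import random

def simulate(clients, heartbeat_min, window_min, seed=1):
    """Return (worst_delay_min, peak_downloads_per_min) after the SEPM
    publishes new content at t=0.

    Assumed model (not taken from product documentation): in pull mode each
    client notices the new content at its next heartbeat, which falls at a
    uniformly random point within one heartbeat interval, and then waits a
    uniformly random time inside the randomization window before downloading.
    """
    rng = random.Random(seed)  # seeded so runs are repeatable
    per_minute = {}            # minute bucket -> number of downloads started
    worst = 0.0
    for _ in range(clients):
        next_heartbeat = rng.uniform(0, heartbeat_min)
        stagger = rng.uniform(0, window_min)
        start = next_heartbeat + stagger
        worst = max(worst, start)
        bucket = int(start)
        per_minute[bucket] = per_minute.get(bucket, 0) + 1
    return worst, max(per_minute.values())

def upper_bound(heartbeat_min, window_min):
    """Latest possible download start under the assumed model."""
    return heartbeat_min + window_min

# (label, heartbeat in minutes, randomization window in minutes)
SCENARIOS = [
    ("30 min heartbeat, 60 min window (settings from the question)", 30, 60),
    ("30 min heartbeat, 5 min window", 30, 5),
    ("5 min heartbeat, 5 min window", 5, 5),
]

def report(clients=80):
    """Return one (label, bound, simulated worst delay, peak load) row per scenario."""
    rows = []
    for label, hb, win in SCENARIOS:
        worst, peak = simulate(clients, hb, win)
        rows.append((label, upper_bound(hb, win), round(worst, 1), peak))
    return rows

if __name__ == "__main__":
    for label, bound, worst, peak in report():
        print(f"{label}: bound {bound} min, worst {worst} min, peak {peak} downloads/min")
```

Under this assumed model the settings from the question bound the delay at 90 minutes, so these two settings alone would not produce gaps of several days.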



  • 10.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 08:53 AM

    I would suggest leaving the default randomization at 5 minutes instead of 60. The heartbeat can be lowered as well, maybe to 15 minutes, especially with that low number of clients.

    The sylink log looks pretty clean



  • 11.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 17, 2014 09:49 AM

    Agreed with what has been mentioned. The size of your site is quite small, so if you really have a faster server, you can leave the default communication settings (Push and 5 min HB).

    If I understood well, you've set your SEPM to run LiveUpdate continuously and it's getting its definitions from LUA.

    Is there any reason why you're using LUA? Testing? Downloading other Symantec products' contents? Updating some Mac or Linux clients? If not, I would recommend simply using the SEPM as a definition provider and letting it get the definitions itself from Symantec LiveUpdate servers every 4 hours, as we provide 3 contents per day anyway.

     

    Kind regards,

    A. Wesker



  • 12.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 20, 2014 09:46 AM

    Another question: is there a way to force the client to search for updates? (Management server - not LiveUpdate (normal Symantec))

    At client side, just force a connection to the SEPM (heartbeat):

    Right-click on yellow shield in system tray > Update policy

    or

    Client GUI > Help > Troubleshooting > Policy Profile/Update

     



  • 13.  RE: SEP12.1.4013 - Clients won't update Definitions

    Posted Jan 20, 2014 09:51 AM

    Open a Run prompt and type smc -updateconfig

    This is another option to force the client to check in to the SEPM.