Endpoint Protection

(I apologize is this is int he wrong section, I could not easily find the one it should be in)

We have 2 SEPM servers:

That watch just over 17,000 Endpoints:

Right now we are experiencing some issues with the size of the definitions that are stored. According to http://www.symantec.com/business/support/index?page=content&id=TECH96214 if you have more than 1,000 endpoints you should keep around 30 revisions. So we do:

Now we are experience some issues with size the size of the definitions. On the main server we had an 80 gig drive, one day while looking into some issues we found that it was maxed out, so we increased it by 20 gigs. Instantly it was filled. We continued to do so until it was 120 gigs, and even now it is maxed.

Now this is rather troubling, from what I've looked at I can't see why it is so large nor where it will max out. We of course want it large enough to hold everything, but what's that size?

Another troubling problem is that on our other server (AV7) we also increased the size to 120 gig, and yet it hasn't gone above the 72 gigs it started with.

I have read through http://www.symantec.com/business/support/index?page=content&id=TECH92225, but did not find any help on the size we should have.

SebastianZ a Symantec Employee pointed out here http://www.symantec.com/connect/forums/sepm-content-folder-size that

As you are keeping 20 revisions - 1.3/1.4GB x 20 = the content folders for the AV defs only may increase in size up to 26 GB / 28 GB and this is expected.

So thinking we have 30 revisions x 1.4GB = 42GB. Even if we say the size of each is 3.5gig X 30 = 105GB.

So my questions

1 - What is the sweet spot for the 30 revisions we are storing and why?

2 - Why is the revision amount different on these two servers, yet they are both set up the same?

Let me know if any more information is needed!

What's your exact SEPM version? Are they setup for failover/load balancing? replication?

Hi,

Thank you for posting in Symantec community.

Is there any relationship between those two SEPM servers?

Are you performing SQL database maintenance regularly?

Refer the Hard disk requirements:

Small Business Edition: 16 GB available minimum; 100 GB available recommended.
Enterprise version: 16 GB available minimum (100 GB recommended) for the management server; 40 GB available minimum (200 GB recommended) for the management server and a locally installed database

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/docs/TECH163829

I think it's normal behaviour.

For other AV7 server could you compare the SEPM settings? Are they exactly the same?

SEPM Version -> 12.1.4023.4080

They are set up for failover/load balancing.

No, they are not replicating, nor do we want that.

Relationship between those two SEPM servers? I do not understand the question. They are two separate servers that maintain the same set of client. If a client goes to AV8 and cannot find it, it will go to AV7.

Yes, SQL databases have maintenance done regularly.

I had seen those disk requirements before. Though I don't know if that answers my question completely. We set up the server as such with these requirements in mind. That documentation does not say anything about if the amount of definition revisions kept were to change or not. Sure, 200 GB with how many revisions? It is just the content / definitions as shown in the pictures that has the issue (we partitioned its own space on a separate drive for that).

From everything I have looked at and could find, the SEPM settings between the two are identical.

It means there are two SEPM server's with two separate SQL database & It's configured for failover and load-balancing.

Thought definitions are not corrupted I would recommend to go through the following article to verify whether it can make any difference. At lease on the first server where disk space is increased around 120 GB.

http://www.symantec.com/business/support/index?page=content&id=TECH166923

Looking at Step 1:

1. Delete the content of folder "C:\Documents and Settings\All users\Application Data\Symantec\LiveUpdate\Downloads\" 

That directory doesn't exist (yes I have hidden files, etc enabled). The closest I can find is:

C:\ProgramData\Symantec\LiveUpdate\Downloads

Is this the location in reference?

Looking at Step 3:

Delete the numbered or TMP folders inside the paths:

Symantec\Symantec Endpoint Protection Manager\inetpub\content

So, the numbered to TMP folders, there are no TMP folders, and ALL the folders are numbered like shown in the reference:

• %programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{535CB6A4-...
• %programfiles%\symantec\symantec endpoint protection manager\inetpub\content\{07B590B3-...

so am I emptying out the ENTIRE 120 GB's and then restarting SEPM and letting it re-download everything? Seems slightly drastic, so that's why I ask.

Reference location is correct. It's mentioned in the article In Server 2008, the Downloads folder in step 1 is located at  %programdata%\Symantec\LIveUpdate\Downloads

Secondly, You are right. It will start the download immediately. I hope to download the data bandwidth won't be the concern.

After doing as instructed, our servers have decreased from 120GB to 66GB on AV8 and 75GB to 65GB on AV7. From what I can see, everything is working just fine!! Thanks!!!