Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Symantec AV def caused heavy traffic

Created: 17 Jan 2012 | 13 comments
mxu's picture

We are running SEP 11 MR6 on all windows XP workstation and Win 2003 R2 servers

We only have on SEPM server, 400 clients with only AV installed no network and proactive protection installed.

This just happened  about two months

We have 19 branches, each branch has T 1 line, pretty fast but strange things are

1) We get very slow connection 1500 --3000 ms after  every holiday (2-3 long weekends) for particular branch and not all branch offices

2) each branch has 8-10 workstations and most of PCs are on all the time (reboot it daily or weekly)

We use sniffer to capture some problem workstations and see more traffic coming from SEPM server.

It seems download defination files.

If we shut down SEPM server, the traffic is very light and no slowness.

We could not figure out whether symantec changed some download format for AV def files

Any help will be appreciated.

Comments 13 CommentsJump to latest comment

pete_4u2002's picture

why not configure GUP in the remote places?

check these links

Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)

Group Update Provider(GUP): Sizing and Scaling Guidelines

Cameron_W's picture

What most likely is happening is the your SEPM is only holding 3 content revisions, about a day's worth. Now during the week when everyones machine is turned on this wont be a issue as clients are updating everyday and are able to pull small deltas down to update.

Now after a long weekend when these clients check back in for updates because the SEPM only holds about a days worth it will have to provide a to the client which is MUCH larger then a delta update (~170 MB). Raising the amount of content revisions your SEPM holds should relieve the bandwidth significantly.

To do this in the SEPM go to Admin -> Local Site (right click edit)  -> liveupdate

Here you will see a section towards the bottom called disk space management for downloads, which I am guessing is set to 3. I would recommend raising this to 10 which should be enough to still provide deltas after a long weekend. Please note that this will take some additional hard drive space on the SEPM.

If I was able to help resolve your issue please mark my post as solution.

mxu's picture

I like Cameron's answer. We hold 4 contents revission. The client PCs are on all the time. It is not all the branch offices, only a few.......... Any thoughts about this?

Thank you very much. But we don't have this problem before --many years. This just started after we implement MPSL but I am not managing rounter and switches. Another person who manage this keeps saying it is symantec problem.

I think some line and access list configuration also is the factor....

We don't want to implement GUP since we will change to MS FrontEnd soon this year.

Go_Beavs's picture

Utilizing GUP's in your scenario is by far the best solution to the issue you are experiencing.  You may want to take a second look at it.  They are very simple to configure and do not require anything extra to be installed.

James-x's picture

Hello Ben,

Actually, the customer will probably gain more from just upping the number of content revisions his SEPM keeps.

GUPs are great for reducing the copying the same update file across the WAN multiple times, but they don't decrease the chance that the SEP client will need a full definition file (as opposed to needing a delta.)

We already know that the customer's SEPM only keeps four definition files (which is not enough to make it through a holiday weekend), so they would probably see the greatest benefit upping that to 10-12. If they need to reduce bandwidth further after making that change, then GUPs are a great idea.



The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Go_Beavs's picture

He says in one of his posts that the machines are on all the time, however you are correct that if the occasional machine gets turned off over the weekend (or extended weekend), increasing the number of content revisions would be helpful.

James-x's picture

Hello mxu,

It is likely that some/most/all users decide to shutdown their machines before a long holiday. It would only take one or two users turning off their machines to affect the network since every machine which has to pull a full definition set will need to download around 135MB of data. (For comparison, a normal delta download will be around 200-500KB.)

If only some users turn off their machines, then this would also explain why only some branch offices are experiencing the problem.



The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

mxu's picture

Well, how can it not be a problem before for 2  years on this version 11 MR 6 and just happened recently .

Did symantec change some download format or something?

Jason1222's picture

Do you know if you use "push mode" or "pull mode" for policies and definitions?

What is the difference between Push and Pull modes when downloading policies and content from the management server?

Clients that use the Push mode download policies and content as soon as they become available. On push mode an open connection is kept so that the manager can contact the client immediately when data is available. Clients that use the Pull mode download policies and content based on the Heartbeat interval setting, which is set to 5 minutes by default. Because of the greater network bandwidth that is used with the push mode, it is recommended more for small and medium-sized networks.


* * * * * * * * *

You could try setting your server to pull with a greater heartbeat interval, say something like 15 minutes and see if that helps at all... 

mxu's picture

We have had symantec for 3-4 years. We always use PULL mode.

It worked fine last year, just started from Dec holidays 2011.

Do you know it may be related license? Our license expired in  early Sep.

Symantec said we have 3 months grace period. Even after 3 months grace period, we still can get new def update but not support and new version upgrade.

I am not sure that is the case for license issue..........

James-x's picture

Hello mxu,

The SEP 11.0.x product line does not use any sort of licensing technology within the product. This means that the product itself has no idea that your license has expired.

We can safely rule out any sort of licensing status as the cause of this issue.



The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Vikram Kumar-SAV to SEP's picture

It might be possible that 1 or 2 clients in offsite location have got the definitions corrupted and they keep asking for

enable logging in IIS for Content and check which clients are picking up definitions

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

mxu's picture

well,  we hve to do that next holidays. It works just fine during regular weekdays and weekends except holidays......

We use sniffer to monitor clients' traffic and find out which client has more traffic from SEPM server.