Symantec Endpoint bandwidth issues

  • 1.  Symantec Endpoint bandwidth issues

    Posted Sep 28, 2010 03:10 PM

    Hello,

    We run Symantec Endpoint on our network and our clients are at version 11.0.6100.645, or at least most of them are, running Windows XP SP3. Our engineers are detecting bandwidth spikes every hour on some problem clients of ours and we can't quite figure out what it is. Some of these contained older Symantec products and were then upgraded to Endpoint clients.

     

    I know in a previous release of an update that that should have fixed the bandwidth issues. And it did for the most part. But there are some but not all machines that show that spike of bandwidth for about 3 minutes every hour. So, what I've done to those machines is reinstall Endpoint by uninstalling Symantec via Add/Remove Programs, also uninstalling the LiveUpdate service, then rebooting, then running CleanWipe and then running CCleaner to clean up misc files etc. Then manually remove any other Symantec folders that remain in the C:\program files directory. Reinstall Endpoint on the machine and this seems to fix the issue.

    So, are the fragments of the old files from other clients actually doing this? I guess I'd like to see if anyone can assist in what to check other than having me uninstall and reinstall the Symantec clients.

     

    Thanks much,



  • 2.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 28, 2010 05:59 PM

    Try a SEP Support Tool on one of the machines currently experiencing the issue.

    Are they experiencing issues with the firewall driver (WPS, WPSHelper)?  I saw a problem recently where clients were repeatedly requesting IPS signatures, but because the NTP component was broken, it couldn't actually install them, so would request them again.

    A Sylink log would confirm this.

    Title: 'How to enable Sylink Debugging for Symantec Endpoint Protection in the registry'
    http://www.symantec.com/docs/TECH104758

    The solution would be to uninstall and reinstall NTP (restarting each time), and then if that doesn't do it, removing SEP and reinstalling would be the fix.

    Something similar happens if the clients have low disk space, but you probably would have noticed if that were the case.

    sandra



  • 3.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 08:52 AM

    So, I've installed the SEP Support Tool and ran it. The only thing it came up with is that it wasn't the latest version of SEP. I'm only one version behind on this PC but it is still the client version that didn't have bandwidth issues. So I guess I'm lost.  What do I do with the sylink.log file once I have it created? Just remove and reinstall the NTP portion of SEP and see if that fixes it? I guess I don't know when the sylink.log file is going to be populated, or is that only if I uninstall and reinstall NTP?

     

    Thanks for your assistance.



  • 4.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 09:32 AM

    Scratch that for the sylink.log, I have that logging now. What am I looking for in that log exactly?



  • 5.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 10:10 AM

    The sylink log is logging communication between client and manager.  You could look for evidence of the transfer of content.  Feel free to upload it here, too (an attachment would probably be best).

    sandra



  • 6.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 10:16 AM

    OK, here is a log from one of the PCs.

     

    Attachment: sylink_6.txt (341 KB)


  • 7.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 10:30 AM

    Change the client communication to pull mode and observe the traffic.



  • 8.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 11:03 AM

    How would I do that? I'm not the one that manages the SEP Server so I don't have access to that. Is this something I can do on the client to check the traffic?



  • 9.  RE: Symantec Endpoint bandwidth issues

    Broadcom Employee
    Posted Sep 29, 2010 11:07 AM

    It needs to be done on the SEPM to change it to PULL.

    Otherwise, if there is any client which is already set to PULL mode, you can copy the sylink from there and paste it on your machine.



  • 10.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 11:12 AM

     

    How to throttle network bandwidth used by the Endpoint Protection Manager (SEPM) website in Microsoft's Internet Information Server (IIS)

     

    http://www.symantec.com/business/support/index?page=content&id=TECH104518&locale=en_US



  • 11.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 11:15 AM

    Ok, I haven't done that yet but I did ask my engineer what he is seeing for traffic when the bandwidth spikes. He wrote this.

     "user agent SMC was in the packets"

     "secars/secars.dll"
     
    I'm not sure if that is normal for him to see that but that is what he wrote to me. I'll get with the SEP admin and see if he can help me out if this isn't going to be enough information. So the sylink.txt file I sent doesn't have any relevant information in it to see if it's doing something it shouldn't be doing?
     
    Thanks everyone for your help. Hopefully we'll get to the end of this soon.
     
     


  • 12.  RE: Symantec Endpoint bandwidth issues
    Best Answer

    Posted Sep 29, 2010 11:44 AM

    Here's what I see in the log (this happens repeatedly) (I redacted your SEPM IP):

    09/29 06:36:55 [5048] <PostEvent>done post event=EVENT_SERVER_UPGRADE_AVAILABLE, return=0
    09/29 06:36:55 [5048] <DownloadNow:>Set download URL=http:// [sepm] :8014/ClientPackages\82a5a5272d24e3a27d64e65554373399\xdeltae1e5a91b85807978f43ee442110d7d8e.dax
    09/29 06:36:55 [5048] <DownloadNow:>Set storage path=C:\Program Files\Symantec\Symantec Endpoint Protection\Download\PKG82a5a5272d24e3a27d64e6555437339911.0.6000.5507
    09/29 06:36:55 [5048] <PostEvent>going to post event=EVENT_SERVER_CONNECTING
    09/29 06:36:55 [5048] <PostEvent>done post event=EVENT_SERVER_CONNECTING, return=0
    09/29 06:36:55 [5048] <DownloadNow:>DOWNLOADing new client package
    09/29 06:36:55 [5048] <DownloadNow:> Cached install size: 178729829, Package size: 3376859, Space required: 718296096
    09/29 06:36:55 [5048] <DownloadNow:>Setting the session timeout on ClientPackage download session to 2 min.
    09/29 06:36:55 [5048] <CDownloadManager::mfn_StartDownload()>
    09/29 06:36:55 [656] <gDownloadThreadProc()>
    09/29 06:36:55 [656] CDownloadManager::mfn_CreateInetSession => Creating System Proxy (default) Session ..
    09/29 06:36:55 [656] <CDownloadManager::mfn_DownloadOneFile()>
    09/29 06:36:55 [656] <CDownloadManager::HttpDownload()>
    09/29 06:36:55 [656] CDownloadManager::HttpDownload() Sufficient disk space (718296096 bytes) is available to start the download.
    09/29 06:36:55 [656] <CHttpFileDownload::CHttpFileDownload()>
    09/29 06:36:55 [656] </CHttpFileDownload::CHttpFileDownload()>
    09/29 06:36:55 [656] <CHttpFileDownload::Do()>
    09/29 06:36:55 [656] <CHttpFileDownload::getRemainingBytesToDownload()>
    09/29 06:36:55 [656] Already downloaded file is bigger than the target file to be downloaded.
    09/29 06:36:55 [656] </CHttpFileDownload::getRemainingBytesToDownload()>
    09/29 06:36:55 [656] <CHttpConnector::SendRequest()>
    09/29 06:36:55 [656] Request> http:// [SEPM] :8014/ClientPackages/82a5a5272d24e3a27d64e65554373399/xdeltae1e5a91b85807978f43ee442110d7d8e.dax
    09/29 06:36:55 [656] Unable to query return content length for SendRequest, 122

    (Is this client currently at RU5?)

    All I could find pertaining to this bolded message is that the upgrade package may be corrupt so it's possible it's trying to initiate a download again and again.  Try the following:

    1. Stop the smc service: Start -> Run "smc -stop"
    2. Remove PKG82a5a5272d24e3a27d64e6555437339911.0.6000.5507 from the C:\Program Files\Symantec\Symantec Endpoint Protection\Download\ directory
    3. Start the smc service: Start -> Run "smc -start"

    sandra



  • 13.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 04:51 PM

    You also might want to check the logs that are being sent from the SEP client to the SEPM. There are different places to check for log retention

    SEPM>Admin>Local Site>Edit Site Properties>Log Settings

    SEPM>Policies>Antivirus and Antispyware>Miscellaneous>Log Handling

    But switching from push to pull and increasing the heartbeat level helps as well.



  • 14.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 04:56 PM

    I've deleted this download file from a few pc's. I will know more by tomorrow afternoon if this is a solution to the issue. I think it may be....

    Thank you very much!!



  • 15.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 29, 2010 06:28 PM

    Looking forward to good news...

    sandra



  • 16.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 30, 2010 10:09 AM

    So, this appears to be working thus far. After removing the pkg file, the bandwidth utilization has now dropped significantly for these clients.

    However, our System admin wanted me to ask a few questions.

     He wanted to know if there was an error or bug in the way that the client updates itself from SEPM? We have 2 packages advertised to the clients, 1-64bit and 1-32bit client. Maybe some clients are trying to get the 64bit client when they shouldn't be?

    Is this possible?

    Also, this appears to be an older SEP client pkg that I removed from the download folder. I believe from the pkg file it is update 11.0.6000.5507. This is the update that was issued to get rid of the bandwidth issues that Symantec Endpoint had before, correct? Our admin also noted that this package was removed from the SEPM servers a while ago, so he's not sure why it would still be pushing to clients.

    Any ideas? Or are we leaning on the fact that this somehow got corrupted and basically the client just kept trying to update itself even after it was updated using this old file that is pointing at the server, that no longer has this update available? Does that make sense?

    Thanks so much for all of the assistance!

     


  • 17.  RE: Symantec Endpoint bandwidth issues

    Posted Sep 30, 2010 12:06 PM

    I have run across a document mentioning 32-bit RU6 clients requesting the 64-bit full.zip (definitions), but nothing like what you're describing with client packages.

    If the clients were already at RU6 (11.0.6000), the request might have been for the delta package to upgrade it, and the 11.0.6000 build in the name is what they're upgrading from.  (If the RU6 packages have been removed from the SEPM I'm not sure how it would be able to do a delta package.)

    I think you mean this bandwidth fix in RU6? This is pertaining to definition deltas, not client package updates:

    Clients downloading full LU content unexpectedly
    Fix ID: 1782039
    Symptom: Random clients continually download full LU content. Some clients may not be updated regularly. High network bandwidth usage.
    Solution: Changes to allow clients to download the current full content even when newer content is available. This allows clients to retrieve deltas sooner, which will reduce network bandwidth usage.

    Glad that seems to be working for you!

    sandra



  • 18.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 04, 2010 09:04 AM

    Yes, this problem occurs in RU6 MP1. Symantec needs to provide a solution for low-bandwidth customers, because it's a business need.



  • 19.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 04, 2010 10:32 AM

    "Best practices for clients communication settings with SEPM through very low network bandwidth."
    http://www.symantec.com/docs/TECH134168

    sandra



  • 20.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 05, 2010 07:39 AM

    Refer to this article; it will help you configure SEP in a low-bandwidth environment.

     

    Tips For Installing SEP In A Low Bandwidth Environment

    https://www-secure.symantec.com/connect/articles/tips-installing-sep-low-bandwidth-environment



  • 21.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 07, 2010 08:42 AM

    Thank you so much for the assistance and everyone's input. I really appreciate it. We now have the problem under control.

    Until next time, Have a good one!



  • 22.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 15, 2010 12:01 PM

    Hey, we are having bandwidth issues as well.

     

    We have configured the Update policy to use Servers as well as Symantec LiveUpdate.

     

    Which one does the client attempt first?



  • 23.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 18, 2010 05:06 PM

    It's going to depend on your settings.

    If the client heartbeats every 5 minutes, it's going to check for the availability of new content on each check-in.  The likelihood of getting updates from the SEPM is much greater, so that when LiveUpdate runs it should determine there's nothing new to get.

    If, however, your clients heartbeat every 12 hours in Pull mode, and the LiveUpdate schedule is set to every 4 hours, guess which is more likely to get updated definitions first?

    sandra



  • 24.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 18, 2010 08:25 PM

    The issue shown in the sylink logs is only related to a SEP client upgrade package.

    Not related to definitions at all.

    If a SEP client doesn't have enough disk space it will get into a loop:

    1. Download SEP client upgrade package from SEPM
    2. Run out of disk space
    3. Re-download SEP client upgrade package from SEPM
    4. Repeat

    I also believe there are instances where an infected client will get into a loop:

    1. Download SEP client upgrade package from SEPM
    2. Begin install
    3. Virus blocks the install or process etc.
    4. Download SEP client upgrade package from SEPM

    There are probably other circumstances where a similar loop will be encountered.

    You can use Wireshark or check the sylinkmonitor for evidence of continual download requests.

    If you have Altiris/SCCM/SMS/etc you are far better off using that technology to deploy your SEP client upgrades.
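
One way to run the check suggested in posts 12 and 24 over a saved sylink log, as an added example that is not part of the original thread or of Symantec's tooling: it counts how often the same client package is requested and how far apart the attempts are. The sample lines and paths are constructed; the function name and the threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[\d+\] (.*)$")
PATH_RE = re.compile(r"Set storage path=(.+)$")
# Message text copied from the log excerpt quoted earlier in the thread.
FAILURE_MARKERS = (
    "Already downloaded file is bigger than the target file",
    "Unable to query return content length for SendRequest",
)

# Constructed sample in the sylink.log line format (paths are made up).
SAMPLE = r"""
09/29 05:36:55 [5048] <DownloadNow:>Set storage path=C:\SEP\Download\PKG_EXAMPLE_A
09/29 05:36:55 [656] Already downloaded file is bigger than the target file to be downloaded.
09/29 06:36:55 [5048] <DownloadNow:>Set storage path=C:\SEP\Download\PKG_EXAMPLE_A
09/29 06:36:55 [656] Unable to query return content length for SendRequest, 122
09/29 07:36:56 [5048] <DownloadNow:>Set storage path=C:\SEP\Download\PKG_EXAMPLE_A
09/29 07:36:56 [656] Already downloaded file is bigger than the target file to be downloaded.
09/29 07:40:00 [5048] <DownloadNow:>Set storage path=C:\SEP\Download\PKG_EXAMPLE_B
""".splitlines()

def find_download_loops(lines, min_attempts=3):
    """Map each package storage path requested at least min_attempts times
    to its attempt count, failure-message count and median gap in minutes."""
    attempts, failures, current = defaultdict(list), defaultdict(int), None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; a fixed leap year keeps 02/29 parseable.
        ts = datetime.strptime("2000/" + m.group(1), "%Y/%m/%d %H:%M:%S")
        path = PATH_RE.search(m.group(2))
        if path:
            current = path.group(1).strip()
            attempts[current].append(ts)
        elif current and any(mark in m.group(2) for mark in FAILURE_MARKERS):
            # Simplification: charge the failure to the most recent package.
            failures[current] += 1
    loops = {}
    for pkg, times in attempts.items():
        if len(times) < max(min_attempts, 2):  # need two attempts for a gap
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        loops[pkg] = {"attempts": len(times), "failures": failures[pkg],
                      "median_gap_min": round(statistics.median(gaps), 1)}
    return loops

if __name__ == "__main__":
    for pkg, stats in find_download_loops(SAMPLE).items():
        print(pkg, stats)
```

A median gap close to the client's heartbeat interval, together with a failure count that matches the attempt count, points at the retry loop described in this thread rather than at normal content updates.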



  • 25.  RE: Symantec Endpoint bandwidth issues

    Posted Oct 18, 2010 08:35 PM

    I have also seen this with corrupted definitions. The defs become corrupted so the client continually pounds on either the SEPM, GUP, or LU (depending on configs) trying to get an update that will never take because of the corruption. Clearing out the defs manually does the trick every time.