Endpoint Protection

Hello, I am brand new to this product.  I have a client who has Symantec Endpoint Protection Manager (ver. 11.0.1000.1375).  This product is taking a lot of disk space.  The "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db" folder is 3.6 GB, the "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub" folder is 21.5 GB (the "content" subfolder is 21.1 GB), and the web site logs at "C:\WINDOWS\system32\LogFiles\W3SVC1" is taking up 17 GB.  Is this normal?  Is there anything I can do to reduce the space?  Does this product require the web loggingto be turned on?  Can I delete the web logs?  Is there anything else that I can do to reduce the footprint?

Thanks,

Drew

 

First you should really get the latest version: 11.0 MR4. There was some efforts to reduce the disk foot print in MR2/MR3. What you are seeing does not surprise me? MR4 should be hopefully better. Download this via your fileconnect account.

Regarding the web log question, no we do not require the web log in order to operate, but it does provide a good historical reference if you run into issues. You might do a log rotation scheme.

 

How many clients do you have? I can provide you with the document for the sizing of programs and databases. Also you can set logs to delete on the Database Maintenance.

Jim said:

"First you should really get the latest version: 11.0 MR4. There was some efforts to reduce the disk foot print in MR2/MR3."

How do I tell which one I am currently running?

 

"How many clients do you have?"

We have about 50.

"I can provide you with the document for the sizing of programs and databases."

Where?

"Also you can set logs to delete on the Database Maintenance."

How?

Thank you so much for all your help!!!

Drew

Here is the link for the Sizing please see below;

http://www.anti-malware.ru/forum/index.php?act=attach&type=post&id=3019

Hope this helps..

The Admin Guide (link form MR4) provides information on database tuning. See the "Configuring database maintenance options for logs" topic.

As far as the SEPM version, I would think there is a Help -> About or some menu in the upper right on the console. It has been awhile since I brought up the console. Certainly the clients have a Troubleshooting (or Help) -> About.

Certainly for 50 clients, that sounds like too much space being utilized. I don't think we have an auto-log rotation for the web logs. How long has this server been running (accumulating data :-) ).

This says...

Thanks, Drew

 

Hi Drew,

Really, I think that either uninstall/reinstall or install over would work. The way I remember the disk usage fixes, preserving your settings will not impact the disk savings you get.

JimBr

Hi JimBr,

You were right.  Although I was on hold for over 30 min. waiting on Symantec Support, when they did get on, they were extremely helpful.  He knew just what could be deleted and even did the upgrade for me with him having remote control of my server.  We were on the phone for almost 4 hours!  But in the end, my server went from having less than 1 GB disk space available to having over 34 GB free!  Since I'm a newbie to the product, he also helped me configue SEP and push out to the clients.

Thanks, Symantec! 

Very cool. Sorry to hear about the 30 minute wait time. Certainly the 4 hour engagement with support helped. I am glad to hear of such success with our support team. I am not doubting their skills, I am just new to the customer forum boards and am glad to hear some good feedback on our support team. I'll have to recommend them more in these kinds of scenarios ... since, as a customer, you paid for the support already. Thanks for the feedback.

Jim, I am very glad that Symantec personnel are on these forums to give us customers more than one place to go for support.  No sooner than I had this victory, than it looks like there is a potential disaster with SEP on another client's site.  I'll put another post up about that one.

Thanks, Drew

 

We are running 11.0.776.942 and our disk got full. We had lots of space being used by inetpub\content objects.

What do I need to do to get endpoint to prune old content?

Thanks for any help.

Upgrading to at least MR4 (11.0.4000.2295 - or later) should do it.  You can also disable logging on the SEP website in IIS and delete the website logs at %windir%\system32\LogFiles\<the_SEP_website_logfile_folder>

If after you upgrade, you still have space issues, I encourage you to call Symantec support.  While you may be on the phone for an extended period of time, they have always been competent with me.

Hi,

this is a well known bug of your release.
Download the latest version from https:\\fileconnect.symantec.com
If you have a small enviroment, the fastest solution is to uninstall the old version and install the new one. In this way you will also reinstall the database that is often damaged in this circumstance.

Here's the official document for a plain migration:
http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/2a6a2128a27239858825739200044b34?OpenDocument

If you uninstall and reinstall, you will have to reinstall all of the clients or relink all of the clients...see:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009022414415348

 ONce you have upgraded to latest release or even latest MR4
1. IIS logging is by default disabled.
However if you want to disable it manually
Open IIs manager ( start -run-inetmgr ) expand website -right click on the website on which you have SEPM installed -properties- home directory -Uncheck Log Visit.. you can aslo uncheck log visit for the sub folders in the website.

2.For controlling Inetpub\Content folder 
Login to SEPM -Admin -Local Site -Properties -Liveupdate

Number of Content revisions to keep [ ]
Depending on your number of clients you can adjust this number that will keep your Content folder in size
for about 100 computers 3-5 should be fine.

What exactly does the content foler do?

The number of content revisions determines if the server will be able to provide a direct-delta AV Definition update package to the client, when the client is running older defs. With 5 revisions cached, a client running defs 4 versions back can still be updated using a SEPM generated delta package. If the client is running a def set not in the SEPM cache, the client must download the full (not a delta) package in order to update to the current AV defs. This is because SEPM cannot generate a delta package if SEPM does not have the matching source def version.

So, if you have a small client population all on a local network or an environment were almost all clients stay up-to-date, keeping "Number of content revisions" low is fine.

If you have a decent number of clients running on low bandwidth connections or don't stay up-to-date, keeping a larger "number of content revisions" would probably be better.

The actual number to keep depends on your environment. Watch the # def versions in the console's main page to gauge how out-of-date your clients get. You will have to decide if those clients updating via a full package causes problems in your network.