Unusually high data traffic between client and SEPM

ℬrίαη Jan 17, 2015 07:30 AM

  • 1.  Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 06:35 AM

    Before I continue, our SEPM is running Windows 2003 Standard Server with SEPM version 12.1.4013.4013.

    All the clients (3) concerned are running at least client version 12.1.1000.

    I have seen some older posts from other members regarding similar issues and the advice given to them at the time included changing from Push mode to Pull mode and turning off application learning etc. I have checked all those settings on my server and we have all of those "solutions" already configured.

    I have 2 questions really.

    1. Generally speaking, on a "situation normal" day, how would data be exchanged between a SEP client and a SEPM?

    2. Specifically regarding the 3 clients mentioned above, normally these clients are connected to the LAN at my site but this week they have travelled to one of our other sites. By virtue of both sites being connected via Verizon these 3 clients are connecting to my SEPM here for their updates. My IT colleague at this other location is seeing huge amounts of data exchange between his router and our SEPM. As much as 500 MB an hour. He is telling me the port being used is 8014.

    I would appreciate any suggestions on how I can troubleshoot this issue.

    Thanks in advance

    James
     



  • 2.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 06:36 AM

    Is it possible the clients have corrupted defs? A typical full content download is 550MB.

    Run the SymHelp tool on an affected client to see if it shows bad defs:

    Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues

    If they are corrupt, you can manually remove:

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

    You can enable sylink debugging on the client as well to see communication between client/SEPM, this will show what's going on:

    Enable sylink debugging for Endpoint Protection clients

    This isn't normal for clients to be downloading full defs all day so something is up.



  • 3.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 06:44 AM

    I would go with your colleague. To reduce the space, most of us configure the revisions to 3 in SEPM.

    So when SEPM can't build a delta, it would send full updates to the clients; that's more than 500 MB anytime.

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

    http://www.symantec.com/business/support/index?page=content&id=TECH131528



  • 4.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 06:57 AM

    Thanks for your quick response. I would say short answer is yes. It is possible 1 of these 3 clients has somehow got corrupt defs. Unlikely all 3 will have though. They have been either using our LAN or the internet for the defs updates so this may have been happening for a while and we didn't know. As soon as they return from their business trip I will start troubleshooting using your suggestions.

    Trouble is, not sure how I will know the problem has been fixed.


     



  • 5.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 07:00 AM

    My content revisions are set to 5 at the moment. I don't have a huge amount of disk on the server for any more, but surely the higher this figure is the better, if what you are saying is correct?



  • 6.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 07:41 AM

    I was right, 5 revisions will not cover even 2 days of defs.

    Post the sylink.log, you will know what the client is requesting. You will see that it will be requesting more than 500 MB.



  • 7.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 16, 2015 07:47 AM

    5 revisions doesn't even cover 2 days so you need to increase this number. Can you go to 10?

    The other thing is, when these machines go off network, are they configured to get updates from Symantec LiveUpdate?



  • 8.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 17, 2015 12:18 AM

    Hello all, so normally what is the size of a single full update these days, either from a SEPM or a GUP: 500 MB? Didn't it use to be around 270 - 280 MB?

    Regards,



  • 9.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 17, 2015 05:23 AM

    Hi,

    Please check the number of content revisions... if more, the number is OK.



  • 10.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 17, 2015 07:30 AM

    Not even close anymore. At least 550MB now.



  • 11.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 18, 2015 07:11 AM

    Brian, what change has been made recently that has caused the size to grow immensely to 550 MB now?



  • 12.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 18, 2015 07:56 AM
    The amount of threat signatures added on a daily basis


  • 13.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 03:47 AM

    Hello all

    Sorry for the delay coming back. In Symantec terms things took a turn for the worse on Friday and I was away yesterday for personal reasons. Anyway the latest twist is that the embedded database that our SEPM is using has decided not to start anymore. I have already tried running dbvalidator and shrinking the database. No luck. Would this be the reason for the initial problem of high data traffic?

    I think I have no choice but to reinstall. Was considering doing that anyway because of the apparent lack of def revisions I am currently using.

    Any tips to make the move to a new server any easier would be appreciated.



  • 14.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 04:10 AM
    Will see if we get your SEPM up and running. Can you post the scm-server0.log?


  • 15.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 05:02 AM

    Unbelievably, after numerous attempts to start all the Symantec services incl. the embedded database, it has actually started now. Currently trying to do a database backup.

    Here is the log file you asked for.

    Attachment(s)

    txt
    scm-server-0_53.txt   18 KB 1 version


  • 16.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 05:33 AM

    :) We don't need this as you are able to get the service up.

    Would still be needing sylink.log to see what it's requesting from SEPM.



  • 17.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 06:06 AM

    Sorry for my ignorance, but to get the sylink.log do I need to enable debugging on the client?

    Would probably be easier to do this from my machine first.



  • 18.  RE: Unusually high data traffic between client and SEPM

    Posted Jan 20, 2015 06:11 AM