When do clients pull definitions from the SEP management server?
Updated: 07 Oct 2010 | 17 comments
(Or when does the SEP management server push definitions to the clients, if that's the more correct question).
Defs are given to my clients via the SEP management server rather than live update servers, and it looks like I don't have the option of selecting a time for this to happen. What is the default time that definitions are sent out and is there a way to change it?
I appreciate whatever help you guys can provide. :)
SEP 11.5
Comments
That can be done from the
That can be done from the Policy Tab, Live update policy
By default it is 4 hours, but it can be changed
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
That is for environments
That is for environments where clients obtain updates through LiveUpdate servers, though.
Those settings are grayed out for me because my clients get updates through the SEP management server, which is selected in the Server Settings tab right above the Schedule tab you've pictured.
I appreciate the response, nonetheless!
Click on Server settings and
Click on Server settings
and then Click on Use a Live update server
This will allow you to change the schedule on the next tab, after clicking on enable LU scheduling
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
SEP manager pushes
SEP manager pushes definitions whenever they download it (by default 4 hours)
SEPM- Admin- Servers- Local Site- Properties-Liveupdate
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
These are my settings for
These are my settings for that section. Any idea why this would cause my SEPM server to be hammering one of my sites with traffic at 8:30 AM?
Thanks!
I am assuming all the traffic
I am assuming all the traffic is happening once the users turn on their machines in the morning. Since the machines were probably off at the time you are looking to push out the updates, when they turn on they will request the new updates from the SEPM. Also it might be the case that they are downloading the full content package from the SEPM instead of just the delta updates. This will be true especially if the 8:30 traffic happens on Monday mornings (i.e. when the machines have been off all weekend).
Please consult the guide below on changing the number of content revisions to keep on the SEPM. The more content revisions means the more space you will use on the SEPM. However it also means that all of your client machines can be disconnected from the SEPM longer without downloading the full definitions.
Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3938da984f20efdc88257554007950a2?OpenDocument
Cheers
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )
Actually, most of the client
Actually, most of the client machines should've been left on all weekend (I was rolling out some Windows updates). Regardless, space isn't too much of an issue on the SEPM server, so I set the content revisions to 5 (it was on 1). Not sure if this will do anything since the machines were on, but it's worth a shot to me.
Thanks. :)
Other suggestions still welcome.
Try setting the heartbeat
Try setting the heartbeat
Endpoint Knowledge Base
Security Best Practices
Heartbeat is 12 hours, which
Heartbeat is 12 hours, which I'm thinking shouldn't cause any bandwidth issues.
Is that site in same time
Is that site in the same time zone? Why don't you consider having a GUP for that site?
Symantec Endpoint Protection 11.0 Group Update Provider (GUP)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092720522748
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
can we say that if the client
Can we say that if the client manually initiates the update or types "luall", it pulls the update from the server, not from the Live update website?
/* Infrastructure Support Engineer */
luall only controls
luall only controls liveupdate
Definition downloads from the SEPM are dependent on heartbeat interval and comms settings.
When you start a machine with a SEP client, the SEP service will start and begin the heartbeat with the SEPM.
Depending on your settings it will either keep a persistent connection up or it will wait and reconnect at the heartbeat interval
So machines across your enterprise will all be on slightly different heartbeat intervals as they have all had the SEP service started at different times.
The same holds true if you restart the SEP service or do an smc -stop and smc -start command.
Sylinkmonitor will show you all of this in a completely transparent manner...
SEP Manager does not push
SEP Manager does not push definitions to the client!!
The SEP client gets the definitions when it heartbeats with the SEPM and realises it needs new definitions.
Grab the sylinkmonitor tool and enable logging on a SEP client and you can see the entire process:
http://service1.symantec.com/support/ent-security....
It is really dependent on your heartbeat settings (even in "push" mode).
The same applies if you have your SEP clients setup to get updates via liveupdate. They will check in at the specified time interval and pull the defs.
This is one of the big differences between SAV and SEP.
SAV pushes definitions to all clients dependent on last check in time.
cheers
Z
Thanks for your explanation
Thanks for your explanation Zer0
/* Infrastructure Support Engineer */
Try by keeping the client in
Try keeping the client in pull mode with a 1 hour heartbeat interval. I hope you are using GUPs for the updates. Does any client have an update older than 5 days (your number of revisions on the server)? If yes, that client requires a full update (~60 MB). This may be the reason for the said traffic.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
12 hour heartbeat seems a bit
12 hour heartbeat seems a bit excessive. As reccomended above, I would change that and also use the download randomization feature in communication settings to help prevent all clients from retrieving updated content at once.
The liveupdate settings you
The liveupdate settings you have shown in the console are only for configuring when the servers within your site will attempt to update from the Symantec liveupdate servers on the internet.
They have nothing to do with when your clients will get their updates apart from the fact that the new defs will be available when a client heartbeats with the SEPM.
I pull the defs once per day between 5-9am as Symantec will release 3 per day but I feel that is excessive bandwidth use for little gain.
Set the content revisions to 30, which means I will get 30 days @ one update per day.
You set the clients comms policy in the following locations:
- Policies > liveupdate
- Clients > GroupName > Policies > Communication Settings
I use the following settings for sites with tens of thousands of SEP clients:
- Pull mode
- 1 hour heartbeat interval
- 5 minute randomization
Use a GUP on each subnet you have at any remote site and set it to also hold 30 days of updates with a 2gb size limit.
Use a wildcard rule or reg key rule to identify GUPs.
Disk space on the GUP is very good: For example my GUP at a remote site is using 140MB of disk space holding 30 days of defs.
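The effect discussed in this thread (content revisions kept on the SEPM versus full-package downloads, and download randomization versus a traffic spike) can be estimated with a small model. This is an added example, not part of any post above and not Symantec code; the delta size, the sample fleet and the rule "delta only while the SEPM still holds the client's revision" are simplifying assumptions, and only the ~60 MB full-package figure comes from the thread.

```python
import random
from collections import Counter

FULL_MB = 60.0   # full definition package size quoted in the thread (~60 MB)
DELTA_MB = 0.5   # ASSUMPTION: the thread gives no delta size
SIZE_MB = {"none": 0.0, "delta": DELTA_MB, "full": FULL_MB}

def package_for(revisions_behind, revisions_kept):
    """Simplified model (assumption): a delta is possible only while the SEPM
    still holds the revision the client is on; otherwise it pulls the full set."""
    if revisions_behind <= 0:
        return "none"
    return "delta" if revisions_behind < revisions_kept else "full"

def total_mb(fleet_behind, revisions_kept):
    """Total download volume for a fleet, given how stale each client is."""
    return sum(SIZE_MB[package_for(b, revisions_kept)] for b in fleet_behind)

def peak_mb_per_minute(fleet_behind, revisions_kept, randomization_min, seed=1):
    """Worst one-minute volume when every client notices new content in the
    same heartbeat and delays its download by 0..randomization_min minutes."""
    rng = random.Random(seed)
    per_minute = Counter()
    for behind in fleet_behind:
        start = rng.randint(0, randomization_min)
        per_minute[start] += SIZE_MB[package_for(behind, revisions_kept)]
    return max(per_minute.values(), default=0.0)

if __name__ == "__main__":
    # Constructed fleet: 600 clients at one site, counted in revisions behind.
    fleet = [1] * 400 + [3] * 150 + [8] * 50
    for kept in (1, 5, 30):
        print(f"{kept:>2} revisions kept: {total_mb(fleet, kept):8.1f} MB total, "
              f"{peak_mb_per_minute(fleet, kept, 5):8.1f} MB in the busiest minute")
```

With one revision kept, every out-of-date client in the model falls back to the full package, which is the pattern several replies suspect behind the morning spike.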