Endpoint Protection

  • 1.  Client virus definition revision numbers

    Posted Oct 05, 2009 07:10 PM
    I remember that in the SAV parent server we can manage how many revisions of virus definitions are kept on a client machine. For example, if my configuration allows the client to keep three revision sets of virus definitions, then when a new definition is released, it removes the oldest one from the virusdefs folder. Where is this setting in SEP 11.0? I only see how to manage the number of definition revisions on a SEPM, but not on the client. Thanks.
      


  • 2.  RE: Client virus definition revision numbers

    Posted Oct 05, 2009 07:36 PM
    I think in SEP by default it keeps three content revisions & deletes the older revisions :)


  • 3.  RE: Client virus definition revision numbers

    Trusted Advisor
    Posted Oct 05, 2009 08:59 PM

    Hello,

    By Default, Symantec Endpoint Protection Manager downloads and keeps 3 Revisions of Virus definition versions in its Repository.

     

    In case space is a concern with regard to the virus definitions folder size...

    1) Login to Symantec Endpoint Protection Manager

    2) Click on Admin

    3) Go to Servers

    4) Right Click on the Local Site

    5) Click on Properties

    6) Go to the LiveUpdate Tab






  • 4.  RE: Client virus definition revision numbers

    Posted Oct 06, 2009 12:09 PM
    My understanding is that this setting, "Number of content revision to keep", is for SEPM. I need to know the client configuration on the client's machine.


  • 5.  RE: Client virus definition revision numbers

    Trusted Advisor
    Posted Oct 07, 2009 07:25 AM
    Hello,

    Correct,
    The above resolution provided is for the SEPM.
    However, if we check it properly, the same is reflected to the SEP clients along with LiveUpdate downloads and policies from SEPM at every update.



  • 6.  RE: Client virus definition revision numbers

    Posted Oct 07, 2009 07:57 AM
    We cannot control the contents stored by the SEP client, at least from the GUI.
    SEP caches three defs, called SEP cache 1, 2 and 3.
    You can see the usage.dat in the virusdefs folder.


  • 7.  RE: Client virus definition revision numbers

    Posted Oct 29, 2009 09:53 AM
    usage.dat does indeed have three revision lines of def caches. However, what I observed was that the SEP client only has one version of the defs when LiveUpdate successfully downloads the new defs to the machine. Or does the theory of cache 1, 2, 3 only work when the client receives defs from the management server, not when it uses LiveUpdate?


  • 8.  RE: Client virus definition revision numbers

    Posted Oct 31, 2009 09:30 AM
    Respectfully, I will have to argue that. Default is 30 !!!! (SEP 11 MR4 / MR4.2).

    And that is what causes so many to complain about running out of disk space, and it needs to be decreased, though no lower than 3. See all the threads on this in the forum.




  • 9.  RE: Client virus definition revision numbers

    Posted Oct 31, 2009 10:28 AM
    Hi,

    In any LiveUpdate session only one revision is downloaded, be it SEPM or SEP client. SEPM can store multiple revisions, and that's why it can provide multiple revisions.

    You can control which revision the clients should have by going into Policies -> LiveUpdate Policy -> LiveUpdate Content Policy.

    The main purpose behind having multiple policies is to provide a scalable security solution. So, if we see that a particular revision is corrupt, we switch to an earlier revision until a new one is released.

    Aniket


  • 10.  RE: Client virus definition revision numbers

    Posted Nov 22, 2009 11:50 PM
    Hi,

    I found a solution from Symantec KB:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008092516184748

    BTW, I would like to know how to do this in the SAV parent server (SAV 10.1), thanks! :)

    Symantec Endpoint Protection Client Capabilities

      You can configure Symantec Endpoint Protection Clients to not cache their full installers at install time.
      Open cmd window > launch command msiexec /i "Symantec Antivirus.msi" CACHEINSTALL=0

      You can control where Symantec Endpoint Protection stores its install cache.
      Open cmd window > launch command msiexec /i "Symantec Antivirus.msi" CACHED_INSTALLS="PATH"

      You can control the number of content revisions that the Symantec Endpoint Protection client stores for each content type. Each content type can be configured individually.
      Start > Run > regedit > navigate to HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\Symantec Endpoint Protection\Content\ > Open folder with the intended content moniker name > & then depending on version do the following:

      1. In Symantec Endpoint Protection 11.0 and MR1, adjust the "CachedEntries" DWORD value to the # of cache content revisions to keep.

         
      2. In Symantec Endpoint Protection MR2 and newer, adjust the "CachedEntriesEx" DWORD value to the # of cache content revisions to keep.
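
The registry procedure quoted in the last post, as an added PowerShell example that is not part of the original thread or of Symantec's KB article: it lists every content moniker under the key named above with its `CachedEntries` / `CachedEntriesEx` values, and offers a `-WhatIf`-capable setter. The function names and the 1 to 100 range check are assumptions made for this example; the key path and value names are the ones given in the post.

```powershell
# Added example: audit and adjust per-content-type revision cache settings.
# Key path and value names are taken from the KB text quoted in the post above.
$ContentRoot = 'HKLM:\SOFTWARE\SYMANTEC\Symantec Endpoint Protection\Content'

# Hypothetical helper: one row per content moniker with both value names.
function Get-SepContentCacheSetting {
    param([string]$Root = $ContentRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Key not found: $Root (is the SEP client installed?)"
        return
    }
    Get-ChildItem -LiteralPath $Root | ForEach-Object {
        # Missing values come back as $null, so it is visible which one is in use.
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Moniker         = $_.PSChildName
            CachedEntries   = $props.CachedEntries     # SEP 11.0 and MR1
            CachedEntriesEx = $props.CachedEntriesEx   # MR2 and newer
        }
    }
}

# Hypothetical helper: change one content type; run with -WhatIf first.
function Set-SepContentCacheSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Moniker,
        [Parameter(Mandatory)]
        [ValidateSet('CachedEntries', 'CachedEntriesEx')][string]$ValueName,
        # Range is an assumption for this example, not a documented limit.
        [Parameter(Mandatory)][ValidateRange(1, 100)][int]$Revisions,
        [string]$Root = $ContentRoot
    )
    $key = Join-Path $Root $Moniker
    if (-not (Test-Path -LiteralPath $key)) { throw "No such content key: $key" }
    if ($PSCmdlet.ShouldProcess("$key\$ValueName", "Set DWORD to $Revisions")) {
        Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $Revisions -Type DWord
    }
}

# Read-only report of the current settings.
Get-SepContentCacheSetting | Format-Table -AutoSize
```

Run it from an elevated prompt on the client; the setter only writes when called explicitly, and `-WhatIf` shows the target key and value without changing anything.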