Endpoint Protection

  • 1.  Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 09:48 AM

    This has been occurring for the past 5 days and I'm not aware of any major changes having occurred. It's isolated to just one location in Asia--this location has 1000-1500 clients. We have one SEPM server in the US and one GUP in the Asia location. It appears 25 clients at a time, about 8 times a day with different clients, are trying to pull full definitions, and I'm not sure why they are doing this.

    Using the Symantec Content Distribution Manager (SEPM Monitor), I see that under "Latest versions available" the Virus/Spyware type had an outdated revision, so I manually ran LiveUpdate on the SEPM to update it. Under "Operation status of all GUPs" it has a green checkmark, but the Virus/Spyware revision was showing an older one and the text was red. After going to the GUP and running LiveUpdate, this is now green, showing 2016-10-25 rev.002.

    Error I'm receiving:

    25 requests for Virus and Spyware full definitions received in the past 10 minutes. This situation could indicate a potential network overload. You can block any future requests for full definitions. In the management console, go to Admin > Servers > Server Properties > Full Definitions Download tab, and check Prevent clients from downloading full definition packages.

    • I'm receiving these messages multiple times throughout the day--like 8 times spread over the day.
    • This is only happening at our remote site that's in Asia
    • The Asia site uses a GUP and the GUP contacts the SEPM in the US for content
    • I get about 25 clients trying to get full definition requests at a time
    • Revisions are set to 90 days
    • Clients show this almost always in the Client Activity Log:
      • Cannot assign a client authentication token. There was a general communication failure.
      • [Client authentication token request] Submitting information to Symantec failed.
      • [Intrusion prevention submission] Submitting information to Symantec failed.



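As an added illustration of the alert quoted in the post above (example code written for this page, not part of the thread or of Symantec's product), the block below reimplements the "N requests for full definitions in the past 10 minutes" check as a per-site sliding window over constructed request events, and then asks the question the thread is really about: are the 25 clients in each burst the same machines, or a different set every time? The site names, client names, timings and the "full"/"delta" request labels are assumptions made up for the example.

```python
# Added example (not from the thread): a sliding-window reimplementation of
# the SEPM "Network Load Alert" check, run over constructed request events so
# you can see which clients make up each burst and whether any recur.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the alert text says "in the past 10 minutes"
THRESHOLD = 25                   # the alert fired at 25 full-definition requests


def build_sample_events():
    """Constructed sample data; sites, client names and timings are
    assumptions, not data from the thread. Tuple: (time, site, client, kind)."""
    events = []
    base = datetime(2016, 10, 25, 9, 0)
    # Burst 1: 25 distinct Asia clients ask for full definitions 20 s apart.
    for i in range(25):
        events.append((base + timedelta(seconds=20 * i), "ASIA",
                       "asia-pc-%04d" % i, "full"))
    # Burst 2: four hours later, 25 *different* Asia clients do the same.
    for i in range(25, 50):
        events.append((base + timedelta(hours=4, seconds=20 * (i - 25)),
                       "ASIA", "asia-pc-%04d" % i, "full"))
    # The US site only pulls deltas; these must never trigger the alert.
    for i in range(40):
        events.append((base + timedelta(seconds=15 * i), "US",
                       "us-pc-%04d" % i, "delta"))
    return sorted(events)


def find_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per site per burst: the first moment the number of
    full-definition requests in the trailing window reaches the threshold.
    Re-alerting for the same site is suppressed for one window length."""
    alerts = []
    recent = defaultdict(deque)   # site -> (timestamp, client) inside the window
    muted_until = {}              # site -> time after which we may alert again
    for ts, site, client, kind in events:
        if kind != "full":
            continue
        q = recent[site]
        q.append((ts, client))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and ts >= muted_until.get(site, datetime.min):
            alerts.append({
                "site": site,
                "at": ts,
                "count": len(q),
                "clients": sorted(c for _, c in q),
            })
            muted_until[site] = ts + window
    return alerts


def recurring_clients(alerts):
    """Clients that appear in more than one alert for the same site. An empty
    set means every burst came from a different set of machines, which points
    at a population-wide cause rather than a few misbehaving clients."""
    seen = defaultdict(set)
    repeats = set()
    for a in alerts:
        members = set(a["clients"])
        repeats |= members & seen[a["site"]]
        seen[a["site"]] |= members
    return repeats


def format_alert(alert):
    """Render an alert in the wording of the SEPM message quoted in the post."""
    return ("%d requests for Virus and Spyware full definitions received in "
            "the past 10 minutes at site %s (first seen %s)"
            % (alert["count"], alert["site"], alert["at"].isoformat()))


if __name__ == "__main__":
    found = find_alerts(build_sample_events())
    for a in found:
        print(format_alert(a))
    print("clients recurring across bursts:", sorted(recurring_clients(found)))
```

With the constructed data this reports two Asia alerts of 25 clients each and no client in common between them, which is the "different 25 every 4 hours" pattern described later in the thread; if `recurring_clients` came back non-empty you would instead go looking at those specific machines. The muting step matters: without it a single burst of 25 would generate an alert on every further request while the window is still full.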

  • 2.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 09:53 AM

    So only those 25 are affected? Are they showing the latest revision installed? Can you run the SymDiag tool on one of the affected ones to see what it returns?



  • 3.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 11:13 AM

    No, it's a different 25 every 4 hours or so, it seems. I'll look and check on their revision numbers and run SymDiag and see what it shows.



  • 4.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 04:21 PM

    So I was able to get the technician in the Asia location to check a handful of clients down there. All 5 were showing clients not up-to-date and "One or more Symantec Endpoint Protection definition sets are corrupted".

    These clients appear to be using 12.1 RU4 (12.1.4013.4013), which is older than the latest, 12.1 RU6 (12.1.7061.6600).

    It's odd, though, that so many clients (presuming most are like this) would be corrupted. Should I have them update all their clients and pull new content definitions down?



  • 5.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 05:01 PM

    I generally see this activity when content is corrupt. SymDiag has a "fix content" option in it when you run it and it detects bad defs. You can do a manual repair but I'd suggest upgrading the client to the latest version, which should also fix it.



  • 6.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Oct 25, 2016 05:01 PM

    So here are my GUP settings. Should I increase Maximum number of simultaneous downloads to client since we have so many clients down there?

    This doesn't explain why so many clients were downloading full content downloads. Any ideas why so many clients are trying to download full content?




  • 7.  RE: Critical: Network Load Alert: Too many requests for virus and spyware full definitions

    Posted Nov 01, 2016 09:30 AM

    Just an update on this:

    I ran SymDiag on 4 clients and they indeed had issues, although only a couple had corrupt definitions. I upgraded the clients, updated the content and, oddly, of the 155 clients reported in the Symantec Network Critical Alert, the alerts have not happened in 5 days. Not sure how upgrading 4 clients could resolve the issue, but it's probably something else that changed that has remediated the issue. Not sure what changed, however.