Endpoint Protection

Hi all,

Got a Windows 2003 server here running Symantec Endpoint (11.0.3001.2224 according to the console) which has been consuming HUGE amounts of data daily (5gb a day). I noticed (using PRTG on our snmp enabled router) that every 15mins or so, 60mb of data was being pulled in via our net connection. Obviously this ramped up our usage and costing us extra .....  looked at EP's configuration and found it was continuously polling for updates etc.... fair enough, but a new 60mb update every 15mins ????

So I have set it to only check for updates once a day...its now checking once every 4 hours but still pulling in that 60mb of data each time.

So Im wondering : why is it doing checks every 4 hrs when its been set to once daily, and what the heck is this 60mb its pulling in all the time ??

TIA

Gavin

ok do you have a client on the server it self?
Is it managed or unmanaged?
Check the liveupdate policy for the clients & see if you have enabled the schedule for the clients?
and also do you have GUP configured?

Sepm pulls the whole update file everytime (not incremental as it is a server) but the clients gets increamental update from sepm. set live update to once a day.

something sounds wrong. even if it checks every 15 minutes, it should stay up-to-date. It shouldn't be downloading same packages over and over. do you plan to upgrade to MR4? Is this problem specific to that client?

ok do you have a client on the server it self?

Yes

Is it managed or unmanaged?

Managed

Check the liveupdate policy for the clients & see if you have enabled the schedule for the clients?

Have made a change to that now :)

and also do you have GUP configured?

It wasnt enabled, but have enabled it now.


Still seeing that data coming through though every 4-5 hours now.
Its got us puzzled as anything.

As mentioned in OP, this was set to daily but still seems to be poling every 4-5 hours.

 Certified Def's come out about every 4-5 hours, daily.  They are about 40+MB in size...  I like to keep servers right around that schedule, up to 6 hours per liveupdate.

This seems like normal behavior, no?

I would most def, upgrade the SEPM to MR4 MP2.  Watch for a few weeks, then work on rolling out client upgrades seeing as how you are a major MR behind anyways... ;-)

NOTE: MR4 can manage MR3 machines no prob :-)

The easiest way to solve this is to install and use wireshark to see exactly what the server is doing when it is using this bandwidth. If you do this post back with the results, and we can help further. Just a side note what is wrong with the ~40 mb every four hours. This is not that huge. Ends up being about 8 gb a month. I think I hit far more than that on my home computer ; p   But that is just a side note. Wireshark will help narrow down your problem.

Cheers
Grant

Thanks for everyones response but looks like we're putting a new server in and its been licensed for an alternative product so the server with Symantec will be put in storage for a bit. I might have a play with it and try the ideas etc that have been offered and see what happens when Im free and go form there :)

40mb every 4 hours is manageable, but when it was every 10mins... well...  lets just say we were paying 2c per mb........... you soon see why it was an issue ;)

No totally agree every 10 min... Man I don't even want to try to calculate that ; ) I am glad you at least got it to not run every 10 min, but I would still suggest wireshark to see exactly what is pulling out those other 40 mb transfers.

Grant-

You mean You are moving to any other AV product.

Correct.
We still have Symantec running at other sites but not Endpoint.

Which product you are  moving to.