Endpoint Protection

  • 1.  Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 09:32 AM

    Since I upgraded my management servers to v12.1.6 I have been getting the "CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions" email notification several times a day. I understand the intent of the notification, but I'm not sure what the description "Server did not find clients closest matches" means. As you can see in the screenshot, the definition name is "SEPC Iron Revocation List 12.1 RU6" and the version requested appears to only be a couple versions ahead of the current version on the client. Also, not shown in the screenshot, the file size is only 1MB, is this really something to be concerned about? What is the SEPC Iron Revocation List update definition used for?

    FYI, I have upgraded the GUPs these clients use and most of my clients are on version 12.1.4112.4156. Only a few are upgraded to 12.1.6 at this time.



  • 2.  RE: Full Definition Request; Server did not find clients closest matches

    Broadcom Employee
    Posted Oct 06, 2015 09:58 AM

    SEPC Iron Revocation List is the Iron database associated with the Insight reputation.



  • 3.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 10:08 AM

    Similar issue here:

    https://www-secure.symantec.com/connect/forums/network-load-requests-full-definitions-notification



  • 4.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 10:41 AM

    Is this considered normal then because of the content type, or does this indicate an issue with clients attempting to download updates for Insight?



  • 5.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 10:49 AM

    All content types are kicking off alerts. Because there is no way to adjust/edit the alert, this is the drawback.

    A 1MB size content download is probably normal.



  • 6.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 01:21 PM

    First of all, SEP 12.1.4 clients are definitely able to process 12.1.6 Revocation List delta files.

    SEPC Iron Revocation List will be updated rather frequently. So it's possible that some of your clients have too old content to get delta files from the SEPM.

    Please check in the logs if your clients are pulling full Revocation List content all too often. It's described in this article (you can use it if you don't use GUPs, too): 

    How can we check which content SEP 12.1 clients are downloading from GUP?

    You can export the log and import and filter it in Excel. The Revocation List content starts with {810D...}. If there are a lot of full downloads in comparison to delta downloads, you should check the number of content revisions on the SEPM: Admin > Servers > Local Site > Edit Site Properties > LiveUpdate > Disk Space Management for Downloads. If the number is small (e.g. smaller than 10) you should increase it to, say, 90. SEP 12.1.6 is able to save the content very effectively, so that's no problem (as it was in versions prior to 12.1.5).

    And what's the interval your SEPM is updating? If it's on "daily", it's possible that some clients will be updating themselves in between via the internet (depending on your settings). In this case, these clients may have a content version that does not match the content version of the SEPM. Result: Delta file creation is impossible, clients will get full content files. If that's the case, just increase the Download Schedule to "Every 4 hours". Then the SEPM will get all possible content files.
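    The full-versus-delta check described in the post above, as an added example that is not part of the thread and not Symantec's code: it reads an exported download log, keeps only content whose ID starts with {810D (the Revocation List), counts full against delta downloads, and lists clients that keep pulling full packages. The CSV column layout (Client, ContentID, Version, DownloadType), the GUIDs and the hostnames in the sample are all constructed for this example; the real SEPM export has its own column names, so adjust the field names to match your export.

```python
import csv
import io
from collections import Counter

# Revocation List content IDs start with this prefix (from the thread).
REVOCATION_LIST_PREFIX = "{810D"

# Constructed sample rows for this example. The column layout
# (Client,ContentID,Version,DownloadType) is an assumption made here,
# not the SEPM's actual export format; the GUIDs are placeholders.
SAMPLE_EXPORT = """\
Client,ContentID,Version,DownloadType
WS-001,{810D0000-0000-0000-0000-000000000001},151005011,Delta
WS-002,{810D0000-0000-0000-0000-000000000001},151005011,Full
WS-002,{810D0000-0000-0000-0000-000000000001},151006002,Full
WS-003,{810D0000-0000-0000-0000-000000000001},151006002,Delta
WS-003,{F0000000-0000-0000-0000-000000000002},151006001,Delta
WS-004,{810D0000-0000-0000-0000-000000000001},151006002,Delta
WS-005,{F0000000-0000-0000-0000-000000000002},151006001,Full
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts (header row defines keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def _matches(row, prefix):
    # Content IDs are GUIDs; compare case-insensitively on the prefix.
    return row["ContentID"].upper().startswith(prefix.upper())


def download_counts(rows, prefix=REVOCATION_LIST_PREFIX):
    """Count Full vs Delta downloads for content whose ID starts with prefix."""
    counts = Counter(
        row["DownloadType"].capitalize() for row in rows if _matches(row, prefix)
    )
    return {"Full": counts["Full"], "Delta": counts["Delta"]}


def full_download_ratio(rows, prefix=REVOCATION_LIST_PREFIX):
    """Fraction of matching downloads that were full packages (0.0 if none)."""
    c = download_counts(rows, prefix)
    total = c["Full"] + c["Delta"]
    return c["Full"] / total if total else 0.0


def clients_pulling_full(rows, prefix=REVOCATION_LIST_PREFIX, min_full=2):
    """Clients that pulled at least min_full full copies of matching content.

    A client repeatedly fetching full content instead of deltas is the case
    the thread says to look for: its content is too old, or out of step with
    the revisions the SEPM keeps, for a delta to be built.
    """
    per_client = Counter(
        row["Client"]
        for row in rows
        if _matches(row, prefix) and row["DownloadType"].capitalize() == "Full"
    )
    return sorted(c for c, n in per_client.items() if n >= min_full)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Revocation List downloads:", download_counts(rows))
    print("Full-download ratio: %.2f" % full_download_ratio(rows))
    print("Clients repeatedly pulling full content:", clients_pulling_full(rows))
```

A high full-download ratio for one content type is the signal to go look at the revision count under Disk Space Management for Downloads and at the LiveUpdate download schedule, as the post describes; a handful of single full downloads across a large fleet is the normal case the thread ends up describing.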



  • 7.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 06, 2015 02:32 PM

    OK, I exported the report and came up with only 5 computers that requested a full copy of the revocation list in the last 24 hours. That's only 5 out of about 1900 total computers. The vast majority only requested one download, but none made the request more than twice.

    As for your questions, SEPM is set to check with LiveUpdate every 4 hours and I'm keeping 120 revisions. Also, the clients are set not to update from the internet, the LU policy is set so they only check with their GUP and SEPM.

    I'm not sure if it is related, but our SIEM is getting the following syslog error message from the SEPM and it appears to be occurring on a large number of machines:

    10 06 2015 13:11:03 [SEPM IP] <LOC6:ERRR> Oct  6 13:09:59 SymantecServer [SEPM HOSTNAME]: [CLIENT HOSTNAME],Category: 2,REP,Cannot assign a client authentication token. There was a general communication failure.

    My understanding is this error is related to clients communicating with Symantec for insight updates as well, but I haven't been able to resolve it. Do you think this is related?



  • 8.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 15, 2015 09:44 AM

    It's the Iron DB download, and that is normal at times when we update the DB; it's an issue with the way we implemented the full def alert. You should not be flooding the network with 1MB updates, I hope :).

    We have a feature update to filter ONLY on AV defs planned in the MP3 release, estimated end of 2015. Caveats for futures apply.



  • 9.  RE: Full Definition Request; Server did not find clients closest matches

    Posted Oct 15, 2015 09:46 AM

    Usually a client authentication token error means you have over-deployed your license count. You will be seeing email alerts on licensing. Those clients without a token are disabled from Insight only. So, unrelated.

    Without Insight, SONAR is severely handicapped; without Insight, efficacy for various engines drops, FP risk is higher, and scan times can increase. We are kind enough to not entirely cut off all def flows when over-deployed (today), and there is a grace period.

    Note - If you have a non-EE SEP, or a trial version, then licensing has some different outcomes than an EE over-deployed situation with a token not available...

    https://support.symantec.com/en_US/article.TECH184530.html

    https://www-secure.symantec.com/connect/forums/grace-period

    (links to 3 articles also about what happens with different SEP products that are overdeployed or over trial time)