Endpoint Protection


How SEP Client updates virus definition? is it incremental?

  • 1.  How SEP Client updates virus definition? is it incremental?

    Posted Aug 23, 2009 04:43 AM
    We have a customer here who is concerned about how virus definitions update, since they have multiple sites and will use LUA and GUP technology.
    If I am using LUA, do SEP clients download the antivirus incrementally or as 1 big file (45MB)? Or is it 45MB in total on the first download and then incremental downloads of virus definitions, meaning only new virus definitions will be downloaded?

    And if I am using GUP, how does this work? I also read in the manual that this uses VDTM technology and that the next updates only download the newest virus definitions? For example, if the current virus def is 45MB and the next day's is 46MB, will it download the 46MB or 1MB only?

    Please enlighten us, since this is our concern on this deployment project.

    I appreciate any hints,

    rgds,
    meon





  • 2.  RE: How SEP Client updates virus definition? is it incremental?

    Broadcom Employee
    Posted Aug 23, 2009 08:41 AM
    Hi Meon, both LUA and GUP download the full set of definitions once initially, and the daily updates are only incremental, as you said. If we talk about GUP specifically, the Endpoint Protection Manager creates these incremental or delta updates, as we call them, and the GUP downloads these delta updates from SEPM and distributes them to the clients that are updating their definitions from the GUP. Please let me know if you have any more questions. :-)


  • 3.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 23, 2009 09:04 AM
    Hello Meon,

    The LUA server downloads around 20-25 MB two or three times a day from Symantec servers if you optimize it to support SEP Client updates only. If you configure it to feed SEP Manager updates as well, then each download size will go up to 50-60MB per definition release (average). If you're talking about client-side updates, they will connect to one of the LUA distribution centers and will download only new items, so it is incremental.

    GUP works in a similar fashion, except that clients continuously ask SEP Manager to check whether there is a new update. If so, they will go and download it from the GUP client.

    I'd suggest you share the network structure with us for further help, and use GUP.


  • 4.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 23, 2009 10:32 AM
    Okay, thanks for the prompt reply.
    I have actually already explained the incremental part to the customer, as I showed the customer the logs of the SEP clients' transaction process when downloading the defs. So it supposedly wouldn't be an issue anymore, since you guys affirmed the idea of how the antivirus downloads the virus defs.
    How can I get support from Symantec stating that the first download would be, for example, 45MB and the next ones are incremental, and also that GUP uses incremental downloads of the virus defs? Should I create a ticket, since we are also a Symantec partner?

    One more thing, about LUA: can we customize LUA to download only defs from Symantec, for example 32-bit only, to reduce the size of the defs to be downloaded? And not product updates, IPS, firewall signatures, etc.?
    With the current settings it seems I can't tick to choose defs only for 32-bit machines, and it would download in full, like for x32, x64, IA64, etc., while we only need them for x32 machines. Can we pick the download only for x32 machines?

    This takes time and bandwidth, but when we upload to the distribution point we can select what we want, which is to upload only virus definitions for x32. This is inefficient, since we want only x32 virus defs to be downloaded and distributed to SEP clients.

    Can we customize it to allow for these circumstances?

    Does LUA also download incrementally or not? In the options we can lock revisions, so what we will do is lock a certain virus defs revision (the latest), then next download the latest updates from Symantec and purge on a certain day, so it will take time and bandwidth? Since we have multiple sites downloading from the central LUA, this issue is the most critical at the moment.

    Is this doable? Or is there a smarter approach than this idea?

    You guys, I appreciate the help and support.

    regards,
    meon





  • 5.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 23, 2009 02:27 PM
    I don't think we can configure the LUA or SEPM to download only 32-bit defs.

    To add to your first question, I would like to say that if you are using GUP and SEPM is configured to keep only 3 content defs (i.e. the default), then clients connecting to the SEPM after 3 days will download the full zip file instead of the delta defs file. So if you are going to use a GUP setup, make sure you change the size of the content from 3 to at least 10, but that will consume some extra space on your SEPM server.


  • 6.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 23, 2009 05:17 PM
    Hello meon,

    What Kavin says about GUP is correct and you should consider it. I cannot inform you deeply about GUP, but I can help you on LUA to the end.

    Yes, you can download 32-bit client content only. If you select to download the whole SEP content in the LUA interface, that means you are downloading content to update SEP Manager as well, which you would not want to do, to save bandwidth. Follow this link to retrieve content for only 32-bit SEP clients: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/434f5a6ff8750105882574de006badf9?OpenDocument

    Do a fresh install and configure it to download only those components, as in the link above. A few pieces of advice:
    - Never do a "manual download request"; always work with jobs you added
    - Never cancel a job
    - Make sure you'll have enough disk space after downloading the required amount of historical updates (my suggestion would be to prepare 10GB of space)
    - Take image backups of the LUA server periodically to guarantee recovery from any database failures of the LUA server

    After the configuration you'll initially probably download around 500MB of content, then around 25MB every day (if you run the download job once, which would be enough if you are on low bandwidth). These numbers will increase by a few KBs every day, since definition sizes are increasing.

    To show your customer how much data is being downloaded by each client (both initially and daily), you can enable the option to manually launch LiveUpdate from the client group's LiveUpdate policy within the SEP Manager's interface. After you configure the policy to download only from the LUA, you can then launch LiveUpdate on the SEP Client. It will say how much it will download. Then you do the same thing on the next day, and you will see the new size. Repeat this for 2-3 days so that you can have an average (one result may mislead you). If the customer does not trust the LiveUpdate interface on the client side, then you should install software to monitor the statistics (NetLimiter is one option, but it is not freeware).

    Otherwise you cannot have any logs on LUA server about who is connected and who downloaded what.

    You shouldn't need to lock revisions if there is no problem with the up-to-date definitions.

    I have used the link above to feed the IIS and UNC distribution centers across 64kbps satellite links, so it should work for anyone.


  • 7.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 26, 2009 07:51 PM
    Hello guys,
    I was in training, with little time to go online. Okay, the customer still insists that LUA should be under 10MB; is that possible?
    I already reduced it to download only virus defs (only 32-bit, so I tick only 4 items), but it is still 30MB, and on some other days (on average every 3-4 days) it is sometimes a 50-60MB download.
    Is this how LUA works? If so, we will ask Symantec to give us something like a statement on paper, so the customer will accept it, and that it's not about a wrong setting or an inconsistency of the LUA download.

    What's your experience on this? The customer expects the LUA download to be below 10MB.

    rgds,
    meon


  • 8.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 27, 2009 03:56 AM
    If you're going to update 32bit SEP clients in their network, then LUA will download a minimum of 25MB of data daily. 10MB a day is not possible.

    You are not talking about the downloads which clients make from LUA server within the intranet, are you?


  • 9.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 27, 2009 08:08 PM
    Hi bekirdur,
    The clients were expecting to use LUA, and they also expect their SEP clients to download from LUA. Since this will be multi-site and over WAN with geographical differences, only 1 LUA will connect to Symantec, and a hundred sites will each have their own LUA, but will connect to the central LUA.

    So between LUAs we expect the download size to be under 10MB due to bandwidth constraints. If that is not possible, we will find a way to make it work, let's say using GUP, or maybe adding more bandwidth, which makes sense if that is how LUA works.

    I will update you when the project is done, so if another project experiences the same situation, this might be helpful to the person doing the same deployment.

    best regards,
    meon


  • 10.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Aug 28, 2009 10:43 AM
    Hello meon,

    How many LUA servers are you planning to install at the end?


  • 11.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Oct 13, 2009 12:20 AM
    Hello all,
    Bekirdur: we only install 1 LUA in the end.

    For hundreds of branch offices we are using GUP, using 1 single group but with network location awareness, so when a laptop/desktop moves/relocates to another branch office there is no need to configure.

    When installing GUP at a branch office, we also install the latest update virusdefspackage.exe from the Symantec website, just to make sure it has the latest virus definitions, but then the GUP will get about 52MB from SEPM, and the next ones are incremental virus defs.

    The installation is rather painful, since the deployment only succeeded on 30% of 100 clients, and we need to retry the rest of the clients.

    And there are some problems that are not giving customer satisfaction, such as the information on the console not being complete (like the computer version, computer status, virus definition date, etc.), and we couldn't find a KB about this. Once again we retry the installation and expect the information above to be properly provided on the SEPM console.

    We are trying to fulfill the project plan, but somehow the deadline will be a little bit tight, since we have to retry the client installation and install carefully on clients, since this is a customer requirement.

    So, this might be what you guys experience when deploying SEP11.

    I really appreciate everyone who helped on this project, through forums etc., and wish you all luck on your SEP deployments.






  • 12.  RE: How SEP Client updates virus definition? is it incremental?

    Posted Oct 13, 2009 09:56 AM
    To refresh the client info on the SEP Manager, try deleting the client from the GUI. Keep the heartbeats low if you have slow uplinks. And you should be using the push deployment wizard on each branch, so that you will have to send only one setup.exe package to each.

    MR5 now has bandwidth throttling for GUPs. First test your clients before the upgrade. We had some problems on Vista. You cannot use throttling if both the Manager and the GUP agent are not MR5.

    You're welcome.

    Good luck to you too.